Jenkins LDAP and SSHA passwords


Maciej D

Mar 23, 2017, 11:40:58 AM
to Jenkins Users
Hi Jenkins users!

I'm trying to bind Jenkins to LDAP auth.

Jenkins is successfully downloading the user list.

Unfortunately the credentials are wrong every time I try to log in with a valid account.

My LDAP server stores salted SHA (SSHA) in base64 for user passwords.

Can Jenkins detect this, i.e. base64-decode, then take the salt and calculate the hash to compare it to the password hash that's stored in LDAP?

Thanks for help!

Björn Pedersen

Mar 24, 2017, 3:24:35 AM
to Jenkins Users
Hi,

That's not how LDAP auth normally works:

Jenkins takes the user and password, and tries an LDAP bind with this password. If the LDAP server returns success, then the login is granted.
I suspect there is some other problem with your LDAP config.

Questions:
 * What type of LDAP server are you running (ActiveDirectory, OpenLDAP, FreeIPA, ...)?
 * What is your LDAP config (remember to remove passwords/sensitive information before posting)?

Björn
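
The following is an added example, not part of the original thread. It shows the {SSHA} layout the question describes and the comparison a directory server performs itself when a client sends the password in a simple bind, which is why the client (Jenkins) never has to read or decode the stored hash. It assumes the common layout base64(digest || salt); the function names are made up for this sketch, and the SSHA256/SSHA512 entries generalize beyond the thread's SSHA case.

```python
import base64
import hashlib
import hmac
import os

# Scheme -> hash name. SSHA is the thread's case; the SHA-2 variants use the same layout.
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA512": "sha512"}


def make_ssha(password, salt, scheme="SSHA"):
    """Build a userPassword value: {SCHEME}base64(H(password || salt) || salt)."""
    digest = hashlib.new(SCHEMES[scheme], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def parse_ssha(stored):
    """Return (hash_name, digest, salt); raise ValueError on a malformed value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    algo = SCHEMES.get(scheme.upper())
    if algo is None:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    size = hashlib.new(algo).digest_size
    if len(raw) <= size:
        raise ValueError("no salt after the digest")
    # The digest has a fixed length, so everything after it is the salt.
    return algo, raw[:size], raw[size:]


def verify_ssha(password, stored):
    """Server-side check of the password received in a simple bind."""
    algo, digest, salt = parse_ssha(stored)
    candidate = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


if __name__ == "__main__":
    # Constructed sample: password and salt are made up for this demo.
    stored = make_ssha("correct horse", os.urandom(8))
    print(stored)
    print(verify_ssha("correct horse", stored), verify_ssha("wrong", stored))
```
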

Maciej Drobniuch

Mar 24, 2017, 4:11:50 AM
to jenkins...@googlegroups.com
Hi Björn

I'm using FreeIPA.

That would mean that I'm using a wrong DN?

I'm using the DN because it's able to see the password hashes.

Thanks for help!

Server: ldaps://ipa.mydomain
root DN: dc=mydomain,dc=com
User search base: cn=users,cn=accounts
User search filter: (objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%u)
Manager DN: cn=Directory Manager
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail

--
Regards!
Maciej Drobniuch

Björn Pedersen

Mar 24, 2017, 10:47:37 AM
to Jenkins Users
Hi,

You can find the docs at: https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#ldap

What you pasted is not a valid Gerrit LDAP configuration entry.

Björn

Björn Pedersen

Mar 24, 2017, 10:49:25 AM
to Jenkins Users
And note: FreeIPA is auto-detected only with current master; for older releases you need to configure all attributes manually.

See https://gerrit-review.googlesource.com/#/c/94925/ for hints.

Björn