  1. Jenkins
  2. JENKINS-37856

LDAP Authentication Overall/Read Permissions Missing


      Description

      Every few login attempts, our users receive an error that they do not have overall/read permission. These users are part of an LDAP group with Administer permissions.

      The current workaround is to log out and back in until access is given, but this isn't ideal.

      The security section of config.xml is below:

      <useSecurity>true</useSecurity>
      <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
        <permission>hudson.model.Hudson.Administer:ldapserviceaccount</permission>
        <permission>hudson.model.Hudson.Administer:ldapgroup</permission>
      </authorizationStrategy>
      <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.42">
        <domain>foo.bar.com</domain>
        <site>wetc</site>
        <bindName>CN=foo,OU=bar,OU=foo,OU=bar,DC=foo,DC=bar,DC=com</bindName>
        <bindPassword>blahblahblah=</bindPassword>
        <groupLookupStrategy>AUTO</groupLookupStrategy>
        <removeIrrelevantGroups>false</removeIrrelevantGroups>
      </securityRealm>
      <disableRememberMe>false</disableRememberMe>
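
An added example, not part of the original report or of the Jenkins project's code: a small Python check that reads the security section shown above and reports which security realm is configured and which SIDs hold Overall/Read, directly or through Administer. The `<hudson>` wrapper element, the function names and the `someuser` id are assumptions; the sample is a trimmed copy of the fragment above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the reported security section, trimmed and wrapped in a
# <hudson> root (assumed wrapper) so it parses as a single document.
SAMPLE = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:ldapserviceaccount</permission>
    <permission>hudson.model.Hudson.Administer:ldapgroup</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm"
                 plugin="active-directory@1.42">
    <domain>foo.bar.com</domain>
    <groupLookupStrategy>AUTO</groupLookupStrategy>
  </securityRealm>
</hudson>"""

ADMINISTER = "hudson.model.Hudson.Administer"
READ = "hudson.model.Hudson.Read"  # permission id behind "Overall/Read"

def summarize_security(xml_text):
    """Return the realm class/plugin and a sid -> {permission ids} map."""
    root = ET.fromstring(xml_text)
    realm = root.find("securityRealm")
    strategy = root.find("authorizationStrategy")
    grants = {}
    for node in (strategy.findall("permission") if strategy is not None else []):
        # Entries have the form "<permission id>:<sid>", as in the fragment above.
        perm, _, sid = (node.text or "").strip().partition(":")
        grants.setdefault(sid, set()).add(perm)
    return {
        "realm_class": realm.get("class") if realm is not None else None,
        "realm_plugin": realm.get("plugin") if realm is not None else None,
        "grants": grants,
    }

def sids_with_overall_read(summary):
    """SIDs granted Overall/Read; Administer implies every other permission."""
    return sorted(s for s, p in summary["grants"].items() if p & {ADMINISTER, READ})

def relies_on_group_lookup(summary, user_id):
    """True when user_id has no direct grant, so its Overall/Read can only
    come from a group SID that the realm resolves at login."""
    return user_id not in sids_with_overall_read(summary)

if __name__ == "__main__":
    s = summarize_security(SAMPLE)
    print(s["realm_class"], s["realm_plugin"], sids_with_overall_read(s))
```

For this configuration the realm is the Active Directory plugin rather than the LDAP plugin, and every ordinary user's Overall/Read depends on being resolved as a member of `ldapgroup`.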
      

        Attachments

          Activity

          escoem Emilio Escobar added a comment -

          Hey Zack White, are you using the LDAP or the Active Directory plugin?

          <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.42">

          cweiske Christian Weiske added a comment -

          We experience this problem with the LDAP plugin 1.14, not the AD plugin, on Jenkins 2.46.1.

          It seems to happen overnight. When we come back the next day and resume our computers from sleep, the first access to a Jenkins page is denied with the Overall/Read permission error. Logging out and in again makes it all work again.

          ceddlyburge cedd burge added a comment -

          Hi There.

          I have a similar problem.

          Initially, only I could log in, even when giving other users explicit permissions.

          I upgraded from Jenkins 2.5 to 2.75, and then other users can log in if I give them individual permissions.

          Adding permissions for an Active Directory group seems to have no effect.

          I checked the capitalisation issue that is referenced in various places on the internet.

          Thanks

          Cedd

          lavnish Lavnish Lalchandani added a comment -

          I am using "LDAP Plugin 1.18" & "Role-based Authorization Strategy : 2.6.1" on "Jenkins 2.73.3" and getting this error at first-time login.

          Attached config.xml, more details at https://stackoverflow.com/questions/48016844/jenkins-2-x-role-strategy-plugin

          Let me know if I am missing something, kind of stuck here.

          oleg_nenashev Oleg Nenashev added a comment -

          Seems to be an issue with group/authorities cache in LDAP or Jenkins Core

          lavnish Lavnish Lalchandani added a comment -

          Oleg Nenashev, can you please comment on my issue ... others are getting this error after a few login attempts; I got it at my first login.

          oleg_nenashev Oleg Nenashev added a comment -

          Lavnish Lalchandani, comment where? In StackOverflow? I do not post there.

          oleg_nenashev Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.


            People

            • Assignee:
              Unassigned
              Reporter:
              zackwhiteit Zack White
            • Votes:
              2
              Watchers:
              7
