Jenkins / JENKINS-37856

LDAP Authentication Overall/Read Permissions Missing

      Description

      Every few login attempts, our users receive an error that they do not have overall/read permission. These users are part of an LDAP group with Administer permissions.

      The current workaround is to log out and back in until access is given, but this isn't ideal.

      The security section of config.xml is below:

      <useSecurity>true</useSecurity>
      <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
        <permission>hudson.model.Hudson.Administer:ldapserviceaccount</permission>
        <permission>hudson.model.Hudson.Administer:ldapgroup</permission>
      </authorizationStrategy>
      <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.42">
        <domain>foo.bar.com</domain>
        <site>wetc</site>
        <bindName>CN=foo,OU=bar,OU=foo,OU=bar,DC=foo,DC=bar,DC=com</bindName>
        <bindPassword>blahblahblah=</bindPassword>
        <groupLookupStrategy>AUTO</groupLookupStrategy>
        <removeIrrelevantGroups>false</removeIrrelevantGroups>
      </securityRealm>
      <disableRememberMe>false</disableRememberMe>
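A diagnostic aid for the symptom described above, added here as an example and not taken from the reporter or the Jenkins project: it parses the matrix grants from the excerpt and lists which presented identities would grant Overall/Read for a given login. It assumes the `permission:sid` entry format shown above, exact string matching of sids, and that Administer implies every other permission; the user name `alice`, the group `Domain Users` and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Authorization part of the excerpt above, wrapped in a root element so it parses.
CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:ldapserviceaccount</permission>
    <permission>hudson.model.Hudson.Administer:ldapgroup</permission>
  </authorizationStrategy>
</hudson>"""

ADMINISTER = "hudson.model.Hudson.Administer"
READ = "hudson.model.Hudson.Read"  # shown in the UI as Overall/Read


def load_grants(xml_text):
    """Return {permission: {sid, ...}} from <permission>perm:sid</permission> entries."""
    grants = {}
    for node in ET.fromstring(xml_text).iter("permission"):
        perm, _, sid = (node.text or "").strip().partition(":")
        if perm and sid:
            grants.setdefault(perm, set()).add(sid)
    return grants


def granting_sids(grants, permission, user, groups):
    """Sids presented by this login that carry the permission (or Administer)."""
    # Assumption: a login presents its user name, the built-in "authenticated"
    # authority, and whatever groups the security realm resolved for this session.
    presented = {user, "authenticated", *groups}
    holders = grants.get(permission, set()) | grants.get(ADMINISTER, set())
    return sorted(presented & holders)


def has_permission(grants, permission, user, groups):
    return bool(granting_sids(grants, permission, user, groups))


if __name__ == "__main__":
    grants = load_grants(CONFIG)
    # Constructed logins: same user, different group lists returned at login.
    for groups in (["ldapgroup", "Domain Users"], ["Domain Users"], []):
        hit = granting_sids(grants, READ, "alice", groups)
        print(groups, "->", hit or "no Overall/Read")
```

With this configuration there is no per-user or `authenticated` grant, so any login whose resolved group list lacks `ldapgroup` ends up without Overall/Read; comparing the groups reported for a failing and a succeeding session is the first thing to check.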
      

        Attachments

          Activity

          zackwhiteit Zack White created issue -
          zackwhiteit Zack White made changes -
          Description: wiki markup around the config.xml excerpt changed from {{...}} to {code:java}...{code}; the text is otherwise the description shown above.
          lavnish Lavnish Lalchandani made changes -
          Attachment config.xml [ 40928 ]
          lavnish Lavnish Lalchandani made changes -
          Attachment config.xml [ 40929 ]
          lavnish Lavnish Lalchandani made changes -
          Attachment config.xml [ 40929 ]
          lavnish Lavnish Lalchandani made changes -
          Attachment Untitled.png [ 40930 ]
          lavnish Lavnish Lalchandani made changes -
          Comment [ [~oleg_nenashev] can you comment here: is the issue I am facing because of this defect or a misconfiguration at my end? I am getting this error at the time of first login while others are getting it after a few login attempts; I don't think it's because of misconfiguration. ]
          oleg_nenashev Oleg Nenashev made changes -
          Assignee Kohsuke Kawaguchi [ kohsuke ]

            People

            • Assignee: Unassigned
            • Reporter: zackwhiteit Zack White
            • Votes: 2
            • Watchers: 7
