JENKINS-37858

Group based LDAP authentication does not work

      Description

      When using the LDAP Plugin, groups are not read unless the user is explicitly granted admin rights ahead of time (defeating the point of using LDAP groups).

      I believe it is not a config issue, as if the user is admin, they can, in fact, see groups with the same config.

      To Recreate:

      1 - Set up the LDAP Plugin to point to a working LDAP server with two user accounts (say, "admin" and "user"; make both have groups attached to them)
      2 - Set Authorization to "Anyone Can Do anything"
      3 - Verify you can log in with each user and that each user can see their own groups by going to the /users/<username> URI
      4 - Set up matrix auth (any conditional auth will do, matrix is the easiest one though) and grant "admin" overall admin rights, and "user" overall "read"
      5 - Repeat step 3 - at this point "admin" will see their own groups, but "user" will not be able to

      This is not just visual: group based authentication does not work. Looking in the logs, it appears that "user" only has the "authorized" permission when it has no admin rights.

          Activity

          saharon27 Sharon Yanko added a comment -

          Hi,

          Just encountered that problem also, using Jenkins 2.73.1 and LDAP 1.17.

          Is there any solution in the near future?

          garumaru Joey Jiang added a comment -

          I had same issue when doing Jenkins migration.

          However, after some troubleshooting, it works for me using the earlier LDAP and Matrix authentication plugin versions:

          LDAP 1.12
          Matrix auth 1.7

          I did upgrade/downgrade the Jenkins server/LDAP plugin/Matrix auth plugin, and found it is not related to the Jenkins version (in my troubleshooting, it was 2.19.3 and 2.89.3), but to the LDAP and Matrix auth plugin versions.

          oleg_nenashev Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

          linmark333 Mark Lin added a comment - edited

          For a hack fix: I'm using JumpCloud, and if the user is enabled with "Enable as LDAP Bind DN", then groups can be searched without the user being added as admin first. Although being enabled as Bind DN means the user can search LDAP.

          It's still a bit odd; the cases where a user can see group info:

          1. a user without "Enable as LDAP Bind DN" in JumpCloud, but with Administer privileges, can view user groups
          2. a user with "Enable as LDAP Bind DN" in JumpCloud, but without Administer privileges, can also view user groups

          Of course, a user with admin and LDAP bind enabled can see groups as well.

          That drives a hypothesis, which is that an admin-privileged user can use the manager DN in the LDAP connection settings to search group membership, whereas a user without admin privileges has to rely on its own LDAP permissions to query for groups.

          Jenkins - 2.141

          LDAP plugin - 1.20

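The hypothesis above (admin sessions resolve groups via the manager DN, other sessions via the user's own bind) can be checked directly against the directory by running the same group search under both binds and diffing the result. This is an added diagnostic, not code from the ticket, Jenkins or the LDAP plugin; the LDAP URL, base DN, manager DN, user DN and the filter shape are assumptions.

```shell
#!/bin/sh
# Added diagnostic: run a plugin-style group-membership search once bound as
# the manager DN and once bound as the user, then list the groups that only
# the manager bind can see. All DNs, the URL and the filter are assumptions.

LDAP_URL="ldap://ldap.example.test"                # assumed directory URL
BASE_DN="dc=example,dc=test"                       # assumed search base
MANAGER_DN="cn=jenkins-svc,ou=service,$BASE_DN"    # assumed manager DN
USER_DN="uid=user,ou=people,$BASE_DN"              # assumed "user" from step 1

# Membership filter in the shape of the plugin's default group search
# (assumption): groups whose member/uniqueMember attribute names the user DN.
group_filter() {
  printf '(|(member=%s)(uniqueMember=%s))' "$1" "$1"
}

# Run the group search for user DN $3 while bound as $1 with password file $2.
# Needs ldapsearch (OpenLDAP client tools) and a reachable directory.
run_search() {
  ldapsearch -LLL -H "$LDAP_URL" -D "$1" -y "$2" -b "$BASE_DN" \
    "$(group_filter "$3")" dn
}

# Extract group DNs from LDIF on stdin (ldapsearch -LLL output), sorted.
# Limitation: base64 "dn::" lines and folded continuation lines are not handled.
group_dns() {
  awk '/^dn: /{sub(/^dn: /, ""); print}' | sort
}

# Group DNs in file $1 (manager bind) that are absent from file $2 (user bind).
# A non-empty result means the user's own bind lacks read access to those
# groups, which is exactly what would break group-based authorization.
missing_groups() {
  comm -23 "$1" "$2"
}

# Offline demonstration on constructed LDIF: the user's bind is denied read
# access to cn=ops, so it is reported as visible only to the manager bind.
demo() {
  m=$(mktemp); u=$(mktemp)
  printf 'dn: cn=devs,ou=groups,dc=example,dc=test\nobjectClass: groupOfNames\n\ndn: cn=ops,ou=groups,dc=example,dc=test\nobjectClass: groupOfNames\n' | group_dns > "$m"
  printf 'dn: cn=devs,ou=groups,dc=example,dc=test\nobjectClass: groupOfNames\n' | group_dns > "$u"
  missing_groups "$m" "$u"
  rm -f "$m" "$u"
}
```

For a live check, replace the constructed LDIF with `run_search "$MANAGER_DN" manager.pw "$USER_DN" | group_dns > manager.txt` and the same search bound as `$USER_DN` into user.txt, then run `missing_groups manager.txt user.txt`.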
          johnjeffers John Jeffers added a comment -

          Any chance we can get someone to look into this? I have the same problem as others here, also using JumpCloud. The only way I can get LDAP groups to work is if I give the user account "Enable as LDAP Bind DN" permissions. Without that, group memberships are not honored, and the logged-in user does not get the permissions assigned to the group.

          Does anyone using other LDAP providers have this problem, or is this unique to JumpCloud? Not really sure who I should be asking to fix this problem.


            People

            Assignee: Unassigned
            Reporter: mlasevich Michael Lasevich
            Votes: 5
            Watchers: 13
