Jenkins / JENKINS-45576

AD recognizes groups by CN and sAMAccount when authorities only works with CN

      Description

      The AD plugin recognizes groups by CN and sAMAccount. Firstly, it will try to look for the CN and later, if not found, for the sAMAccount. However, it always returns what was introduced as groupname, when it should be returning something like group.getCN() where group is an Attribute.

      https://github.com/jenkinsci/active-directory-plugin/blob/active-directory-2.6/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java#L524-L536

      The problem is that when looking for users through loadUserByUsername, it adds as Authorities the group CN, but not the group sAMAccount.

      https://github.com/jenkinsci/active-directory-plugin/blob/16bc35c9bb441fef4431ff0267506494b2647269/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java#L602

            Activity

            dariver Darío Villadiego added a comment -

            I've been investigating this and it seems that the problem doesn't have a complete fix in the AD plugin.

            Changing the loadGroupByGroupname method to return the CN found instead of the groupname received won't guarantee that it works, because it depends on how the authorization plugins are implemented (for example, the Matrix authorization plugin ignores the value returned by loadGroupByGroupname and saves the group typed by the user).

            Allowing search by sAMAccount will continue causing issues because Jenkins is considering one AD group as two different groups (the one resolved by cn and the other by sAMAccount). FMPOV the best approach here is ignoring the sAMAccount search for groups to avoid confusion.

            dariver Darío Villadiego added a comment -

            PR sent

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Darío Villadiego
            Path:
            src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java
            src/test/java/hudson/plugins/active_directory/docker/TheFlintstonesTest.java
            src/test/resources/hudson/plugins/active_directory/docker/TheFlintstonesTest/TheFlintstones/custom.sh
            http://jenkins-ci.org/commit/active-directory-plugin/eae7cb85eaa3514b932010a46566cc6ac39b9b93
            Log:
            [FIXED JENKINS-45576] AD recognizes groups by CN and sAMAccount when authorities only works with CN (#81)

            JENKINS-45576 Removing the ability to search groups by sammaccountname.
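
The mismatch discussed in this issue, as an added Java sketch that is not the plugin's code and not part of any comment above. The directory entry, both group names and all method names are constructed for illustration (records need Java 16 or later).

```java
import java.util.*;

// Added illustration; the group and its two names are constructed sample data.
public class GroupNameMismatch {
    record AdGroup(String cn, String samAccountName) {}

    static final List<AdGroup> DIRECTORY = List.of(new AdGroup("Engineering Team", "eng-team"));

    // Behaviour described in the issue: match on CN first, then on sAMAccountName,
    // and hand back the name the caller typed rather than the group's CN.
    static Optional<String> lookupCnOrSam(String typed) {
        for (AdGroup g : DIRECTORY)
            if (g.cn().equals(typed)) return Optional.of(typed);
        for (AdGroup g : DIRECTORY)
            if (g.samAccountName().equals(typed)) return Optional.of(typed);
        return Optional.empty();
    }

    // Behaviour after the change: only a CN match resolves the group.
    static Optional<String> lookupCnOnly(String typed) {
        boolean found = DIRECTORY.stream().anyMatch(g -> g.cn().equals(typed));
        return found ? Optional.of(typed) : Optional.empty();
    }

    // Authorities built for a member user carry the group's CN only.
    static Set<String> authoritiesForMember() {
        Set<String> out = new HashSet<>();
        for (AdGroup g : DIRECTORY) out.add(g.cn());
        return out;
    }

    // An ACL entry takes effect only if its stored name is among the user's authorities.
    static boolean aclEntryMatches(String storedName) {
        return authoritiesForMember().contains(storedName);
    }

    public static void main(String[] args) {
        for (String typed : List.of("Engineering Team", "eng-team")) {
            System.out.printf("%-18s cnOrSam=%-5b cnOnly=%-5b aclMatches=%b%n", typed,
                    lookupCnOrSam(typed).isPresent(), lookupCnOnly(typed).isPresent(),
                    aclEntryMatches(typed));
        }
    }
}
```

A name that resolves under the CN-or-sAMAccountName lookup but never matches an authority is the case to audit for in existing permission entries: the entry validates as a real group yet grants nothing to its members.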


              People

              • Assignee:
                fbelzunc Félix Belzunce Arcos
                Reporter:
                fbelzunc Félix Belzunce Arcos