JENKINS-48917

Add option to ignore LDAP domains upon connection failures

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: ldap-plugin
    • Labels:
      None
      Description

      If a user has configured multiple LDAP servers, then any operation (i.e. authentication, user lookup, group lookup) which fails because of a connection failure with a server (bad URL, bad manager password) will fail immediately and not try to use subsequent configurations. I would like an option to ignore communication failures so that operations will be attempted against subsequent configurations.

      For example, assume I have configured 2 LDAP servers in Jenkins which contain the following users:

      • Server1: 1 user: alice
      • Server2: 1 user: bob

      Normally, when attempting to authenticate bob, Jenkins first connects to Server1, checks that bob is not a valid user on that server, and then connects to Server2 and attempts to bind using the supplied credentials. If Server1 is down, then Jenkins is unable to check if bob is a valid user on Server1, and so it aborts. This leaves bob unable to log in until the connection to Server1 is fixed, even though his user is not stored on Server1. This behavior is necessary in case of a configuration such as the following, assuming that alice corresponds to a different user on each LDAP server and should not be considered the same Jenkins user:

      • Server1: 1 user: alice
      • Server2: 1 user: alice

      If I know my LDAP servers have non-overlapping usernames, then I would like the ability to mark those servers as ignorable in the event of a connection failure. Given the first set of servers, marking Server1 as ignorable would mean that bob could log in even if Server1 is unavailable. Servers should not be ignored by default, because of the potential security issue, and the ignore option should clearly explain the risks.
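
The fallthrough behavior described in this issue, as a simplified Python model added here for illustration; it is not the ldap-plugin's code. The `LdapServer`, `authenticate` and `scenario` names, the passwords, and the rule that the first server containing the username decides the login are assumptions.

```python
# Added illustration: a simplified model, not the ldap-plugin's implementation.
from dataclasses import dataclass


class ServerUnavailable(Exception):
    """Connection failure (bad URL, bad manager password, host down)."""


@dataclass
class LdapServer:  # hypothetical stand-in for one configured LDAP server
    name: str
    users: dict                      # username -> password (constructed data)
    up: bool = True
    ignore_if_unavailable: bool = False

    def lookup(self, username):
        if not self.up:
            raise ServerUnavailable(self.name)
        return username in self.users

    def bind(self, username, password):
        return self.users.get(username) == password


def authenticate(servers, username, password):
    """Return the name of the server that authenticated the user, or None."""
    for server in servers:
        try:
            if not server.lookup(username):
                continue             # confirmed absent here: safe to try the next server
        except ServerUnavailable:
            if server.ignore_if_unavailable:
                continue             # opt-in: skip without knowing if the user exists here
            return None              # default: fail closed, this server cannot be ruled out
        # Assumed rule: the first server that has the username decides the login.
        return server.name if server.bind(username, password) else None
    return None


def scenario(server2_users, server1_up, ignore, username, password):
    """Build the two-server setup from the issue and attempt one login."""
    servers = [
        LdapServer("Server1", {"alice": "pw-a1"}, up=server1_up,
                   ignore_if_unavailable=ignore),
        LdapServer("Server2", server2_users),
    ]
    return authenticate(servers, username, password)
```

With overlapping usernames, `scenario({"alice": "pw-a2"}, False, True, "alice", "pw-a2")` returns `"Server2"`, while the same login is rejected when Server1 is reachable; that difference is the risk the ignore option has to document.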

            Activity

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Devin Nusbaum
            Path:
            src/main/java/hudson/security/LDAPSecurityRealm.java
            src/main/java/jenkins/security/plugins/ldap/FromGroupSearchLDAPGroupMembershipStrategy.java
            src/main/java/jenkins/security/plugins/ldap/FromUserRecordLDAPGroupMembershipStrategy.java
            src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java
            src/main/java/jenkins/security/plugins/ldap/LDAPExtendedTemplate.java
            src/main/java/jenkins/security/plugins/ldap/LDAPGroupMembershipStrategy.java
            src/test/java/hudson/security/LDAPEmbeddedTest.java
            src/test/java/hudson/security/LdapMultiEmbeddedTest.java
            src/test/java/jenkins/security/plugins/ldap/LDAPExtendedTemplateTest.java
            http://jenkins-ci.org/commit/ldap-plugin/eea7336ee4cf2e275c469bea99f549eba74fdc2b
            Log:
            Merge branch 'master' into JENKINS-48917

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Andres Rodriguez
            Path:
            .gitignore
            src/main/java/hudson/security/LDAPSecurityRealm.java
            src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java
            src/main/resources/jenkins/security/plugins/ldap/LDAPConfiguration/config.jelly
            src/main/resources/jenkins/security/plugins/ldap/LDAPConfiguration/help-ignoreIfUnavailable.html
            src/test/java/hudson/security/LDAPSecurityRealmTest.java
            src/test/java/hudson/security/LdapMultiEmbeddedTest.java
            http://jenkins-ci.org/commit/ldap-plugin/2a78aeff2839a57b4f20898564938fb0373659eb
            Log:
            Merge pull request #31 from dwnusbaum/JENKINS-48917

            JENKINS-48917 Add option to ignore LDAP servers if they are unavailable.

            Compare: https://github.com/jenkinsci/ldap-plugin/compare/b4e383e9fd8a...2a78aeff2839

            dnusbaum Devin Nusbaum added a comment -

            Released in ldap:1.20


              People

              • Assignee:
                dnusbaum Devin Nusbaum
                Reporter:
                dnusbaum Devin Nusbaum