
Add option to ignore LDAP domains upon connection failures

    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: ldap-plugin
    • Labels: None

      Description

      If a user has configured multiple LDAP servers, then any operation (i.e. authentication, user lookup, group lookup) which fails because of a connection failure with a server (bad URL, bad manager password) will fail immediately and not try to use subsequent configurations. I would like an option to ignore communication failures so that operations will be attempted against subsequent configurations.

      For example, assume I have configured 2 LDAP servers in Jenkins which contain the following users:

      • Server1: 1 user: alice
      • Server2: 1 user: bob

      Normally, when attempting to authenticate bob, Jenkins first connects to Server1, checks that bob is not a valid user on that server, and then connects to Server2 and attempts to bind using the supplied credentials. If Server1 is down, then Jenkins is unable to check if bob is a valid user on Server1, and so it aborts. This leaves bob unable to log in until the connection to Server1 is fixed, even though his user is not stored on Server1. This behavior is necessary in case of a configuration such as the following, assuming that alice corresponds to a different user on each LDAP server and should not be considered the same Jenkins user:

      • Server1: 1 user: alice
      • Server2: 1 user: alice

      If I know my LDAP servers have non-overlapping usernames, then I would like the ability to mark those servers as ignorable in the event of a connection failure. Given the first set of servers, marking Server1 as ignorable would mean that bob could log in even if Server1 is unavailable. Servers should not be ignored by default, because of the potential security issue, and the ignore option should clearly explain the risks.
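      The lookup chain described above, as an added simulation that is not the ldap-plugin's code: each configured server is tried in order, a user not stored on a server falls through to the next one, and a connection failure (unreachable host, bad URL, failed manager bind) either aborts the whole operation (current behaviour) or, only when that server carries the requested opt-in flag, is skipped. The server names, usernames and passwords are constructed; the `ignore_if_unavailable` field and the `AuthResult` type are assumptions made for the example, not plugin settings. The second scenario reproduces the security issue the description warns about: with overlapping usernames and Server1 marked ignorable, the alice from Server2 signs in as the Jenkins user alice whenever Server1 is down.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class ConnectionFailure(Exception):
    """A server could not be used at all: bad URL, host down, or failed manager bind."""


@dataclass
class LdapServer:
    name: str
    users: Dict[str, str]               # constructed directory: username -> password
    reachable: bool = True
    ignore_if_unavailable: bool = False  # assumed per-server opt-in; off by default

    def lookup(self, username: str) -> bool:
        """Is this username stored on this server? Raises if the server is unusable."""
        if not self.reachable:
            raise ConnectionFailure(f"{self.name}: cannot connect")
        return username in self.users

    def bind(self, username: str, password: str) -> bool:
        """Bind with the supplied credentials. Raises if the server is unusable."""
        if not self.reachable:
            raise ConnectionFailure(f"{self.name}: cannot connect")
        return self.users.get(username) == password


@dataclass
class AuthResult:
    outcome: str                   # "ok", "bad-credentials", "unknown-user" or "error"
    server: Optional[str]          # server that produced the outcome
    skipped: Tuple[str, ...] = ()  # ignorable servers that were down; worth logging


def authenticate(servers: List[LdapServer], username: str, password: str) -> AuthResult:
    """Walk the configurations in order, exactly as the description lays out."""
    skipped: List[str] = []
    for server in servers:
        try:
            if not server.lookup(username):
                continue  # user not stored here: try the next configuration
            ok = server.bind(username, password)
            return AuthResult("ok" if ok else "bad-credentials", server.name, tuple(skipped))
        except ConnectionFailure:
            if server.ignore_if_unavailable:
                skipped.append(server.name)  # opt-in: treat as "user not here"
                continue
            # Default: abort immediately rather than guess what the dead server holds.
            return AuthResult("error", server.name, tuple(skipped))
    return AuthResult("unknown-user", None, tuple(skipped))


def disjoint_servers(server1_ignorable: bool, server1_up: bool) -> List[LdapServer]:
    """First configuration from the description: non-overlapping usernames."""
    return [
        LdapServer("Server1", {"alice": "alice-pw"}, reachable=server1_up,
                   ignore_if_unavailable=server1_ignorable),
        LdapServer("Server2", {"bob": "bob-pw"}),
    ]


def overlapping_servers(server1_ignorable: bool, server1_up: bool) -> List[LdapServer]:
    """Second configuration: the same username on both servers, meant to be two people."""
    return [
        LdapServer("Server1", {"alice": "alice-pw-1"}, reachable=server1_up,
                   ignore_if_unavailable=server1_ignorable),
        LdapServer("Server2", {"alice": "alice-pw-2"}),
    ]


if __name__ == "__main__":
    print(authenticate(disjoint_servers(False, False), "bob", "bob-pw"))      # error on Server1
    print(authenticate(disjoint_servers(True, False), "bob", "bob-pw"))       # ok via Server2
    print(authenticate(overlapping_servers(True, False), "alice", "alice-pw-2"))  # the risk
```

      The `skipped` field is the operational hook: anything that acts on a result with a non-empty `skipped` tuple should be logged and alerted on, because every such login succeeded without the skipped server having been consulted.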

        Activity

            dnusbaum Devin Nusbaum created issue -
            dnusbaum Devin Nusbaum made changes -
            Field Original Value New Value
            Description: added the closing sentence "Servers should not be ignored by default, because of the potential security issue, and the ignore option should clearly explain the risks." The rest of the text, which at this point still read "multiple LDAP domains", was unchanged.
            dnusbaum Devin Nusbaum made changes -
            Assignee Kohsuke Kawaguchi [ kohsuke ] Devin Nusbaum [ dnusbaum ]
            dnusbaum Devin Nusbaum made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            dnusbaum Devin Nusbaum made changes -
            Description: changed "multiple LDAP domains" to "multiple LDAP servers" in the first sentence; the resulting text is the current description shown above.
            dnusbaum Devin Nusbaum made changes -
            Summary Add ability to ignore LDAP domains upon connection failures Add ability to ignore LDAP configurations upon connection failures
            dnusbaum Devin Nusbaum made changes -
            Summary Add ability to ignore LDAP configurations upon connection failures Add option to ignore LDAP domains upon connection failures
            dnusbaum Devin Nusbaum made changes -
            Remote Link This issue links to "PR #31 (Web Link)" [ 20003 ]
            dnusbaum Devin Nusbaum made changes -
            Status In Progress [ 3 ] Resolved [ 5 ]
            Resolution Fixed [ 1 ]

              People

              • Assignee: dnusbaum Devin Nusbaum
              • Reporter: dnusbaum Devin Nusbaum
              • Votes: 0
              • Watchers: 2
