-
Type:
Improvement
-
Status: Open (View Workflow)
-
Priority:
Major
-
Resolution: Unresolved
-
Component/s: active-directory-plugin, core, ldap-plugin
-
Labels:None
-
Similar Issues:
In the current situation, there is no check about the accounts that are disabled, locked or expired, or having their credentials expired in active-directory.
This ticket has the goal to improve the situation by reading as much as possible from the attributes returned by the server.
Wadeck Follonier what do you mean by cover most of the usage? The usage within Jenkins plugins that may wish to impersonate a user? Or other LDAP servers? I've been starting to investigate this and have gotten somewhat confused around the current goal.
Matt Sicker In the core, I covered only the cast of the API Token, but didn't investigate further, it was just a PoC at that time. We need to ensure that every use of the Security realm check methods are consistent, i.e. checking the attribute of the UserDetails before using them.
FYI . . I was not able to login after upgading to 2.15. I downgraded back to 2.14 and was able to login again.
Same issue for me, 2.15 stops me logging in had to revert to 2.14.
I believe this PR was merged prematurely in the AD plugin. I'll submit a revert PR and refile the original as a draft PR.
Adding link to updated AD PR as a draft.
The work on this ticket is "on-hold" for the moment, to be resumed soon-ish.
The PRs in ldap and active-directory uses the Microsoft's standard for the attribute names/values. I am not sure that's sufficient to cover most of the usage.