JENKINS-55813

Improve AD/LDAP attribute analysis for locked accounts

Description

In the current situation, there is no check for accounts that are disabled, locked or expired, or whose credentials have expired, in Active Directory.

The goal of this ticket is to improve the situation by reading as much as possible from the attributes returned by the server.

      Relevant docs:

Activity

jvz Matt Sicker added a comment -

          Adding link to updated AD PR as a draft.

wfollonier Wadeck Follonier added a comment -

          The work on this ticket is "on-hold" for the moment, to be resumed soon-ish.

jvz Matt Sicker added a comment -

          I started looking back into this issue and found some interesting info to share:

          1. Acegi has a UserDetailsChecker API which we can re-use rather than the UserDetailsHelper class. This is what's done by AbstractUserDetailsAuthenticationProvider which is used for LDAP and AD.
          2. The LDAP and AD PRs need some proper integration tests added considering they're somewhat complex scenarios.
          3. It would be great if we could make an automated test using a Windows Docker container for the AD scenario, though that might be too complex to set up.

          Basically, we can deliver this in three pieces since the Jenkins core updates will be to ensure user details are checked at all (and not just most) of the necessary call sites while the plugin updates will be to fill in real values other than true.

jvz Matt Sicker added a comment -
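The attribute reading the description asks for, and the four flags a UserDetailsChecker inspects (isEnabled, isAccountNonExpired, isAccountNonLocked, isCredentialsNonExpired), as an added illustration that is not code from active-directory-plugin, ldap-plugin or the linked PRs. It maps the AD attributes userAccountControl, msDS-User-Account-Control-Computed, accountExpires, lockoutTime and pwdLastSet onto those flags. The 30-minute lockout duration is an assumption (a real check would read the domain's lockoutDuration), and the sample entries are constructed.

```python
"""Map Active Directory account attributes onto the four account-status flags.

Added example for JENKINS-55813; not code from active-directory-plugin or the
linked PRs. Attribute names and bit values are the ones Microsoft documents;
the lockout duration and the sample entries are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl / msDS-User-Account-Control-Computed bits
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000

# AD stores timestamps as FILETIME: 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires uses both of these values to mean "never expires".
_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(ticks):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used here to build sample entries)."""
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def account_status(entry, now, lockout_duration=timedelta(minutes=30)):
    """Return the flags a UserDetails object would expose for this entry.

    entry: dict of attribute name -> integer value as returned by the server.
    lockout_duration: assumed domain policy; read lockoutDuration in practice.
    """
    uac = int(entry.get("userAccountControl", 0))
    # AD does not maintain the LOCKOUT or PASSWORD_EXPIRED bits inside
    # userAccountControl itself; the server computes them into this attribute.
    computed = int(entry.get("msDS-User-Account-Control-Computed", 0))
    flags = uac | computed

    enabled = not (flags & UF_ACCOUNTDISABLE)

    expires = int(entry.get("accountExpires", 0))
    account_non_expired = (expires in _NEVER_EXPIRES
                           or filetime_to_datetime(expires) > now)

    # lockoutTime is 0 when never locked. A non-zero value is the time the lock
    # started; AD lifts the lock implicitly once lockoutDuration has passed,
    # without resetting the attribute, so the age of the lock must be checked.
    lockout_time = int(entry.get("lockoutTime", 0))
    still_locked = (lockout_time != 0
                    and filetime_to_datetime(lockout_time) + lockout_duration > now)
    account_non_locked = not (flags & UF_LOCKOUT) and not still_locked

    # pwdLastSet == 0 means "must change password at next logon".
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    if flags & UF_DONT_EXPIRE_PASSWD:
        credentials_non_expired = True
    else:
        credentials_non_expired = (pwd_last_set != 0
                                   and not (flags & UF_PASSWORD_EXPIRED))

    return {
        "enabled": enabled,
        "account_non_expired": account_non_expired,
        "account_non_locked": account_non_locked,
        "credentials_non_expired": credentials_non_expired,
    }


# Constructed sample entries, evaluated at a fixed "now".
SAMPLE_NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)
_PWD_SET = datetime_to_filetime(SAMPLE_NOW - timedelta(days=10))
SAMPLE_ENTRIES = {
    "normal": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _PWD_SET},
    "disabled": {"userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
                 "pwdLastSet": _PWD_SET},
    "locked": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _PWD_SET,
               "lockoutTime": datetime_to_filetime(SAMPLE_NOW - timedelta(minutes=5))},
    "lock_expired": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _PWD_SET,
                     "lockoutTime": datetime_to_filetime(SAMPLE_NOW - timedelta(hours=2))},
    "expired_account": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _PWD_SET,
                        "accountExpires": datetime_to_filetime(SAMPLE_NOW - timedelta(days=1))},
    "must_change_password": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": 0},
    "password_expired": {"userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _PWD_SET,
                         "msDS-User-Account-Control-Computed": UF_PASSWORD_EXPIRED},
}


def evaluate_samples(now=SAMPLE_NOW):
    """Evaluate every constructed entry; returns name -> status flags."""
    return {name: account_status(entry, now) for name, entry in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, status in evaluate_samples().items():
        blocked = [flag for flag, ok in status.items() if not ok]
        print(f"{name:22s} {'OK' if not blocked else 'blocked: ' + ', '.join(blocked)}")
```

The "lock_expired" entry is the case that bites in practice: lockoutTime stays non-zero after the domain lifts the lock, so a check that only tests lockoutTime != 0 keeps rejecting a user the directory itself would let in.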

          Turns out there were more scenarios to support in the original PR. The included Docker tests don't seem to work properly on macOS, so I ended up testing out my changes here using ApacheDS and OpenLDAP locally with the Planet Express data set (along with changing various account attributes to test out account disabled scenarios). All seems to work, though the caching in place would be best served by listening for LDAP events when supported, but that seems like a separate feature.

jvz Matt Sicker added a comment -

          I've filed some PRs to get this moving:

          https://github.com/jenkinsci/jenkins/pull/4925

          https://github.com/jenkinsci/ldap-plugin/pull/50

          I haven't had a chance to test out the equivalent patch for active-directory-plugin yet.

People

Assignee: wfollonier Wadeck Follonier
Reporter: wfollonier Wadeck Follonier