Jenkins / JENKINS-55813

Improve AD/LDAP attribute analysis for locked accounts

      Description

      In the current situation, there is no check for accounts that are disabled, locked or expired, or whose credentials have expired, in active-directory.

      This ticket has the goal to improve the situation by reading as much as possible from the attributes returned by the server.
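
      An added example, not code from the linked PRs or from the Jenkins plugins: one way to map Microsoft-style directory attributes onto the four account-state flags that `UserDetails` exposes. The class name `AdAccountState`, the attribute map passed in, and the lenient handling of missing attributes are assumptions made for illustration.

```java
import java.time.Instant;
import java.util.Map;

/** Added example: decodes Microsoft-style AD attributes into four account-state flags. */
public class AdAccountState {
    // Bit values of userAccountControl as documented by Microsoft.
    static final long ACCOUNTDISABLE   = 0x0002;
    static final long LOCKOUT          = 0x0010;
    static final long PASSWORD_EXPIRED = 0x800000;
    // accountExpires is 0 or this value when the account never expires.
    static final long NEVER = 0x7FFFFFFFFFFFFFFFL;
    // Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
    static final long EPOCH_DIFF_SECONDS = 11_644_473_600L;

    final boolean enabled, accountNonExpired, accountNonLocked, credentialsNonExpired;

    AdAccountState(Map<String, String> attrs, Instant now) {
        // Assumption: a missing or unparsable attribute means "no restriction",
        // so directories without these attributes still work; a stricter realm could fail closed.
        long uac = parse(attrs.get("userAccountControl"));
        // AD reports live lockout and password expiry in this constructed attribute,
        // which must be requested explicitly in the search; OR it with the stored flags.
        long computed = parse(attrs.get("msDS-User-Account-Control-Computed"));
        long flags = uac | computed;
        long expires = parse(attrs.get("accountExpires"));

        enabled = (flags & ACCOUNTDISABLE) == 0;
        accountNonLocked = (flags & LOCKOUT) == 0;
        credentialsNonExpired = (flags & PASSWORD_EXPIRED) == 0;
        accountNonExpired = expires == 0 || expires == NEVER || toInstant(expires).isAfter(now);
    }

    static long parse(String value) {
        try { return value == null ? 0L : Long.parseLong(value.trim()); }
        catch (NumberFormatException e) { return 0L; }
    }

    /** Converts a FILETIME (100 ns ticks since 1601-01-01 UTC) to an Instant. */
    static Instant toInstant(long fileTime) {
        return Instant.ofEpochSecond(fileTime / 10_000_000L - EPOCH_DIFF_SECONDS);
    }

    boolean mayAuthenticate() {
        return enabled && accountNonExpired && accountNonLocked && credentialsNonExpired;
    }

    public static void main(String[] args) {
        // Constructed sample: 514 = NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2).
        AdAccountState s = new AdAccountState(
            Map.of("userAccountControl", "514", "accountExpires", "0"), Instant.now());
        System.out.println("enabled=" + s.enabled + " mayAuthenticate=" + s.mayAuthenticate());
    }
}
```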

          Activity

          wfollonier Wadeck Follonier created issue -
          spinus1 Alessio Moscatello made changes -
          Field Original Value New Value
          Assignee Wadeck Follonier [ wfollonier ] Alessio Moscatello [ spinus1 ]
          wfollonier Wadeck Follonier made changes -
          Remote Link This issue links to "#89 in active-directory (Web Link)" [ 22316 ]
          wfollonier Wadeck Follonier made changes -
          Remote Link This issue links to "#34 in ldap (Web Link)" [ 22317 ]
          wfollonier Wadeck Follonier made changes -
          Remote Link This issue links to "#3866 in core (Web Link)" [ 22318 ]
          wfollonier Wadeck Follonier added a comment -

          The PRs in ldap and active-directory use Microsoft's standard for the attribute names/values. I am not sure that's sufficient to cover most of the usage.

          spinus1 Alessio Moscatello made changes -
          Assignee Alessio Moscatello [ spinus1 ] Wadeck Follonier [ wfollonier ]
          danielbeck Daniel Beck made changes -
          Link This issue is duplicated by SECURITY-900 [ SECURITY-900 ]
          jvz Matt Sicker added a comment -

          Wadeck Follonier what do you mean by cover most of the usage? The usage within Jenkins plugins that may wish to impersonate a user? Or other LDAP servers? I've been starting to investigate this and have gotten somewhat confused around the current goal.

          wfollonier Wadeck Follonier added a comment -

          Matt Sicker In the core, I covered only the cast of the API Token, but didn't investigate further; it was just a PoC at that time. We need to ensure that every use of the Security realm check methods is consistent, i.e. checking the attributes of the UserDetails before using them.

          fbelzunc Félix Belzunce Arcos made changes -
          Status Open [ 1 ] In Progress [ 3 ]
          fbelzunc Félix Belzunce Arcos made changes -
          Status In Progress [ 3 ] Open [ 1 ]
          jschlessel James Schlesselman added a comment -

          FYI . . I was not able to login after upgrading to 2.15.  I downgraded back to 2.14 and was able to login again.

          nsleigh Neil Sleightholm added a comment -

          Same issue for me, 2.15 stops me logging in; had to revert to 2.14.

          jvz Matt Sicker added a comment -

          I believe this PR was merged prematurely in the AD plugin. I'll submit a revert PR and refile the original as a draft PR.

          jvz Matt Sicker added a comment -

          Adding link to updated AD PR as a draft.

          jvz Matt Sicker made changes -
          Remote Link This issue links to "#96 in active-directory (Web Link)" [ 23013 ]
          jvz Matt Sicker made changes -
          Remote Link This issue links to "#89 in active-directory (Web Link)" [ 22316 ]
          wfollonier Wadeck Follonier added a comment -

          The work on this ticket is "on-hold" for the moment, to be resumed soon-ish.


            People

            • Assignee: wfollonier Wadeck Follonier
            • Reporter: wfollonier Wadeck Follonier
            • Votes: 0
            • Watchers: 6