Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-60306

LDAP login user needs read permissions

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: ldap-plugin
    • Labels:
    • Environment:
      Red Hat Enterprise Linux Server 7.6
      Jenkins 2.204
      LDAP Plugin 1.21
    • Similar Issues:

      Description

      In our LDAP server the anonymus access is not allowed, so we need to authenticate with Manager DN and then search the login user attributes. When we "Test LDAP settings" we can see how the Lookup is successful:
       

      Lookup
      User lookup: successful
      User ID: username
      User Dn: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain
      User Display Name: username 
      LDAP Group membership:  GLOBAL_GROUP   
      LDAP Group lookup: successful (1 group)

      But the login failed:
       

      Login 
      Authentication: failed for user "username"
      
      Lockout
      The user "username" will be unable to login with the supplied password.
      If this is your own account this would mean you would be locked out!
      Are you sure you want to save this configuration?

       
      We have checked that the password is okey loging in directly on the LDAP.
       
      We have captured the conversation between Jenkins and the LDAP and analyzing it with Wireshark we found that the LDAP plugin requires two times the read permission for reading the LDAP tree, the first time when the Manager DN search the login user, and a second time when the login user needs to read his own attributes before login, in our LDAP is not allowed for login users to read the attributes for security reasons, that king of users only can login on LDAP not read the tree:so the search find 0 attributes:
       
       

      searchRequest
         baseObject: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain
         scope: baseObject (0)
         derefAliases: derefAlways (3)
         sizeLimit: 0
         timeLimit: 0
         typesOnly: False
         Filter: (objectClass=*)    
            filter: present (7)
            present: objectClass
         attributes: 0 items

       
       
      And produces that error:

      0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:  'O=domain'

       
      I think it is not necessary to read two times the LDAP three, the first time is necessary to lookup (Manager DN) but the login user shouldn't have to read again the LDAP to login.
       

        Attachments

          Activity

          Hide
          mig5 Mig Jacq added a comment -

          I have exactly the same problem (accidentally reported in a different plugin here but the issue is the same there: https://issues.jenkins-ci.org/browse/JENKINS-60306)

          It should not be necessary for the user to have read access to the LDAP tree if the ManagerDN is being used to bind. That's the whole point of using a ManagerDN, in case read access otherwise is not enabled except to maybe a few key attributes (like userPassword so the user can edit their own password in some sort of LDAP manager)

          Show
          mig5 Mig Jacq added a comment - I have exactly the same problem (accidentally reported in a different plugin here but the issue is the same there: https://issues.jenkins-ci.org/browse/JENKINS-60306 ) It should not be necessary for the user to have read access to the LDAP tree if the ManagerDN is being used to bind. That's the whole point of using a ManagerDN, in case read access otherwise is not enabled except to maybe a few key attributes (like userPassword so the user can edit their own password in some sort of LDAP manager)
          Hide
          mig5 Mig Jacq added a comment - - edited

          This worked for me:

          olcAccess: {3}to *
            by self read
            by * break
          

          (other access controls to * but with filters, allowed to other bind auth credentials follow, hence the break)

          This works for my needs as it appears to only allow read access to the user's own object itself (rather than read all users)

          Show
          mig5 Mig Jacq added a comment - - edited This worked for me: olcAccess: {3}to * by self read by * break (other access controls to * but with filters, allowed to other bind auth credentials follow, hence the break) This works for my needs as it appears to only allow read access to the user's own object itself (rather than read all users)

            People

            • Assignee:
              Unassigned
              Reporter:
              bobgalicia Roberto Galicia
            • Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: