Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-60306

LDAP login user needs read permissions

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: ldap-plugin
    • Labels:
    • Environment:
      Red Hat Enterprise Linux Server 7.6
      Jenkins 2.204
      LDAP Plugin 1.21
    • Similar Issues:

      Description

      In our LDAP server the anonymus access is not allowed, so we need to authenticate with Manager DN and then search the login user attributes. When we "Test LDAP settings" we can see how the Lookup is successful:
       

      Lookup
      User lookup: successful
      User ID: username
      User Dn: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain
      User Display Name: username 
      LDAP Group membership:  GLOBAL_GROUP   
      LDAP Group lookup: successful (1 group)

      But the login failed:
       

      Login 
      Authentication: failed for user "username"
      
      Lockout
      The user "username" will be unable to login with the supplied password.
      If this is your own account this would mean you would be locked out!
      Are you sure you want to save this configuration?

       
      We have checked that the password is okey loging in directly on the LDAP.
       
      We have captured the conversation between Jenkins and the LDAP and analyzing it with Wireshark we found that the LDAP plugin requires two times the read permission for reading the LDAP tree, the first time when the Manager DN search the login user, and a second time when the login user needs to read his own attributes before login, in our LDAP is not allowed for login users to read the attributes for security reasons, that king of users only can login on LDAP not read the tree:so the search find 0 attributes:
       
       

      searchRequest
         baseObject: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain
         scope: baseObject (0)
         derefAliases: derefAlways (3)
         sizeLimit: 0
         timeLimit: 0
         typesOnly: False
         Filter: (objectClass=*)    
            filter: present (7)
            present: objectClass
         attributes: 0 items

       
       
      And produces that error:

      0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of:  'O=domain'

       
      I think it is not necessary to read two times the LDAP three, the first time is necessary to lookup (Manager DN) but the login user shouldn't have to read again the LDAP to login.
       

        Attachments

          Activity

          bobgalicia Roberto Galicia created issue -

            People

            • Assignee:
              Unassigned
              Reporter:
              bobgalicia Roberto Galicia
            • Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: