Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-60443

LDAP Plugin Ignores Group Search Filter

    Details

    • Similar Issues:

      Description

      When configuring a Group Serch Filter in Jenkins it is not evaluated. Step-Debugging the Plugin reveals that the AuthoritiesPopulatorImpl holds the default value in groupSearchFilter. Setting a Group memberhsip filter causes the groupSearchFilter Field in AuthoritiesPopulatorImpl to hold the Group membership filter.

       

      Our Group configuration in LDAP is a tree following this schema:

      ou:Project ---> ou:Tool ---> cn: posixGroup

      We use Group Search Filters to match the correct ou to search Groups having the same Groupname may exist in other tool OUs. The filter used is (ou:dn:=ci) as the Tools ou we host our Jenkins groups in is called ci. Having a group admin in this ou and having a group admin in another ou causes that other Group to also be matched. 

       

      My discovery is, that with a Group Search Filter set in the LDAP Configuration, the AuthoritiesPopulatorImpl holds the Filter "(| (member={0}) (uniqueMember={0}) (memberUid={1}))" in the groupSearchFilter field. As a fix I was able to set the Group membership filter to "(&(ou:dn:=ci)(memberUid={1}))".

       

      Possible fixes: Either drop the Group search filter field entirely as it seems disused or restore usage of this field

        Attachments

          Activity

          There are no comments yet on this issue.

            People

            • Assignee:
              Unassigned
              Reporter:
              juwi Julian Wissmann
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: