JENKINS-61761

LDAP not matching groups with different base dn as user


    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Component/s: ldap-plugin
    • Labels:
    • Environment:
      Jenkins: 2.190.2
      LDAP Plugin: 1.21


      We have a pretty large company that has users created in different domains and user groups in a single domain. When we attempt to do user grouping, if the user's base DN doesn't match the group DN, the group won't match to the user. We try to manage access all via a single (largely nested) group.

      What I observe:

      User 1: CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com
      User 2: CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com

      Group 1: CN=MyBigGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com
      Group 2: CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com

      User 1 and User 2 are members of "MyNestedGroup".

      Here is my ldap config:

      Server: ldap://server.company.com:3268
      Root DN: DC=company,DC=com
      User Search Base: <empty>
      User Search Filter: sAMAccountName={0}
      Group Search Base: <empty>
      Group Search Filter: (&(cn={0})(objectclass=group))
      Group Membership: (Search for LDAP groups containing user)
      Group Membership Filter: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))

      When I search for "UserName1" it matches to MyNestedGroup and MyBigGroup; when I search for "UserName2" it doesn't match to any groups.

      Am I doing something wrong with my queries/filters or is this a bug in the ldap-plugin?

      *Note: when I do "Parse user attribute for list of LDAP groups" instead, I see "MyNestedGroup" for both users (no matches to MyBigGroup, which is expected as no reverse lookup appears to be done here).


      When I run the script console with the following, I see that everything has the right members:

      println(Jenkins.instance.securityRealm.loadGroupByGroupname('MyBigGroup', true).getMembers())
      println(Jenkins.instance.securityRealm.loadGroupByGroupname("MyNestedGroup", true).getMembers())
      [User1, User2]





          There are no comments yet on this issue.
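
Added example (not part of the original report and not ldap-plugin code): a small Python model of what the two group-membership modes in the configuration above compute, run over a constructed directory built from the DNs in the report. It assumes MyNestedGroup is a direct member of MyBigGroup; the helper names are hypothetical. In this model the user's domain component plays no part in the match, so both users resolve to both groups under the in-chain filter.

```python
# Constructed directory modelled on the DNs in the report (not real data).
USER1 = "CN=UserName1,OU=Users,OU=SomePlace,dc=foo,DC=company,DC=com"
USER2 = "CN=UserName2,OU=Users,OU=SomeOtherPlace,dc=bar,DC=company,DC=com"
NESTED = "CN=MyNestedGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com"
BIG = "CN=MyBigGroup,OU=Distribution Lists,DC=foo,DC=company,DC=com"

# group DN -> values of its "member" attribute.
# Assumption: MyNestedGroup is a direct member of MyBigGroup.
MEMBERS = {
    NESTED: [USER1, USER2],
    BIG: [NESTED],
}

def norm(dn):
    """Case-insensitive DN comparison key (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def direct_groups(dn):
    """Groups whose member attribute lists dn (what memberOf would show)."""
    key = norm(dn)
    return {g for g, ms in MEMBERS.items() if key in map(norm, ms)}

def in_chain_groups(dn):
    """Groups reachable through nested membership, which is what the
    (member:1.2.840.113556.1.4.1941:=dn) filter is meant to return."""
    found, queue = set(), [dn]
    while queue:
        for g in direct_groups(queue.pop()):
            if g not in found:  # also guards against membership cycles
                found.add(g)
                queue.append(g)
    return found

def cn(dns):
    """Sorted common names of a collection of DNs, for readable output."""
    return sorted(d.split(",")[0][3:] for d in dns)

if __name__ == "__main__":
    for user in (USER1, USER2):
        print(cn([user])[0], "direct:", cn(direct_groups(user)),
              "in-chain:", cn(in_chain_groups(user)))
```

Comparing this expected result with what an LDAP client returns for the same filter against the configured server separates a directory-side difference from a plugin-side one.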


            • Assignee:
              Topher Perusse
            • Votes:
              0
            • Watchers:
              1


              • Created: