• Improvement
    • Resolution: Unresolved
    • Major
    • ldap-plugin
    • None
    • OpenLDAP/slapd

      I have a group in LDAP called "Jira Administrators" and I have a user called test.user.

      If I put test.user directly in the Jira Administrators, then authentication and authorization work fine. The user has full administrator access to Jenkins.

      But if I put test.user into a group called "Administrators" and then put that group as a member of the "Jira Administrators" group, then test.user can log in but gets treated like an anonymous user; it has no permission to do anything an administrator should be able to do.
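The behaviour in this report, as an added example (not part of the original issue and not the LDAP plugin's code): a lookup by direct `member` value finds only the group that lists the user, while a transitive walk also finds the parent group. The DNs, the assumption that `member` holds DNs, and the function names are illustrative; the directory is a constructed in-memory stand-in for LDAP searches.

```python
from collections import deque

# Constructed sample directory: group DN -> DNs listed in its `member` attribute.
# DNs are invented for illustration; group and user names follow the report.
BASE = "dc=example,dc=com"
USER = f"uid=test.user,ou=people,{BASE}"
ADMINS = f"cn=Administrators,ou=groups,{BASE}"
JIRA_ADMINS = f"cn=Jira Administrators,ou=groups,{BASE}"
LOOP = f"cn=Loop,ou=groups,{BASE}"

DIRECTORY = {
    ADMINS: [USER, LOOP],
    JIRA_ADMINS: [ADMINS],   # nested: a group is the member, not the user
    LOOP: [ADMINS],          # deliberate cycle: Administrators <-> Loop
}


def direct_groups(directory, member_dn):
    """Stand-in for one LDAP search with the filter (member=<member_dn>)."""
    return sorted(g for g, members in directory.items() if member_dn in members)


def nested_groups(directory, user_dn, max_depth=8):
    """Resolve direct and inherited groups, one search per discovered DN.

    Returns (groups, searches). The visited set stops membership cycles;
    max_depth bounds the work a deep or malformed group graph can cause.
    """
    seen = set()
    queue = deque([(user_dn, 0)])
    searches = 0
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue  # do not expand beyond the configured nesting depth
        searches += 1
        for group in direct_groups(directory, dn):
            if group not in seen:
                seen.add(group)
                queue.append((group, depth + 1))
    return sorted(seen), searches


if __name__ == "__main__":
    print("direct only:", direct_groups(DIRECTORY, USER))
    print("transitive :", nested_groups(DIRECTORY, USER))
```

Each discovered group costs one more search at login, so the depth cap and visited set bound latency as well as guarding against membership loops.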

          [JENKINS-18961] LDAP plugin does not support nested groups

          Mark Haase created issue -

          Nicolas De Loof added a comment - Depends on https://jira.springsource.org/browse/SEC-1823

          Bruce Coveny added a comment -

          There has been some chat on the springsource ticket and wondering if this could be investigated to what they said to allow nested groups. My firm only uses nested groups so instead of one or two groups we now have to add 50 different groups to Jenkins security console and maintain them all.

          Jean-Pierre Bergamin added a comment - 17/Jun/14 1:31 AM

          I use this class here: https://gist.github.com/ractive/258dd06c99d2939781c0
          Put it in the package org.springframework.security.ldap.authentication.ad and you should be ready to go...

          Abhimanyu Bishnoi added a comment -

          Has there been any update on this issue? I have Jenkins 1.636 and I still see this exact issue.
          Please let me know how this can be fixed. I used the LDAP plugin and our company uses Oracle, not Active Directory.

          Thanks

          Félix Belzunce Arcos made changes -
          Issue Type Original: Bug [ 1 ] New: Improvement [ 4 ]
          Félix Belzunce Arcos made changes -
          Attachment New: Screen Shot 2016-12-01 at 08.26.55.png [ 35052 ]

          Félix Belzunce Arcos added a comment -

          LDAP plugin works against AD server in which users are members of nested groups. You just need to change the query on the plugin following the section of the wiki "Tips and Tricks".

          Emory Penney added a comment -

          Wow, that query is slow.  So slow my login attempts time out when I try to use it.

          Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

          Oleg Nenashev made changes -
          Assignee Original: Kohsuke Kawaguchi [ kohsuke ]

            Assignee: Unassigned
            Reporter: Mark Haase (mehaase)
            Votes: 11
            Watchers: 18
