• Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: _unsorted
    • Platform: All, OS: All

      I use LDAP and Matrix-based security.
      I've given the group "hudson_admin" all the permissions in the matrix, and when
      I try to log in a user who is a member of this group, I get this error:

      org.acegisecurity.providers.UsernamePasswordAuthenticationToken@79814ff9:
      Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@38a3ca;
      Password: [PROTECTED]; Authenticated: true; Details:
      org.acegisecurity.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1;
      SessionId: 042D1EDAA097F2C5B1D9A280A6D046D9; Granted Authorities:
      ROLE_HUDSON_ADMIN is missing Read

      FYI, I've given no permission to "anonymous".

          [JENKINS-2234] LDAP Group authorization doesn't work

          paran added a comment -

          Same problem with my installation. I used project-based matrix authorization. The
          global permissions work until READ is revoked from anonymous. The other
          permissions, especially ADMINISTER, seem to work, but I did no in-depth
          analysis. Project permissions didn't apply either.

          I can reproduce it on versions 1.244 and 1.249.


          clarkeja added a comment -

          I've been able to successfully get Matrix-based security validated against
          LDAP Security Roles. It took a little while to work out, but as long as you
          populate the groupSearchBase DN record it seems to hang together.

          The key link I was missing was the naming convention... Not quite shown in the help...

          If you have an LDAP role called "CN=Blackberry Users,OU=Security
          Groups,OU=Bidalonier,DC=acme,DC=int" then the role you add in the matrix window
          has to be "ROLE_BLACKBERRY USERS"

          e.g.

          <securityRealm class="hudson.security.LDAPSecurityRealm">
            <server>192.168.0.10</server>
            <rootDN>DC=acme,DC=int</rootDN>
            <userSearchBase>OU=Bidalonier</userSearchBase>
            <userSearch>sAMAccountName={0}</userSearch>
            <groupSearchBase>OU=Security\20Groups,OU=Bidalonier</groupSearchBase>
            <managerDN>ACME\clarkeja</managerDN>
            <managerPassword>dfghdghgfsdfsdfgdfg</managerPassword>
          </securityRealm>

          Even better, if there are no groups/roles assigned hudson tells you what ROLES_
          the ldap user account has in the exception stack, so it's a simple matter of
          using the ones that are appropriate (well done once again to the Hudson crew!!!).

          Hope this helps... So not sure that it is a bug as it seems to be working..
          Maybe just the LDAP Help needs a bit of lipstick.

          Using Hudson v1.255 against a Microsoft Active Directory

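As an added illustration of the naming convention clarkeja describes (this is not Hudson/Jenkins code nor code from the post): the group's CN is upper-cased and prefixed with ROLE_, and a matrix row must be keyed by that exact authority name, which is why a row created for the bare group name "hudson_admin" never satisfies a user whose granted authority is ROLE_HUDSON_ADMIN. The DN parser, the matrix shape and the group DNs are assumptions made for the example.

```python
from __future__ import annotations
import re

def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, honouring RFC 4514
    escapes such as '\\,' and the hex form '\\20' used in the config above."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", nxt):   # \20 -> space
                buf += chr(int(nxt, 16)); i += 3
            else:                                       # \, -> literal comma
                buf += dn[i + 1]; i += 2
            continue
        if ch == ",":
            rdns.append(buf); buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def group_dn_to_role(group_dn: str, prefix: str = "ROLE_") -> str:
    """Authority name the matrix expects for an LDAP group: ROLE_ + CN upper-cased."""
    cn = next(v for a, v in split_dn(group_dn) if a == "cn")
    return prefix + cn.upper()

def has_permission(granted: set[str], matrix: dict[str, set[str]], perm: str) -> bool:
    """Matrix check (assumed shape): a permission holds if any granted
    authority's row in the matrix lists it."""
    return any(perm in matrix.get(auth, set()) for auth in granted)

if __name__ == "__main__":
    group = "CN=Blackberry Users,OU=Security Groups,OU=Bidalonier,DC=acme,DC=int"
    print(group_dn_to_role(group))                        # ROLE_BLACKBERRY USERS
    # Reporter's situation (constructed): the row is keyed "hudson_admin", but the
    # authority granted at login is "ROLE_HUDSON_ADMIN", so Read is reported missing.
    matrix = {"hudson_admin": {"Read", "Administer"}}
    print(has_permission({"ROLE_HUDSON_ADMIN"}, matrix, "Read"))   # False
    admin_group = "CN=hudson_admin,OU=Groups,DC=acme,DC=int"        # constructed DN
    matrix[group_dn_to_role(admin_group)] = {"Read", "Administer"}
    print(has_permission({"ROLE_HUDSON_ADMIN"}, matrix, "Read"))   # True
```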

          paran added a comment -

          I have tested the same settings with versions 1.257 and 1.249: 1.257 works
          perfectly with LDAP and project matrix authorization but 1.249 doesn't (again
          the same error as reported by clemp6r).


          Alan Harder added a comment -

          1.289 will include the last in a series of refactors in this area, so it will be
          hard to trace any previously reported problems. So I'm going to close this
          issue, but please do test when 1.289 (or newer) comes out and file new issues
          for any LDAP problems you find (including improving the docs around ROLE_
          prefix), thanks!


            Assignee: Unassigned
            Reporter: clemp6r