-
Bug
-
Resolution: Fixed
-
Major
-
None
-
Platform: All, OS: All
I use LDAP and Matrix based security.
I've given the group "hudson_admin" all the permissions in the matrix, and when
I try to log a user that is member of this group, I get this error:
org.acegisecurity.providers.UsernamePasswordAuthenticationToken@79814ff9:
Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@38a3ca;
Password: [PROTECTED]; Authenticated: true; Details:
org.acegisecurity.ui.WebAuthenticationDetails@380f4: RemoteIpAddress: 127.0.0.1;
SessionId: 042D1EDAA097F2C5B1D9A280A6D046D9; Granted Authorities:
ROLE_HUDSON_ADMIN is missing Read
FYI, i've given no permission to "anonymous".
[JENKINS-2234] LDAP Group authorization doesn't work
clemp6r
created issue -
clarkeja
added a comment - I've been able to successfully get link Matrix-based security validated against
LDAP Security Roles. Took a little while to work out but as long as you
populate the groupSearchBase DN record it seems to hang together.
Key link I was Missing was the naming convention... Not quite shown in the help...
If you have a LDAP role called "CN=Blackberry Users,OU=Security
Groups,OU=Bidalonier,DC=acme,DC=int" then the role you add in the matrix window
has to be "ROLE_BLACKBERRY USERS"
e.g.
<securityRealm class="hudson.security.LDAPSecurityRealm">
<server>192.168.0.10</server>
<rootDN>DC=acme,DC=int</rootDN>
<userSearchBase>OU=Bidalonier</userSearchBase>
<userSearch>sAMAccountName=
</userSearch>
<groupSearchBase>OU=Security\20Groups,OU=Bidalonier</groupSearchBase>
<managerDN>ACME\clarkeja</managerDN>
<managerPassword>dfghdghgfsdfsdfgdfg</managerPassword>
</securityRealm>
Even better, if there are no groups/roles assigned hudson tells you what ROLES_
the ldap user account has in the exception stack, so it's a simple matter of
using the ones that are appropriate (well done once again to the Hudson crew!!!).
Hope this helps... So not sure that it is a bug as it seems to be working..
Maybe just the LDAP Help needs a bit of lipstick.
Using Hudson v1.255 against a Microsoft Active Directory
clarkeja
added a comment - I've been able to successfully get link Matrix-based security validated against
LDAP Security Roles. Took a little while to work out but as long as you
populate the groupSearchBase DN record it seems to hang together.
Key link I was Missing was the naming convention... Not quite shown in the help...
If you have a LDAP role called "CN=Blackberry Users,OU=Security
Groups,OU=Bidalonier,DC=acme,DC=int" then the role you add in the matrix window
has to be "ROLE_BLACKBERRY USERS"
e.g.
<securityRealm class="hudson.security.LDAPSecurityRealm">
<server>192.168.0.10</server>
<rootDN>DC=acme,DC=int</rootDN>
<userSearchBase>OU=Bidalonier</userSearchBase>
<userSearch>sAMAccountName=
{0}
</userSearch>
<groupSearchBase>OU=Security\20Groups,OU=Bidalonier</groupSearchBase>
<managerDN>ACME\clarkeja</managerDN>
<managerPassword>dfghdghgfsdfsdfgdfg</managerPassword>
</securityRealm>
Even better, if there are no groups/roles assigned hudson tells you what ROLES_
the ldap user account has in the exception stack, so it's a simple matter of
using the ones that are appropriate (well done once again to the Hudson crew!!!).
Hope this helps... So not sure that it is a bug as it seems to be working..
Maybe just the LDAP Help needs a bit of lipstick.
Using Hudson v1.255 against a Microsoft Active Directory 
paran
added a comment - I have tested the same settings with version 1.257 and 1.249: 1.257 works
perferctly with ldap and project matrix authorization but 1.249 doesn't (again
same error as reported by clemp6r).
paran
added a comment - I have tested the same settings with version 1.257 and 1.249: 1.257 works
perferctly with ldap and project matrix authorization but 1.249 doesn't (again
same error as reported by clemp6r). 1.289 will include the last in a series of refactors in this area, so it will be
hard to trace any previously reported problems. So I'm going to close this
issue, but please do test when 1.289 (or newer) comes out and file new issues
for any LDAP problems you find (including improving the docs around ROLE_
prefix), thanks!
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Open [ 1 ] | New: Resolved [ 5 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Workflow | Original: JNJira [ 132307 ] | New: JNJira + In-Review [ 201310 ] |
Jenkins IRC Bot
made changes -
| Component/s | New: _unsorted [ 19622 ] | |
| Component/s | Original: security [ 15508 ] |
Same problem with my installation. I used project base matrix authorization. The
global permissions work until READ was revoked from anonymous. The other
permissions, especially ADMINISTER, seem to work, but it did no in-depth
analysis. Project permissions didn't apply either.
I can reproduce it on Version 1.244 and 1.249.