
Hudson Does not Check uniqueMember within LDAP Groups

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Platform: All, OS: Linux

      Currently Hudson only checks for the attribute member in LDAP groups. However, it is
      also quite common to use the attribute uniqueMember to store the member list.

      In WEB-INF/security/LDAPBindSecurityRealm.groovy, a one-line change that makes
      Hudson search for both member={0} and uniqueMember={0} can be done as follows:

      authoritiesPopulator(DeferredCreationLdapAuthoritiesPopulator, initialDirContextFactory, "ou=groups") {
          // groupRoleAttribute = "ou";
          groupSearchFilter = "(|(member={0})(uniqueMember={0}))"
      }

      Thanks to Kohsuke.Kawaguchi@sun.com for the above code.


          alvin_chang created issue -

          zumkehr added a comment -

          Our organisation uses 'memberUid', so while you're at it, could you add this as
          well? Of course, configuration options as proposed by Issue 1909 would be fine
          as well.


          Code changed in hudson
          User: kohsuke
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/DeferredCreationLdapAuthoritiesPopulator.java
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=13087
          Log:
          [FIXED JENKINS-2256] Added two more lookups as reported in this issue.
          In 1.261.

          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]

          zumkehr added a comment -

          We downloaded 1.261 and tested with our Ldap. Unfortunately, authorisation still
          does not work. Hudson Logs only show:

          FINE: Authentication success:
          org.acegisecurity.providers.UsernamePasswordAuthenticationToken@3cb8dfca:
          Username: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@3d0bbf6d;
          Password: [PROTECTED]; Authenticated: true; Details:
          org.acegisecurity.ui.WebAuthenticationDetails@255f8: RemoteIpAddress: 127.0.0.1;
          SessionId: d07bc8256f3dd73af73c2106c98da368; Granted Authorities:

          So no authorities have been granted, not even 'authenticated', as referenced in
          project-based matrix security. Only the rights granted to the user name and
          anonymous have been applied. More detailed logging might be helpful.

          Is that a different bug or should this one be reopened?

          zumkehr made changes -
          Resolution Original: Fixed [ 1 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]

          zumkehr added a comment -

          We finally got it to work with memberUid (thanks to alvin_chang):

          The attribute memberUid is specific to the object class posixGroup and only
          contains the username. This is different to groupOfNames, which uses member or
          uniqueMember, containing the full DN of the user. So the comparison has to be
          adapted:

          uid={0} uses the full DN of the user
          uid={1} uses the username

          which leads to

          groupSearchFilter = "(|(member={0})(uniqueMember={0})(memberUid={1}))"

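As an added example for the filter worked out in this thread (illustration code written for this page, not Hudson's code and not the reporter's): it substitutes the user DN for {0} and the login name for {1} as the comment above describes, evaluates the resulting filter with a minimal in-memory evaluator against constructed group entries of the three object classes discussed (groupOfNames, groupOfUniqueNames, posixGroup), and shows what the "0 instead of 1" variant misses. It goes one step beyond the thread in escaping the substituted values per RFC 4515; that escaping, and the sample directory data, are assumptions of mine rather than anything Hudson's groovy configuration does.

```python
"""Worked example (added for this page; not Hudson's own code).

Builds the group search filter discussed in this thread, substituting the
user's DN for {0} and the login name for {1}, and evaluates it against a few
constructed group entries of the object classes mentioned in the thread."""
import re

# Filter as finally proposed in the thread: DN for member/uniqueMember,
# login name for memberUid.
FIXED_FILTER = "(|(member={0})(uniqueMember={0})(memberUid={1}))"
# The "0 instead of 1" variant: memberUid is compared against the full DN,
# so posixGroup membership is never found.
BUGGY_FILTER = "(|(member={0})(uniqueMember={0})(memberUid={0}))"

# Constructed sample directory data (attribute names lower-cased).
SAMPLE_GROUPS = [
    {"cn": ["devs"], "objectclass": ["groupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"cn": ["ops"], "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["uid=bob,ou=people,dc=example,dc=com"]},
    {"cn": ["unix"], "objectclass": ["posixGroup"],
     "memberuid": ["alice", "carol"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter (an addition of
    mine, not part of the thread's filter): it keeps a login name such as
    '*' from turning (memberUid={1}) into a presence filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def build_group_filter(user_dn, username, template=FIXED_FILTER, escape=True):
    """Substitute {0} (user DN) and {1} (login name) into the template."""
    if escape:
        user_dn, username = escape_filter_value(user_dn), escape_filter_value(username)
    return template.replace("{0}", user_dn).replace("{1}", username)


def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(s, i):
    """Tiny recursive-descent parser for (attr=value), (|...) and (&...)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "|&":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)      # an escaped ')' is '\29', so this is the real one
    return ("=", s[i:eq].lower(), s[eq + 1:end]), end + 1


def _matches(node, entry):
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    _, attr, raw = node
    # An unescaped '*' is a wildcard (presence/substring filter); everything
    # else is compared literally and case-insensitively.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.fullmatch(v) for v in entry.get(attr, []))


def groups_for(user_dn, username, groups=SAMPLE_GROUPS,
               template=FIXED_FILTER, escape=True):
    """Return the sorted cn values of the groups the filter matches."""
    tree, _ = _parse(build_group_filter(user_dn, username, template, escape), 0)
    return sorted(g["cn"][0] for g in groups if _matches(tree, g))


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    print(groups_for(alice, "alice"))                         # ['devs', 'unix']
    print(groups_for(alice, "alice", template=BUGGY_FILTER))  # ['devs']
    nobody = "uid=nobody,ou=people,dc=example,dc=com"
    print(groups_for(nobody, "*", escape=False))  # ['unix']: wildcard slipped in
    print(groups_for(nobody, "*"))                # []: value escaped
```

The evaluator only knows equality, OR and AND with optional wildcards, which is all this filter needs; it is a stand-in for the directory server, not an LDAP client. The two `nobody` calls show why the substitution step deserves escaping: a login name of `*` unescaped makes `(memberUid=*)` match every posixGroup that has any members at all.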

          zumkehr added a comment -

          Is this issue scheduled somewhere or has it just been forgotten? If anybody
          would find some time to change a 0 to a 1 it would be fixed... Thanks


          Alan Harder added a comment -

          actually in 1.280 the whole query setting was lost, as
          DeferredCreationLdapAuthoritiesPopulator was deprecated and the settings there
          not moved over to the groovy file. I'll move those over, and make the 0->1 change.

          Alan Harder made changes -
          Status Original: Reopened [ 4 ] New: Open [ 1 ]
