Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-24894

Users' display names should be synchronized with LDAP

    • Icon: New Feature New Feature
    • Resolution: Unresolved
    • Icon: Major Major
    • ldap-plugin
    • None
    • Jenkins 1.581, LDAP plugin 1.10.2

      When changing display name on LDAP settings, if a user account is already created, the change won't be reflected.

          [JENKINS-24894] Users' display names should be synchronized with LDAP

          Daniel Beck added a comment -

          Please be more specific as to what you're trying to do. Providing exact steps to reproduce would be best.

          Daniel Beck added a comment - Please be more specific as to what you're trying to do. Providing exact steps to reproduce would be best.

          Laurent TOURREAU added a comment - - edited

          Here is the use case:
          1/ Enable security in "Configure Global Security"
          2/ Select LDAP as Security Realm
          3/ Enter LDAP settings. Enter"CN" as displayname.
          4/ Save the config.
          5/ Log as a new LDAP registered user. On the top right you see your First Name + Full Name (depending the CN field content on LDAP user record). --> Until that it's ok.
          6/ Unlog from Jenkins.
          7/ Go back in "Configure Global Security"
          8/ In LDAP settings, change displayname by "mail"
          9/ Save the config
          10 / Log as previous LDAP registered user. On the top right you should see user's mail, but it's not the case, instead you get First Name + Full Name as "CN" was again the displayname.

          The workaround : Delete the user from Jenkins and relog as it again, this will recreate it and this time you will get user's mail displayed as expected on the top right.

          N.B. I tried to stop and restart Jenkins server after changing displayname at step 8, it doesn't solve the problem

          Regards

          Laurent TOURREAU added a comment - - edited Here is the use case: 1/ Enable security in "Configure Global Security" 2/ Select LDAP as Security Realm 3/ Enter LDAP settings. Enter"CN" as displayname. 4/ Save the config. 5/ Log as a new LDAP registered user. On the top right you see your First Name + Full Name (depending the CN field content on LDAP user record). --> Until that it's ok. 6/ Unlog from Jenkins. 7/ Go back in "Configure Global Security" 8/ In LDAP settings, change displayname by "mail" 9/ Save the config 10 / Log as previous LDAP registered user. On the top right you should see user's mail, but it's not the case, instead you get First Name + Full Name as "CN" was again the displayname. The workaround : Delete the user from Jenkins and relog as it again, this will recreate it and this time you will get user's mail displayed as expected on the top right. N.B. I tried to stop and restart Jenkins server after changing displayname at step 8, it doesn't solve the problem Regards

          Daniel Beck added a comment -

          Right, this is only for the initial creation of a user record in Jenkins. Afterwards, it can be changed in Jenkins (/user/USERNAME/configure) only.

          Reclassifying this as a feature request.

          One possible problem here is that an out of date display name set by the realm (which should probably be replaced) is indistinguishable from a completely custom display name set in Jenkins.

          Daniel Beck added a comment - Right, this is only for the initial creation of a user record in Jenkins. Afterwards, it can be changed in Jenkins ( /user/USERNAME/configure ) only. Reclassifying this as a feature request. One possible problem here is that an out of date display name set by the realm (which should probably be replaced) is indistinguishable from a completely custom display name set in Jenkins.

          Thanks for the reply.
          Concerning the distinction between out of date display name and custom name, we should deal that as it:
          On user configuration screen we have a ratio button choice
          -Allow display name synchronization with LDAP -> This will make the custom name text box read only, leaving it in grey background color.
          -Custom display name -> This will enable the custom name text box for edition. So we take account that custom display name instead of this from realm.

          What's your opinion?

          Laurent TOURREAU added a comment - Thanks for the reply. Concerning the distinction between out of date display name and custom name, we should deal that as it: On user configuration screen we have a ratio button choice -Allow display name synchronization with LDAP -> This will make the custom name text box read only, leaving it in grey background color. -Custom display name -> This will enable the custom name text box for edition. So we take account that custom display name instead of this from realm. What's your opinion?

          Daniel Beck added a comment -

          This will make no sense for authentication realms that do not provide a display name. And the user screen isn't extensible that way (remember, LDAP auth realm is a plugin that depends on available extension points; and core extension points need to make sense for multiple implementations).

          One possibility that could be solved in the plugin would be to store the last know display name from LDAP in the user record, and always compare it to the one reported by LDAP; if it changes, check if the display name of the user is the same – if it is, update it, else don't. Then update the stored known LDAP display name.


          Besides that, I think the more common use case is when a user's field in LDAP is changed rather than reconfiguration of Jenkins. Same problem, but cannot be solved by manually fixing things, as e.g. changing teams/departments (if part of the display name field) of some user likely happens without the Jenkins admin knowing.

          Daniel Beck added a comment - This will make no sense for authentication realms that do not provide a display name. And the user screen isn't extensible that way (remember, LDAP auth realm is a plugin that depends on available extension points; and core extension points need to make sense for multiple implementations). One possibility that could be solved in the plugin would be to store the last know display name from LDAP in the user record, and always compare it to the one reported by LDAP; if it changes, check if the display name of the user is the same – if it is, update it, else don't. Then update the stored known LDAP display name. Besides that, I think the more common use case is when a user's field in LDAP is changed rather than reconfiguration of Jenkins. Same problem, but cannot be solved by manually fixing things, as e.g. changing teams/departments (if part of the display name field) of some user likely happens without the Jenkins admin knowing.

          Björn Martin added a comment -

          This could also be approached the other way around: Within Global Security's LDAP configuration the Jenkins admin can specify (via checkbox) if the display name - if one is found within LDAP - should be refreshed within Jenkins. This may annoy users that like to "tweak" their Jenkins user name to something different than the one specified within Jenkins. On the other side it's usually a company-wide decision how those fields are populated / kept up-to-date.

          Björn Martin added a comment - This could also be approached the other way around: Within Global Security 's LDAP configuration the Jenkins admin can specify (via checkbox) if the display name - if one is found within LDAP - should be refreshed within Jenkins. This may annoy users that like to "tweak" their Jenkins user name to something different than the one specified within Jenkins. On the other side it's usually a company-wide decision how those fields are populated / kept up-to-date.

          Oleg Nenashev added a comment -

          In order to set proper expectation, I have unassigned Kohsuke from this tickets.
          Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

          Oleg Nenashev added a comment - In order to set proper expectation, I have unassigned Kohsuke from this tickets. Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

          Krishnan PR added a comment - - edited

          I was able to update the username and email address like this,

           

          import hudson.security.LDAPSecurityRealm
          import hudson.security.LDAPSecurityRealm.LDAPUserDetailsService
          import jenkins.security.plugins.ldap.LDAPConfiguration.*
          import org.apache.commons.lang.StringUtils;
          import hudson.tasks.Mailer;
          import hudson.tasks.Mailer.UserProperty;

          @NonCPS
          def Update()
          {
              def config=Jenkins.instance.securityRealm.getConfigurations()[0]
              def appContext = config.createApplicationContext(Jenkins.instance.securityRealm);
              def allusers=User.getAll()
              allusers.each{
                  def currentid=it.id
                  //println currentid
                  def newusr= User.get(currentid,true)
                  if(newusr.id!="" && newusr.id!="SYSTEM" && newusr.id!="unknown")
                  {
                      try
                      {
                          def userdetails=Jenkins.instance.securityRealm.loadUserByUsername2(currentid)
                          def usr=Jenkins.instance.securityRealm.updateUserDetails(userdetails,appContext.ldapUserSearch)
                          def attributes = usr.getAttributes(usr, appContext.ldapUserSearch);
                          def configuration = Jenkins.instance.securityRealm.getConfigurationFor(userdetails);
                          def descriptor=Jenkins.instance.securityRealm.getDescriptor()
                          String displayNameAttributeName;
                          String mailAddressAttributeName;
                          if (configuration != null) {
                              displayNameAttributeName = configuration.getDisplayNameAttributeName();
                              mailAddressAttributeName = configuration.getMailAddressAttributeName();
                              if (StringUtils.isEmpty(displayNameAttributeName))

          {                         displayNameAttributeName = descriptor.DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME;                     }

                              if (StringUtils.isEmpty(mailAddressAttributeName))

          {                         mailAddressAttributeName = descriptor.DEFAULT_MAILADDRESS_ATTRIBUTE_NAME;                     }

                          } else

          {                     displayNameAttributeName = descriptor.DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME;                     mailAddressAttributeName = descriptor.DEFAULT_MAILADDRESS_ATTRIBUTE_NAME;                 }

                          def attribute = attributes.get(displayNameAttributeName);
                          String displayName = attribute == null ? null : (String) attribute.get();
                          newusr.setFullName(displayName)
                          attribute = attributes.get(mailAddressAttributeName);
                          String mailAddress = attribute == null ? null : (String) attribute.get();
                          if (StringUtils.isNotBlank(mailAddress))

          {                     newusr.addProperty(new Mailer.UserProperty(mailAddress));                 }

                          newusr.save()
                      }
                      catch (Exception e)
                      {
                          if( e.message.contains("User ${currentid} not found in directory"))
                          {
                              println "User ${currentid} not found in directory"
                              it.delete()
                          }
                          else if( e.message.contains("""The user "${currentid}" is administratively disabled"""))
                          {
                              println """The user "${currentid}" is administratively disabled"""
                          }
                          else
                         

          {                     throw e                 }

                      }
                  }
                  if(newusr.id==newusr.getFullName())
                 

          {             println newusr         }

              }
              Jenkins.instance.reload()
          }
          Update()

          Krishnan PR added a comment - - edited I was able to update the username and email address like this,   import hudson.security.LDAPSecurityRealm import hudson.security.LDAPSecurityRealm.LDAPUserDetailsService import jenkins.security.plugins.ldap.LDAPConfiguration.* import org.apache.commons.lang.StringUtils; import hudson.tasks.Mailer; import hudson.tasks.Mailer.UserProperty; @NonCPS def Update() {     def config=Jenkins.instance.securityRealm.getConfigurations() [0]     def appContext = config.createApplicationContext(Jenkins.instance.securityRealm);     def allusers=User.getAll()     allusers.each{         def currentid=it.id         //println currentid         def newusr= User.get(currentid,true)         if(newusr.id!="" && newusr.id!="SYSTEM" && newusr.id!="unknown")         {             try             {                 def userdetails=Jenkins.instance.securityRealm.loadUserByUsername2(currentid)                 def usr=Jenkins.instance.securityRealm.updateUserDetails(userdetails,appContext.ldapUserSearch)                 def attributes = usr.getAttributes(usr, appContext.ldapUserSearch);                 def configuration = Jenkins.instance.securityRealm.getConfigurationFor(userdetails);                 def descriptor=Jenkins.instance.securityRealm.getDescriptor()                 String displayNameAttributeName;                 String mailAddressAttributeName;                 if (configuration != null) {                     displayNameAttributeName = configuration.getDisplayNameAttributeName();                     mailAddressAttributeName = configuration.getMailAddressAttributeName();                     if (StringUtils.isEmpty(displayNameAttributeName)) {                         displayNameAttributeName = descriptor.DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME;                     }                     if (StringUtils.isEmpty(mailAddressAttributeName)) {                         mailAddressAttributeName = descriptor.DEFAULT_MAILADDRESS_ATTRIBUTE_NAME;                     }                 } else {                     displayNameAttributeName = descriptor.DEFAULT_DISPLAYNAME_ATTRIBUTE_NAME;                     mailAddressAttributeName = descriptor.DEFAULT_MAILADDRESS_ATTRIBUTE_NAME;                 }                 def attribute = attributes.get(displayNameAttributeName);                 String displayName = attribute == null ? null : (String) attribute.get();                 newusr.setFullName(displayName)                 attribute = attributes.get(mailAddressAttributeName);                 String mailAddress = attribute == null ? null : (String) attribute.get();                 if (StringUtils.isNotBlank(mailAddress)) {                     newusr.addProperty(new Mailer.UserProperty(mailAddress));                 }                 newusr.save()             }             catch (Exception e)             {                 if( e.message.contains("User ${currentid} not found in directory"))                 {                     println "User ${currentid} not found in directory"                     it.delete()                 }                 else if( e.message.contains("""The user "${currentid}" is administratively disabled"""))                 {                     println """The user "${currentid}" is administratively disabled"""                 }                 else                 {                     throw e                 }             }         }         if(newusr.id==newusr.getFullName())         {             println newusr         }     }     Jenkins.instance.reload() } Update()

            Unassigned Unassigned
            lautou Laurent TOURREAU
            Votes:
            5 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: