Alexander Dvorsky added a comment - 2015-09-28 17:14 This would make sense as well to have e.g. a user for automation, which doesn't need to exist in the active directory/ldap directory. i would very welcome this as well...

Federico Soria Galvarro added a comment - 2016-02-24 18:21 This bug have any estimated date? As Alexander say make sense, for example I have external user that not exists in the active directory but I want that they can be logged. Also, and most important, if my LDAP is down I can't use Jenkins, is really useful have a local account for this circumstance.

Jens Rosenthal added a comment - 2016-04-22 14:17 Another important - at least I think so - use case is, that in case there is an LDAP problem, that needs a config update, I cannot login to jenkins to fix the problem. So a "standard" account (the admin or root), that is NOT tied to the configured LDAP is needed.

Heiko Nardmann added a comment - 2016-10-12 10:22 I also would like to add some "Technical SCM Trigger User" that is used when the SCM creates a trigger. Such a user shall not be part of LDAP but just be part of Jenkins user database. This avoids an anonymous account inside Jenkins with Discover + Read privileges. This involves either only changing the ldap-plugin or being able to iterate over a list of AbstractPasswordBasedSecurityRealm implementations (as far as I understand). This would probably also involve that getSecurityRealm() has to be replaced by some getSecurityRealms() (returning a list of realms). The same for setSecurityRealm(SecurityRealm securityRealm) .

Sam Zhao added a comment - 2016-10-18 09:54 Very appreciate for these features. As a system admin, to keep Jenkins platform to high availability is very important. If LDAP is down , users will not login Jenkins to do any job.

Kevin Phillips added a comment - 2016-10-25 16:05 I too would like to have the ability to define a couple of static local users on a Jenkins server, for pretty much the same reasons stated above - automated processes accessing Jenkins, accessing the dashboard when LDAP/AD are down, etc. This would be very helpful.

Patryk Cichy added a comment - 2016-11-02 07:45 Why is this marked as duplicate? JENKINS-39065 should be marked as duplicate - it only covers AD plugin and this ticket is also about LDAP plugin.

Félix Belzunce Arcos added a comment - 2017-04-28 12:53 Don't like to have the same Jira issue for multiple components, when on each one we might need a different fix in case this is implemented at plugin level. On AD there is already a Jira opened, so I am keeping this one for LDAP.

Stefan Rink added a comment - 2017-09-15 15:21 I would also need the possibility of fallback to Jenkins' own user database, or at least to a single fallback user (like the AD plugin does). If I implemented this, could I expect the respective pull request to be merged in? Which conditions / coding guidelines would I have to adhere to?

Martin Majewski added a comment - 2019-01-14 11:11 2019 and still nothing at this front? We have users whose AD accounts are disabled due to ID renewal and for this period they cannot log into Jenkins. A local user store would be much appreciated! Best wishes, Martin

Guillaume Dupin added a comment - 2019-02-06 14:38 - edited Agree with all comments above : this feature is important for many use cases. For me, it would be useful to configure Jenkins with Configuration-as-Code plugin with a local (non-LDAP) user that will be responsible to apply Jenkins configuration (and as LDAP is a part of this configuration, cannot use a LDAP user for this) @ fbelzunc any update on this please ? Or at least an estimation date ? Thank you

Baptiste Mathus added a comment - 2019-02-11 19:50 As Félix said above, doing this at the SecurityRealm level would likely imply duplicating code between the various implementations. So, I'm inclined to think this issue here should actually be closed as a duplicate of JENKINS-15063 . Because at least JENKINS-15063 has core as a component, as it should be IMO.

Mike Machnik added a comment - 2019-02-13 16:17 - edited As mentioned in some of the comments above, allowing for both LDAP and local security allows for real users to have access but also allowing for local users to be created for automation.  This support would allow us to create an ideal security environment for our automation.

Sharon Kwok added a comment - 2019-03-21 08:33 Agreed with all the comments above. We really need the support of both local security and LDAP security. Normal users should use LDAP for login, while local users are created for automation and remote API call. It would be highly appreciated if it could be implemented. 

smek added a comment - 2019-05-22 15:14 Is there workaround on this thing other than using PAM? I heard AD plugin supports this, so maybe it's not too difficult to support LDAP with that plugin?

Rory Scott added a comment - 2019-08-19 19:38 +1 to what's been said. Automating with a local user would be great while using LDAP for internal users.

Rajiv KR added a comment - 2019-09-23 09:16 Need this feature as we are trying to make api calls with ldap enabled jenkins, any local hudson users added to ldap will be really useful. Any update on this?

WENJUN XIAO added a comment - 2019-10-20 16:10 I try to mixing local user with others by this plugin [mixing-security-realm-plugin| https://github.com/wenjunxiao/mixing-security-realm-plugin ]

tom zhang added a comment - 2020-08-31 06:30 Agreed with all the comments above. We really need the support of both local security and LDAP security.

Tue Henriksen added a comment - 2020-09-08 05:34 It would be nice if I could create an admin user that was not dependent on LDAP - just in case some IT guys decided to change AD that would brake the LDAP integration.

Christian Gsenger added a comment - 2021-05-26 13:22 +1

Deepak added a comment - 2021-06-02 09:01 12 years and no progress on this. Not sure if there gonna be any useful feature like this in jenkins. 

Baptiste Mathus added a comment - 2021-06-11 19:16 deepakn  fortunately now you're here to implement it. Thanks!

Deepak added a comment - 2021-06-11 20:05 batmat  Not sure if you are being sarcastic or funny. Either ways I won't be able to implement it. My comment was not intented to hurt any one. If you got offended somehow then I'm sorry.

Kalle Niemitalo added a comment - 2021-08-30 08:43 mixing-security-realm-plugin is now hosted at https://github.com/jenkinsci/mixing-security-realm-plugin but does not seem to have any releases available from the update center yet.

WENJUN XIAO added a comment - 2021-09-18 00:39 mix-security-realm-plugin has been published to update center, Sorry for not posting to the update center in time due to configuration and permission issues.

hz hz added a comment - 2021-10-18 01:48 - edited Hi I'd like to ask if you guys have such issue. I need to config mixing security realm to support Jenkins own users database and ldap. if I setup ldap only it verified successfully. but if I config ldap inside mix plugin I got following exception.  I am using java-11-openjdk-11.0.12.0.7-0.el7_9.x86_64 and Jenkins 2.316   "java.lang.IllegalArgumentException":Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealm"java.lang.IllegalArgumentException":Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealm at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON("RequestImpl.java":"683)Caused":"java.lang.IllegalArgumentException":"Failed to instantiate class hudson.security.LDAPSecurityRealm from"{   "value":"3",    "stapler-class":"hudson.security.MixingSecurityRealm",    "$class":"hudson.security.MixingSecurityRealm",    "allowsSignup":false,    "priority":true,    "optional":[      {         "$enabled":false,          "$id":"hudson.security.SecurityRealm$None"      } ,       {         "$enabled":false,          "$id":"hudson.security.PAMSecurityRealm",          "serviceName":""      } ,       {         "$enabled":true,          "$id":"hudson.security.LDAPSecurityRealm",          "configurations": {            "server":"ldap://www.example.com",             "rootDN":"dc=example,dc=com",             "inhibitInferRootDN":false,             "userSearchBase":"OU=User Accounts",             "userSearch":"userPrincipalName= {0} ",             "groupSearchBase":"OU=Groups",             "groupSearchFilter":"(objectClass=group)",             "groupMembershipStrategy": {               "value":"0",                "attributeName":"memberOf",                "stapler-class":"jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy",                "$class":"jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"            } ,             "managerDN":"CN=onprembuild,OU=Service Accounts,OU=User Accounts,DC=example,DC=com",             "managerPasswordSecret":" [value redacted] ",             "$redact":"managerPasswordSecret",             "displayNameAttributeName":"displayname",             "mailAddressAttributeName":"mail",             "ignoreIfUnavailable":false         },          "":[            "0",             "0"         ],          "userIdStrategy": {            "stapler-class":"jenkins.model.IdStrategy$CaseInsensitive",             "$class":"jenkins.model.IdStrategy$CaseInsensitive"         } ,          "groupIdStrategy": {            "stapler-class":"jenkins.model.IdStrategy$CaseInsensitive",             "$class":"jenkins.model.IdStrategy$CaseInsensitive"         } ,          "disableMailAddressResolver":false,          "disableRolePrefixing":true      },       {         "$enabled":false,          "$id":"hudson.security.LegacySecurityRealm"      }    ]}

Kalle Niemitalo added a comment - 2021-10-18 05:27 - edited Is there a stack trace for this exception? More than just this at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON("RequestImpl.java":"683)

hz hz added a comment - 2021-10-18 05:41 - edited java.lang.IllegalArgumentException: Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealmjava.lang.IllegalArgumentException: Specified type class hudson.security.MixingSecurityRealm is not assignable to the expected class hudson.security.LDAPSecurityRealm at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:683)Caused: java.lang.IllegalArgumentException: Failed to instantiate class hudson.security.LDAPSecurityRealm from { "value" : "3" , "stapler-class" : "hudson.security.MixingSecurityRealm" , "$class" : "hudson.security.MixingSecurityRealm" , "allowsSignup" : false , "priority" : true , "optional" :[{ "$enabled" : false , "$id" : "hudson.security.SecurityRealm$None" },{ "$enabled" : false , "$id" : "hudson.security.PAMSecurityRealm" , "serviceName" : ""},{" $enabled ": true ," $id ":" hudson.security.LDAPSecurityRealm "," configurations ":{" server ":" ldap: //www.example.com "," rootDN ":" dc=example,dc=com "," inhibitInferRootDN ": false ," userSearchBase ":" OU=User Accounts "," userSearch ":" userPrincipalName={0} "," groupSearchBase ":" OU=Groups "," groupSearchFilter ":" (objectClass=group) "," groupMembershipStrategy ":{" value ":" 0 "," attributeName ":" memberOf "," stapler- class& lt;span class= "code-quote" > ":" jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy "," $ class& lt;span class= "code-quote" > ":" jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy "}," managerDN ":" CN=ci-build-onprembuild,OU=Service Accounts,OU=User Accounts,DC=example,DC=com "," managerPasswordSecret ":" [value redacted] "," $redact ":" managerPasswordSecret "," displayNameAttributeName ":" displayname "," mailAddressAttributeName ":" mail "," ignoreIfUnavailable ": false }," ":[" 0 "," 0 "]," userIdStrategy ":{" stapler- class& lt;span class= "code-quote" > ":" jenkins.model.IdStrategy$CaseInsensitive "," $ class& lt;span class= "code-quote" > ":" jenkins.model.IdStrategy$CaseInsensitive "}," groupIdStrategy ":{" stapler- class& lt;span class= "code-quote" > ":" jenkins.model.IdStrategy$CaseInsensitive "," $ class& lt;span class= "code-quote" > ":" jenkins.model.IdStrategy$CaseInsensitive "}," disableMailAddressResolver ": false ," disableRolePrefixing ": true },{" $enabled ": false ," $id ":" hudson.security.LegacySecurityRealm"}]} at org.kohsuke.stapler.RequestImpl$TypePair.convertJSON(RequestImpl.java:693) at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:490) at org.kohsuke.stapler.RequestImpl.bindJSON(RequestImpl.java:486) at hudson.security.LDAPSecurityRealm$DescriptorImpl.doValidate(LDAPSecurityRealm.java:1543) at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710) at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:393)Caused: java.lang.reflect.InvocationTargetException at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397) at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:405) at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:77) at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26) at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:208) at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:141) at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:536) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898) at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:281) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:766) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:898) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:694) at org.kohsuke.stapler.Stapler.service(Stapler.java:240) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799) at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:156) at jenkins.security.ResourceDomainFilter.doFilter(ResourceDomainFilter.java:80) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:153) at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:153) at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:159) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:153) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:92) at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:53) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:121) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:115) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:105) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101) at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:92) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:218) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:110) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:62) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:97) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:109) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:51) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:85) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:39) at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193) at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:578) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) at org.eclipse.jetty.server.Server.handle(Server.java:516) at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388) at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105) at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:386) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883) at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034) at java.base/java.lang. Thread .run( Thread .java:829) here is the stack trace. thank you so much for your quick respons 

Loren Alatan added a comment - 2022-02-04 06:39 Hi promissing I tried installing the https://github.com/wenjunxiao/mixing-security-realm-plugin plugin. It kind of works having ldap users and a local jenkins user at the same time but ldap groups were not allowed. Are you aware of this issue? Thank you very much.

Loren Alatan added a comment - 2022-02-18 06:20 Tried updating Active Directory plugin to 2.25.1 from 2.25 but it became worse. LDAP users and groups are not working anymore.