
LDAP Groupname Validation Inconsistent (ROLE_ prefix)

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core
    • Platform: All, OS: All

      When using matrix-based security, group names are validated and a corresponding
      icon is displayed. Say we have a group called 'member' in our LDAP. If we use
      'member' in the security configuration, it is successfully validated, but the
      actual roles are not applied. However, if we enter 'ROLE_MEMBER', the validation
      fails, but roles are applied and authorisation works as expected.


          Alan Harder added a comment -

          add "LDAP" and "ROLE_" in summary


          Alan Harder added a comment -
              • Issue 3872 has been marked as a duplicate of this issue.


          Alan Harder added a comment -
              • Issue 3128 has been marked as a duplicate of this issue.


          Alan Harder added a comment -

          What needs fixing (summarizing results of discussion from issue #3128):

          1) Make the groupname validation actually match what acegi will do when finding
          roles at login time.. check the acegi settings if possible to see what prefix
          and case should be used.

          2) Improve the documentation so people know to enter the prefix and use
          uppercase, and maybe a mention of how to change this behavior. Probably we
          won't change these defaults so we don't break installs of people already using
          the prefix and caps.

          morlach01 wrote:
          It is in the last 2 properties acegi uses in the default bean config.
          <bean id="ldapAuthoritiesPopulator"
          class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
          <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
          <constructor-arg><value>ou=groups</value></constructor-arg>
          <property name="groupRoleAttribute"><value>ou</value></property>
          <!-- the following properties are shown with their default values -->
          <property name="searchSubTree"><value>false</value></property>
          <property name="rolePrefix"><value>ROLE_</value></property>
          <property name="convertToUpperCase"><value>true</value></property>
          </bean>

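          The mismatch described in this thread, as an added example that is not part of the issue or of Jenkins/Hudson/Acegi code: it models the two DefaultLdapAuthoritiesPopulator settings quoted above (rolePrefix, convertToUpperCase) and shows why a check against raw LDAP group names disagrees with the authority granted at login, and what a consistent check looks like. The group names and the helper names are constructed for the example.

```python
# Added example, not Jenkins/Hudson or Acegi code. It models the two
# DefaultLdapAuthoritiesPopulator settings quoted in the issue (rolePrefix,
# convertToUpperCase) so that the matrix-security group-name check agrees
# with the authority Acegi grants at login. Group names are constructed.

LDAP_GROUPS = {"member", "Admins", "qa-team"}   # constructed ou=groups entries


def granted_authority(group, role_prefix="ROLE_", convert_to_upper_case=True):
    """Role name the populator derives from an LDAP group (defaults as in the bean)."""
    return role_prefix + (group.upper() if convert_to_upper_case else group)


def validate_naive(entered):
    """Pre-fix check: the raw LDAP group name exists; prefix and case are ignored."""
    return entered in LDAP_GROUPS


def validate_consistent(entered, role_prefix="ROLE_", convert_to_upper_case=True):
    """Post-fix check: accept exactly the name Acegi would grant for some group."""
    return any(entered == granted_authority(g, role_prefix, convert_to_upper_case)
               for g in LDAP_GROUPS)


def authorises(entered, user_groups, role_prefix="ROLE_", convert_to_upper_case=True):
    """Does a user belonging to user_groups receive the permission granted to `entered`?
    The matrix strategy compares the configured name with the user's authorities."""
    authorities = {granted_authority(g, role_prefix, convert_to_upper_case)
                   for g in user_groups}
    return entered in authorities


def suggested_name(entered, role_prefix="ROLE_", convert_to_upper_case=True):
    """Help-text aid: the form to enter when a group was typed without prefix/case."""
    for g in LDAP_GROUPS:
        if g.lower() == entered.lower():
            return granted_authority(g, role_prefix, convert_to_upper_case)
    return None


if __name__ == "__main__":
    for name in ("member", "ROLE_MEMBER"):
        print(name, "naive:", validate_naive(name),
              "consistent:", validate_consistent(name),
              "authorises a 'member' user:", authorises(name, {"member"}))
```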

          Alan Harder added a comment -
              • Issue 4078 has been marked as a duplicate of this issue.


          Alan Harder added a comment -

          working on this.. having to jump through some hoops because acegi's
          DefaultLdapAuthoritiesPopulator class has private fields for the
          prefix/all-caps, and no get methods :-/


          SCM/JIRA link daemon added a comment -

          Code changed in hudson
          User: mindless
          Path:
          trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
          trunk/hudson/main/core/src/main/java/hudson/security/LDAPSecurityRealm.java
          trunk/hudson/main/core/src/main/java/hudson/security/SecurityRealm.java
          trunk/hudson/main/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
          trunk/hudson/main/war/resources/help/security/global-matrix.html
          trunk/www/changelog.html
          http://fisheye4.cenqua.com/changelog/hudson/?cs=20744
          Log:
          [FIXED JENKINS-3459] Matrix permissions with LDAP now properly validates group names
          using configured prefix and case settings; added help text about these settings.

            mindless Alan Harder
            zumkehr zumkehr
            Votes: 0
            Watchers: 3