  1. Jenkins
  2. JENKINS-3459

LDAP Groupname Validation Inconsistent (ROLE_ prefix)


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None
    • Environment:
      Platform: All, OS: All
      Description

      When using matrix-based security, groupnames are validated and a corresponding
      icon is displayed. Say we have a group called 'member' in our LDAP. If we use
      'member' in the security configuration, it is successfully validated, but the
      actual roles are not applied. However, if we enter 'ROLE_MEMBER', the validation
      fails, but roles are applied and authorisation works as expected.

            Activity

            mindless Alan Harder added a comment -

            add "LDAP" and "ROLE_" in summary

            mindless Alan Harder added a comment -
            *** Issue 3872 has been marked as a duplicate of this issue. ***
            mindless Alan Harder added a comment -
            *** Issue 3128 has been marked as a duplicate of this issue. ***
            mindless Alan Harder added a comment -

            What needs fixing (summarizing results of discussion from issue #3128):

            1) Make the groupname validation actually match what acegi will do when finding
            roles at login time.. check the acegi settings if possible to see what prefix
            and case should be used.

            2) Improve the documentation so people know to enter the prefix and use
            uppercase, and maybe a mention of how to change this behavior. Probably we
            won't change these defaults so we don't break installs of people already using
            the prefix and caps.

            morlach01 wrote:
            It is in the last 2 properties acegi uses in the default bean config.
            <bean id="ldapAuthoritiesPopulator"
                  class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
              <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
              <constructor-arg><value>ou=groups</value></constructor-arg>
              <property name="groupRoleAttribute"><value>ou</value></property>
              <!-- the following properties are shown with their default values -->
              <property name="searchSubTree"><value>false</value></property>
              <property name="rolePrefix"><value>ROLE_</value></property>
              <property name="convertToUpperCase"><value>true</value></property>
            </bean>

            mindless Alan Harder added a comment -
            *** Issue 4078 has been marked as a duplicate of this issue. ***
            mindless Alan Harder added a comment -

            working on this.. having to jump through some hoops because acegi's
            DefaultLdapAuthoritiesPopulator class has private fields for the
            prefix/all-caps, and no get methods :-/

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in hudson
            User: mindless
            Path:
            trunk/hudson/main/core/src/main/java/hudson/security/GlobalMatrixAuthorizationStrategy.java
            trunk/hudson/main/core/src/main/java/hudson/security/LDAPSecurityRealm.java
            trunk/hudson/main/core/src/main/java/hudson/security/SecurityRealm.java
            trunk/hudson/main/war/resources/WEB-INF/security/LDAPBindSecurityRealm.groovy
            trunk/hudson/main/war/resources/help/security/global-matrix.html
            trunk/www/changelog.html
            http://fisheye4.cenqua.com/changelog/hudson/?cs=20744
            Log:
            [FIXED JENKINS-3459] Matrix permissions with LDAP now properly validates group names
            using configured prefix and case settings; added help text about these settings.
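
            The mismatch discussed in this issue, as an added Java example (not Hudson or Acegi source code): it applies the rolePrefix and convertToUpperCase defaults from the bean config quoted in the thread and compares a raw-name check with one that matches what login actually grants. The class and method names and the sample group set are hypothetical.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

/** Added illustration for this issue; not Hudson or Acegi source code. */
public class RolePrefixValidationDemo {
    // Default values shown in the bean config quoted on this page.
    static final String ROLE_PREFIX = "ROLE_";
    static final boolean CONVERT_TO_UPPER_CASE = true;

    /** Authority name a directory group turns into at login under those settings. */
    static String toAuthority(String ldapGroup) {
        String role = CONVERT_TO_UPPER_CASE ? ldapGroup.toUpperCase(Locale.ROOT) : ldapGroup;
        return ROLE_PREFIX + role;
    }

    /** Behaviour reported in the issue: accept any name that exists as a raw group. */
    static boolean validateRawName(String entry, Set<String> ldapGroups) {
        return ldapGroups.contains(entry);
    }

    /** Consistent check: accept only names that login would actually grant. */
    static boolean validateAsAuthority(String entry, Set<String> ldapGroups) {
        for (String group : ldapGroups) {
            if (toAuthority(group).equals(entry)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: two directory groups, user belongs to 'member'.
        Set<String> ldapGroups = Set.of("member", "admins");
        Set<String> grantedAtLogin = new TreeSet<>();
        grantedAtLogin.add(toAuthority("member"));

        // Names an administrator might type into the permission matrix.
        for (String entry : List.of("member", "ROLE_MEMBER", "ROLE_member")) {
            System.out.printf("%-12s rawCheck=%-5b authorityCheck=%-5b appliedAtLogin=%b%n",
                    entry,
                    validateRawName(entry, ldapGroups),
                    validateAsAuthority(entry, ldapGroups),
                    grantedAtLogin.contains(entry));
        }
    }
}
```

            A validation result is only trustworthy when it agrees with the appliedAtLogin column; a matrix row that validates but never matches a granted authority silently grants nothing.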


              People

              Assignee:
              mindless Alan Harder
              Reporter:
              zumkehr zumkehr