[JENKINS-37856] LDAP Authentication Overall/Read Permissions Missing

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: ldap-plugin
    • Environment: Jenkins v1.618
      LDAP Plugin v1.11 & v1.12 (tested both)

      Every few login attempts, our users receive an error that they do not have overall/read permission. These users are part of an LDAP group with Administer permissions.

      The current workaround is to log out and back in until access is given, but this isn't ideal.

      The security section of config.xml is below:

      <useSecurity>true</useSecurity>
      <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
        <permission>hudson.model.Hudson.Administer:ldapserviceaccount</permission>
        <permission>hudson.model.Hudson.Administer:ldapgroup</permission>
      </authorizationStrategy>
      <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.42">
        <domain>foo.bar.com</domain>
        <site>wetc</site>
        <bindName>CN=foo,OU=bar,OU=foo,OU=bar,DC=foo,DC=bar,DC=com</bindName>
        <bindPassword>blahblahblah=</bindPassword>
        <groupLookupStrategy>AUTO</groupLookupStrategy>
        <removeIrrelevantGroups>false</removeIrrelevantGroups>
      </securityRealm>
      <disableRememberMe>false</disableRememberMe>
      


          Emilio Escobar added a comment -

          Hey zackwhiteit, are you using LDAP or Active Directory plugin?

          <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.42">
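
An added example, not part of the ticket or of any Jenkins code: it reads a security section like the one in the report, names the realm plugin actually configured, and lists which SIDs can reach Overall/Read. The `<hudson>` wrapper, the function name and the `filed_against` parameter are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the security section quoted in the report, wrapped in a
# <hudson> root element so it parses; bind settings omitted.
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:ldapserviceaccount</permission>
    <permission>hudson.model.Hudson.Administer:ldapgroup</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@1.42">
    <domain>foo.bar.com</domain>
    <groupLookupStrategy>AUTO</groupLookupStrategy>
  </securityRealm>
</hudson>"""

ADMINISTER = "hudson.model.Hudson.Administer"  # implies every other permission
READ = "hudson.model.Hudson.Read"              # shown in the UI as Overall/Read


def triage_security(config_xml, filed_against="ldap"):
    """Summarize realm and matrix grants; filed_against is the plugin short
    name the ticket blames (hypothetical parameter of this example)."""
    root = ET.fromstring(config_xml)
    realm = root.find("securityRealm")
    plugin = realm.get("plugin", "") if realm is not None else ""
    realm_plugin = plugin.split("@", 1)[0]

    # Matrix entries in the format shown on this page: "<permission id>:<sid>".
    grants = {}
    for node in root.findall("authorizationStrategy/permission"):
        perm, _, sid = (node.text or "").strip().partition(":")
        grants.setdefault(sid, set()).add(perm)

    readers = sorted(s for s, p in grants.items() if p & {ADMINISTER, READ})
    return {
        "realm_class": realm.get("class") if realm is not None else None,
        "realm_plugin": realm_plugin,
        "realm_matches_ticket": realm_plugin == filed_against,
        "read_sids": readers,
        # With no grant to the built-in "authenticated" SID, a session whose
        # user name and resolved groups match none of read_sids is refused.
        "no_fallback_for_authenticated": "authenticated" not in readers,
    }


if __name__ == "__main__":
    for key, value in triage_security(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```
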

          Christian Weiske added a comment -

          We experience this problem with the LDAP plugin 1.14, not the AD plugin, on Jenkins 2.46.1.

          It seems to happen overnight. When we come back the next day and resume our computers from sleep, the first access to a Jenkins page is denied with the Overall/Read permission error. Logging out and in again makes it all work again.

          cedd burge added a comment -

          Hi There.

          I have a similar problem.

          Initially, only I could log in, even when giving other users explicit permissions.

          I upgraded from Jenkins 2.5 to 2.75, and then other users can log in if I give them individual permissions.

          Adding permissions for an Active Directory group seems to have no effect.

          I checked the capitalisation issue that is referenced in various places on the internet.

          Thanks

          Cedd


          Lavnish Lalchandani added a comment -

          I am using "LDAP Plugin 1.18" & "Role-based Authorization Strategy : 2.6.1" on "Jenkins 2.73.3" and getting this error at first time login.

          Attached config.xml, more details at https://stackoverflow.com/questions/48016844/jenkins-2-x-role-strategy-plugin

          Let me know if I am missing something, kind of stuck here.

          Oleg Nenashev added a comment -

          Seems to be an issue with group/authorities cache in LDAP or Jenkins Core


          Lavnish Lalchandani added a comment -

          oleg_nenashev can you please comment on my issue ... others are getting this error after a few login attempts, I got it at my first login.

          Oleg Nenashev added a comment -

          lavnish comment where? In StackOverflow? I do not post there


          Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.


            Assignee: Unassigned
            Reporter: Zack White (zackwhiteit)
            Votes: 2
            Watchers: 7