JENKINS-37858

Group based LDAP authentication does not work


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: ldap-plugin
    • Environment: Jenkins 2.10 (recreated in 1.566), ldap-plugin 1.12

      When using the LDAP Plugin, groups are not read unless the user is explicitly granted admin rights ahead of time (defeating the point of using LDAP groups).

      I believe it is not a config issue, as if the user is an admin, they can, in fact, see groups with the same config.

      To Recreate:

      1 - Set up the LDAP Plugin to point to a working LDAP server with two user accounts (say, "admin" and "user" - make both have groups attached to them)
      2 - Set Authorization to "Anyone Can Do anything"
      3 - Verify you can log in with each user and each user can see their own groups by going to the /users/<username> URI
      4 - Set up matrix auth (any conditional auth will do, matrix is the easiest one though) and grant "admin" overall admin rights, and "user" overall "read"
      5 - Repeat step 3 - at this point admin will see their own groups, but "user" will not be able to

      This is not just visual; group-based authentication does not work - looking in the logs, it appears that "user" only has the "authorized" permission when they have no admin rights

            Assignee: Unassigned
            Reporter: Michael Lasevich (mlasevich)