Bug
Resolution: Unresolved
Critical
Jenkins 2.10 (recreated in 1.566)
ldap-plugin 1.12
When using LDAP Plugin, groups are not read unless user is explicitly granted admin rights ahead of time (defeating the point of using LDAP groups).
I believe it is not a config issue as if the user is admin, they can, in fact, see groups with same config.
To Recreate:
1 - Set up LDAP Plugin to point to a working LDAP server with two user accounts (say, "admin" and "user" - make both have groups attached to them)
2 - Set Authorization to "Anyone Can Do anything"
3 - Verify you can log in with each user and each user can see their own groups by going to the /users/<username> URI
4 - Set up matrix auth (any conditional auth will do, matrix is the easiest one though) and grant "admin" overall admin rights, and "user" overall "read"
5 - Repeat step 3 - at this point admin will see their own groups, but "user" will not be able to
This is not just visual; group-based authentication does not work - looking in the logs, it appears that "user" only has "authorized" permission when no admin rights
Hello,
Same problem with Jenkins 2.32.2, LDAP 1.14: the LDAP group matrix authorization does not work, all authenticated users have only 'anonymous' default permissions.
Here is a simple Groovy script to test it:
The result with my company LDAP server returns:
Has authorities: [authenticated]
Has groups: [INTERNET, TOKEN , *** ,*** .......]
My understanding is that the first call should also contain the LDAP groups/authorities, no?
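
An added diagnostic example, not the commenter's script and not code from the Jenkins project: run from the script console as an administrator, it compares what the LDAP security realm resolves for an account with what the authorization strategy grants to those authorities. It assumes the Acegi-based security API of the Jenkins versions named in this issue; the account name `user` is the placeholder from the reproduction steps.

```groovy
// Added example for the Jenkins script console (Manage Jenkins > Script Console).
// Assumption: Acegi-era API, as in the Jenkins versions named in this issue.
import hudson.model.User
import jenkins.model.Jenkins

def userId = 'user'   // placeholder: the non-admin account from the reproduction steps

def jenkins = Jenkins.instance
def realm   = jenkins.securityRealm

// 1. Authorities the security realm (here: LDAP) resolves for the account.
//    Group memberships are expected to appear in this list.
def details          = realm.loadUserByUsername(userId)
def realmAuthorities = details.authorities.collect { it.authority }.sort()
println "Realm authorities:     ${realmAuthorities}"

// 2. Authentication object Jenkins builds when acting as that account.
def user = User.get(userId, false)      // false: do not create a missing user record
if (user == null) {
    println "No Jenkins user record for '${userId}' (has the account logged in yet?)"
    return
}
def auth                 = user.impersonate()
def effectiveAuthorities = auth.authorities.collect { it.authority }.sort()
println "Effective authorities: ${effectiveAuthorities}"

// 3. Authorities the realm knows about that are absent from the authentication.
println "Missing at runtime:    ${realmAuthorities - effectiveAuthorities}"

// 4. What the configured authorization strategy (e.g. matrix) grants on the
//    strength of those authorities, independent of what any page displays.
def acl = jenkins.authorizationStrategy.rootACL
[Jenkins.READ, Jenkins.ADMINISTER].each { permission ->
    println "${permission.id}: ${acl.hasPermission(auth, permission)}"
}
```

Comparing the group names printed in step 1 with the group rows configured in the authorization matrix shows whether a name mismatch, rather than a missing lookup, is what keeps a permission from being granted.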