
Group based LDAP authentication does not work

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: ldap-plugin
    • Environment: Jenkins 2.10 (recreated in 1.566)
      ldap-plugin 1.12

      When using LDAP Plugin, groups are not read unless user is explicitly granted admin rights ahead of time (defeating the point of using LDAP groups).

      I believe it is not a config issue as if the user is admin, they can, in fact, see groups with same config.

      To Recreate:

      1 - Set up LDAP Plugin to point to a working LDAP server with two user accounts (say, "admin" and "user" - make both have groups attached to them)
      2 - Set Authorization to "Anyone Can Do anything"
      3 - Verify you can log in with each user and that each user can see their own groups by going to the /users/<username> URI
      4 - Set up matrix auth (any conditional auth will do, matrix is the easiest one though) and grant "admin" overall admin rights, and "user" overall "read"
      5 - Repeat step 3 - at this point admin will see their own groups, but "user" will not be able to

      This is not just visual, group based authentication does not work - looking in logs it appears that "user" only has "authorized" permission when no admin rights


          Guillaume Menguy added a comment - - edited

          Hello,

          Same problem with Jenkins 2.32.2, LDAP 1.14, the LDAP group matrix authorization does not work, all authenticated users have only 'anonymous' default permissions

          Here is a simple Groovy script to test it :

          import jenkins.model.Jenkins

          try {
              // Authorities attached to the user at login time (these are what permission checks use)
              println("  Has authorities: " + Jenkins.instance.securityRealm.authenticate("myLdapUser", "****").getAuthorities())
              // Authorities returned when the same user record is looked up by name
              println("  Has groups : " + Jenkins.instance.securityRealm.loadUserByUsername("myLdapUser").getAuthorities())
          } catch (Exception e) {
              println(e)
          }

          the result with my company Ldap server returns :
          Has authorities: [authenticated]
          Has groups: [INTERNET, TOKEN , *** ,*** .......]

          My understanding is that the first call should contain also the LDAP groups/authorities, no ?

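An added diagnostic for the Jenkins script console that extends the test in the comment above (this is not the plugin's code nor the commenter's): it compares the authorities seen at login with those seen on lookup and reports which of the missing groups the configured authorization strategy actually grants permissions to. It uses the same securityRealm.authenticate and loadUserByUsername calls as the script above plus AuthorizationStrategy.getGroups(); the username and password are placeholders.

```groovy
// Run as an administrator in the Jenkins script console.
// Placeholders: replace with a real LDAP account that belongs to a group used in the matrix.
import jenkins.model.Jenkins

def username = "myLdapUser"   // placeholder
def password = "****"         // placeholder

def realm = Jenkins.instance.securityRealm
def strategy = Jenkins.instance.authorizationStrategy

// Groups the authorization strategy references (e.g. the group rows of the matrix)
def grantedGroups = strategy.groups as Set

// Authorities as assigned at login time; permission checks are made against these
def loginAuths = realm.authenticate(username, password)
                      .authorities.collect { it.authority } as Set

// Authorities as returned when the user record is looked up by name
def lookupAuths = realm.loadUserByUsername(username)
                       .authorities.collect { it.authority } as Set

println "At login:  ${loginAuths}"
println "By lookup: ${lookupAuths}"

// Groups the realm can resolve for the user but does not attach at login
def missingAtLogin = lookupAuths - loginAuths
println "Present on lookup but missing at login: ${missingAtLogin}"

// The symptom in this ticket: a group that grants permissions is among the missing ones
def affected = missingAtLogin.intersect(grantedGroups)
if (affected) {
    println "Permissions granted to ${affected} will NOT apply to ${username} after login"
} else if (missingAtLogin) {
    println "Groups differ, but none of the missing ones are used by the authorization strategy"
} else {
    println "Login and lookup agree; group-based permissions should work for ${username}"
}
```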

          Kevin Lu added a comment -

          I'm seeing the same issue with Jenkins 2.5.9.

          We're using JumpCloud, and interestingly, if I "Enable Binding to JumpCloud LDAP Service", I can sign in again.


          Michael Pridemore added a comment -

          Seeing the same issue with Jenkins 2.46.3 and LDAP Plugin 1.15.

          We also use JumpCloud.

          Same configuration was working with an older version of Jenkins.

          luhkevin what do you mean by "Enable Binding to JumpCloud LDAP Service"?

          Senthil Palaniappan added a comment -

          Seeing the same issue with Jenkins 2.66 / 2.73 and LDAP Plugin 1.15.

          Using the matrix, I can authenticate usernames but not groups if user is member.

          When using LDAP Plugin, groups are not read unless user is explicitly granted admin rights ahead of time.

          So can we not use LDAP groups to Authenticate and login to Jenkins ? Please confirm.

          Sharon Yanko added a comment -

          Hi,

          Just encountered that problem also, using Jenkins 2.73.1 and LDAP 1.17

          Is there any solution in the near future?


          Joey Jiang added a comment -

          I had same issue when doing Jenkins migration.

          However, after some troubleshooting, it works for me using the previous LDAP and Matrix authentication plugin versions:

          LDAP 1.12
          Matrix auth 1.7

          I did upgrade/downgrade Jenkins server/LDAP plugin/Matrix auth plugin, and found it is not related to the Jenkins version (in my troubleshooting, it was 2.19.3 and 2.89.3), but to the LDAP and Matrix auth plugin versions


          Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.


          Mark Lin added a comment - - edited

          For a hack fix, I'm using jumpcloud, if user is enabled with "Enable as LDAP Bind DN", then group can be searched without user being added to admin first.  Although enabled with Bind DN meant user can search LDAP.

          It's still a bit odd, cases where user can see group info.

          1. user without "Enable as LDAP Bind DN" in jumpcloud, but with Administer privileges can view user groups
          2. user with  "Enable as LDAP Bind DN" in jumpcloud, but without Administer privileges can also view user groups

          Of course, user with admin and enable ldap can see group as well.

          That drives a hypothesis which is that an admin privileged user can use the manager DN in the LDAP connection setting to search group membership, whereas a user without admin privileges has to rely on its own LDAP permission to query for groups.

          jenkins - 2.141

          ldap plugin - 1.20


          John Jeffers added a comment -

          Any chance we can get someone to look into this? I have the same problem as others here, also using Jumpcloud. The only way I can get LDAP groups to work is if I give the user account "Enable as LDAP Bind DN" permissions. Without that, group memberships are not honored, and the logged in user does not get the permissions assigned to the group.

          Does anyone using other LDAP providers have this problem, or is this unique to Jumpcloud? Not really sure who I should be asking to fix this problem.


          James Nord added a comment - - edited

          > or is this unique to Jumpcloud

          this seems unique to JumpCloud, potentially you may need to change the configuration in Jenkins that tells Jenkins how to retrieve users' group membership.
          As JumpCloud is a paid service and this works with Microsoft Active Directory and OpenLDAP, maybe you could reach out to their support team to ask them specifically how you should configure Jenkins to work with their LDAP flavour and share that here so it can be documented?


            Assignee: Unassigned
            Reporter: Michael Lasevich (mlasevich)
            Votes: 5
            Watchers: 14