JENKINS-37858: Group based LDAP authentication does not work

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: ldap-plugin
    • Environment: Jenkins 2.10 (recreated in 1.566)
      ldap-plugin 1.12

      When using the LDAP Plugin, groups are not read unless the user is explicitly granted admin rights ahead of time (defeating the point of using LDAP groups).

      I believe it is not a config issue, as if the user is admin they can, in fact, see groups with the same config.

      To Recreate:

      1 - Set up the LDAP Plugin to point to a working LDAP server with two user accounts (say, "admin" and "user"; make both have groups attached to them)
      2 - Set Authorization to "Anyone can do anything"
      3 - Verify you can log in with each user and each user can see their own groups by going to the /users/<username> URI
      4 - Set up matrix auth (any conditional auth will do, matrix is the easiest one though) and grant "admin" overall admin rights, and "user" overall "read"
      5 - Repeat step 3 - at this point admin will see their own groups, but "user" will not be able to

      This is not just visual: group based authentication does not work. Looking in the logs, it appears that "user" only has the "authorized" permission when they have no admin rights.


          Michael Lasevich created issue -

          Taylor K added a comment -

          I have same issue with LDAP Plugin 1.12 and Jenkins 2.7.2.

          Using the matrix, I can authenticate usernames but not groups if user is member.


          Guillaume Menguy added a comment - edited

          Hello,

          Same problem with Jenkins 2.32.2 and LDAP 1.14: the LDAP group matrix authorization does not work; all authenticated users have only the 'anonymous' default permissions.

          Here is a simple Groovy script to test it:

          import jenkins.model.Jenkins

          try {
              // Authorities returned when the user is authenticated against the realm
              println("  Has authorities: " + Jenkins.instance.securityRealm.authenticate("myLdapUser", "****").getAuthorities())

              // Authorities returned when the same user is looked up by name
              println("  Has groups : " + Jenkins.instance.securityRealm.loadUserByUsername("myLdapUser").getAuthorities())
          } catch (Exception e) {
              println(e)
          }

          The result with my company LDAP server returns:
          Has authorities: [authenticated]
          Has groups: [INTERNET, TOKEN , *** ,*** .......]

          My understanding is that the first call should contain also the LDAP groups/authorities, no ?

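An added diagnostic for the Jenkins script console, not part of this ticket or the plugin, that extends the check in the comment above to the reproduction steps in the description: it compares the authorities returned at login with those returned by a user lookup, reports any groups missing from the login set, and, when the matrix strategy is in use, shows whether each group resolves in the realm and which permissions are explicitly granted to it. The username and password are placeholders, and it assumes a matrix-auth version that exposes hasExplicitPermission(String, Permission).

```groovy
import jenkins.model.Jenkins
import hudson.security.GlobalMatrixAuthorizationStrategy
import hudson.security.Permission

// Placeholders: replace with a real LDAP user and password before running.
def username = "myLdapUser"
def password = "****"

def realm = Jenkins.instance.securityRealm
def strategy = Jenkins.instance.authorizationStrategy

// Authorities granted at login time; this is what the authorization strategy consults.
def atLogin = realm.authenticate(username, password).authorities*.authority as Set
// Authorities reported by a plain user lookup, which includes LDAP group membership.
def byLookup = realm.loadUserByUsername(username).authorities*.authority as Set

println "Login-time authorities : ${atLogin}"
println "Lookup-time authorities: ${byLookup}"

// Any group present on lookup but absent at login can never match a matrix row.
def missing = byLookup - atLogin
println(missing ? "Groups missing at login: ${missing}" : "Login and lookup agree")

if (strategy instanceof GlobalMatrixAuthorizationStrategy) {
    (byLookup - ['authenticated']).each { sid ->
        // Does the realm resolve this name as a group at all?
        boolean resolves = true
        try {
            realm.loadGroupByGroupname(sid)
        } catch (Exception e) {
            resolves = false
        }
        // Which permissions does the matrix explicitly grant to this group name?
        def granted = Permission.all.findAll { p -> strategy.hasExplicitPermission(sid, p) }*.id
        println "${sid}: resolves=${resolves}, explicit permissions=${granted}"
    }
} else {
    println "Authorization strategy is ${strategy.class.name}, matrix checks skipped"
}
```

Run it as an administrator in Manage Jenkins > Script Console; a group that appears under "Lookup-time" but not under "Login-time" is the symptom described in this ticket.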

          Kevin Lu added a comment -

          I'm seeing the same issue with Jenkins 2.5.9.

          We're using JumpCloud, and interestingly, if I "Enable Binding to JumpCloud LDAP Service", I can sign in again.


          Michael Pridemore added a comment -

          Seeing the same issue with Jenkins 2.46.3 and LDAP Plugin 1.15.

          We also use JumpCloud.

          Same configuration was working with an older version of Jenkins.

          luhkevin what do you mean by "Enable Binding to JumpCloud LDAP Service"?

          Senthil Palaniappan added a comment -

          Seeing the same issue with Jenkins 2.66 / 2.73 and LDAP Plugin 1.15.

          Using the matrix, I can authenticate usernames but not groups if the user is a member.

          When using the LDAP Plugin, groups are not read unless the user is explicitly granted admin rights ahead of time.

          So can we not use LDAP groups to authenticate and log in to Jenkins? Please confirm.

          Sharon Yanko added a comment -

          Hi,

          Just encountered that problem also, using Jenkins 2.73.1 and LDAP 1.17.

          Is there any solution in the near future?


          Joey Jiang added a comment -

          I had same issue when doing Jenkins migration.

          However, after some troubleshooting, it works for me using the previous LDAP and Matrix auth plugin versions:

          LDAP 1.12
          Matrix auth 1.7

          I did upgrade/downgrade the Jenkins server / LDAP plugin / Matrix auth plugin, and found it is not related to the Jenkins version (in my troubleshooting, it was 2.19.3 and 2.89.3), but to the LDAP and Matrix auth plugin versions.



          Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

          Oleg Nenashev made changes -
          Assignee: Original: Kohsuke Kawaguchi [ kohsuke ]; New: Unassigned

            Reporter: Michael Lasevich [ mlasevich ]
            Votes: 5
            Watchers: 14
