JENKINS-37858

Group based LDAP authentication does not work


      Description

      When using the LDAP Plugin, groups are not read unless the user is explicitly granted admin rights ahead of time (defeating the point of using LDAP groups).

      I believe it is not a config issue, as if the user is an admin, they can, in fact, see groups with the same config.

      To Recreate:

      1 - Set up LDAP Plugin to point to a working LDAP server with two user accounts (say, "admin" and "user" - make both have groups attached to them)
      2 - Set Authorization to "Anyone Can Do anything"
      3 - Verify you can log in with each user and that each user can see their own groups by going to the /users/<username> URI
      4 - Set up matrix auth (any conditional auth will do, matrix is the easiest one though) and grant "admin" overall admin rights, and "user" overall "read"
      5 - Repeat step 3 - at this point admin will see their own groups, but "user" will not be able to

      This is not just visual; group-based authentication does not work. Looking in the logs, it appears that "user" only has the "authorized" permission when they have no admin rights.
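      A script-console diagnostic for the repro steps above, added here as an example; it is not part of the original report or of the LDAP plugin. It assumes the LDAP security realm is active, that the realm's protected authenticate(username, password) is callable from Groovy, that the authorization strategy is a GlobalMatrixAuthorizationStrategy exposing hasExplicitPermission(sid, permission), and that the "user"/"****" credentials are constructed placeholders.

```groovy
import jenkins.model.Jenkins
import hudson.security.GlobalMatrixAuthorizationStrategy

// Constructed placeholders: replace with the real LDAP account under test.
def username = "user"
def password = "****"

def realm = Jenkins.instance.securityRealm

// Path 1: lookup by name. The LDAP plugin resolves this with the manager DN
// configured on the realm, so it reflects what an admin-side query can see.
def lookupGroups = realm.loadUserByUsername(username).authorities*.authority

// Path 2: a real login. The authorities on this UserDetails are what the
// user's session carries and what the authorization strategy evaluates.
// authenticate(String, String) is protected on the realm; the script console
// can still call it (assumption: the LDAP realm overrides it).
def loginGroups = []
try {
    loginGroups = realm.authenticate(username, password).authorities*.authority
} catch (Exception e) {
    println "authenticate() failed: ${e}"
}

println "loadUserByUsername -> ${lookupGroups}"
println "authenticate       -> ${loginGroups}"

// Groups that show up on lookup but not on login are the symptom described in
// this ticket: matrix rows keyed on those groups will never match the session.
def missing = lookupGroups - loginGroups
if (missing) {
    println "Groups seen on lookup but absent from the login session: ${missing}"
}

// For a global matrix strategy, show which of the looked-up groups actually
// carry the permissions granted in step 4 of the repro.
// hasExplicitPermission(String sid, Permission p) is assumed to exist.
def strategy = Jenkins.instance.authorizationStrategy
if (strategy instanceof GlobalMatrixAuthorizationStrategy) {
    lookupGroups.each { g ->
        def read  = strategy.hasExplicitPermission(g, Jenkins.READ)
        def admin = strategy.hasExplicitPermission(g, Jenkins.ADMINISTER)
        println "  ${g}: Overall/Read=${read} Overall/Administer=${admin}"
    }
} else {
    println "Authorization strategy is ${strategy.class.simpleName}; matrix check skipped"
}
```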

          Activity

          mlasevich Michael Lasevich created issue -
          jagwirez Taylor K added a comment -

          I have the same issue with LDAP Plugin 1.12 and Jenkins 2.7.2.

          Using the matrix, I can authenticate usernames but not groups if the user is a member.

          mengugu Guillaume Menguy added a comment - - edited

          Hello,

          Same problem with Jenkins 2.32.2, LDAP 1.14: the LDAP group matrix authorization does not work, and all authenticated users have only the 'anonymous' default permissions.

          Here is a simple Groovy script to test it:

          import jenkins.model.Jenkins

          try {
              // Authorities attached to the result of an actual login (password bind)
              println("  Has authorities: " + Jenkins.instance.securityRealm.authenticate("myLdapUser", "****").getAuthorities())

              // Authorities returned when the realm looks the user up by name (no password bind)
              println("  Has groups : " + Jenkins.instance.securityRealm.loadUserByUsername("myLdapUser").getAuthorities())
          } catch (Exception e) {
              println(e)
          }


          The result against my company's LDAP server is:
          Has authorities: [authenticated]
          Has groups: [INTERNET, TOKEN , *** ,*** .......]

          My understanding is that the first call should also contain the LDAP groups/authorities, no?

          luhkevin Kevin Lu added a comment -

          I'm seeing the same issue with Jenkins 2.5.9.

          We're using JumpCloud, and interestingly, if I "Enable Binding to JumpCloud LDAP Service", I can sign in again.

          mpridemore Michael Pridemore added a comment -

          Seeing the same issue with Jenkins 2.46.3 and LDAP Plugin 1.15.

          We also use JumpCloud.

          Same configuration was working with an older version of Jenkins.

          Kevin Lu, what do you mean by "Enable Binding to JumpCloud LDAP Service"?

          senthilpalaniappan Senthil Palaniappan added a comment -

          Seeing the same issue with Jenkins 2.66 / 2.73 and LDAP Plugin 1.15.

          Using the matrix, I can authenticate usernames but not groups if the user is a member.

          When using the LDAP Plugin, groups are not read unless the user is explicitly granted admin rights ahead of time.

          So can we not use LDAP groups to authenticate and log in to Jenkins? Please confirm.

          saharon27 Sharon Yanko added a comment -

          Hi,

          Just encountered that problem also, using Jenkins 2.73.1 and LDAP 1.17.

          Is there any solution in the near future?

          garumaru Joey Jiang added a comment -

          I had the same issue when doing a Jenkins migration.

          However, after some troubleshooting, it works for me using the previous LDAP and Matrix authentication plugin versions:

          LDAP 1.12
          Matrix auth 1.7

          I did upgrade/downgrade the Jenkins server/LDAP plugin/Matrix auth plugin, and found it is not related to the Jenkins version (in my troubleshooting, it was 2.19.3 and 2.89.3), but to the LDAP and Matrix auth plugin versions.

          oleg_nenashev Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

          oleg_nenashev Oleg Nenashev made changes -
          Field: Assignee | Original Value: Kohsuke Kawaguchi [ kohsuke ] | New Value: (none)
          linmark333 Mark Lin added a comment - - edited

          For a hack fix: I'm using JumpCloud, and if the user is enabled with "Enable as LDAP Bind DN", then groups can be searched without the user being added to admin first. Although enabling Bind DN means the user can search LDAP.

          It's still a bit odd; the cases where a user can see group info:

          1. A user without "Enable as LDAP Bind DN" in JumpCloud, but with Administer privileges, can view user groups
          2. A user with "Enable as LDAP Bind DN" in JumpCloud, but without Administer privileges, can also view user groups

          Of course, a user with admin and LDAP bind enabled can see groups as well.

          That drives a hypothesis: an admin-privileged user can use the manager DN in the LDAP connection settings to search group membership, whereas a user without admin privileges has to rely on its own LDAP permissions to query for groups.

          Jenkins 2.141

          LDAP plugin 1.20

          johnjeffers John Jeffers added a comment -

          Any chance we can get someone to look into this? I have the same problem as others here, also using JumpCloud. The only way I can get LDAP groups to work is if I give the user account "Enable as LDAP Bind DN" permissions. Without that, group memberships are not honored, and the logged-in user does not get the permissions assigned to the group.

          Does anyone using other LDAP providers have this problem, or is this unique to JumpCloud? Not really sure who I should be asking to fix this problem.

            People

            Assignee: Unassigned
            Reporter: mlasevich Michael Lasevich
            Votes: 5
            Watchers: 13