Type: Bug
Resolution: Unresolved
Priority: Critical
To reproduce:
- configure Jenkins with LDAP security
- check "Group membership: Parse user attribute for list of groups"
- this will lead to the following entry in config.xml:
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
- configure full logging for the org.acegisecurity package (all log levels)
- log in with an arbitrary (probably best new) user, let's call him HORST
- check the logs, you will see something like this:
Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,dc=corporation,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'
- I.e. Jenkins is using the potentially very expensive default group filter on login, although the user has configured it to use memberOf instead.
The reason for this is this call here https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/java/hudson/security/LDAPSecurityRealm.java#L1010:
super.getGroupMembershipRoles(userDn,username)
Which in turn uses the configured groupSearchFilter in org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator.
This should probably instead call the code in FromUserRecordLDAPGroupMembershipStrategy.getGrantedAuthorities, like it is called here.
I would have created a pull request, but it is a bit beyond me how to access groupMembershipStrategy from AuthoritiesPopulatorImpl.
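The two ways of deriving a user's groups that the report contrasts, as an added example that is not part of the ldap-plugin's code: it substitutes a user into the default group search filter template quoted in the log line above, reads group names off the user's own memberOf attribute as the "parse user attribute" strategy does, and scans acegisecurity log lines for a role search that should not appear at all when that strategy is configured. The function names, the group DNs and the second log line are constructed for the example; the DN, the filter template and the strategy class name are taken from the report.

```python
import re

# Group search filter template quoted in the report's log line. The plugin
# substitutes {0} with the user's DN and {1} with the username.
DEFAULT_GROUP_SEARCH_FILTER = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))"

# Strategy class name from the config.xml entry in the report.
FROM_USER_RECORD = "jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"


def ldap_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_search_filter(user_dn, username, template=DEFAULT_GROUP_SEARCH_FILTER):
    """Default strategy: substitute the user into the filter template.

    The directory then evaluates this filter against every group entry under
    the search base on each login, which is the expensive part.
    """
    return template.replace("{0}", ldap_escape(user_dn)).replace("{1}", ldap_escape(username))


def groups_from_user_record(user_entry, attribute="memberOf"):
    """'Parse user attribute' strategy: take group names from the user's own
    entry, which was already fetched during authentication, so no second
    search is needed. Returns the first RDN value of each group DN."""
    names = []
    for group_dn in user_entry.get(attribute, []):
        first_rdn = group_dn.split(",", 1)[0]
        names.append(first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn)
    return names


# Shape of the org.acegisecurity log line shown in the report.
ROLE_SEARCH_LINE = re.compile(
    r"Searching for roles for user '(?P<user>[^']+)'.*?with filter (?P<filter>\(.*\)) in search base"
)


def unexpected_group_searches(log_lines, strategy_class):
    """Return (user, filter) pairs for role searches that should not occur.

    With FROM_USER_RECORD configured no 'Searching for roles' line is expected;
    any such line is the behaviour this report describes.
    """
    if strategy_class != FROM_USER_RECORD:
        return []
    hits = []
    for line in log_lines:
        m = ROLE_SEARCH_LINE.search(line)
        if m:
            hits.append((m.group("user"), m.group("filter")))
    return hits


# Constructed sample data: the DN from the report plus invented group DNs.
HORST_DN = "cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,dc=corporation,dc=com"
HORST_ENTRY = {
    "dn": HORST_DN,
    "memberOf": [
        "cn=jenkins-admins,ou=groups,dc=big,dc=expensive,dc=corporation,dc=com",
        "cn=developers,ou=groups,dc=big,dc=expensive,dc=corporation,dc=com",
    ],
}
# Constructed log excerpt: an unrelated line plus the line from the report.
SAMPLE_LOG = [
    "FINE: Loaded user attributes for 'HORST'",  # constructed; must be ignored
    "Searching for roles for user 'HORST', DN = '" + HORST_DN + "', with filter "
    "(| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'",
]

if __name__ == "__main__":
    print(group_search_filter(HORST_DN, "HORST"))
    print(groups_from_user_record(HORST_ENTRY))
    print(unexpected_group_searches(SAMPLE_LOG, FROM_USER_RECORD))
```

Running the log check over the org.acegisecurity output with the strategy class read from config.xml gives a quick way to confirm, on a test user, whether a Jenkins instance is still issuing the group search on login.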
Related issue: JENKINS-41251 User loses authenticated group (authority) membership (Open)
The issue is caused by LdapAuthenticationProvider in method createUserDetails, which uses AuthoritiesPopulator during login. MembershipStrategy classes should probably be changed to always use AuthoritiesPopulator, and there should be 2 implementations of them.