
Although FromUserRecordLDAPGroupMembershipStrategy is configured, Jenkins still populates authorities by using group search (with the default pattern)

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: ldap-plugin
    • Labels: None

      To reproduce:

      • configure Jenkins with LDAP security
      • check "Group membership: Parse user attribute for list of groups"
      • this will lead to the following entry in config.xml:
        <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
      • configure full logging for the org.acegisecurity package (all log levels)
      • log in with an arbitrary (probably best new) user, let's call him HORST
      • check the logs, you will see something like this:
        Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,dc=corporation,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'
      • I.e. Jenkins is using the potentially very expensive default group filter on login, although the user configured to use memberOf instead.

      The reason for this is this call here https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/java/hudson/security/LDAPSecurityRealm.java#L1010:

      super.getGroupMembershipRoles(userDn,username)

      Which in turn uses the configured groupSearchFilter in org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator.

      This should probably instead call the code in FromUserRecordLDAPGroupMembershipStrategy.getGrantedAuthorities, like it is called here.

      I would have created a pull request, but it is a bit beyond me how to access groupMembershipStrategy from AuthoritiesPopulatorImpl.
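The reproduction steps above amount to a consistency check: config.xml says the realm should parse the user's own attribute, yet the org.acegisecurity log shows a group search with the default filter. The script below, an added illustration for this issue and not ldap-plugin code, automates that check. It reads the groupMembershipStrategy class from config.xml, matches the "Searching for roles for user" log message quoted in the report, and reports any login where a group search ran although FromUserRecordLDAPGroupMembershipStrategy is configured. The config.xml wrapper and the log lines are constructed samples; only the groupMembershipStrategy element and the HORST log line come from the report.

```python
"""Flag group searches that run although memberOf parsing is configured.

Added illustration for JENKINS-38124, not part of the ldap-plugin.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

FROM_USER_RECORD = "jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"

# Constructed sample: the element the report shows, wrapped in a minimal
# <securityRealm> so it parses stand-alone.
SAMPLE_CONFIG_XML = """<hudson>
  <securityRealm class="hudson.security.LDAPSecurityRealm">
    <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
  </securityRealm>
</hudson>
"""

# Constructed sample log: the first line is the message quoted in the report,
# the second a second login of the same shape, the third is noise.
SAMPLE_LOG = """\
FINE: Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,dc=corporation,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'
FINE: Searching for roles for user 'alice', DN = 'cn=alice,ou=people,dc=example,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'ou=groups'
FINE: Loading user details for 'alice'
"""

# Shape of the DefaultLdapAuthoritiesPopulator message as it appears in the report.
ROLE_SEARCH_RE = re.compile(
    r"Searching for roles for user '(?P<user>[^']+)', DN = '(?P<dn>[^']+)', "
    r"with filter (?P<filter>.+?) in search base '(?P<base>[^']*)'"
)


def configured_strategy(config_xml: str) -> Optional[str]:
    """Return the class attribute of <groupMembershipStrategy>, or None if absent."""
    root = ET.fromstring(config_xml)
    element = root.find(".//groupMembershipStrategy")
    return None if element is None else element.get("class")


def group_searches(log_text: str) -> List[Dict[str, str]]:
    """Extract every group search (user, DN, filter, base) from the log."""
    hits = []
    for line in log_text.splitlines():
        match = ROLE_SEARCH_RE.search(line)
        if match:
            hits.append(match.groupdict())
    return hits


def find_mismatch(config_xml: str, log_text: str) -> List[Dict[str, str]]:
    """Group searches that ran although the user-record strategy is configured.

    An empty list means either a different strategy is configured (so a group
    search is expected) or no group search was logged.
    """
    if configured_strategy(config_xml) != FROM_USER_RECORD:
        return []
    return group_searches(log_text)


if __name__ == "__main__":
    for hit in find_mismatch(SAMPLE_CONFIG_XML, SAMPLE_LOG):
        print(f"group search ran for {hit['user']!r} in base {hit['base']!r} "
              f"despite FromUserRecord strategy: filter {hit['filter']}")
```

Run it against a real config.xml and the org.acegisecurity log with the sample constants swapped for file contents; a non-empty result reproduces the behaviour described in this issue.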


          Ondrej Kmoch added a comment -

          The issue is caused by LdapAuthenticationProvider in method createUserDetails, which uses AuthoritiesPopulator during login. MembershipStrategy classes should probably be changed to always use AuthoritiesPopulator, and there should be 2 implementations of them.


          Emilio Escobar added a comment - - edited

          I'd like to add more context and explanations about how it is working currently, to justify that PR (https://github.com/jenkinsci/ldap-plugin/pull/11).

          A very simple LDAP configuration where the user has different group membership configured on the group side and the user side:

          LDAP is configured at Jenkins, using group membership - Parse user attribute for list of groups

          And two groups in the matrix: brodate has administer permission and gambit just read.

          After login, ajones has manager access

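The scenario in the comment above turns on the two membership strategies answering a different question: the user-record strategy trusts the user's own memberOf attribute, the group search trusts the groups' member lists. When the directory is inconsistent between the two sides, the user ends up with whatever the strategy that actually ran grants. The following is an added illustration, not plugin code: a constructed in-memory directory (the names brodate, gambit and ajones are taken from the comment; every DN, attribute value and the matrix are assumptions) on which both strategies are evaluated and mapped to the matrix permission.

```python
"""Show how the two membership strategies diverge on an inconsistent directory.

Added illustration for JENKINS-38124, not part of the ldap-plugin.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed directory: ajones' memberOf says only gambit, while the brodate
# group's member list also names ajones. Both sides disagree on purpose.
DIRECTORY: Dict[str, Entry] = {
    "uid=ajones,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["ajones"],
        "memberOf": ["cn=gambit,ou=groups,dc=example,dc=com"],   # user side
    },
    "cn=brodate,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["brodate"],
        "member": ["uid=ajones,ou=people,dc=example,dc=com"],   # group side only
    },
    "cn=gambit,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["gambit"],
        "member": [],
    },
}

GROUP_BASE = "ou=groups,dc=example,dc=com"   # assumed group search base

# Constructed authorization matrix, as described in the comment.
MATRIX = {"brodate": "Administer", "gambit": "Read"}
PERMISSION_RANK = {"Read": 1, "Administer": 2}


def rdn_value(dn: str) -> str:
    """First RDN value of a DN, e.g. 'cn=gambit,ou=groups,...' -> 'gambit'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def groups_from_user_record(directory: Dict[str, Entry], user_dn: str,
                            attribute: str = "memberOf") -> List[str]:
    """Parse-user-attribute strategy: groups come from the user's own entry."""
    return sorted(rdn_value(g) for g in directory[user_dn].get(attribute, []))


def groups_from_group_search(directory: Dict[str, Entry], user_dn: str,
                             username: str, group_base: str = GROUP_BASE) -> List[str]:
    """Default group search filter from the report:
    (| (member={0}) (uniqueMember={0}) (memberUid={1}))
    with {0} = user DN and {1} = username, evaluated over the group base."""
    found = []
    for dn, entry in directory.items():
        if not dn.endswith("," + group_base):
            continue
        if (user_dn in entry.get("member", [])
                or user_dn in entry.get("uniqueMember", [])
                or username in entry.get("memberUid", [])):
            found.append(rdn_value(dn))
    return sorted(found)


def effective_permission(groups: List[str],
                         matrix: Dict[str, str] = MATRIX) -> Optional[str]:
    """Highest matrix permission reachable through any of the groups."""
    granted = [matrix[g] for g in groups if g in matrix]
    return max(granted, key=PERMISSION_RANK.__getitem__, default=None)


if __name__ == "__main__":
    user_dn = "uid=ajones,ou=people,dc=example,dc=com"
    via_user = groups_from_user_record(DIRECTORY, user_dn)
    via_search = groups_from_group_search(DIRECTORY, user_dn, "ajones")
    print("configured (user record):", via_user, "->", effective_permission(via_user))
    print("actually run (group search):", via_search, "->", effective_permission(via_search))
```

With this directory the configured strategy yields only gambit (Read), while the group search that the plugin actually runs yields brodate (Administer), which is the over-grant the comment describes.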

          Martin Sander added a comment -

          Thanks escoem for working on this.


          Jesse Glick added a comment -

          The PR is closed. Is this still In Progress?


            Assignee: Emilio Escobar (escoem)
            Reporter: Martin Sander (0x89)
            Votes: 3
            Watchers: 6