Type: Bug | Resolution: Unresolved | Priority: Critical | None
To reproduce:
- configure Jenkins with LDAP security
- check "Group membership: Parse user attribute for list of groups"
- this will lead to the following entry in config.xml:
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
- configure full logging for the org.acegisecurity package (all log levels)
- log in with an arbitrary (probably best new) user, let's call him HORST
- check the logs, you will see something like this:
Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,dc=corporation,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'
- I.e. Jenkins is using the potentially very expensive default group filter on login, although the user configured to use memberOf instead.
The reason for this is this call here https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/java/hudson/security/LDAPSecurityRealm.java#L1010:
super.getGroupMembershipRoles(userDn,username)
Which in turn uses the configured groupSearchFilter in org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator.
This should probably instead call the code in FromUserRecordLDAPGroupMembershipStrategy.getGrantedAuthorities, like it is called here: https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/java/hudson/security/LDAPSecurityRealm.java#L896
I would have created a pull request, but it is a bit beyond me how to access groupMembershipStrategy from AuthoritiesPopulatorImpl.
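A defender-side check for what this report describes, added here as an example that is not part of the issue or of the ldap plugin: it reads the groupMembershipStrategy class from config.xml and flags every org.acegisecurity role-search line in the login log, since with the user-record strategy configured no group search should run at all. The config fragment and log lines are constructed (the first log line mirrors the one quoted above); the placement of the element directly under securityRealm is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

FROM_USER_RECORD = "jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"

# Constructed fragment of a Jenkins config.xml with the strategy from the report;
# the element path under <securityRealm> is assumed.
CONFIG_XML = """<hudson>
  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap">
    <groupMembershipStrategy class="%s"/>
  </securityRealm>
</hudson>""" % FROM_USER_RECORD

# Constructed org.acegisecurity log lines; the first mirrors the one quoted in the report.
LOG_LINES = [
    "Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,"
    "dc=corporation,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1}))"
    " in search base 'OU=KEVIN,OU=GUENTHER'",
    "Processing authentication request for user: HORST",
]

# Matches the populator's debug line that is only emitted when a group search runs.
ROLE_SEARCH_RE = re.compile(
    r"Searching for roles for user '(?P<user>[^']*)', DN = '(?P<dn>[^']*)', "
    r"with filter (?P<filter>.*?) in search base '(?P<base>[^']*)'"
)

def configured_strategy(config_xml: str) -> Optional[str]:
    """Return the class attribute of <groupMembershipStrategy>, or None if absent."""
    el = ET.fromstring(config_xml).find("./securityRealm/groupMembershipStrategy")
    return None if el is None else el.get("class")

def parse_role_search(line: str) -> Optional[Dict[str, str]]:
    """Extract user, DN, filter and search base from a role-search log line."""
    m = ROLE_SEARCH_RE.search(line)
    return None if m is None else m.groupdict()

def find_unexpected_group_searches(config_xml: str, log_lines: List[str]) -> List[Dict[str, str]]:
    """With the user-record strategy configured, no group search should run at login,
    so every role-search line found is evidence of the behaviour in this report."""
    if configured_strategy(config_xml) != FROM_USER_RECORD:
        return []  # a group search is expected behaviour for the other strategy
    return [p for p in (parse_role_search(l) for l in log_lines) if p is not None]

if __name__ == "__main__":
    for hit in find_unexpected_group_searches(CONFIG_XML, LOG_LINES):
        print("group search ran for %(user)s with filter %(filter)s in %(base)s" % hit)
```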
Related issue: JENKINS-41251 User loses authenticated group (authority) membership (Open)
[JENKINS-38124] Although FromUserRecordLDAPGroupMembershipStrategy is configured, Jenkins still populates authorities by using group search (with the default pattern)
Description | edited: the typo 'expensivie' in the quoted DN was corrected to 'expensive'; the text is otherwise identical to the description above.
Comment | correction: Probably, LDAPSecurityRealm$AuthoritiesPopulatorImpl should override getGrantedAuthorities in addition to getGroupMembershipRoles, and do the correct call there.
Assignee | Original: Kohsuke Kawaguchi [ kohsuke ] | New: Emilio Escobar [ escoem ] |
Attachment | New: 01-ldap-ajones-user.png [ 35687 ] |
Attachment | New: 02-ldap-brodate-group.png [ 35688 ] |
Attachment | New: 03-ldap-gambit-group.png [ 35689 ] |
Attachment | New: 04-jenkins-security-ldap-fromuser.png [ 35690 ] |
Attachment | New: 05-jenkins-security-matrixroles.png [ 35691 ] |
The issue is caused by LdapAuthenticationProvider in method createUserDetails, which uses AuthoritiesPopulator during login. MembershipStrategy classes should probably be changed to always use AuthoritiesPopulator, and there should be two implementations of them.