JENKINS-38124

Although FromUserRecordLDAPGroupMembershipStrategy is configured, Jenkins still populates authorities by using group search (with the default pattern)

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Component: ldap-plugin

      To reproduce:

      • configure Jenkins with LDAP security
      • check "Group membership: Parse user attribute for list of groups"
      • this will lead to the following entry in config.xml:
        <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
      • configure full logging for the org.acegisecurity package (all log levels)
      • log in with an arbitrary (probably best new) user, let's call him HORST
      • check the logs, you will see something like this:
        Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,dc=big,dc=expensive,dc=corporation,dc=com', with filter (| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'
      • I.e. Jenkins is using the potentially very expensive default group filter on login, although the user configured to use memberOf instead.

      The reason for this is this call here https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/java/hudson/security/LDAPSecurityRealm.java#L1010:

      super.getGroupMembershipRoles(userDn,username)

      Which in turn uses the configured groupSearchFilter in org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator.

      This should probably instead call the code in FromUserRecordLDAPGroupMembershipStrategy.getGrantedAuthorities, like it is called here: https://github.com/jenkinsci/ldap-plugin/blob/master/src/main/java/hudson/security/LDAPSecurityRealm.java#L896

      I would have created a pull request, but it is a bit beyond me how to access groupMembershipStrategy from AuthoritiesPopulatorImpl.
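As an added check (not part of the ldap-plugin or of this report), the following Python compares the strategy recorded in config.xml with the role-search lines the report quotes from the org.acegisecurity log and, for each such line, expands the {0}/{1} placeholders so the filter actually sent to the directory is visible. The config fragment and the log line are constructed from the report's own values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment carrying the entry quoted in the report.
CONFIG_XML = """<securityRealm class="hudson.security.LDAPSecurityRealm">
  <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
</securityRealm>"""

# Constructed log line in the shape quoted from DefaultLdapAuthoritiesPopulator.
LOG_LINE = ("Searching for roles for user 'HORST', DN = 'cn=HORST,ou=KEVIN,ou=GUENTHER,"
            "dc=big,dc=expensive,dc=corporation,dc=com', with filter "
            "(| (member={0}) (uniqueMember={0}) (memberUid={1})) in search base 'OU=KEVIN,OU=GUENTHER'")

FROM_USER_RECORD = "jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"

LOG_RE = re.compile(
    r"Searching for roles for user '(?P<user>[^']*)', DN = '(?P<dn>[^']*)', "
    r"with filter (?P<filter>.*) in search base '(?P<base>[^']*)'")

def configured_strategy(config_xml):
    """Return the class attribute of <groupMembershipStrategy>, or None if absent."""
    root = ET.fromstring(config_xml)
    el = root.find(".//groupMembershipStrategy")
    return el.get("class") if el is not None else None

def parse_role_search(line):
    """Split one acegi role-search log line into user, dn, filter template and base."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def expanded_filter(filter_template, dn, username):
    # Acegi fills {0} with the user's DN and {1} with the username; this is a plain
    # textual substitution for illustration (the real populator escapes the arguments).
    return filter_template.replace("{0}", dn).replace("{1}", username)

def group_search_despite_user_record(config_xml, log_lines):
    """Return the role-search records seen although the user-record strategy is configured.

    An empty list means either a different strategy is configured (so a group
    search is expected) or no group search was logged."""
    if configured_strategy(config_xml) != FROM_USER_RECORD:
        return []
    findings = []
    for line in log_lines:
        rec = parse_role_search(line)
        if rec:
            rec["expanded"] = expanded_filter(rec["filter"], rec["dn"], rec["user"])
            findings.append(rec)
    return findings
```

Run it against the acegi log captured during a login: any record returned means the expensive group search was executed in spite of the configured memberOf strategy.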


          Martin Sander created issue -
          Martin Sander made changes -
          Description: corrected the typo "expensivie" to "expensive" in the quoted log line (the text is otherwise identical to the description above).
          Martin Sander made changes -
          Comment (correction): Probably, LDAPSecurityRealm$AuthoritiesPopulatorImpl should override getGrantedAuthorities in addition to getGroupMembershipRoles, and do the correct call there.
          Emilio Escobar made changes -
          Assignee Original: Kohsuke Kawaguchi [ kohsuke ] New: Emilio Escobar [ escoem ]
          Emilio Escobar made changes -
          Attachment New: 01-ldap-ajones-user.png [ 35687 ]
          Emilio Escobar made changes -
          Attachment New: 02-ldap-brodate-group.png [ 35688 ]
          Emilio Escobar made changes -
          Attachment New: 03-ldap-gambit-group.png [ 35689 ]
          Emilio Escobar made changes -
          Attachment New: 04-jenkins-security-ldap-fromuser.png [ 35690 ]
          Emilio Escobar made changes -
          Attachment New: 05-jenkins-security-matrixroles.png [ 35691 ]
          Emilio Escobar made changes -
          Attachment New: 06-jenkins-ajones-manager-BAD.png [ 35693 ]
          Emilio Escobar made changes -
          Attachment New: 07-jenkins-ajones-groups.png [ 35694 ]

            Assignee: Emilio Escobar (escoem)
            Reporter: Martin Sander (0x89)
            Votes: 3
            Watchers: 6