• Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Component: ldap-plugin

      I would like to see an option to synchronize Jenkins users with an LDAP database, either manually or automatically in some way.

      There are several reasons for my request, including the following:

      • when information about a user changes it doesn't appear to get reflected in the Jenkins user database (i.e. name changes, email address changes, and the like), causing the Jenkins DB to be out of date
      • alternate sources appear to directly manipulate the Jenkins user database, such as the Git plugin (see the "Create new accounts based on author/committer's email" option), which results in superfluous and/or duplicate user profiles getting created on the master
      • when users are removed from LDAP (i.e. they no longer work for the company) their user profiles remain in the Jenkins database, which exposes their profiles and settings on the Jenkins dashboard for other plugins like the email publisher, claim plugin, etc. to use, which is confusing at best and causes build failures at worst

      Having some way to either delete or at least disable Jenkins profiles that are not found in LDAP, and making sure the user information contained in the valid profiles is kept up to date, would be extremely helpful. On large-scale rollouts with hundreds or thousands of users and frequent LDAP changes, keeping these two systems in sync is an extremely tedious and time-consuming job.

      Ideally the solution would be automatic in some way, perhaps synchronizing individual user profile information every time they log in to the Jenkins dashboard and re-synchronizing the entire user database on a schedule to purge obsolete users. If this proves to be too complex, then I would settle for a simple button on the Manage Jenkins page that would allow an admin to trigger this operation manually when desired.

          [JENKINS-39248] Synchronize Jenkins user database with LDAP

          I've linked this improvement to several other issues in the tracker, and admittedly there is some overlap between this and the others however I think there are some unique requirements I'd like to see resolved here that aren't explicitly covered elsewhere.

          For example, the feature for 'disabling' users (JENKINS-11205) would be great; however, if disabling users is still a manual process once that task is complete, then I would like to see it extended so that users for which there is no active LDAP account are automatically disabled without manual intervention.

          Also, in the case of JENKINS-24894 the scope of work is limited to just the display names of the users. I would suggest that LDAP synchronization should also include changes to email addresses and any other metadata that may be pulled from LDAP and cached by Jenkins, and that this process should be automatic as well (i.e. on user login). Further, if it makes the logic easier to implement, I would suggest that you simply provide a check-box on the Manage Jenkins page for LDAP to force the synchronization of LDAP data to Jenkins, causing any user customizations to be tossed. This would ensure consistency with the LDAP database, which 'should' be the definitive source for user information, and make it easier to keep the Jenkins database in sync (i.e. no need to cache previous data from LDAP and compare with local user changes and such). IMO this would be the preferred behavior for any large-scale implementation, but making it optional - and even disabled by default if so desired - would be acceptable.
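          Until the ldap-plugin grows a built-in sync, the "purge obsolete users" half of the request in the description above and in this comment can be approximated from the Jenkins script console. The following Groovy script is an added example written for this page; it is not code from the issue, the ldap-plugin or Jenkins itself. It walks every record in the Jenkins user database, asks the configured security realm (LDAP here) to resolve the user id, and reports the records the realm no longer knows. The `DRY_RUN` and `KEEP` settings are assumptions of this script: it only reports unless `DRY_RUN` is switched off, and the ids in `KEEP` are placeholders for whatever local or break-glass accounts exist in a given installation.

```groovy
// Added example, not part of the issue or the ldap-plugin.
// Run from Manage Jenkins > Script Console on Jenkins >= 2.266
// (loadUserByUsername2 exists from that version; older cores use loadUserByUsername).
import jenkins.model.Jenkins
import hudson.model.User
import org.springframework.security.core.userdetails.UsernameNotFoundException

// Assumed settings for this script: report only unless DRY_RUN is false,
// and never touch the ids listed in KEEP (adjust to the local accounts you rely on).
def DRY_RUN = true
def KEEP = ['admin', 'SYSTEM'] as Set

def realm = Jenkins.get().getSecurityRealm()

def stale = []      // user records the realm cannot resolve
def unknown = []    // lookups that failed for a reason other than "not found"

User.getAll().each { User u ->
    def id = u.getId()
    if (KEEP.contains(id)) {
        return
    }
    try {
        // Ask the security realm (LDAP) whether this id still exists.
        realm.loadUserByUsername2(id)
    } catch (UsernameNotFoundException e) {
        stale << u
    } catch (Exception e) {
        // A directory outage or bind error must not be mistaken for "user removed":
        // record it and leave the account alone.
        unknown << "${id}: ${e.class.simpleName}: ${e.message}"
    }
}

println "${stale.size()} Jenkins user record(s) not found in the security realm:"
stale.each { User u ->
    println "  ${u.getId()} (${u.getFullName()})"
    if (!DRY_RUN) {
        // Deletes the user's directory under $JENKINS_HOME/users, including
        // API tokens and user-scoped credentials. Audit the dry-run output first.
        u.delete()
    }
}

if (unknown) {
    println "${unknown.size()} lookup(s) could not be completed and were skipped:"
    unknown.each { println "  ${it}" }
}
```

          Two caveats for anyone running this. First, deletion is destructive: `User.delete()` removes the user's configuration, API tokens and any user-scoped credentials, which is why the script separates "the realm says not found" from "the lookup failed" and defaults to reporting only. Second, records created from commit metadata by the Git plugin option mentioned in the description will reappear on the next changelog scan unless that option is turned off, so the purge is only durable if that source is closed as well.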


          Daniel Beck added a comment -

          Why was this assigned to me?


          Frank yu added a comment -

          At least let users change their password when Jenkins access control is configured with LDAP.
          Currently users can't change their password.


            Assignee: Unassigned
            Reporter: Kevin Phillips (leedega)
            Votes: 3
            Watchers: 4