
User loses authenticated group (authority) membership

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • ldap-plugin
    • None
    • jenkins 2.32.1
      matrix-auth 1.4
      ldap 1.13

      In Jenkins the LDAP plugin is configured to talk to an Active Directory server for user authentication. In addition we use the Matrix Authorization plugin to configure access to jobs.

      When a user first logs in, everything looks fine. The whoAmI page shows the "authenticated" authority in addition to groups and roles. After a while (about an hour) [1], however, some users are no longer granted the "authenticated" authority. While they are still logged in, they will receive an "access denied" error when trying to perform an action for which permission is granted to the "authenticated" group.

      Almost all our jobs require the user to log in, while accessing general build information is also granted to anonymous users.

      [1] I believe an hour is the idle timeout when not using the "remember me" feature. However, I've also seen it happen when a user does not log out on a laptop. The next day, when visiting the Jenkins web interface again, the user is still logged in, but not sufficiently authorized.
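A client-side check for the symptom described above, as an added example that is not part of the original report or of the LDAP plugin: it compares two whoAmI snapshots of one session and separates "still logged in but missing the authenticated authority" from an ordinary expired session. The snapshots are constructed sample data, and the field names (`name`, `anonymous`, `authorities`) are assumed to match the JSON form of the whoAmI page.

```python
import json

# Constructed whoAmI snapshots (sample data, not taken from the issue).
# Field names are an assumption about the JSON export of the whoAmI page.
AT_LOGIN = json.loads(
    '{"name": "alice", "anonymous": false,'
    ' "authorities": ["authenticated", "ci-developers"]}'
)
AFTER_IDLE = json.loads(
    '{"name": "alice", "anonymous": false, "authorities": ["ci-developers"]}'
)
EXPIRED = json.loads(
    '{"name": "anonymous", "anonymous": true, "authorities": ["anonymous"]}'
)


def session_degraded(snapshot):
    """True when a logged-in user lacks the 'authenticated' authority."""
    if snapshot.get("anonymous", True):
        # An expired session falls back to anonymous; that is expected
        # behaviour and not the condition reported in this issue.
        return False
    return "authenticated" not in snapshot.get("authorities", [])


def lost_authorities(before, after):
    """Authorities present in the earlier snapshot but missing later."""
    if before.get("name") != after.get("name"):
        raise ValueError("snapshots belong to different users")
    return sorted(set(before.get("authorities", []))
                  - set(after.get("authorities", [])))


def report(before, after):
    """Summarise one session for an access-denied investigation."""
    same_user = before.get("name") == after.get("name")
    return {
        "user": before.get("name"),
        "degraded": session_degraded(after),
        "lost": lost_authorities(before, after) if same_user else None,
    }


if __name__ == "__main__":
    print(report(AT_LOGIN, AFTER_IDLE))
    print(report(AT_LOGIN, EXPIRED))
```
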

          [JENKINS-41251] User loses authenticated group (authority) membership

          Emilio Escobar added a comment - It could happen if the group membership strategy is FromUser

          T.B. Anton added a comment -

          Yes, we were using FromUserRecordLDAPGroupMembershipStrategy in our configuration. That was left unchanged when we switched from OpenLDAP to Active Directory.

          Triggered by JENKINS-38124 I took another look at the available options and it seems we are also able to use FromGroupSearchLDAPGroupMembershipStrategy. I changed our configuration and it seems roles do stick now.

          Daniel Beck added a comment -

          Looks like an issue in LDAP plugin, not matrix-auth.

          Oleg Nenashev added a comment -

          In order to set proper expectations, I have unassigned Kohsuke from this ticket.
          Currently there is no default assignee in the LDAP plugin; any contributions will be appreciated.

            Assignee: Unassigned
            Reporter: T.B. Anton (tba)