[JENKINS-41914] Basic authentication with group membership strategy and FreeIPA

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component/s: ldap-plugin
    • None

      We use kerberos-sso, ldap plugin, and role strategy for authentication and authorization.

      A FreeIPA server is configured as the LDAP server.

      Authorization works well with Kerberos login. However, with basic authentication, the ldap plugin doesn't return the user's indirect groups for authorization.

      Attached files:
      test.groovy: script for checking the authorities returned for a login
      ldap-plugin.conf: part of the ldap plugin config
      0001-Fix-bug-basic-authentication-can-t-work-with-group-m.patch: a temporary solution

          Toan Pham created issue -

          Oliver Gondža added a comment -

          I am wondering how the kerberos plugin is involved. Coincidentally, the basic auth is not handled by kerberos-sso. Do I understand correctly that the permissions are correct when kerberos negotiation is used but "wrong" when basic auth is used?

          [1] https://issues.jenkins-ci.org/browse/JENKINS-38687
          Markus Winter made changes -
          Component/s Original: role-strategy-plugin [ 15758 ]
          Oliver Gondža made changes -
          Component/s Original: kerberos-sso-plugin [ 21725 ]

            t_westling Tomas Westling
            ptt_mt0003 Toan Pham