Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43994

Test LDAP Settings not binding as the user being tested?

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Trivial Trivial
    • ldap-plugin
    • None
    • Jenkins 2.46.1
      ldap-plugin 1.15

      When I configure the plugin and then use the Test LDAP Settings button and enter my credentials I get the following successful checks:

      Login
      Authentication: successful
      User ID: brian
      User Dn: uid=brian,cn=users,cn=accounts,dc=example,dc=com
      User Display Name: Brian J Murrell
      User email: brian.murrell@example.com
      LDAP Group membership:
      admins
      Replication Administrators
      Add Replication Agreements
      Modify Replication Agreements
      Remove Replication Agreements
      Modify DNA Range
      Read PassSync Managers Configuration
      Modify PassSync Managers Configuration
      Read LDBM Database Configuration
      Add Configuration Sub-Entries
      Read DNA Range
      System: Read Replication Agreements
      Host Enrollment
      System: Add krbPrincipalName to a Host
      System: Enroll a Host
      System: Manage Host Certificates
      System: Manage Host Enrollment Password
      System: Manage Host Keytab
      463232e8-8595-11e6-a87e-00163e3c41db
      ipausers
      477eee16-8595-11e6-bc28-00163e3c41db
      foo-devs
      foo-jenkins-admin
      ROLE_ADMINS
      ROLE_REPLICATION ADMINISTRATORS
      ROLE_ADD REPLICATION AGREEMENTS
      ROLE_MODIFY REPLICATION AGREEMENTS
      ROLE_REMOVE REPLICATION AGREEMENTS
      ROLE_MODIFY DNA RANGE
      ROLE_READ PASSSYNC MANAGERS CONFIGURATION
      ROLE_MODIFY PASSSYNC MANAGERS CONFIGURATION
      ROLE_READ LDBM DATABASE CONFIGURATION
      ROLE_ADD CONFIGURATION SUB-ENTRIES
      ROLE_READ DNA RANGE
      ROLE_SYSTEM: READ REPLICATION AGREEMENTS
      ROLE_HOST ENROLLMENT
      ROLE_SYSTEM: ADD KRBPRINCIPALNAME TO A HOST
      ROLE_SYSTEM: ENROLL A HOST
      ROLE_SYSTEM: MANAGE HOST CERTIFICATES
      ROLE_SYSTEM: MANAGE HOST ENROLLMENT PASSWORD
      ROLE_SYSTEM: MANAGE HOST KEYTAB
      ROLE_463232E8-8595-11E6-A87E-00163E3C41DB
      ROLE_IPAUSERS
      ROLE_477EEE16-8595-11E6-BC28-00163E3C41DB
      ROLE_FOO-DEVS
      ROLE_FOO-JENKINS-ADMIN

      Lookup
      User lookup: successful

      And then things go to hell and I get a bunch of errors:

      No LDAP group membership reported.
      If the user is a member of some LDAP groups then the group membership settings are probably configured incorrectly.
      Email address inconsistent (login brian.murrell@example.com versus lookup null)
      User groups inconsistent (login versus lookup)
      LDAP Group lookup: failed for 42 groups:
      463232e8-8595-11e6-a87e-00163e3c41db
      477eee16-8595-11e6-bc28-00163e3c41db
      Add Configuration Sub-Entries
      Add Replication Agreements
      Host Enrollment
      Modify DNA Range
      Modify PassSync Managers Configuration
      Modify Replication Agreements
      ROLE_463232E8-8595-11E6-A87E-00163E3C41DB
      ROLE_477EEE16-8595-11E6-BC28-00163E3C41DB
      ROLE_ADD CONFIGURATION SUB-ENTRIES
      ROLE_ADD REPLICATION AGREEMENTS
      ROLE_ADMINS
      ROLE_HOST ENROLLMENT
      ROLE_FOO-DEVS
      ROLE_FOO-JENKINS-ADMIN
      ROLE_IPAUSERS
      ROLE_MODIFY DNA RANGE
      ROLE_MODIFY PASSSYNC MANAGERS CONFIGURATION
      ROLE_MODIFY REPLICATION AGREEMENTS
      ROLE_READ DNA RANGE
      ROLE_READ LDBM DATABASE CONFIGURATION
      ROLE_READ PASSSYNC MANAGERS CONFIGURATION
      ROLE_REMOVE REPLICATION AGREEMENTS
      ROLE_REPLICATION ADMINISTRATORS
      ROLE_SYSTEM: ADD KRBPRINCIPALNAME TO A HOST
      ROLE_SYSTEM: ENROLL A HOST
      ROLE_SYSTEM: MANAGE HOST CERTIFICATES
      ROLE_SYSTEM: MANAGE HOST ENROLLMENT PASSWORD
      ROLE_SYSTEM: MANAGE HOST KEYTAB
      ROLE_SYSTEM: READ REPLICATION AGREEMENTS
      Read DNA Range
      Read LDBM Database Configuration
      Read PassSync Managers Configuration
      Remove Replication Agreements
      Replication Administrators
      System: Add krbPrincipalName to a Host
      System: Enroll a Host
      System: Manage Host Certificates
      System: Manage Host Enrollment Password
      System: Manage Host Keytab
      System: Read Replication Agreements
      Does looking up group details require a Manager Dn and password?
      Are the group search base and group search filter settings correct?
      Lockout
      The user "brian" will be unable to login with the supplied password.
      If this is your own account this would mean you would be locked out!
      Are you sure you want to save this configuration?

      Please disregard the warning about the 42 groups that could not be found.  Those are administrative groups within the LDAP server that are not searchable by anyone.

      But what is worth mentioning is that the errors at the top of the Lookup:

      No LDAP group membership reported.
      If the user is a member of some LDAP groups then the group membership settings are probably configured incorrectly.
      Email address inconsistent (login brian.murrell@example.com versus lookup null)
      User groups inconsistent (login versus lookup)

      all go away if I put the very same credentials I was testing above into the Manager DN and Manager Password fields.  This suggests to me that once the login tests is done, the credentials that were used for the login tests are not used to do the lookup tests.  Is that correct?

      If so, that is not going to accurately reflect the LDAP settings in environments where uses have to bind to the LDAP server to do lookups.

            stephenconnolly Stephen Connolly
            brianjmurrell Brian J Murrell
            Votes:
            2 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: