- Bug
- Resolution: Unresolved
- Minor
- None
- Openindiana hipster
The pseudo-algorithm to find the object in AD is:
- bind with the credentials from the login form against the domain the Jenkins server belongs to (as a member, per DNS, or the domain that issued the credentials/keytab for the Kerberos plugin)
- if that is not successful, bind with the bindAccount to this same domain and query for the user object
In a trusted AD environment this domain contains all necessary information about accounts from trusted domains.
It is unnecessary to search in multiple domains.
And as described in ticket JENKINS-46226, there are no dependencies between the UPN and the sAMAccountName.
The LDAP searches actually used must fail in all cases where the first token of the UPN is not equal to the sAMAccountName.
The username must be in the form a@b.c.d (UPN) or b\e (NetBIOS name of the domain\sAMAccountName).
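An added illustration of the two-step lookup and the two username forms described above. This is not the plugin's code: the directory is a constructed in-memory stand-in, the attribute names are the standard AD ones, and the lookup never assumes the UPN prefix equals the sAMAccountName.

```python
from typing import Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def lookup_key(login: str) -> tuple:
    """Map the login form to the AD attribute that actually holds it: a UPN
    (a@b.c.d) is matched on userPrincipalName, a NetBIOS form (b\\e) on
    sAMAccountName. The UPN prefix is never used as a sAMAccountName."""
    if '@' in login:
        return ('userPrincipalName', login)
    if '\\' in login:
        return ('sAMAccountName', login.split('\\', 1)[1])
    raise ValueError('login must be a UPN (a@b.c.d) or DOMAIN\\sAMAccountName')

def ldap_filter(login: str) -> str:
    """Filter a real LDAP search against this domain would use for the login."""
    attr, value = lookup_key(login)
    return '(&(objectClass=user)(%s=%s))' % (attr, escape_filter_value(value))

class FakeDomain:
    """Constructed stand-in for the Jenkins server's own domain, which in a
    trusted forest also knows the accounts of trusted domains."""
    def __init__(self, entries, passwords):
        self.entries, self.passwords = entries, passwords   # constructed data
    def bind(self, principal: str, password: str) -> bool:
        return self.passwords.get(principal) == password
    def search(self, login: str) -> Optional[dict]:
        attr, value = lookup_key(login)
        return next((e for e in self.entries
                     if e.get(attr, '').lower() == value.lower()), None)

def find_user(domain, login, password, bind_account, bind_password) -> Optional[dict]:
    """Two-step lookup from the report: bind as the user first; only if that
    fails, bind with the service account and query the object in this same domain."""
    if domain.bind(login, password):
        return domain.search(login)
    if domain.bind(bind_account, bind_password):
        return domain.search(login)
    return None
```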
In combination with the Kerberos plugin this approach must fail if used with trusted domains.
The Kerberos plugin authenticates successfully and then removes the domain information from the UPN. This is really unnecessary and error-prone.