
ActiveDirectory plugin advanced configuration not available without specifying custom domain name

      In "Configure Global Security" it is not possible in the UI to configure advanced active directory options without selecting the "Specify custom Active directory domain name" check box. This prevents users from modifying custom advanced settings (such as caching) without configuring AD manually.

      After investigation I have found that using a custom active directory domain results in random socket closed failures. If I use the default AD config (which appears to use COM objects in code) it works without any issues. However, the default AD config does not provide the ability to configure caching in the UI.

      Users should be able to specify advanced settings for the default AD config option. The "Advanced" button should be moved in the UI so that it does not depend on showing/hiding the "Specify custom Active directory domain name" content. Only options that are used by the default Windows COM mode should be shown independent of the button. If some are not applicable then they should be separated so that there are two sections - generic advanced and unix/custom advanced.

      Workaround
      Settings can be modified manually in config.xml. Here is an example:

        <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.6">
      
          ...
      
          <cache>
            <size>500</size>
            <ttl>1800</ttl>
          </cache>
        </securityRealm>
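
The workaround above, as an added example (not part of the original issue or the plugin's code): a Python helper that sets the `<cache>` values on the Active Directory realm in `config.xml` text and refuses to touch any other realm. The function names and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

AD_REALM = "hudson.plugins.active_directory.ActiveDirectorySecurityRealm"
XML_DECL = re.compile(r"\s*<\?xml[^>]*\?>\s*")

# Constructed sample: a minimal config.xml with no <cache> element yet.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.plugins.active_directory.ActiveDirectorySecurityRealm" plugin="active-directory@2.6">
  </securityRealm>
</hudson>
"""

def _parse(config_xml):
    """Split off the XML declaration (kept verbatim) and parse the rest."""
    m = XML_DECL.match(config_xml)
    decl = m.group(0) if m else ""
    return decl, ET.fromstring(config_xml[len(decl):])

def _ad_realm(root):
    """Return the <securityRealm> element, but only if it is the AD realm."""
    realm = root.find("securityRealm")
    if realm is None or realm.get("class") != AD_REALM:
        raise ValueError("securityRealm is not the Active Directory realm")
    return realm

def read_ad_cache(config_xml):
    """Return (size, ttl) from the AD realm, or None if no cache is set."""
    cache = _ad_realm(_parse(config_xml)[1]).find("cache")
    if cache is None or None in (cache.findtext("size"), cache.findtext("ttl")):
        return None
    return int(cache.findtext("size")), int(cache.findtext("ttl"))

def set_ad_cache(config_xml, size, ttl):
    """Return config.xml text with <cache> size/ttl set; safe to re-run."""
    if size <= 0 or ttl <= 0:
        raise ValueError("size and ttl must be positive integers")
    decl, root = _parse(config_xml)
    realm = _ad_realm(root)
    cache = realm.find("cache")
    if cache is None:
        cache = ET.SubElement(realm, "cache")
    for tag, value in (("size", size), ("ttl", ttl)):
        node = cache.find(tag)
        if node is None:
            node = ET.SubElement(cache, tag)
        node.text = str(value)
    # ElementTree drops the declaration on output, so re-attach the original.
    return decl + ET.tostring(root, encoding="unicode")
```

Keep a backup of `config.xml` and apply the change while Jenkins is stopped, or reload the configuration from disk afterwards, so the running instance does not overwrite the edit.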
      

          [JENKINS-46884] ActiveDirectory plugin advanced configuration not available without specifying custom domain name

          Félix Belzunce Arcos added a comment - Trying to reproduce - I never run Jenkins on Win servers, so likely this is really happening.

          Félix Belzunce Arcos added a comment - The problem is that https://github.com/jenkinsci/active-directory-plugin/blob/active-directory-2.6/src/main/resources/hudson/plugins/active_directory/ActiveDirectorySecurityRealm/config.jelly#L36 should be moved outside the optionalBlock

          Félix Belzunce Arcos added a comment - mrichar2 Would you mind to try the snapshot generated by https://github.com/jenkinsci/active-directory-plugin/pull/79 and to ack here everything is fine so I can merge the PR, please? https://ci.jenkins.io/job/Plugins/job/active-directory-plugin/job/PR-79/1/artifact/target/active-directory.hpi

          Mark R added a comment -

          The advanced tab is now accessible for non-custom AD configurations. However, it exposes properties that are not used by the Windows automatic setup, which may be confusing.

          From what I can tell it appears that the automatic Windows setup only makes use of the cache config. https://github.com/jenkinsci/active-directory-plugin/blob/master/src/main/java/hudson/plugins/active_directory/ActiveDirectoryAuthenticationProvider.java#L94

          The Jenkins internal database, groups options, and tls config all appear to only be used if custom active directory domains are set up. https://github.com/jenkinsci/active-directory-plugin/blob/master/src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java#L181

          Hence it may make sense to move those around so that the cache options are always available while the other ones are only available when specifying a custom domain name (aka nested inside of the custom domain name section whereas the cache options would be at the root layer).

          Félix Belzunce Arcos added a comment - mrichar2 Yes, you are right. Can you try now with https://ci.jenkins.io/job/Plugins/job/active-directory-plugin/job/PR-79/5/artifact/target/active-directory.hpi ?

          Markus Winter added a comment -

          The Remove irrelevant groups feature is also used in both setups.

          So best would be to move the cache and irrelevant groups config totally out of the choose block.

            fbelzunc Félix Belzunce Arcos
            mrichar2 Mark R