[JENKINS-75185] LDAP plugin searching for LDAP groups even when configured to Parse user attribute for list of LDAP groups

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • ldap-plugin
    • None

      Reproduction Steps

      1. Install the Jenkins LDAP plugin
      2. Configure LDAP authentication
      3. Under Advanced Server Configuration set Group membership to Parse user attribute for list of LDAP groups
      4. Set Group membership attribute to memberOf (this step isn't critical; this is just our config)
      5. Add some groups to the memberOf attribute
      6. Create an unrelated LDAP group.
      7. In the Jenkins Script Console, run
        Jenkins.get().getSecurityRealm().loadGroupByGroupname("szdlkjasdlkjasdlkasdfTHISISNOTAREALGROUPNAME", true).getName()
        

        and

        Jenkins.get().getSecurityRealm().loadGroupByGroupname("real-group-name", true).getName()

      Expected Results

      1. For a real group name, return the correct group name
      2. For an invalid group name, return nothing. My specific example might end up throwing an NPE for running .getName() on a null object.

      Actual Results

      Always returns the name of the actual LDAP group instead of parsing the user attribute for list of LDAP groups

      Additional Information

      This is likely long-standing, but was surfaced via JENKINS-72984, as the validateGroup() method now does a lookup instead of just using the passed groupname.

      BEFORE

      String escapedSid = Functions.escape(groupName);
      

      AFTER

      GroupDetails details = sr.loadGroupByGroupname2(groupName, false);
      escapedSid = Util.escape(StringUtils.abbreviate(details.getDisplayName(), 50));
      

       
      This causes the Assign Roles page to display the incorrect groups, which caused us to assign permissions to the wrong group.
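
An added example, not part of the original report or the plugin's code: a Python check that derives group names from sampled memberOf values and flags role assignments that the parse-user-attribute setting could never grant, such as the unrelated group from the reproduction steps. It assumes the group name is the value of the leftmost RDN of each memberOf DN and that names compare case-insensitively; the users, DNs and assignments are constructed.

```python
import re

# Constructed sample: memberOf values as read from two user entries.
SAMPLE_USERS = {
    "alice": ["CN=jenkins-admins,OU=Groups,DC=example,DC=org",
              "CN=Build\\, Release,OU=Groups,DC=example,DC=org"],
    "bob": ["cn=jenkins-devs,ou=Groups,dc=example,dc=org"],
}
# Constructed sample: group names that hold roles in the authorization config.
ASSIGNED_GROUPS = ["Jenkins-Admins", "Build, Release", "unrelated-group"]

_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")

def leftmost_rdn_value(dn):
    """Value of the first RDN of a DN, honouring RFC 4514 escapes.
    Multi-valued RDNs (a+b) are not split; non-DN values are returned as-is."""
    out, i, seen_eq = bytearray(), 0, False
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if _HEXPAIR.fullmatch(pair):      # \XX is one raw byte
                out.append(int(pair, 16))
                i += 3
            else:                             # \, \+ \" ... is a literal char
                out += dn[i + 1].encode()
                i += 2
            continue
        if ch == "," and seen_eq:             # unescaped comma ends the first RDN
            break
        if ch == "=" and not seen_eq:
            seen_eq, out = True, bytearray()  # discard the attribute type
        else:
            out += ch.encode()
        i += 1
    return out.decode("utf-8", "replace") if seen_eq else dn

def groups_from_member_of(users):
    """Group names each user receives when the attribute is parsed (assumed rule)."""
    return {u: {leftmost_rdn_value(v) for v in vals} for u, vals in users.items()}

def unreachable_assignments(assigned, users):
    """Assigned names that no sampled user's memberOf yields (case-insensitive)."""
    granted = {g.casefold() for gs in groups_from_member_of(users).values() for g in gs}
    return [name for name in assigned if name.casefold() not in granted]

if __name__ == "__main__":
    for name in unreachable_assignments(ASSIGNED_GROUPS, SAMPLE_USERS):
        print("review assignment:", name)
```

A name reported here resolved only through a directory search, so any role attached to it deserves a manual review before it is trusted.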
       


            Assignee: Unassigned
            Reporter: Ricky Murphy (rickymurphy)