- Bug
- Resolution: Unresolved
- Major
- None
Reproduction Steps
- Install the Jenkins LDAP plugin
- Configure LDAP authentication
- Under Advanced Server Configuration set Group membership to Parse user attribute for list of LDAP groups
- Set Group membership attribute to memberOf (this step isn't critical, this is just our config)
- Add some groups to the memberOf attribute
- Create an unrelated LDAP group.
- In the Jenkins Script Console, run
Jenkins.get().getSecurityRealm().loadGroupByGroupname("szdlkjasdlkjasdlkasdfTHISISNOTAREALGROUPNAME", true).getName()
and
Jenkins.get().getSecurityRealm().loadGroupByGroupname("real-group-name", true).getName()
Expected Results
- For a real group name, return the correct group name
- For an invalid group name, return nothing. My specific example might end up throwing an NPE for running .getName() on a null object.
Actual Results
Always returns the name of the actual LDAP group instead of parsing the user attribute for list of LDAP groups.
Additional Information
This is likely long-standing, but was surfaced via JENKINS-72984 as the validateGroup() method now does a lookup instead of just using the passed groupname.
BEFORE
String escapedSid = Functions.escape(groupName);
AFTER
GroupDetails details = sr.loadGroupByGroupname2(groupName, false);
escapedSid = Util.escape(StringUtils.abbreviate(details.getDisplayName(), 50));
This causes the Assign Roles page to display the incorrect groups, which caused us to assign permissions to the wrong group.
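A Script Console check for the mismatch described in this report, added here as an example and not part of the original report or the plugin's code: it looks up each group name with the same loadGroupByGroupname call and flags any result whose name differs from the one requested. The names in the list are the report's own samples and should be replaced with the groups you grant roles to; the case-insensitive comparison assumes the realm returns a group name in the form it was requested.

```groovy
// Added example for the Jenkins Script Console; not code from the LDAP plugin.
import jenkins.model.Jenkins

def realm = Jenkins.get().getSecurityRealm()

// Sample names taken from the report; replace with the groups you assign roles to.
def requestedNames = [
    "real-group-name",
    "szdlkjasdlkjasdlkasdfTHISISNOTAREALGROUPNAME",
]

// Returns a short verdict for one requested group name.
def check = { String requested ->
    try {
        def details = realm.loadGroupByGroupname(requested, true)
        if (details == null) {
            return "NOT FOUND (null)"
        }
        def resolved = details.getName()
        // Assumption: a correct lookup returns the requested name, ignoring case.
        if (resolved != null && resolved.equalsIgnoreCase(requested)) {
            return "OK"
        }
        return "MISMATCH: resolved to '${resolved}'"
    } catch (Exception e) {
        // A realm that rejects unknown groups normally signals it with an exception.
        return "NOT FOUND (${e.getClass().getSimpleName()})"
    }
}

requestedNames.each { name ->
    println("${name} -> ${check(name)}")
}
```

Any MISMATCH line means the Assign Roles page may show a different group than the one entered, so role assignments made through it should be reviewed against the intended group names.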