-
Bug
-
Resolution: Unresolved
-
Major
-
Red Hat Enterprise Linux Server 7.6
Jenkins 2.204
LDAP Plugin 1.21
In our LDAP server the anonymus access is not allowed, so we need to authenticate with Manager DN and then search the login user attributes. When we "Test LDAP settings" we can see how the Lookup is successful:
Lookup User lookup: successful User ID: username User Dn: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain User Display Name: username LDAP Group membership: GLOBAL_GROUP LDAP Group lookup: successful (1 group)
But the login failed:
Login Authentication: failed for user "username" Lockout The user "username" will be unable to login with the supplied password. If this is your own account this would mean you would be locked out! Are you sure you want to save this configuration?
We have checked that the password is okey loging in directly on the LDAP.
We have captured the conversation between Jenkins and the LDAP and analyzing it with Wireshark we found that the LDAP plugin requires two times the read permission for reading the LDAP tree, the first time when the Manager DN search the login user, and a second time when the login user needs to read his own attributes before login, in our LDAP is not allowed for login users to read the attributes for security reasons, that king of users only can login on LDAP not read the tree:so the search find 0 attributes:
searchRequest baseObject: CN=username,OU=people,OU=Collaborators,OU=Users,O=domain scope: baseObject (0) derefAliases: derefAlways (3) sizeLimit: 0 timeLimit: 0 typesOnly: False Filter: (objectClass=*) filter: present (7) present: objectClass attributes: 0 items
And produces that error:
0000208D: NameErr: DSID-031522C9, problem 2001 (NO_OBJECT), data 0, best match of: 'O=domain'
I think it is not necessary to read two times the LDAP three, the first time is necessary to lookup (Manager DN) but the login user shouldn't have to read again the LDAP to login.
I have exactly the same problem (accidentally reported in a different plugin here but the issue is the same there: https://issues.jenkins-ci.org/browse/JENKINS-60306)
It should not be necessary for the user to have read access to the LDAP tree if the ManagerDN is being used to bind. That's the whole point of using a ManagerDN, in case read access otherwise is not enabled except to maybe a few key attributes (like userPassword so the user can edit their own password in some sort of LDAP manager)