Type: Bug
Resolution: Fixed
Priority: Trivial
Labels: None
Environment: Jenkins 2.46.1, ldap-plugin 1.15
When I configure the plugin and then use the Test LDAP Settings button and enter my credentials, I get the following successful checks:
Login
Authentication: successful
User ID: brian
User Dn: uid=brian,cn=users,cn=accounts,dc=example,dc=com
User Display Name: Brian J Murrell
User email: brian.murrell@example.com
LDAP Group membership:
admins
Replication Administrators
Add Replication Agreements
Modify Replication Agreements
Remove Replication Agreements
Modify DNA Range
Read PassSync Managers Configuration
Modify PassSync Managers Configuration
Read LDBM Database Configuration
Add Configuration Sub-Entries
Read DNA Range
System: Read Replication Agreements
Host Enrollment
System: Add krbPrincipalName to a Host
System: Enroll a Host
System: Manage Host Certificates
System: Manage Host Enrollment Password
System: Manage Host Keytab
463232e8-8595-11e6-a87e-00163e3c41db
ipausers
477eee16-8595-11e6-bc28-00163e3c41db
foo-devs
foo-jenkins-admin
ROLE_ADMINS
ROLE_REPLICATION ADMINISTRATORS
ROLE_ADD REPLICATION AGREEMENTS
ROLE_MODIFY REPLICATION AGREEMENTS
ROLE_REMOVE REPLICATION AGREEMENTS
ROLE_MODIFY DNA RANGE
ROLE_READ PASSSYNC MANAGERS CONFIGURATION
ROLE_MODIFY PASSSYNC MANAGERS CONFIGURATION
ROLE_READ LDBM DATABASE CONFIGURATION
ROLE_ADD CONFIGURATION SUB-ENTRIES
ROLE_READ DNA RANGE
ROLE_SYSTEM: READ REPLICATION AGREEMENTS
ROLE_HOST ENROLLMENT
ROLE_SYSTEM: ADD KRBPRINCIPALNAME TO A HOST
ROLE_SYSTEM: ENROLL A HOST
ROLE_SYSTEM: MANAGE HOST CERTIFICATES
ROLE_SYSTEM: MANAGE HOST ENROLLMENT PASSWORD
ROLE_SYSTEM: MANAGE HOST KEYTAB
ROLE_463232E8-8595-11E6-A87E-00163E3C41DB
ROLE_IPAUSERS
ROLE_477EEE16-8595-11E6-BC28-00163E3C41DB
ROLE_FOO-DEVS
ROLE_FOO-JENKINS-ADMIN
Lookup
User lookup: successful
And then things go to hell and I get a bunch of errors:
No LDAP group membership reported.
If the user is a member of some LDAP groups then the group membership settings are probably configured incorrectly.
Email address inconsistent (login brian.murrell@example.com versus lookup null)
User groups inconsistent (login versus lookup)
LDAP Group lookup: failed for 42 groups:
463232e8-8595-11e6-a87e-00163e3c41db
477eee16-8595-11e6-bc28-00163e3c41db
Add Configuration Sub-Entries
Add Replication Agreements
Host Enrollment
Modify DNA Range
Modify PassSync Managers Configuration
Modify Replication Agreements
ROLE_463232E8-8595-11E6-A87E-00163E3C41DB
ROLE_477EEE16-8595-11E6-BC28-00163E3C41DB
ROLE_ADD CONFIGURATION SUB-ENTRIES
ROLE_ADD REPLICATION AGREEMENTS
ROLE_ADMINS
ROLE_HOST ENROLLMENT
ROLE_FOO-DEVS
ROLE_FOO-JENKINS-ADMIN
ROLE_IPAUSERS
ROLE_MODIFY DNA RANGE
ROLE_MODIFY PASSSYNC MANAGERS CONFIGURATION
ROLE_MODIFY REPLICATION AGREEMENTS
ROLE_READ DNA RANGE
ROLE_READ LDBM DATABASE CONFIGURATION
ROLE_READ PASSSYNC MANAGERS CONFIGURATION
ROLE_REMOVE REPLICATION AGREEMENTS
ROLE_REPLICATION ADMINISTRATORS
ROLE_SYSTEM: ADD KRBPRINCIPALNAME TO A HOST
ROLE_SYSTEM: ENROLL A HOST
ROLE_SYSTEM: MANAGE HOST CERTIFICATES
ROLE_SYSTEM: MANAGE HOST ENROLLMENT PASSWORD
ROLE_SYSTEM: MANAGE HOST KEYTAB
ROLE_SYSTEM: READ REPLICATION AGREEMENTS
Read DNA Range
Read LDBM Database Configuration
Read PassSync Managers Configuration
Remove Replication Agreements
Replication Administrators
System: Add krbPrincipalName to a Host
System: Enroll a Host
System: Manage Host Certificates
System: Manage Host Enrollment Password
System: Manage Host Keytab
System: Read Replication Agreements
Does looking up group details require a Manager Dn and password?
Are the group search base and group search filter settings correct?
Lockout
The user "brian" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?
Please disregard the warning about the 42 groups that could not be found. Those are administrative groups within the LDAP server that are not searchable by anyone.
But what is worth mentioning is that the errors at the top of the Lookup:
No LDAP group membership reported.
If the user is a member of some LDAP groups then the group membership settings are probably configured incorrectly.
Email address inconsistent (login brian.murrell@example.com versus lookup null)
User groups inconsistent (login versus lookup)
all go away if I put the very same credentials I was testing above into the Manager DN and Manager Password fields. This suggests to me that once the login test is done, the credentials that were used for the login test are not used to do the lookup tests. Is that correct?
If so, that is not going to accurately reflect the LDAP settings in environments where users have to bind to the LDAP server to do lookups.