Jenkins/Hudson - LDAP group *lookup* does not work
Solution 1
Had the same problem today with Jenkins 2. LDAP is configured working and I can login as AD user, I can add AD user to matrix, but when I add a group into matrix, it shows "user/group not found" for that group.
Finally fixed it following https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin#LDAPPlugin-Groupsearchbase
The fix is to add (& (cn={0}) (objectclass=group) ) as group search filter.
By default, Jenkins uses
(& (cn={0}) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames) (objectclass=posixGroup)))
Our AD group only has
objectClass: top
objectClass: group
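To see offline why the default filter misses such a group while the answer's filter finds it, here is a small evaluator for the equality/AND/OR subset of LDAP filters (RFC 4515) that the two filters use. This is an added example, not code from the answer or from Jenkins; the two entries and the group names are constructed.

```python
# Added example (not from the answer above): a small RFC 4515 filter evaluator
# to check offline which group entries each groupSearchFilter would match.
import re

# Jenkins' default filter (as quoted in the answer) and the proposed fix.
DEFAULT_FILTER = ("(& (cn={0}) (| (objectclass=groupOfNames) "
                  "(objectclass=groupOfUniqueNames) (objectclass=posixGroup)))")
AD_FILTER = "(& (cn={0}) (objectclass=group) )"

# Constructed sample entries, shaped like the two group styles in the answer.
AD_GROUP = {"cn": ["KS-Soft"], "objectClass": ["top", "group"]}
OPENLDAP_GROUP = {"cn": ["KS-Soft"], "objectClass": ["top", "groupOfNames"]}

def _skip(s, i):
    while i < len(s) and s[i] == " ":
        i += 1
    return i

def parse(s, i=0):
    """Parse one filter component at s[i]; return (node, index after it)."""
    i = _skip(s, i)
    assert s[i] == "(", f"expected '(' at {i}"
    i = _skip(s, i + 1)
    if s[i] in "&|":                          # compound: (& ...) or (| ...)
        op, kids, i = s[i], [], i + 1
        while True:
            i = _skip(s, i)
            if s[i] == ")":
                return (op, kids), i + 1
            node, i = parse(s, i)
            kids.append(node)
    m = re.match(r"([A-Za-z][\w;-]*)=([^)]*)\)", s[i:])   # equality item
    assert m, f"bad item at {i}"
    return ("=", m.group(1).lower(), m.group(2).strip()), i + m.end()

def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively,
    as the directory does for cn and objectClass (caseIgnoreMatch)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    vals = [v for a, vs in entry.items() if a.lower() == attr for v in vs]
    return any(v.lower() == value.lower() for v in vals)

def group_found(filter_template, group_name, entry):
    node, _ = parse(filter_template.replace("{0}", group_name))  # {0} = group name
    return matches(node, entry)
```

Because cn matching is case-insensitive on the directory side, a case mismatch of the kind described in Solution 2 is not something the search filter itself rejects.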
Solution 2
I just found out the hard way this morning that Jenkins is CASE SENSITIVE when it comes to AD group-names.
Just adding that as an answer in case somebody is pulling out his/her hair in frustration.
It is totally non-obvious as AD group-names are normally NOT case-sensitive anywhere.
Solution 3
Try making your groupSearchBase fully qualified, i.e. "ou=KSGroups,dc=mydomain,dc=com". Also, group names will almost certainly not end in "@mydomain.com" (unless you named them that way on purpose).
I'd suggest using "ldapsearch" from the openldap tools or a similar command-line tool for Windows to try out variations of the groupSearchFilter until you find one that gives you the results you want, and then import that into the .groovy file.
Comments
-
Martin over 1 year
I'm trying to get Jenkins to authenticate users via our active directory groups.
If I insert users they are correctly looked up. If I insert group names, they are not found.
Edit: Through trial & error I have found out that the authentication via the groups does in fact work, that is, once I add the group KS-Soft to the list, users in this group can log in. However, in the list where the users and group names are entered, Jenkins tries to display an icon for whether it's a user or a group. The user icon is displayed correctly, but the group icon is always an error icon. So it would appear that Jenkins can authenticate users via group membership, but it fails to verify whether a given group name string exists in the directory. Is this technically even possible? (Maybe just the icon display is messed up.)
The Jenkins settings are as follows (note: mydomain, com and user names are different, the rest are exact values):
Server: ldap://ks-dc01.mydomain.com:389
root DN: dc=mydomain,dc=com
User Search Base: ou=KSUser
User Search Filter: userPrincipalName={0}
Group search base: ou=KSGroups
Manager DN: CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com
Manager Password: *****
With this setup, I enter the user [email protected] into the list and Jenkins then can look up this user and I can log in. However, I cannot get Jenkins to resolve the group names. I use AD Explorer to confirm my groups are in fact below OU=KSGroups. I have one group here displayed as CN=KS-Soft in AD Explorer and it has a member attribute that lists all the users I'm interested in. (The user [email protected] is listed as CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com in this attribute.) I have tried these strings for the group:
- KS-Soft
- [email protected]
- ROLE_KS-Soft
- [email protected]
as per this thread.
Note that the Jenkins help has the following to say on the Group search base:
One of the searches Jenkins does on LDAP is to locate the list of groups for a user. This field determines the query to be run to identify the organizational unit that contains groups. The query is almost always "ou=groups" so try that first, though this field may be left blank to search from the root DN.
If login attempts result in "Administrative Limit Exceeded" or similar error, try to make this setting as specific as possible for your LDAP structure, to reduce the scope of the query. If the error persists, you may need to edit the WEB-INF/security/LDAPBindSecurityRealm.groovy file that is included in jenkins.war. Change the line with:
groupSearchFilter = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))";
to query only the field used in your LDAP for group membership, such as:
groupSearchFilter = "(member={0})";
Then restart Jenkins and retry the login.
I have tried both values in this file and neither works.
-
Martin almost 13 years
I think I tried making it fully qualified, but I'll try again. The CLI tip is certainly useful, tx. Can you perchance comment on my edit block wrt. to auth vs lookup?
-
Handyman5 almost 13 years
I guess the first thing I'd check would be to right-click on the group icon and look up its URL, and then try to figure out if it's broken itself. If the icon is ok, then I'd dig more at Jenkins. Does it have the capability to log exactly what LDAP searches it's running? Also, groups have two names: the displayed name and (if you're using it) the "pre-Windows 2000" short name. I don't remember exactly which attribute each maps to, but dig up a group with a shortname with ldapsearch and see if Jenkins is querying the right attribute.
-
Martin almost 13 years
Do you know if there is an official binary release for Windows for the openldap tools?
-
Handyman5 almost 13 years
I found this binary distribution, but I don't think it's official in any way. You could also install Cygwin.