I'm trying to get Jenkins to authenticate users via our active directory groups.
If I insert users they are correctly looked up. If I insert group names, they are not found.
Edit: Through trial & error I have found out that the authentication via the groups does in fact work, that is, once I add the group KS-Soft
to the list, users in this group can log in. However, in the list where the users and group names are entered, Jenkins tries to display an icon for whether it's a user or a group. The user icon is displayed correctly, but the group icon is always an error icon.
So it would appear that Jenkins can authenticate users via group membership, but it fails to verify whether a given group name string exists in the directory. Is this technically even possible? (Maybe just the icon display is messed up.)
The Jenkins settings are as follows (note: mydomain, com and the user names are different; the rest are exact values):
Server : ldap://ks-dc01.mydomain.com:389
root DN : dc=mydomain,dc=com
User Search Base : ou=KSUser
User Search Filter : userPrincipalName={0}
Group search base : ou=KSGroups
Manager DN : CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com
Manager Password : *****
With this setup, I enter the user [email protected] into the list, and Jenkins can then look up this user and I can log in.
However, I cannot get Jenkins to resolve the group names. I used AD Explorer to confirm that my groups are in fact below OU=KSGroups.
I have one group here displayed as CN=KS-Soft in AD Explorer, and it has a member attribute that lists all the users I'm interested in. (The user [email protected] is listed as CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com in this attribute.)
I have tried these strings for the group:
KS-Soft
[email protected]
ROLE_KS-Soft
and [email protected], as per this thread.
Note that the Jenkins help has the following to say on the Group search base:
One of the searches Jenkins does on LDAP is to locate the list of groups for a user.
This field determines the query to be run to identify the organizational unit that contains groups. The query is almost always "ou=groups" so try that first, though this field may be left blank to search from the root DN.
If login attempts result in "Administrative Limit Exceeded" or a similar error, try to make this setting as specific as possible for your LDAP structure, to reduce the scope of the query. If the error persists, you may need to edit the WEB-INF/security/LDAPBindSecurityRealm.groovy file that is included in jenkins.war. Change the line with:
groupSearchFilter = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))";
to query only the field used in your LDAP for group membership, such as:
groupSearchFilter = "(member={0})";
Then restart Jenkins and retry the login.
I have tried both values in this file and neither works.
Had the same problem today with Jenkins 2. LDAP is configured and working and I can log in as an AD user, I can add an AD user to the matrix, but when I add a group to the matrix, it shows "user/group not found" for that group.
Finally fixed it following https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin#LDAPPlugin-Groupsearchbase
The fix is to add
(& (cn={0}) (objectclass=group) )
as the group search filter. By default, Jenkins uses
(& (cn={0}) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames) (objectclass=posixGroup)))
Our AD group only has
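As an added illustration (not code from the question, any answer, or the Jenkins LDAP plugin), this Python script runs the default Jenkins group search filter quoted above and the (& (cn={0}) (objectclass=group) ) fix against a few constructed AD-style entries with a minimal RFC 4515 evaluator, showing why a group whose objectClass is "group" is found by the second filter only; it also escapes the substituted name as RFC 4515 requires so a typed name cannot change the filter structure. The sample entries, the evaluator and the escaping helper are assumptions of mine.

```python
"""Minimal RFC 4515 filter evaluator (&, |, attr=value; case-insensitive like AD) for this thread's filters."""
import re
# Constructed entries below ou=KSGroups (assumed layout mirroring the question, not real directory data).
SAMPLE_ENTRIES = [
    {"dn": "CN=KS-Soft,OU=KSGroups,DC=mydomain,DC=com", "cn": ["KS-Soft"],
     "objectClass": ["top", "group"],
     "member": ["CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com"]},
    {"dn": "CN=unixgrp,OU=KSGroups,DC=mydomain,DC=com", "cn": ["unixgrp"],
     "objectClass": ["top", "posixGroup"], "member": []},
]
# The default Jenkins filter quoted in the answer above, and the AD fix.
DEFAULT_FILTER = ("(& (cn={0}) (| (objectclass=groupOfNames) "
                  "(objectclass=groupOfUniqueNames) (objectclass=posixGroup)))")
AD_FILTER = "(& (cn={0}) (objectclass=group) )"

def escape_filter_value(value):
    """RFC 4515 escaping: a typed group name must not alter the filter structure."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29")):
        value = value.replace(raw, esc)
    return value

def _parse(s, i=0):
    """Parse the parenthesised filter at s[i]; return (node, index after it)."""
    i += 1                                   # skip "("
    while s[i] == " ":
        i += 1
    if s[i] not in "&|":                     # leaf: attr=value
        end = s.index(")", i)                # safe: escaped values hold no ")"
        attr, value = s[i:end].split("=", 1)
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), value.strip(), flags=re.I)
        return ("=", attr.strip(), value), end + 1
    op, kids, i = s[i], [], i + 1            # compound: & or | over child filters
    while s[i] != ")":
        if s[i] == " ":
            i += 1
        else:
            kid, i = _parse(s, i)
            kids.append(kid)
    return (op, kids), i + 1

def _matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_matches(k, entry) for k in node[1])
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return value.lower() in (v.lower() for v in values)

def search_groups(ldap_filter, group_name, entries=SAMPLE_ENTRIES):
    # Substitute the name for {0} as Jenkins does; return DNs of matching entries.
    node, _ = _parse(ldap_filter.replace("{0}", escape_filter_value(group_name)))
    return [e["dn"] for e in entries if _matches(node, e)]
```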
I just found out the hard way this morning that Jenkins is CASE SENSITIVE when it comes to AD group-names.
Just adding that as an answer in case somebody is pulling out his/her hair in frustration.
It is totally non-obvious as AD group-names are normally NOT case-sensitive anywhere.
Try making your groupSearchBase fully qualified, i.e. "ou=KSGroups,dc=mydomain,dc=com". Also, group names will almost certainly not end in "@mydomain.com" (unless you named them that way on purpose).
I'd suggest using "ldapsearch" from the openldap tools or a similar command-line tool for Windows to try out variations of the groupSearchFilter until you find one that gives you the results you want, and then import that into the .groovy file.