I’m trying to use a fairly large Active Directory instance to authenticate Users with Jenkins.
This works quite well with the following settings:
<server>ldaps://dc.example.net:636</server>
<rootDN>OU=EMEA,DC=global,DC=example,DC=net</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase>OU=Users</userSearchBase>
<userSearch>(&(c=DE)(|(company~=examplea)(company~=exampleb))(&(objectClass=User)(objectClass=Person)(sAMAccountName={0})))</userSearch>
<groupSearchFilter>(& (cn={0}) (objectclass=group) )</groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy"/>
<managerDN>CN=sysauth,OU=EMEA,DC=global,DC=example,DC=net</managerDN>
<managerPasswordSecret>not-the-password</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<extraEnvVars class="linked-hash-map">
  <entry>
    <string>com.sun.jndi.ldap.connect.timeout</string>
    <string>5000000</string>
  </entry>
  <entry>
    <string>com.sun.jndi.ldap.read.timeout</string>
    <string>5000000</string>
  </entry>
</extraEnvVars>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
Note that this only works when rootDN contains OU=EMEA, as seen in the working snippet. As soon as the rootDN is changed to DC=global,DC=example,DC=net, authentication fails.
Strangely, it also fails if userSearchBase is OU=Users,OU=EMEA, which should be equal to the settings which work.
Since there is a need to have access to groups which are located somewhere under OU=not-EMEA,DC=global,DC=example,DC=net, the rootDN has to be DC=global,DC=example,DC=net.
I’ve tried the following things:
- Increase com.sun.jndi.ldap.connect.timeout and com.sun.jndi.ldap.read.timeout -> A value of 5000 would be "normal"
- Playing around with an empty rootDN
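The post argues that OU=Users under OU=EMEA,DC=global,DC=example,DC=net and OU=Users,OU=EMEA under DC=global,DC=example,DC=net describe the same subtree, and that only the wider rootDN covers groups under OU=not-EMEA. The following added example (not part of the post or of the Jenkins LDAP plugin) checks both claims by composing the effective search base and comparing DNs the way a directory does; it assumes the plugin prepends the search base to rootDN, and the group DN is constructed.

```python
"""Compose Jenkins LDAP search bases and test which base covers a given entry.
Added example; it assumes the plugin builds '<searchBase>,<rootDN>' (the way
the poster's working config reads) and uses constructed DNs."""
import re


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def normalize_dn(dn: str) -> list[str]:
    """Lower-case attribute types and values and drop surrounding whitespace so
    'OU=Users' and 'ou = users' compare equal (AD matches these case-insensitively)."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition('=')
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return out


def effective_base(search_base: str, root_dn: str) -> str:
    """Assumed plugin behaviour: the search base is relative to rootDN, and an
    empty search base means the rootDN itself."""
    return f"{search_base},{root_dn}" if search_base else root_dn


def dn_in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or lies below it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    # The two user-search configurations from the post, narrow rootDN first.
    configs = {
        "narrow": ("OU=Users", "OU=EMEA,DC=global,DC=example,DC=net"),
        "wide": ("OU=Users,OU=EMEA", "DC=global,DC=example,DC=net"),
    }
    bases = {k: effective_base(*v) for k, v in configs.items()}
    print("same user subtree:", normalize_dn(bases["narrow"]) == normalize_dn(bases["wide"]))
    # Constructed group DN in the part of the forest the poster needs to reach.
    group = "CN=jenkins-admins,OU=Groups,OU=not-EMEA,DC=global,DC=example,DC=net"
    for name, (_, root) in configs.items():
        print(f"{name} rootDN covers group: {dn_in_subtree(group, root)}")
```

Running it prints that both configurations yield the same user subtree while only the wide rootDN covers the constructed group, which is the equivalence the post relies on.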