Jenkins use LDAP Groups with Project Matrix Auth

Question

So I have a Jenkins server that is connected to my FreeIPA LDAP servers and I am using Project-based Matrix Authorization.

When I add an individual user and assign permissions all works as expected but if I use a group then try to log in as a memberof said group I get this:

jenkins.test2 is missing the Overall/Read permission

The user is a member of the group and I have confirmed using a small groovy script that Jenkins is able to read the group.

Jenkins.instance.securityRealm.loadGroupByGroupname(name)

I have also confirmed that the ldap DN settings for groups is correct and that my group exists on the LDAP server in the defined DN.

Why can I not authenticate and sign in as a valid member of a group that has been assigned permissions?

score 2 · Answer 1 · answered Dec 13 '16 at 16:52

2

We are using the ActiveDirectory option, with Matrix based security, and can enable access via Group names. Case does matter though. is enabled.

When I then go to a User, I can click on them to see the Groups they belong to from ActicveDirectory. This allows me to test a user name

and ensure they belong to the group I expect for safety. The listing shows the group, so I can then delete the user, and try again, and they will be able to login via ActiveDirectory and access the projects.

answered Dec 13 '16 at 16:52

Steven Scott

10,234
9
69
117

Interesting, any idea what the minimum permissions required are to log in are? Maybe I have missed something. The reference guide I have must be prior to v1.4 as they mention using ROLE_GROUPNAME. – SnazzyBootMan Dec 13 '16 at 17:53
Overall Read was needed to see the screens when I was testing. We have the ability to see a job listed for our DevGroup and the build option (obviously for that job) as well. For others, just the overall read is all we have listed. – Steven Scott Dec 13 '16 at 22:56

score 0 · Answer 2 · answered Jan 25 '17 at 15:06

0

So I finally got back to this one and before I started work on it a colleague had upgraded from Jenkins 2.19 to Jenkins 2.32.1 (LTS).

Lo and behold groups is now working, I did notice that Jenkins is a little funny about making multiple changes at once.

answered Jan 25 '17 at 15:06

SnazzyBootMan

669
2
15
30

Hey Chris, can you please share what all changes you have made to make this working in LDAP and Jenkins. I am also struggling with the same issue. – Vaibhav Jain Feb 27 '18 at 05:40

Jenkins use LDAP Groups with Project Matrix Auth

2 Answers2