I'm trying to get Jenkins to authenticate users via our active directory groups.
If I insert users they are correctly looked up.
If I insert group names, they are not found.
Edit: Through trial & error I have found out that the authentication via the groups does in fact work, that is, once I add the group KS-Soft to the list, users in this group can log in. However, in the list where the users and group names are entered, Jenkins tries to display an icon for whether it's a user or a group. The user icon is displayed correctly, but the group icon is always an error icon.
So it would appear that Jenkins can authenticate users via group membership, but it fails to verify whether a given group name string exists in the directory. Is this technically even possible? (Maybe just the icon display is messed up.)
The Jenkins settings are as follows: (note: mydomain and com user names are different, the rest are exact values)
Server : ldap://ks-dc01.mydomain.com:389
root DN : dc=mydomain,dc=com
User Search Base : ou=KSUser
User Search Filter : userPrincipalName={0}
Group search base : ou=KSGroups
Manager DN : CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com
Manager Password : *****
With this setup, I enter the user martin.placeholder@mydomain.com into the list and Jenkins then can look up this user and I can log in.
However, I cannot get Jenkins to resolve the Group Names. I use AD Explorer to confirm my groups are in fact below OU=KSGroups.
I have one group here displayed as CN=KS-Soft in AD Explorer and it has a memberattribute that lists all the users I'm interested in. (The user martin.placeholder@mydomain.com is listed as CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com in this attibute.)
I have tried these string for the group:
KS-SoftKS-SOft@mydomain.comROLE_KS-SoftandROLE_KS-Soft@mydomain.comas per this thread
Note that the Jenkins help has the following to say on the Group search base:
One of the searches Jenkins does on
LDAP is to locate the list of groups
for a user.This field determines the query to be
run to identify the organizational
unit that contains groups. The query
is almost always "ou=groups" so try
that first, though this field may be
left blank to search from the root DN.If login attempts result in
"Administrative Limit Exceeded" or
similar error, try to make this
setting as specific as possible for
your LDAP structure, to reduce the
scope of the query. If the error
persists, you may need to edit the
WEB-INF/security/LDAPBindSecurityRealm.groovy
file that is included in jenkins.war.
Change the line with:
groupSearchFilter = "(| (member={0})
(uniqueMember={0}) (memberUid={1}))";
to query only of the field used in
your LDAP for group membership, such
as:groupSearchFilter =Then restart Jenkins
"(member={0})";
and retry the login.
I have tried both values in this file and neither works.
Best Answer
had the same problem today with Jenkins 2. LDAP is configured working and I can login as AD user, I can add AD user to matrix, but when I add a group into matrix, it shows "user/group not found" for that group.
Finally fixed it following https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin#LDAPPlugin-Groupsearchbase
The fix is to add
(& (cn={0}) (objectclass=group) )as group search filter.By Default, Jenkins use
(& (cn={0}) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames) (objectclass=posixGroup)))Our AD group only has