I am using oauth authentication for jenkins. I can successfully make api calls if i use my_user_name:api_token when my user name is explicitly configure in global security. It fails when my user name does not exist but a group which contains the user name and has all permissions.
Any idea about this phenomenon ?
thanks in advance
The Jenkins api-token is obtained for a specific user http://<jenkins-server>/user/<username>/configure and can be used for that same user only.
Related
I have installed and configured miniorange plugin following exactly this setup: https://plugins.miniorange.com/saml-single-sign-on-sso-into-jenkins-using-google-apps-g-suite-as-idp#1549619168146-1d45d518-daa7. Google Apps are redirecting me to my instance, but when I try to log in, it says:
More than one user found with this email address.
Any ideas why this is happening?
Error itself stating the solution. Same user can be somewhere else in your Jenkins configuration. To be specific, check your "People" and "Jenkins owned database Users", You will get same user in both pools but possibly with different name. So remove one of them or specifically user that you or admin created in Jenkins Own Database and try.
In "People" pool you will get users those are participating or contributing in triggering Jobs(either by Github commit or other mode) and Jenkins captures the UserID. So keep this UserID as your desired user name and set your authorization or permission in "Matrix based authorization".
I am trying to setup group authorizations using my IDP (Identity Provider) with the Jenkins instance I have.
For individual users, I have been able to setup this up successfully by installing the SAML 2.0 plugin , sending up the Service Provider Metadata to my IDP and completing a successful registration.
I am able to login to my Jenkins successfully using my SAML credentials.
Further more I am able to give users certain roles using the Role Strategy Plugin. I have defined roles like "Job Reader" , "Job Admin" etc etc and assigned those roles to individual users.
All until here is done.
But what Im looking for is rather than having to assign roles to users on the Jenkins layer, I want Jenkins to pull groups defined in my IDP and assign those groups to roles that Ive defined rather than me having to assign roles to individual users.
On my IDP side, I have created groups (I have a group ID) and assigned users to those groups. All I want to do is to have my Jenkins reads those group IDs. Is there some documentation I can follow ?
Below are the steps Ive done so far with unsuccessful results.
In my IDP, Ive created a group jenkins-reader and assigned a user to the group.
When I curl on the data of the user, I can clearly see that my user P000002 is part of a particular group.
{
"uid": "P000002",
.
.
"companyGroups": [
"jenkins-reader"
],
.
.
. }
Now switching to Jenkins, I have the following config.
Under Manage Roles , ive configured Project Roles. Creating a jenkins-reader roles and assigning in Job Read permissions.
Under Assign Roles , I added the group jenkins-reader (same name as defined in IDP) and assigned it the jenkins-reader role configured in the last step.
When I hit Apply and Save, I try to login again and I get the ERROR
Access Denied
P000002 is missing the Overall/Read permission
Now Im not sure whether Ive missed something here or am taking a wrong approach to this. Ive been following this doc.
I am using ApacheDS 2.0.0.v20130628,I use Spring security ldap to authenticate users.
For a new user,once user registers an account with the web application an email will be sent to make the account active so that his email will also be verified.Until User clicks on the link sent to his email,User should not be able to Login to the application.So how can I disable the user account till then?
I came across with an attribute on web nsAccountLock,But I am unable to find this attribute in ApacheDS.
I want to know is there anything in ldap-user-service like "active" which is used in a SQL query for JDBC User service in spring security?
Any suggestions as how to go about on this?
nsAccountLock is used to lock accounts in Oracle Directory Server. But not in apache Directory server. even i'm facing the same issue for finding attribute for disabling user in Apache DS. its looks like they havent created any attribute for it.
I have used 'pager' as a option to know if the user is enabled or disabled.
Use the 'pwdAccountLockedTime' operationsl attribute, that's the standard way in Apache DS.
For more details refer
We're using Jenkins server (v. 1.571) with the following authorization configuration:
Security Realm: Unix user/group database.
Authorization: Matrix-based security
up until now, each member of our team used its private credentials to login and perform operations on this server.
We want to enable bot scripts to login to the server with "global" credentials and perform some of these operations, without changing the current credentials of the users (and hopefully, don't touch the current authorization guidelines).
How can this be achieved?
thanks!
You can check Mask Passwords Plugin. It provides you the option to define user and password in Manage Hudson > Configure System section. To add to it, as the name suggests, the password will be masked in the console output. Even in the Configure section where you create user and password, the password will remain in masked state.
I am trying to implement XPagesSBT on localhost.
I have followed this article http://heidloff.net/home.nsf/dx/12152011034545AMNHECAP.htm and the SBT document by Niklas and was trying to implement dropbox oAuth.
I have also placed http://localhost/XPagesSBT.nsf/ and http://localhost/WebSecurityStore.nsf in root folder
but still i get this error
Error while executing JavaScript action expression
Script interpreter error, line=1, col=26: Error calling method 'isAuthenticated()' on java class 'com.ibm.xsp.extlib.sbt.services.client.endpoints.DropboxEndpoint'
No application is registered with id XPagesSBT and provider Dropbox
if(!#Endpoint("dropbox").isAuthenticated()) {#Endpoint("dropbox").authenticate(true);}
do i need to make any other configuration /setup to XPagesSBT db? or it wont work with Localhost?
I don't remember exactly anymore but reading my blog entry you linked it says you shouldn't use Anonymous:
"Additionally there are a couple of security related settings which are important to understand. First of all you need to assign access to the document with the application keys to the ID with which you signed the two NSFs. In the screenshot above I've entered both OpenNTF servers and my own user ID. When you use the web UI to do this these names are added to the document in an authors field and a readers field.
In the last step you need to configure the ACL of the security store. Anonymous must not have access to this database. All users who you want to be able to use the Social Enabler OAuth functionality need to have author access. This is so that their user keys can be stored in this database so that they only have to do the OAuth dance once. "
It should work on localhost. It looks like a configuration issue with SBT not being able to read the security tokens from the websecuritystore.nsf . Did you create the Dropbox Application Key with an admin id and sign the websecuritystore with the correct id?
Padraic