I have already migrate Jenkins to use LDAP login, and have no problem.
But when I tried to migrate phabricator to use LDAP, I got "Username or password are incorrect." every time, and I'm sure the same username and passwd can login Jenkins. I was using the same OpenLDAP server, and the LDAP has a readonly DN: cn=readonly,dc=my-company,dc=com. Phabricator configurations list below:
Allow: "Allow Login"
LDAP Hostname & Port: exactly the same with my Jenkins configuration
Base Distinguished Name: ou=user,dc=my-company,dc=com (while Jenkins root DN was dc=my-company,dc=com)
Search Attributes: empty
Always Search: unchecked
Anonymous Username: cn=readonly, dc=my-company, dc=com (same with Jenkins Manager DN)
Anonymous Password: the password (same with Jenkins Manager password)
Username Attribute: uid
Realname Attributes: empty
LDAP Version: 3
This has block me two days, is there something I missed?
Thanks for your answer~
Oh, I figure it out. Phabricator has a different LDAP login mechanism with Jenkins. Phabricator always bind LDAP with the user's DN and password (to verify login), then search the user's DN itself. Below is the comment in the LDAP login code:
// This is unusual (since the bind succeeded) but we've seen it at least
// once in the wild, where the anonymous user is allowed to search but
// the credentialed user is not.
// If we don't have anonymous credentials, raise an explicit exception
// here since we'll fail a typehint if we don't return an array anyway
// and this is a more useful error.
// If we do have anonymous credentials, we'll rebind and try the search
// again below. Doing this automatically means things work correctly more
// often without requiring additional configuration.
So, LDAP users must have search acl, like:
olcAccess: {1}to *
by self write
by dn="cn=admin,dc=my-company,dc=com" write
by dn="cn=readonly,dc=my-company,dc=com" read
by users search
by * none
I didn't have 'by users search' option, so login failed.
Related
I am trying to find a way to use the roles I manage in Okta to work with Jenkins. I have been trying to get role-strategy plugin to work, but when I log in, I get <user> is missing the Overall/Read permission.
My configuration includes OIDC for Okta, using oic-auth plugin, and I am specifying the authorizationStrategy config via JCasC. For example I have this on my JCasC okta.yaml:
authorizationStrategy:
roleBased:
roles:
global:
- name: "my_okta_group"
permissions:
- "Overall/Administer"
I see this properly getting converted into $JENKINS_HOME/config.xml.
What I don't specify, but seems to be required, is assignments:, because - it's RBAC after all, and the user assignments into roles should be made in Okta, not Jenkins.
After browsing the plug-in code, it appears hard-wired for an explicit user SID list to be specified in the JCasC. That's not going to work for me.
Is there a different way to use this plug-in to achieve the goal?
Is there another RBAC plug-in that would work better?
The above is very close to a working solution. assignments: is indeed required, and it supports username or group. Also the 'name' of 'authorizationStrategy.roleBased.roles' is the Jenkins role name, not the OIDC group name.
The oic-auth configuration maps OIDC token fields to Jenkins user properties, and then the role-strategy checks for the OIDC token's username, as well as its group(s).
My working config is:
jenkins:
securityRealm:
oic:
clientId: "${clientId}"
clientSecret: "${clientSecret}"
wellKnownOpenIDConfigurationUrl: "${oidcIssuerUrl}/.well-known/openid-configuration"
userInfoServerUrl: "${oidcIssuerUrl}/oauth2/v1/userinfo"
tokenFieldToCheckKey: ""
tokenFieldToCheckValue: ""
fullNameFieldName: "name"
groupsFieldName: "groups"
disableSslVerification: false
logoutFromOpenidProvider: true
endSessionEndpoint: "${oidcIssuerUrl}/oauth2/v1/logout"
postLogoutRedirectUrl: "https://${dns_name_full}"
escapeHatchEnabled: false
escapeHatchUsername: ""
escapeHatchSecret: "my-unused-password"
escapeHatchGroup: ""
automanualconfigure: "auto"
emailFieldName: "email"
userNameField: "name"
tokenServerUrl: "${oidcIssuerUrl}/oauth2/v1/token"
authorizationServerUrl: "${oidcIssuerUrl}/oauth2/v1/authorize"
scopes: "address phone openid profile offline_access groups email"
authorizationStrategy:
roleBased:
roles:
global:
- name: "my_jenkins_role"
permissions:
- "Overall/Administer"
assignments:
- "my_okta_group"
BTW, I specify the yaml with Helm:
...
JCasC:
configScripts:
okta: |
jenkins:
securityRealm:
...
I'm trying to configure Oauth authorization on websphere 8.5.5.16. I added interceptor with issuerIdentifier parameter = https://company.com/abc I next step I added trust external realm: https://company.com/abc And when I try to start service in my app (IBM BPM) I getting an error: NullPointer Exception. Please look at the logs on how the user is created:
Principal: https://company.com/abc/login_user
Public Credential: com.ibm.ws.security.auth.WSCredentialImpl#ebc4e0d2
Private Credential: {setLtpaCookie=false, com.ibm.wsspi.security.cred.securityName=login_user, com.ibm.wsspi.security.cred.uniqueId=user:https://company.com/abc/login_user, token_type=, access_token=xxx, id_token=, com.ibm.wsspi.security.cred.realm=https://company.com/abc, com.ibm.wsspi.security.cred.groups=[], refresh_token=, JsonWebToken=JsonWebToken:{"aud":"0000","iss":"https://company.com/abc","iat":122,"nbf":123,"exp":232,"auth_time":222,"nonce":"aaa","sub":"ddddd/fffff","upn":"login_user","unique_name":"domain\\login_user","pwd_url":"https://company.com/abc/portal/updatepassword/","pwd_exp":"4545","sid":"S-1-5-21-66-117609710","authorities":["Group_1, Group_2"],"given_name":"Name","family_name":"Surname","apptype":"Public","appid":"0000","authmethod":"http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows","ver":"1.0","scp":"openid"}}
Private Credential: com.ibm.ws.security.token.SingleSignonTokenImpl#347c9d2b
Private Credential: com.ibm.ws.security.token.AuthenticationTokenImpl#718ea698
Private Credential: com.ibm.ws.security.token.AuthorizationTokenImpl#27e8a5bb
00000187 UserOrgModule 1 com.lombardisoftware.userorg.UserOrgModule getIdFromPrincipalName getIdFromPrincipalName() user=/company.com/abc/login_user, id=null
user = /company.com/abc/login_user not: login_user Why? Please help.
From message "00000187 UserOrgModule", I can tell your BPM application can not help realm name that contains '/' character. You can resolve the problem with following steps:
In your TAI properties, add useRealm property, and give an unique and meaningful value as realm, for example,
provider_.useRealm=abc123
Add "abc123" as trusted realm. This value matches value you define in step 1.
If you assign roles to users unique id, you need reassign roles again with unique id build from this new realm.
Thanks. I did exactly as you wrote.
I added in my interceptor config: provider_1.useRealm=myrealm
I added trusted realm in Global security > Federated repositories > Trusted authentication realms - inbound (Name = myrealm, Trusted).
I restarted server.
Nothing has changed. I still see: user=/company.com/abc/login_user, id=null because in JWT token, in iss field I have value: 'https://company.com/abc' and unfortunately I cannot change this
This question is about Jenkins LDAP root DN & Display Name LDAP attribute
Environment:-
Jenkins Version - 2.235.5(LTS)
LDAP Plugin - 1.24
I am trying to configure LDAP(AD) Authentication in our Jenkins, Below is the configuration settings.
root DN - DC=Company,DC=domain,DC=com
User search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
User search filter: sAMAccountName={0}
Group search base: OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Group search filter: (&(objectclass=group)(cn={0}))
Group membership
Group membership filter - (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
Manager DN: CN=jenkins,OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com
Manager Password: password
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail
But while testing the LDAP connection it fails below error.
Login
Authentication: failed for user "jenkins-user"
Lookup
User lookup: failed for user "jenkins-user"
LdapCallback;[LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-03100241, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=domain,DC=com'
]; remaining name 'OU=Users,OU=Division,OU=Team,DC=Company,DC=domain,DC=com'
LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.
Lockout
The user "jenkins-user" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?
Suppose if i keep the root DN as empty and enabled the tick mark - Allow blank rootDN. my test connection is getting successful.
But i would like to know that currently i am running root DN as empty and enabled - Allow blank rootDN in plugin section. Is this is fine for production environment?
Also for the logged in users, The display name shown as below which is too lengthy.
First-Name/Sur-Name/Team-Name/Location/Title/Company-Name
i would like to display only First-Name + Sur-Name. For this i tried to change Display Name LDAP attribute: with name, givenName, cn & sn but none of them were worked. So is it possible to display only First name + Sur-name in Jenkins?
I have fixed it. Each time when we change/update the Display Name LDAP attribute value in LDAP configuration section, We need to delete the user from people category and need to login. Post that it displays the configured settings.
I have tried most of the configuration examples of user to return a Configuration-Token attribute. I need an example configuration and which file to place it in (e.g. user or user.conf).
tried something like (in user.conf):
testing Cleartext-Password := "password"
reply: Configuration-Token="hello"
This caused freeradius to not run
Freeradius would not execute.
I've install FR3LdapBundle & FOSUserBundle with Symfony3 successfully as per my blog, and I'm able to authenticate against this test LDAP server; but now I'm trying to authenticate against our internal Active Directory Server.
Here is the change in config (I have obsfucated the config information on purpose):
fr3d_ldap:
driver:
host: somehost
username: administrateur
password: somepass
port: 389
accountDomainName: somedom.local
accountDomainNameShort: somedom
user:
usernameAttribute: administrateur
baseDn: ou=utilisateurs,dc=somedom,dc=local
attributes:
- { ldap_attr: administrateur, user_method: setUsername }
- { ldap_attr: mail, user_method: setEmail }
filter: (&(ObjectClass=person))
The above is the only change I made. In my DEV logs, when I log in I get these important messages:
[2017-05-09 15:56:54] ldap_driver.DEBUG: ldap_search(ou=utilisateurs,dc=somedom,dc=local, (&(&(ObjectClass=person)) (sAMAccountName=somedom\5cadministrateur)), [array]) {"action":"ldap_search","base_dn":"ou=utilisateurs,dc=somedom,dc=local","filter":"(&(&(ObjectClass=person))(sAMAccountName=somedom\\5cadministrateur))","attributes":[]} []
[2017-05-09 15:56:54] security.INFO: User somedom\administrateur not found on LDAP {"action":"loadUserByUsername","username":"somedom\\administrateur","result":"not found"} []
So I wonder if I need a special config?
Login as:
administrateur
instead, in the log it shows you are trying to login as "somedom\administrateur", but you don't need to add the domain.
I think that's the problem. Can you try it and if it doesn't work, I'll get you to try something else.
EDIT #2
I also see you have this set in your config.yml code:
attributes:
- { ldap_attr: administrateur, user_method: setUsername }
But instead should be:
attributes:
- { ldap_attr: samaccountname, user_method: setUsername }
Then if you use the LDAP browser, verify that the user exists in the baseDn you specified, and look for the attribute sAMAccountName and this is the user string you should enter in the login name field.