It would have been nice to see this incorporated into the Kerberos SSO plugin, but as you say; <IANAL> the derivative works clause seems to "prevent" that as you've copied and changed some code from Waffle. It would be the same issue for the Active Directory Plugin. I've seen some projects where the majority of the code base has been MIT and a few files mixed in as BSD, but I don't know how legit that is.
So I guess a new "waffle-kerberos-sso-plugin" or similar is the least worst solution, and just send some kudos to the kerberos-sso plugin in the readme or something. </IANAL> /B On Fri, Nov 14, 2014 at 6:44 AM, Bryson Gibbons <[email protected]> wrote: > Story: Where I work, the Jenkins server uses the Active Directory plugin > for authentication. I was tired of having to log back in every 10 minutes > (if I went to do something else), so I started looking for a Single Sign On > solution. I tried the KerberosSSO before seeing the fine print that they > have not gotten it working on Windows yet. I tried for a bit, and was never > successful. In looking for other possibilities, I found Waffle ( > https://github.com/dblock/waffle), and decided to see if I could do some > code modification to the KerberosSSO plugin to make it use Waffle instead > of the Java GSSPI. It turned out that the Waffle code already had a filter, > so I copied the code entry side to the KerberosSSO plugin to a separate > plugin, since configuration was also very different. > > What I have: A working single sign on plugin that will authenticate > against Active Directory (when running on Windows) with minimal > configuration. The way it ties into Jenkins is identical to how the > KerberosSSO plugin ties in. > -Waffle is Windows ONLY. It does not work on Linux. > -Necessary configuration is to make sure that appropriate HTTP/ > computer.domain.com SPNs exist on Active Directory, and that Jenkins is > running as a service with user Local System. > -It uses a modified NegotiateSecurityFilter from Waffle - the > modifications were to pass the authentication information to Jenkins. > > In terms of testing, it works with Firefox, Internet Explorer, and Chrome > on Windows, and with Safari and Chrome on Mac OS X. I don't have access to > a Linux system (with a GUI) at work. > > The question I have: Where does this belong? > - Should it be put into the KerberosSSO plugin for a Windows-specific > configuration? > - Should this be tied into the Windows-only configuration available with > the Active Directory plugin? > - Should it be a new, separate plugin? > > I don't care which way it goes, I just think it should be made publicly > available. I'm not going to make the code publicly available in the short > run, unless there's some agreement that it should be a separate plugin. > Also, since the KerberosSSO plugin is MIT licensed and Waffle is EPLv1.0, > and I did copy some code from Waffle, I am assuming that any release of my > modified source code would need to be under the EPL license. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- Robert Sandell *Software Engineer* *CloudBees Inc.* -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
