Since Jenkins 1.548 there's a new extension point SecurityListener. It can be implemented in a way that throws a SecurityException in authenticated(UserDetails) when the same user who just failedToAuthenticate(UserDetails) several times managed to log in successfully. This prevents successful authentication even with correct credentials.
Here's some sample code for a plugin that does just that:
https://github.com/daniel-beck/jenkins-login-rate-limiter-plugin

Configuration is via system properties (there's no config UI), but otherwise, it works just fine. Note that I don't check IP or do anything more sophisticated than counting the number of failed attempts in the last few minutes for a given user name, so a malicious user could prevent Jenkins use for all users with known user names by just spamming wrong credentials to prevent them from logging in.

On 30.01.2014, at 23:11, zee wfo <[email protected]> wrote:

> I've found information on how to set up jenkins with ldaps. Is there a way for
> jenkins to refuse login attempts from a user after multiple failures? The
> goal is to discourage password guessing for accounts in our ldap server who
> have access to the jenkins server.
> thanks.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
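
Added example, not part of the original message and not the linked plugin's code: a per-username sliding-window failure counter of the kind the reply describes, including the lockout side effect it warns about. The class name, threshold and window are assumptions; `recordFailure` stands for what the `failedToAuthenticate` hook would call and `checkAllowed` for what the `authenticated` hook would call.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper: counts recent failed logins per user name. */
public class LoginRateLimiter {
    private final int maxFailures;   // assumed threshold
    private final long windowMillis; // assumed "last few minutes" window
    private final Map<String, Deque<Long>> failures = new ConcurrentHashMap<>();

    public LoginRateLimiter(int maxFailures, long windowMillis) {
        this.maxFailures = maxFailures;
        this.windowMillis = windowMillis;
    }

    /** Record one failed attempt; keeps at most maxFailures timestamps per user. */
    public void recordFailure(String username, long now) {
        Deque<Long> q = failures.computeIfAbsent(username, k -> new ArrayDeque<>());
        synchronized (q) {
            q.addLast(now);
            while (q.size() > maxFailures) q.removeFirst(); // bound memory under spam
        }
    }

    /** Veto a login that presented correct credentials if recent failures hit the limit. */
    public void checkAllowed(String username, long now) {
        Deque<Long> q = failures.get(username);
        if (q == null) return; // no failures recorded for this user
        synchronized (q) {
            while (!q.isEmpty() && now - q.peekFirst() > windowMillis) q.removeFirst();
            if (q.size() >= maxFailures)
                throw new SecurityException("Too many recent failed logins for " + username);
        }
    }

    public static void main(String[] args) {
        LoginRateLimiter limiter = new LoginRateLimiter(3, 5 * 60_000L);
        long t = 0; // constructed timestamps in milliseconds
        // Failures count no matter who sent them: only the user name is tracked.
        for (int i = 0; i < 3; i++) limiter.recordFailure("alice", t += 1_000);
        try {
            limiter.checkAllowed("alice", t + 1_000); // correct password, still refused
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        limiter.checkAllowed("alice", t + 6 * 60_000L); // window expired, allowed
        limiter.checkAllowed("bob", t);                 // untouched account, allowed
        System.out.println("alice allowed again after the window; bob never blocked");
    }
}
```

Keying the counter on user name plus source address, or delaying instead of refusing, narrows the lockout side effect at the cost of weaker protection against distributed guessing.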
