So, was this broken at some later time on purpose? I could have sworn I have used this functionality in the past.
Is this a problem in Role plugin or LDAP plugin? You mention Role plugin, but Role plugin is clearly recognizing the group for admin - it seems like there is a security problem in LDAP plugin that prevents it from reading the groups for non-admin users.

-M

On Wednesday, August 17, 2016 at 5:25:08 AM UTC-7, Indra Gunawan (ingunawa) wrote:
>
> LDAP group never works with the Role Based Authorization plugin. Only the
> CloudBees paid version of Role based plugin combined with Folder plugin on
> Enterprise Jenkins are made to work with LDAP group.
>
> -Indra
>
> From: <[email protected]> on behalf of Michael Lasevich <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Monday, August 15, 2016 at 1:59 PM
> To: Jenkins Users <[email protected]>
> Subject: LDAP groups and Role Based Authorization no playing nice.
>
> I am trying to do something I thought I have done many times before, but
> it is not working now - using Roles based Authorization with LDAP
> authentication and specifically LDAP Groups
>
> I believe I have LDAP Authentication set up and working for both users and
> groups
> I believe I have Role based authentication set up.
>
> Granting roles to LDAP users directly - either global or project roles -
> works. I can log in with LDAP user and get expected permissions. Granting
> roles to 'authenticated' also seems to work.
>
> However if I grant permissions to LDAP group - it just does not work.
>
> I am very confused why assigning roles to groups does not work.
>
> Few thoughts and observations:
>
> * "Assign Roles" UI recognizes LDAP Groups and shows a group icon next to
> them.
>
> * "User status" UI (/user/username URI) shows groups for the user and I
> even ran that LDAP test groovy script that worked as expected. Although...
>
> * "User Status" only shows groups to "admin" user. A regular user with just
> access to run specific jobs does not see their own groups - perhaps
> something is blocking non-admin users from reading their own groups?
>
> * Increasing logging shows that a user that was granted admin rights
> directly has all the groups in the "Granted Authorities" but non-admin user
> only has "authenticated" - interestingly enough admin user does NOT have
> 'authenticated'...
>
> * Don't think it is relevant here, but in the past I recall having to do a
> special prefix for groups (like '@' I think) - not sure if this is still
> necessary
>
> Versions -- Running this on:
>
> * Jenkins 2.10
> * LDAP Plugin 1.12
> * Role Based Authorization Strategy 2.3.2
>
> Any thoughts or suggestions would be appreciated....
>
> Thanks,
>
> -Michael
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-users/0c1f3dd2-e132-4c08-b8e3-c4b22cb2974c%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/828f3027-1124-4e11-861b-eba100a1967e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
