For what its worth, I believe this is an issue with LDAP Plugin as I was able to recreate it without Role Based auth using Matrix based auth as well
>From a little digging I did, it appears it is some odd permissions issue, as if you grand the user explicit admin rights ahead of time, it can read the groups - but any other kind of user fails. This of course makes LDAP Groups completely useless as only admins can see them. I filed a ticket with LDAP Plugin team: https://issues.jenkins-ci.org/browse/JENKINS-37858 -M On Monday, August 15, 2016 at 3:59:56 PM UTC-5, Michael Lasevich wrote: > > I am trying to do something I thought I have done many times before, but > it is not working now - using Roles based Authorization with LDAP > authentication and specifically LDAP Groups > > I believe I have LDAP Authentication setup and working for both users and > groups > I believe I have Role based authentication set up. > > Granting roles to LDAP users directly - either global or project roles - > works. I can login with LDAP user and get expected permissions. Granting > roles to 'authenticated' also seems to work. > > However if I grant permissions to LDAP group - it just does not work. > > I am very confused why assigning roles to groups does not work. > > Few thoughts and observations: > > * "Assign Roles" UI recognizes LDAP Groups and shows a group icon next to > them. > > * "User status" UI (/user/username URI) shows groups for the use and I > even ran that LDAP test groovy script that worked as expected. Although... > > * "User Status" only shows groups to "admin" user. A regular use with just > access to run specific jobs does not see their own groups - perhaps > something is blocking non-admin users from reading their own groups? > > * Increasing logging shows that a user that was granted admin rights > directly has all the groups in the "Granted Authorities" but non-admin user > only has "authenticated" - interestingly enough admin user does NOT have > 'authenticated'... > > * Don't think it is relevant here, but in the past I recall having to do a > special prefix for groups (like '@' I think) - not sure if this is still > necessary > > > Versions -- Running this on: > > * Jenkins 2.10 > * LDAP Plugin 1.12 > * Role Based Authorization Strategy 2.3.2 > > Any thoughts or suggestions would be appreciated.... > > Thanks, > > -Michael > > > > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/88b7ff85-7488-48e6-9152-5da465e1c781%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
