Continuing on my journey through centralizing my authentication for a number of services, I come to my Jenkins instance. This was setup recently to handle CI\/CD on some of my personal projects, and has been working extremely well on automated build\/test\/deploy. Since none of the software it supports is going anywhere anytime soon, I decided to add the instance to the grouping of services going to LDAP for authentication. Setting up Jenkins with LDAP is a relatively straight forward process. It requires a few plugins to support it fully (authentication, group based authorization). The difficulty comes in authorization, as the role-based authorization strategy plugin isn’t as well documented as one would hope. It is at least not too hard to work through and works as intended.<\/p>\n\n\n\n
All of the plugins were used in this guide, however for just simple LDAP authentication, only the LDAP plugin is needed. The other plugins are only needed to support role-based authorization. By default, all users who log into Jenkins are treated as administrators. The role-based authorization plugin allows us to limit the rights of different accounts based off of their LDAP groups.<\/p>\n\n\n\n
While reading the LDAP plugin documentation, I noticed the following interesting snippet.<\/p>\n\n\n\n
OpenLDAP with the memberof overlay active (untested, and as memberof is an operational attribute in OpenLDAP it must be explicitly requested, so likely some hacking of LDAPSecurityRealm.groovy required)<\/p>LDAP Plugin Documentation<\/cite><\/blockquote>\n\n\n\n
So according to this, the memberOf attribute in OpenLDAP can be used for getting a users group memberships, it is not the most effective way to do so for Jenkins, and isn’t well supported. For this reason we decided to go the other way, see which users belong to which groups. To start out, I ran an LDAP search on the administrators group to see what attribute name the membership would be under, and the class of LDAP object the group belongs to.<\/p>\n\n\n\n
Administrator@ucs:~$ ldapsearch -xLLL -b cn=administrators,cn=Builtin,dc=rapternet,dc=us -D uid=auth-grafana,cn=users,dc=rapternet,dc=us -W \\* +\nEnter LDAP Password:\ndn: cn=Administrators,cn=Builtin,dc=rapternet,dc=us\nsambaGroupType: 2\ncn: Administrators\nobjectClass: top\nobjectClass: univentionGroup\nobjectClass: posixGroup\nobjectClass: univentionObject\nobjectClass: sambaGroupMapping\nuniventionObjectType: groups\/group\nsambaSID: S-1-5-32-544\ngidNumber: 5052\nuniventionGroupType: -2147483643\ndescription: Administrators have complete and unrestricted access to the compu\n ter\/domain\nstructuralObjectClass: posixGroup\nentryUUID: bc1e8154-1220-1036-9551-016bd08a0cd5\ncreatorsName: cn=admin,dc=rapternet,dc=us\ncreateTimestamp: 20160918192042Z\nmemberUid: Administrator\nuniqueMember: cn=domain admins,cn=groups,dc=rapternet,dc=us\nuniqueMember: cn=enterprise admins,cn=groups,dc=rapternet,dc=us\nuniqueMember: uid=administrator,cn=users,dc=rapternet,dc=us\nentryCSN: 20160918192044.102359Z#000000#000#000000\nmodifiersName: cn=admin,dc=rapternet,dc=us\nmodifyTimestamp: 20160918192044Z\nentryDN: cn=Administrators,cn=Builtin,dc=rapternet,dc=us\nsubschemaSubentry: cn=Subschema\nhasSubordinates: FALSE<\/pre>\n\n\n\nFrom the output, we can see that the object class for our group is posixGroup, which is a part of the default filters for the Jenkins LDAP plugin, and the membership attribute is uniqueMember, which is also a part of the default filters in Jenkins. This is lucky for us as its less configuration to have to do to get our centralized authentication working.<\/p>\n\n\n\n
Setting up the LDAP Plugin<\/h2>\n\n\n\n
The LDAP plugin settings are located under Manage Jenkins \u2192 Configure Global Security. The security realm can then be changed from \u201cJenkins own user database\u201d to \u201cLDAP\u201d. Make sure that LDAP searches are working properly using the \u201cTest LDAP settings\u201d button before saving the settings changes. Click the \u201cAdvanced Server Configuration\u201d button to show the full set of settings for the LDAP plugin.<\/p>\n\n\n\n
The LDAP plugin is straight forward to setup. The only feature I was missing was to allow self signed certs (or to not check the certificates) when using LDAPS. Due to this, and my lack of signed certificates for my LDAP server, I used the unencrypted connection. For an encrypted connection, make sure you have your certificates in order and use an LDAPS url to tell Jenkins to encypt the connection.<\/p>\n\n\n\n