I am trying to do something I thought I had done many times before, but it 
is not working now - using Roles based Authorization with LDAP 
authentication and specifically LDAP Groups.

I believe I have LDAP Authentication set up and working for both users and 
groups.
I believe I have Role based authentication set up.

Granting roles to LDAP users directly - either global or project roles - 
works. I can login with LDAP user and get expected permissions. Granting 
roles to 'authenticated' also seems to work.

However, if I grant permissions to an LDAP group - it just does not work.

I am very confused why assigning roles to groups does not work.

A few thoughts and observations:

* "Assign Roles" UI recognizes LDAP Groups and shows a group icon next to 
them.

* "User status" UI (/user/username URI) shows groups for the user and I even 
ran that LDAP test groovy script that worked as expected. Although...

* "User Status" only shows groups to "admin" user. A regular user with just 
access to run specific jobs does not see their own groups - perhaps 
something is blocking non-admin users from reading their own groups?

* Increasing logging shows that a user that was granted admin rights 
directly has all the groups in the "Granted Authorities" but non-admin user 
only has "authenticated" - interestingly enough admin user does NOT have 
'authenticated'...

* Don't think it is relevant here, but in the past I recall having to do a 
special prefix for groups (like '@' I think) - not sure if this is still 
necessary


Versions -- Running this on:

* Jenkins 2.10
* LDAP Plugin 1.12
* Role Based Authorization Strategy 2.3.2

Any thoughts or suggestions would be appreciated....

Thanks,

-Michael


