So, was this broken at some later time on purpose? I could have sworn I have used this functionality in the past.
Is this a problem in Role plugin or LDAP plugin? You mention Role plugin, but Role plugin is clearly recognizing the group for admin - it seems like there is a security problem in LDAP plugin that prevents it from reading the groups for non-admin users. -M On Wednesday, August 17, 2016 at 5:25:08 AM UTC-7, Indra Gunawan (ingunawa) wrote: > > LDAP group never works with the Role Based Authorization plugin. Only the > CloudBee paid version of Role based plugin combined with Folder plugin on > Enterprise Jenkins are made to work with LDAP group. > > -Indra > > From: <jenkins...@googlegroups.com <javascript:>> on behalf of Michael > Lasevich <mlas...@gmail.com <javascript:>> > Reply-To: "jenkins...@googlegroups.com <javascript:>" < > jenkins...@googlegroups.com <javascript:>> > Date: Monday, August 15, 2016 at 1:59 PM > To: Jenkins Users <jenkins...@googlegroups.com <javascript:>> > Subject: LDAP groups and Role Based Authorization no playing nice. > > I am trying to do something I thought I have done many times before, but > it is not working now - using Roles based Authorization with LDAP > authentication and specifically LDAP Groups > > I believe I have LDAP Authentication setup and working for both users and > groups > I believe I have Role based authentication set up. > > Granting roles to LDAP users directly - either global or project roles - > works. I can login with LDAP user and get expected permissions. Granting > roles to 'authenticated' also seems to work. > > However if I grant permissions to LDAP group - it just does not work. > > I am very confused why assigning roles to groups does not work. > > Few thoughts and observations: > > * "Assign Roles" UI recognizes LDAP Groups and shows a group icon next to > them. > > * "User status" UI (/user/username URI) shows groups for the use and I > even ran that LDAP test groovy script that worked as expected. Although... > > * "User Status" only shows groups to "admin" user. A regular use with just > access to run specific jobs does not see their own groups - perhaps > something is blocking non-admin users from reading their own groups? > > * Increasing logging shows that a user that was granted admin rights > directly has all the groups in the "Granted Authorities" but non-admin user > only has "authenticated" - interestingly enough admin user does NOT have > 'authenticated'... > > * Don't think it is relevant here, but in the past I recall having to do a > special prefix for groups (like '@' I think) - not sure if this is still > necessary > > > Versions -- Running this on: > > * Jenkins 2.10 > * LDAP Plugin 1.12 > * Role Based Authorization Strategy 2.3.2 > > Any thoughts or suggestions would be appreciated.... > > Thanks, > > -Michael > > > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-use...@googlegroups.com <javascript:>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-users/0c1f3dd2-e132-4c08-b8e3-c4b22cb2974c%40googlegroups.com > > <https://groups.google.com/d/msgid/jenkinsci-users/0c1f3dd2-e132-4c08-b8e3-c4b22cb2974c%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/828f3027-1124-4e11-861b-eba100a1967e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
