0
votes

We use Jenkins with LDAP authentication. My question: is it possible to implement this rights scenario?

if not logged-in (anonymous)                      ==> read all                           
if logged in (via LDAP) but not a "special" user  ==> full access to specified jobs only 
if logged in (via LDAP) and also a "special" user ==> full admin access                  

My goal is to avoid having to manage large numbers of users explicitly.

There's a plugin "Role Strategy Plugin" that supports permissions for specified jobs, but it doesn't distinguish between anonymous and logged-in (via LDAP) users. It seems that the only way to grant access to specified jobs is to grant it user by user...which I want to avoid.


1 Answer

0
votes

Can you use Active Directory? If so:

  • you can use groups for authentication, and therefore assign rights to the entire group.
  • you can use a project-based matrix, so specified jobs will only be visible to specific groups.

If you cannot (only LDAP):

I think you can still do the above, but I think your LDAP configuration will require more work for groups. I am not sure of group support in the Jenkins LDAP API.
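The three tiers from the question, set up through the Jenkins script console with the project-based matrix mentioned in the answer. This is an added example, not code from the original post. It assumes the Matrix Authorization Strategy plugin is installed and the LDAP security realm already resolves group membership; the group name `jenkins-admins` and both job names are hypothetical placeholders.

```groovy
import hudson.model.Item
import hudson.model.Job
import hudson.security.AuthorizationMatrixProperty
import hudson.security.ProjectMatrixAuthorizationStrategy
import jenkins.model.Jenkins

// Assumed names: replace with your own LDAP group and job names.
def ADMIN_GROUP  = "jenkins-admins"               // LDAP group holding the "special" users
def JOB_USERS    = "authenticated"                // Jenkins built-in group: every logged-in user
def MANAGED_JOBS = ["build-app", "deploy-staging"] // hypothetical job names

def jenkins = Jenkins.instance

// Global matrix: a handful of group rows, no per-user rows.
def strategy = new ProjectMatrixAuthorizationStrategy()
["anonymous", JOB_USERS].each { sid ->
    strategy.add(Jenkins.READ, sid)   // may open the UI
    strategy.add(Item.READ, sid)      // may read every job
}
strategy.add(Jenkins.ADMINISTER, ADMIN_GROUP)     // implies all other permissions
jenkins.setAuthorizationStrategy(strategy)

// Per-job matrix: logged-in users get full access to the listed jobs only.
// Job-level grants are added on top of the global ones.
def fullJobAccess = [Item.READ, Item.BUILD, Item.CANCEL,
                     Item.CONFIGURE, Item.WORKSPACE, Item.DELETE]
MANAGED_JOBS.each { name ->
    def job = jenkins.getItemByFullName(name, Job)
    if (job == null) {
        println "skipped, no such job: ${name}"
        return
    }
    def grants = [:]
    fullJobAccess.each { perm -> grants[perm] = [JOB_USERS] as Set }
    job.removeProperty(AuthorizationMatrixProperty) // drop any earlier per-job matrix
    job.addProperty(new AuthorizationMatrixProperty(grants))
    println "per-job access set on: ${name}"
}
jenkins.save()
```

The script replaces the current authorization strategy, so confirm that your own account resolves to the admin group before running it. To narrow the middle tier from all logged-in users to one team, set `JOB_USERS` to an LDAP group name.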