
I searched for my issue and found quite the same here with no answer; this does not help, neither does this, so I ask here.

I have an openldap

Version

(version slapd (Ubuntu) (May 22 2018 13:54:12) $ buildd@bos02-arm64-019:/build/openldap-AktVWV/openldap-2.4.42+dfsg/debian/build/servers/slapd)

on an odroid hc1 working fine (I can authenticate on some VM using PAM_ldap) and a jenkins (version 2.138) on my local machine working fine as well.

Issue comes in when I configure jenkins to use ldap to authenticate users. When testing the settings with the "Test ldap settings" button, lookup is ok

Lookup User lookup: successful User ID: test User Dn: "cn=test+gidNumber=5556+givenName=test+homeDirectory=/home/test+loginShell=/bin/bash+sn=test+uid=test,ou=users",dc=home,dc=local User Display Name: test User email: [email protected] LDAP Group membership: jenkins LDAP Group lookup: successful (1 group)

but login fails and a lockout warning message is displayed

The user "test" will be unable to login with the supplied password. If this is your own account this would mean you would be locked out! Are you sure you want to save this configuration?

Here is the ldap config in jenkins:

Server: ldap://192.168.1.106
root DN: dc=home,dc=local
User search filter: uid={0}
Group membership: Search for LDAP groups containing user
Manager DN: cn=admin,dc=home,dc=local
Manager Password: ••••••••••
Display Name LDAP attribute: uid
Email Address LDAP attribute: mail

ldap's log shows this when jenkins login fails:

slapd[844]: conn=1254 op=0 do_bind: invalid dn ("cn=test+gidNumber=5556+givenName=test+homeDirectory=/home/test+loginShell=/bin/bash+sn=test+uid=test,ou=users",dc=home,dc=local)

Note the double quote after ou=users. Does it seem like a concatenation issue?

the dn computed by jenkins and sent to openldap is invalid and should be

("cn=test+gidNumber=5556+givenName=test+homeDirectory=/home/test+loginShell=/bin/bash+sn=test+uid=test,ou=users,dc=home,dc=local")

If I use Apache Directory Studio and issue the search using the invalid dn, it fails (obviously) and if I search using the fixed dn, the search returns the expected record.

Openldap does not allow anonymous binding, hence admin credentials in jenkins config.

I tried to add/remove root DN (test fails if missing), search base (test fails whether filled or not), search group (same).

I'm kinda out of ideas to sort this out.

I must be missing something.

Any help is appreciated.

Edit: add test user ldif

dn: cn=test+gidNumber=5556+givenName=test+homeDirectory=/home/test+loginShel
 l=/bin/bash+sn=test+uid=test,ou=users,dc=home,dc=local
objectClass: simpleSecurityObject
objectClass: posixAccount
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: test
gidNumber: 5556
homeDirectory: /home/test
sn: test
uid: test
uidNumber: 5556
userPassword:: e1NTSEF9aCtmbmhraXVJSXp1MmRETUY4Zm4wK3NpYzVrUEF6VXJmWUhKUmc9P
 Q==
givenName: test
loginShell: /bin/bash
mail: [email protected]

Edit2: I have an install of free artifactory. I was able to add ldap settings and test authentication with the same test user with success and without any change in ldap configuration or tree.
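The bind failure in the question is a DN syntax problem, not a password problem: `"cn=...+uid=test,ou=users",dc=home,dc=local` wraps the multi-valued RDN in double quotes, which RFC 4514 does not allow (a `"` must be escaped as `\"`), so slapd reports `invalid dn`. The following is an added example, not code from Jenkins, OpenLDAP or the question: a small RFC 4514-style DN checker that splits a DN into RDNs and attribute-value assertions while honouring backslash escapes, rejects the quoted form from the question, accepts the corrected form, and shows how a bind DN should be composed from a relative DN and a base (join with `,`, escape special characters, never add quotes). It implements only the subset of RFC 4514 needed here (no hex-string values, no leading/trailing-space rules); the DN strings are taken from the question and the helper names are mine.

```python
"""Minimal RFC 4514 DN checker (added example; simplified subset of the RFC)."""
import re

# attributeType is a descriptor (letter, then letters/digits/hyphen) or a numeric OID
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")

# DN strings taken from the question (the first is what slapd rejected)
BAD_DN = ('"cn=test+gidNumber=5556+givenName=test+homeDirectory=/home/test'
          '+loginShell=/bin/bash+sn=test+uid=test,ou=users",dc=home,dc=local')
GOOD_DN = ('cn=test+gidNumber=5556+givenName=test+homeDirectory=/home/test'
           '+loginShell=/bin/bash+sn=test+uid=test,ou=users,dc=home,dc=local')
USER_RDN = ('cn=test+gidNumber=5556+givenName=test+homeDirectory=/home/test'
            '+loginShell=/bin/bash+sn=test+uid=test,ou=users')
BASE_DN = "dc=home,dc=local"


def _unescaped_chars(s):
    """Yield (index, char) for every character not protected by a backslash."""
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            i += 2          # skip the escaped character
            continue
        yield i, s[i]
        i += 1


def _split_unescaped(s, sep):
    """Split s on unescaped occurrences of sep (so 'Doe\\, John' stays whole)."""
    parts, start = [], 0
    for i, ch in _unescaped_chars(s):
        if ch == sep:
            parts.append(s[start:i])
            start = i + 1
    parts.append(s[start:])
    return parts


def parse_dn(dn):
    """Return a list of RDNs, each a list of (type, value) pairs.

    Raises ValueError for the syntax errors relevant here: an attribute type
    that is not a descriptor/OID (e.g. '"cn'), a missing '=', or an
    unescaped '"' inside a value.
    """
    rdns = []
    for rdn_str in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn_str, "+"):
            if "=" not in ava:
                raise ValueError(f"RDN component without '=': {ava!r}")
            attr, value = ava.split("=", 1)
            attr = attr.strip()
            if not ATTR_TYPE.match(attr):
                raise ValueError(f"invalid attribute type {attr!r} in {ava!r}")
            if any(ch == '"' for _, ch in _unescaped_chars(value)):
                raise ValueError(f"unescaped '\"' in value of {attr}: {value!r}")
            avas.append((attr, value))
        rdns.append(avas)
    return rdns


def is_valid_dn(dn):
    """True if parse_dn accepts the string."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def format_dn(rdns):
    """Inverse of parse_dn: '+' between AVAs of one RDN, ',' between RDNs."""
    return ",".join("+".join(f"{a}={v}" for a, v in rdn) for rdn in rdns)


def join_dn(*components):
    """Compose a DN from already-escaped fragments: validate each, join with ','.

    This is the safe way to build a bind DN from a relative DN and a base;
    wrapping a multi-valued RDN in quotes (legacy RFC 1779 style) is what
    produced the DN slapd rejected in the question.
    """
    for c in components:
        parse_dn(c)
    return ",".join(components)


if __name__ == "__main__":
    print("rejected DN valid?", is_valid_dn(BAD_DN))      # False
    print("fixed DN valid?   ", is_valid_dn(GOOD_DN))     # True
    print("composed bind DN: ", join_dn(USER_RDN, BASE_DN))
```

Running `is_valid_dn` on the DN from the slapd log reproduces the rejection at the first component, whose attribute type is `"cn`. When checking your own setup, compare the user DN a client prints in its test output against what `ldapsearch` returns for the same entry: if the client's version contains quote characters that the directory's DN does not, the client is composing the bind DN incorrectly and the password is never evaluated.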

1 Answer


Been having the same issue until I found that the password hash that works with Jenkins is SSHA.