
I'm currently trying to set up a new install of Jenkins on a new VM to replace the old box in the corner server that currently runs. The old box was only ever configured with some basic users to share, whereas the new box needs to correctly use the company's login system. I've managed to get it configured to the point that LDAP works and users are able to log in with their standard company username/password; however, it currently lets anyone log in (see image).

LDAP Configuration

What I need to do is restrict it to a specific group I have setup. The group is basically as below:

Group: CN=IA-EC-DEV,OU=w2k,OU=group,OU=meplc,DC=users,DC=com

Is there a way to modify the LDAP settings so that it only authenticates and allows users within this group to log in?

Version Info:
Jenkins ver. 2.190.2
Active Directory plugin 2.16
LDAP Plugin 1.21

1 Answer


Active Directory has a back-linked attribute, "memberOf". If all authorized users are direct members of the group, use a filter like (&(cn={0})(memberOf=CN=IA-EC-DEV,OU=w2k,OU=group,OU=meplc,DC=users,DC=com)).

If you use nested groups (i.e. I'm a member of a group that is a member of a group that is a member of IA-EC-DEV and thus should be able to log into Jenkins), Active Directory has a special matching rule OID that handles ancestry. It is called LDAP_MATCHING_RULE_IN_CHAIN and is used as (&(cn={0})(memberOf:1.2.840.113556.1.4.1941:=CN=IA-EC-DEV,OU=w2k,OU=group,OU=meplc,DC=users,DC=com)).
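As an added illustration (not code from the answer above or from the Jenkins plugins), the following Python renders both filter templates from the answer for a given login name. Jenkins substitutes `{0}` itself; this mirrors that step, with the assumption that the username is escaped per RFC 4515 so that a crafted login name such as `*)(cn=*` cannot change the meaning of the filter.

```python
# Filter templates exactly as given in the answer (group DN from the question).
GROUP_DN = "CN=IA-EC-DEV,OU=w2k,OU=group,OU=meplc,DC=users,DC=com"
# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

DIRECT_TEMPLATE = "(&(cn={0})(memberOf=" + GROUP_DN + "))"
NESTED_TEMPLATE = "(&(cn={0})(memberOf:" + IN_CHAIN_OID + ":=" + GROUP_DN + "))"

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot inject extra filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render(template: str, username: str) -> str:
    """Substitute the escaped login name for the {0} placeholder (assumed helper)."""
    return template.replace("{0}", escape_filter_value(username))


def direct_member_filter(username: str) -> str:
    """Filter matching only users who are direct members of GROUP_DN."""
    return render(DIRECT_TEMPLATE, username)


def nested_member_filter(username: str) -> str:
    """Filter matching users who are members via any chain of nested groups."""
    return render(NESTED_TEMPLATE, username)


if __name__ == "__main__":
    # Constructed sample login names, including one that tries to inject syntax.
    for name in ("jdoe", "*)(cn=*"):
        print(direct_member_filter(name))
        print(nested_member_filter(name))
```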