My organization has tightened access to Jenkins CI (dockerized) by enabling AD through the LDAP plugin. All access to the Jenkins instance requires the user to be granted a role. Even though I have granted that role, I cannot log in. Since my organization is split into multiple organizational units, I suspect there is a problem with the LDAP filter specified in the plugin.
We have already tried troubleshooting with the groovy script from https://plugins.jenkins.io/ldap/:
Checking the name 'Role-BlaBla-Dev'...
It is a USER: org.acegisecurity.userdetails.UserDetails$1@58faef7b
Has groups/authorities: [Role-system-qa, authenticated]
Checking the name 'MyUserName'...
It is a GROUP: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@5e4f6228
Checking the name 'AnotherUserNameWithAccess'...
It is a USER: org.acegisecurity.userdetails.UserDetails$1@56d7bb22
Has groups/authorities: [...]
What I see is that my username always prints "It is a GROUP:", whereas users who are able to log in print "It is a USER:". What could distinguish a group from a user? Any pointers on how to debug this further are greatly appreciated.
The security configuration in config.xml looks like this:
<useSecurity>true</useSecurity>
<authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
  <permission>GROUP:hudson.model.Hudson.Administer:Role-BlaBla-Dev</permission>
</authorizationStrategy>
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap@2.12">
  <disableMailAddressResolver>false</disableMailAddressResolver>
  <configurations>
    <jenkins.security.plugins.ldap.LDAPConfiguration>
      <server>ldaps://ldapserver-org.no</server>
      <rootDN>OU=DSA,OU=Customers,DC=db1,DC=orgname,DC=no</rootDN>
      <inhibitInferRootDN>false</inhibitInferRootDN>
      <userSearchBase></userSearchBase>
      <userSearch>sAMAccountName={0}</userSearch>
      <groupSearchBase>ou=groups</groupSearchBase>
      <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromUserRecordLDAPGroupMembershipStrategy">
        <attributeName>memberOf</attributeName>
      </groupMembershipStrategy>
      <managerDN>CN=Service Account SVC-Jenkins-Test-JHZ,OU=ServiceAccounts,OU=Administration,OU=JHZ,OU=Customers,DC=db1,DC=orgname,DC=no</managerDN>
      <managerPasswordSecret>{XXXXXXXXXX}</managerPasswordSecret>
      <displayNameAttributeName>displayname</displayNameAttributeName>
      <mailAddressAttributeName>mail</mailAddressAttributeName>
      <ignoreIfUnavailable>false</ignoreIfUnavailable>
    </jenkins.security.plugins.ldap.LDAPConfiguration>
  </configurations>
</securityRealm>
1 answer
The problem was related to the rootDN configuration. Removing OU=DSA solved it. The groovy script now correctly identifies me with "It is a USER:".
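To make the accepted fix concrete, here is an added example (not from the question, the answer, or the Jenkins LDAP plugin itself) that simulates the plugin's lookup order against a tiny in-memory directory: the user search runs under userSearchBase + rootDN, and only if that finds nothing does the group search run under groupSearchBase + rootDN. The directory entries, the OU=Users and OU=JHZ placement of the accounts, and the search() helper are constructed assumptions; only the DN suffix and the names from the question are reused. It shows that with the original rootDN (OU=DSA,...) an account that lives in a sibling OU is simply not visible to the user search, while the same account resolves as a USER once the rootDN is widened to OU=Customers.

```python
"""Added example: why a too-narrow rootDN hides a real user from the Jenkins
LDAP plugin.  The directory below is constructed for illustration."""
from __future__ import annotations
import re
from typing import Optional


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs, case-folded, because AD compares
    DNs case-insensitively ('OU=Customers' == 'ou=customers')."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):   # split on commas not escaped with '\'
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def rdn_value(dn: str) -> str:
    """Value of the first RDN with its original case, e.g. the CN of a group."""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def dn_is_under(dn: str, base: str) -> bool:
    """True if `dn` equals `base` or lies anywhere below it (subtree scope)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# Constructed sample directory (assumption: accounts sit in different OUs
# under OU=Customers, groups in OU=groups directly under OU=Customers).
DIRECTORY = [
    {"dn": "CN=MyUserName,OU=Users,OU=JHZ,OU=Customers,DC=db1,DC=orgname,DC=no",
     "objectClass": "user", "sAMAccountName": "MyUserName",
     "memberOf": ["CN=Role-BlaBla-Dev,OU=groups,OU=Customers,DC=db1,DC=orgname,DC=no"]},
    {"dn": "CN=AnotherUserNameWithAccess,OU=Users,OU=DSA,OU=Customers,DC=db1,DC=orgname,DC=no",
     "objectClass": "user", "sAMAccountName": "AnotherUserNameWithAccess",
     "memberOf": ["CN=Role-BlaBla-Dev,OU=groups,OU=Customers,DC=db1,DC=orgname,DC=no"]},
    {"dn": "CN=Role-BlaBla-Dev,OU=groups,OU=Customers,DC=db1,DC=orgname,DC=no",
     "objectClass": "group", "cn": "Role-BlaBla-Dev"},
]


def search(base: str, **attrs: str) -> list[dict]:
    """Subtree search: entries under `base` whose attributes match `attrs`
    (case-insensitive equality, the behaviour of AD for these attributes)."""
    hits = []
    for entry in DIRECTORY:
        if not dn_is_under(entry["dn"], base):
            continue
        if all(str(entry.get(k, "")).lower() == v.lower() for k, v in attrs.items()):
            hits.append(entry)
    return hits


def _join(relative: str, root: str) -> str:
    """Jenkins treats userSearchBase/groupSearchBase as relative to rootDN."""
    return f"{relative},{root}" if relative else root


def lookup(name: str, root_dn: str, user_search_base: str = "",
           group_search_base: str = "ou=groups") -> Optional[str]:
    """Mimic the diagnostic order: user search first (userSearch=sAMAccountName={0}),
    then a group search by cn.  Returns 'USER', 'GROUP' or None if neither matches."""
    if search(_join(user_search_base, root_dn), objectClass="user", sAMAccountName=name):
        return "USER"
    if search(_join(group_search_base, root_dn), objectClass="group", cn=name):
        return "GROUP"
    return None


def groups_of(name: str, root_dn: str) -> list[str]:
    """FromUserRecordLDAPGroupMembershipStrategy: read memberOf from the user
    record found under rootDN and keep each group's CN."""
    users = search(root_dn, objectClass="user", sAMAccountName=name)
    if not users:
        return []
    return [rdn_value(g) for g in users[0]["memberOf"]]


NARROW = "OU=DSA,OU=Customers,DC=db1,DC=orgname,DC=no"   # rootDN from the question
WIDE = "OU=Customers,DC=db1,DC=orgname,DC=no"            # rootDN after the accepted fix

if __name__ == "__main__":
    for root in (NARROW, WIDE):
        for name in ("MyUserName", "AnotherUserNameWithAccess", "Role-BlaBla-Dev"):
            print(f"rootDN={root:45} {name:28} -> {lookup(name, root)}")
</test>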