Scenario / Questions

I’m trying to get Jenkins to authenticate users via our active directory groups.

If I insert users they are correctly looked up.
If I insert group names, they are not found.


Edit: Through trial & error I have found out that the authentication via the groups does in fact work, that is, once I add the group KS-Soft to the list, users in this group can log in. However, in the list where the users and group names are entered, Jenkins tries to display an icon for whether it’s a user or a group. The user icon is displayed correctly, but the group icon is always an error icon.

So it would appear that Jenkins can authenticate users via group membership, but it fails to verify whether a given group name string exists in the directory. Is this technically even possible? (Maybe just the icon display is messed up.)


The Jenkins settings are as follows: (note: mydomain and com user names are different, the rest are exact values)

Server  : ldap://ks-dc01.mydomain.com:389
root DN : dc=mydomain,dc=com
User Search Base : ou=KSUser
User Search Filter : userPrincipalName={0}
Group search base : ou=KSGroups
Manager DN : CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com
Manager Password : *****

With this setup, I enter the user martin.placeholder@mydomain.com into the list and Jenkins then can look up this user and I can log in.

However, I cannot get Jenkins to resolve the Group Names. I use AD Explorer to confirm my groups are in fact below OU=KSGroups.

I have one group here displayed as CN=KS-Soft in AD Explorer and it has a memberattribute that lists all the users I’m interested in. (The user martin.placeholder@mydomain.com is listed as CN=Placeholder Martin,OU=Benutzer,OU=KSUser,DC=mydomain,DC=com in this attibute.)

I have tried these string for the group:

  • KS-Soft
  • KS-SOft@mydomain.com
  • ROLE_KS-Soft and ROLE_KS-Soft@mydomain.com as per this thread

Note that the Jenkins help has the following to say on the Group search base:

One of the searches Jenkins does on
LDAP is to locate the list of groups
for a user.

This field determines the query to be
run to identify the organizational
unit that contains groups. The query
is almost always “ou=groups” so try
that first, though this field may be
left blank to search from the root DN.

If login attempts result in
“Administrative Limit Exceeded” or
similar error, try to make this
setting as specific as possible for
your LDAP structure, to reduce the
scope of the query. If the error
persists, you may need to edit the
WEB-INF/security/LDAPBindSecurityRealm.groovy
file that is included in jenkins.war.
Change the line with:
groupSearchFilter = "(| (member={0})
(uniqueMember={0}) (memberUid={1}))";

to query only of the field used in
your LDAP for group membership, such
as: groupSearchFilter =
"(member={0})";
Then restart Jenkins
and retry the login.

I have tried both values in this file and neither works.

Find below all possible solutions or suggestions for the above questions..

Suggestion: 1

had the same problem today with Jenkins 2. LDAP is configured working and I can login as AD user, I can add AD user to matrix, but when I add a group into matrix, it shows “user/group not found” for that group.

Finally fixed it following
https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin#LDAPPlugin-Groupsearchbase

The fix is to add (& (cn={0}) (objectclass=group) ) as group search filter.

By Default, Jenkins use
(& (cn={0}) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames) (objectclass=posixGroup)))

Our AD group only has

objectClass: top
objectClass: group

Suggestion: 2

I just found out the hard way this morning that Jenkins is CASE SENSITIVE when it comes to AD group-names.
Just adding that as an answer in case somebody is pulling out his/her hair in frustration.
It is totally non-obvious as AD group-names are normally NOT case-sensitive anywhere.

Suggestion: 3

Try making your groupSearchBase fully qualified, i.e. “ou=KSGroups,dc=mydomain,dc=com”. Also, group names will almost certainly not end in “@mydomain.com” (unless you named them that way on purpose).

I’d suggest using “ldapsearch” from the openldap tools or a similar command-line tool for Windows to try out variations of the groupSearchFilter until you find one that gives you the results you want, and then import that into the .groovy file.