Commit
[FIXES JENKINS-17281] Adding configuration options for the filters used to search for groups.
- It is somewhat confusing that there are two 'group search filters' so I have decided to rename one.
- The new name for the 'groupSearchFilter' that is controlled from is the as this filter is used to determine what groups a specific user is a member of
- That leaves as a nice clean name for the filter to search for named groups.
- This should still respect any existing configuration, i.e. leaving these fields blank will leave the existing defaults or existing overrides in place... but it will make life easier for users going forward
- Took quite some digging to figure out exactly what these filters were for... hopefully I have left things in a more obvious framing for anyone else following
- I would like a better way to apply the override, but this was the cleanest way I could maintain backwards compatibility
Showing 5 changed files with 112 additions and 3 deletions.
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
<div> | ||
<p> | ||
When Jenkins resolves a user, the next step in the resolution process is to determine the LDAP groups that | ||
the user belongs to. This field controls the search filter that is used to determine group membership. | ||
If left blank, the default filter will be used. | ||
</p> | ||
<p> | ||
The default default filter is: | ||
</p> | ||
<pre>(| (member={0}) (uniqueMember={0}) (memberUid={1}))</pre> | ||
<p> | ||
This can be overridden by creating a file <code>$JENKINS_HOME/LDAPBindSecurityRealm.groovy</code>. Irrespective | ||
of what the default is, setting this filter to a non-blank value will determine the filter used. | ||
</p> | ||
<p> | ||
You are normally safe leaving this field unchanged, however for large LDAP servers where you are seeing messages | ||
such as <code>OperationNotSupportedException - Function Not Implemented</code>, | ||
<code>Administrative Limit Exceeded</code> or similar periodically when trying to login, then that would | ||
indicate that you should change to a more optimum filter for your LDAP server, namely one that queries only | ||
the required field, such as: | ||
</p> | ||
<pre>(member={0})</pre> | ||
<p> | ||
Note: in this field there are two available substitutions: | ||
</p> | ||
<ul> | ||
<li><code>{0}</code> - the fully qualified DN of the user</li> | ||
<li><code>{1}</code> - the username portion of the user</li> | ||
</ul> | ||
</div> |
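Review bot: The suggested replacement `(member={0})` drops the `uniqueMember={0}` and `memberUid={1}` clauses of the default filter, and the help text does not say what that costs. Because this filter decides which groups a user is resolved into, any membership recorded only through `uniqueMember` or `memberUid` will no longer be found, and permissions granted through those groups will silently stop applying. Please state that the narrower filter should name the attribute the server actually uses for membership, with `(member={0})` as one case. Two smaller points: "The default default filter is:" has a doubled word, and the sentence about `$JENKINS_HOME/LDAPBindSecurityRealm.groovy` reads ambiguously next to "Irrespective of what the default is"; say in one sentence which of the field and the Groovy file wins when both are set.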
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
<div> | ||
<p> | ||
When Jenkins is asked to determine if a named group exists, it uses a default filter of: | ||
</p> | ||
<pre>(& (cn={0}) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames) (objectclass=posixGroup)))</pre> | ||
<p> | ||
relative to the <code>Group search base</code> to determine if there is a group with the specified name ( | ||
<code>{0}</code> is substituted by the name being searched for) | ||
</p> | ||
<p> | ||
If you know your LDAP server only stores group information in one specific object class, then you can improve | ||
group search performance by restricting the filter to just the required <code>objectclass</code>. | ||
</p> | ||
<p> | ||
Note: if you are using the LDAP security realm to connect to Active Directory (as opposed to using the | ||
<a href="https://wiki.jenkins-ci.org/display/JENKINS/Active+Directory+plugin">Active Directory plugin</a>'s | ||
security realm) then you will need to change this filter to: | ||
</p> | ||
<pre>(& (cn={0}) (objectclass=group) )</pre> | ||
<p> | ||
Note: if you leave this empty, the default search filter will be used, unless the | ||
<code>hudson.security.LDAPSecurityRealm.groupSearch</code> has been set to modify the default. | ||
</p> | ||
</div> |
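Review bot: The closing note, "unless the `hudson.security.LDAPSecurityRealm.groupSearch` has been set to modify the default", is missing a noun and never says what kind of setting this is or how it ranks against the field. Please name the mechanism explicitly and state the precedence the way the other help file does for its field (a non-blank value here wins, a blank value falls back to the override, then to the built-in default). The opening sentence is also split around the `<pre>` block, so "relative to the Group search base" starts a paragraph on its own; moving the search-base clause before the filter would read better. For the Active Directory note, it would help to say that `(objectclass=group)` replaces the three object classes in the default filter rather than being added to them.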
This is very confusing in the context of a GUI control. Better to say that for historical reasons, this used to be configured in Groovy, but now is configured here.