GitHub – jenkinsci/active-directory-plugin: Jenkins active-directory plugin

Introduction to Jenkins

Jenkins is a self-contained, open-source automation server that can be used to automate all sorts of tasks related to building, testing, delivering or deploying software.

LDAP StartTLS (by default)

The Active Directory plugin performs a TLS upgrade (StartTLS): it connects to domain controllers over insecure LDAP and then, from within the LDAP protocol, “upgrades” the connection to TLS, achieving the same degree of confidentiality and server authentication as LDAPS.

The server needs a valid X.509 certificate for this to work. If the server cannot complete the TLS upgrade, communication continues over insecure LDAP unless the “Require TLS” option described under Encryption support is enabled. In other words, in an environment where the server supports it, the plugin automatically uses a properly secured connection. See the TechNet article for how to install a certificate on your AD domain controllers to enable this feature.

To verify whether the connection is upgraded, see Logging and add a logger for hudson.plugins.active_directory.ActiveDirectorySecurityRealm at level FINE or above. Search for “TLS” in the log messages.

Configuration

Select LDAP for the Security Realm. You will most likely need to
configure some of the Advanced options. There is on-line help available
for each option. 

Configuration with JCasC

For more examples, see the YAML files used in the tests.
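
An added example of a jenkins.yaml fragment for the Active Directory realm (not one of the plugin's test files), showing the weak TLS choice beside the one to use. The field names are those of the plugin's JCasC schema as published in its README (securityRealm: activeDirectory; domains with name, servers, bindName, bindPassword, tlsConfiguration; startTls; requireTLS; groupLookupStrategy; removeIrrelevantGroups; cache); verify them against the test YAML files mentioned above. The domain, controller and service account values are placeholders.

```yaml
jenkins:
  securityRealm:
    activeDirectory:
      domains:
        - name: "corp.example.com"                       # placeholder domain
          servers: "dc1.corp.example.com:636,dc2.corp.example.com:636"  # placeholder controllers; omit to use DNS lookup
          bindName: "CN=svc-jenkins,OU=Service Accounts,DC=corp,DC=example,DC=com"
          bindPassword: "${AD_BIND_PASSWORD}"            # resolved by JCasC from the environment, not stored in the file
          # tlsConfiguration: TRUST_ALL_CERTIFICATES     # weak: any certificate is accepted, so TLS no longer authenticates the DC
          tlsConfiguration: JDK_TRUSTSTORE               # validate the DC certificate against the JVM trust store
      startTls: true
      requireTLS: true                                   # abort instead of falling back to plain LDAP when StartTLS is refused
      groupLookupStrategy: "RECURSIVE"
      removeIrrelevantGroups: true
      cache:
        size: 500
        ttl: 600
```

With TRUST_ALL_CERTIFICATES the connection is still encrypted, but anyone able to answer for the domain controller's address can present any certificate and read the bind credentials; JDK_TRUSTSTORE plus requireTLS is the combination that gives both confidentiality and server authentication.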

Configure Jenkins with LDAP

LDAP is new to me and I am trying to use it with Jenkins. I am using slapd.

I created a simple tree with the user admin and 1 user adenoyelle (via dpkg-reconfigure). I do not understand how Jenkins will find the LDAP users.

Here is the result of ldapsearch :

root@myserver:~# ldapsearch -x -b 'dc=mycompany,dc=com'
# extended LDIF
#
# LDAPv3
# base <dc=mycompany,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# mycompany.com
dn: dc=mycompany,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: mycompany.com
dc: mycompany

# admin, mycompany.com
dn: cn=admin,dc=mycompany,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# adenoyelle, mycompany.com
dn: cn=adenoyelle,dc=mycompany,dc=com
cn: adenoyelle
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

Question 1) : Does this structure look good?

I tried to configure Jenkins with those options :

LDAP server: ldap://mycompany.com:389
root DN : dc=mycompany,dc=com
DN manager : cn=admin,dc=mycompany,dc=com
manager password : ******

When I try to connect with adenoyelle/*****, I get the message :

jenkins invalid login information. please try again

Question 2) Am I missing a piece of configuration?

Configuring the trusted certificates

When using TLS, new installs default to the JVM trust store.

Create/update a dedicated log recorder

If you think you have configured everything correctly but are still unable to log in (or have any other problem), enable Logging and set the logging level for “hudson.plugins.active_directory” to ALL. Attempt a login and then file a ticket with the log output.


Also, it might be useful to enable:

Development

Start the local Jenkins instance:

Enable cache

Some LDAP servers may be slow, or rate limit client requests.

Encryption support

From version 2.26 (SECURITY-1389), the connection to the Active Directory server can be configured via the UI to require TLS for all communication (the “Require TLS” option).

Prior to this change it could only be configured through the now defunct hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps system property, which was not honoured for ADSI-based setups.
For new setups this defaults to on.
If you had previously been using the above property, once you save “Global Security” ($JENKINS_URL/configureSecurity) you can remove the system property.

Note: for upgrades from prior versions without the system property set, connections may still be made in plain text (if “Enable StartTLS” is on but the StartTLS command fails, or if the plugin is using ADSI). It is strongly recommended that you enable the option.
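
The StartTLS exchange behind the “Require TLS” decision, as an added example that is not code from the plugin: the client's ExtendedRequest, the server's ExtendedResponse, and the choice between proceeding with the TLS handshake, aborting, or silently staying in plain text (the fallback described in the StartTLS section above and in the note just given). The BER helpers handle only the short-form lengths these two messages need, and the server replies are constructed by hand.

```python
"""StartTLS reduced to the two LDAP messages involved and the client decision
that follows the server's answer.

Added example, not code from the Jenkins active-directory plugin. The BER
helpers cover short-form lengths only (enough for these messages); the
server replies built with extended_response() are constructed for the demo.
"""

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511 section 4.14)

# LDAP result codes used here (RFC 4511, Appendix A)
SUCCESS, PROTOCOL_ERROR, UNAVAILABLE = 0, 2, 52


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV with a short-form (single byte) length."""
    if len(body) > 127:
        raise ValueError("long-form lengths are not needed for StartTLS messages")
    return bytes([tag, len(body)]) + body


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not supported by this helper")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.

    ExtendedRequest is [APPLICATION 23] (tag 0x77); requestName is [0] (tag 0x80).
    """
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID.encode()))
    return tlv(0x30, tlv(0x02, bytes([message_id])) + ext_req)


def extended_response(message_id: int, result_code: int, diag: str = "",
                      response_name=None) -> bytes:
    """Constructed server reply; ExtendedResponse is [APPLICATION 24] (tag 0x78)."""
    body = (tlv(0x0A, bytes([result_code]))   # resultCode ENUMERATED
            + tlv(0x04, b"")                   # matchedDN
            + tlv(0x04, diag.encode()))        # diagnosticMessage
    if response_name is not None:
        body += tlv(0x8A, response_name.encode())  # responseName [10]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x78, body))


def parse_extended_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) of an ExtendedResponse."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(body)
    tag, op, _ = parse_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = parse_tlv(op)
    _, _matched_dn, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return mid[0], rc[0], diag.decode()


def negotiate(server_reply: bytes, require_tls: bool) -> str:
    """What the client does once the server has answered the StartTLS request.

    "tls": the TLS handshake now starts on the same socket.
    "plaintext": the opportunistic fallback, i.e. the downgrade that the
    "Require TLS" option exists to prevent.
    Raises ConnectionError when TLS is required but the server refused it.
    """
    _, rc, diag = parse_extended_response(server_reply)
    if rc == SUCCESS:
        return "tls"
    if require_tls:
        raise ConnectionError(f"StartTLS refused (result {rc}: {diag!r}); aborting")
    return "plaintext"


if __name__ == "__main__":
    print("client ->", starttls_request(1).hex())
    ok = extended_response(1, SUCCESS, response_name=STARTTLS_OID)
    refused = extended_response(1, UNAVAILABLE, "TLS not available")
    print("server accepts:", negotiate(ok, require_tls=True))
    print("server refuses, Require TLS off:", negotiate(refused, require_tls=False))
    try:
        negotiate(refused, require_tls=True)
    except ConnectionError as err:
        print("server refuses, Require TLS on:", err)
```

The request bytes printed by the block are the same ones a packet capture of the plugin's first message on port 389 shows; the only thing the option changes is the third branch of negotiate(), which is why a pre-2.26 setup with a misconfigured certificate on the DC kept working, just without encryption.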

Environment properties

As of version 1.7 of the LDAP plugin, you can specify additional environment properties to pass to the backing Java LDAP client API. See Oracle’s documentation for details of what properties are available and what functionality they provide. As a minimum you should strongly consider providing the following:

How to install

Run

to create the plugin .hpi file.

To install:

If using a domain controller, check that all servers in the farm are working correctly

If we are using a Domain Controller, as in the example below, we might want to list all the AD servers in the farm by using:

Important: Active Directory 2.0 brings better multi-domain support

The latest release of the Active Directory plugin provides better multi-domain support.

Jenkins ldap plugin

Note: This plugin was part of the Jenkins core until 1.468. After
that, it was split out into a separately-updateable plugin. However, for
backwards compatibility purposes, subsequent core releases still bundle
it. If you do not use this plugin at all, you can simply disable it.

License

(The MIT License)

Copyright (c) 2004-2022, Sun Microsystems, Inc., Kohsuke Kawaguchi, Seiji Sogabe,
   Olivier Lamy, CloudBees, Inc., Stephen Connolly, and others

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

Locked accounts

Accounts can be locked by intruder detection systems. The following attributes are checked to support this:

  • pwdLockout with a value of TRUE (LDAP password policy);
  • the userAccountControl flag ADS_UF_LOCKOUT (0x10) is present (Active Directory); and
  • lockedByIntruder with a value of TRUE (eDirectory).
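
The three checks above applied to an LDAP entry, as an added example (not the plugin's code). Entries are plain dicts of attribute name to list of values, the shape most LDAP clients return, and the sample entries are constructed. One point beyond the list above: a domain controller does not store the lockout bit in userAccountControl but exposes it through the computed attribute msDS-User-Account-Control-Computed, so the example reads both.

```python
"""Evaluate the lockout indicators listed above against an LDAP entry.

Added example, not the plugin's code. An entry is a dict mapping attribute
name to a list of string values; the SAMPLES below are constructed.
"""
from typing import Dict, List, Optional

ADS_UF_LOCKOUT = 0x10  # userAccountControl bit, Active Directory

Entry = Dict[str, List[str]]


def first_value(entry: Entry, attr: str) -> Optional[str]:
    """Case-insensitive lookup (LDAP attribute names are case-insensitive)."""
    wanted = attr.lower()
    for name, values in entry.items():
        if name.lower() == wanted and values:
            return values[0]
    return None


def is_true(entry: Entry, attr: str) -> bool:
    return (first_value(entry, attr) or "").upper() == "TRUE"


def has_lockout_bit(entry: Entry, attr: str) -> bool:
    value = first_value(entry, attr)
    return value is not None and (int(value) & ADS_UF_LOCKOUT) != 0


def lockout_reason(entry: Entry) -> Optional[str]:
    """Name of the indicator that marks the account as locked, or None."""
    if is_true(entry, "pwdLockout"):                       # LDAP password policy
        return "pwdLockout"
    # Active Directory: userAccountControl as listed above, plus the computed
    # attribute in which a DC actually reports the bit (goes beyond the list).
    if has_lockout_bit(entry, "userAccountControl") or \
            has_lockout_bit(entry, "msDS-User-Account-Control-Computed"):
        return "ADS_UF_LOCKOUT"
    if is_true(entry, "lockedByIntruder"):                 # eDirectory
        return "lockedByIntruder"
    return None


def is_locked(entry: Entry) -> bool:
    return lockout_reason(entry) is not None


# Constructed sample entries, not taken from any real directory.
SAMPLES: Dict[str, Entry] = {
    "ad-normal": {"sAMAccountName": ["jdoe"], "userAccountControl": ["512"]},
    "ad-locked": {"sAMAccountName": ["jdoe"], "userAccountControl": ["512"],
                  "msDS-User-Account-Control-Computed": ["528"]},  # 0x200 | 0x10
    "ppolicy-locked": {"uid": ["jdoe"], "pwdLockout": ["TRUE"]},
    "edir-locked": {"cn": ["jdoe"], "lockedByIntruder": ["TRUE"]},
}


def check_samples() -> Dict[str, Optional[str]]:
    return {name: lockout_reason(entry) for name, entry in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in check_samples().items():
        print(f"{name:15s} locked={reason is not None!s:5s} reason={reason}")
```

Note that a disabled account (ADS_UF_ACCOUNTDISABLE, 0x2) is a different state and is not reported by these checks; "ad-locked" only registers because the computed attribute is requested alongside userAccountControl.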

Manager dn and manager password

If your LDAP server doesn’t support anonymous binding (in other words, if your LDAP server doesn’t even allow a query without authentication), then Jenkins has to authenticate itself against the LDAP server first, and it does that by sending the “manager” DN and password.

Override domain controllers

This plugin follows the standard lookup procedure to determine the list of candidate Active Directory domain controllers, and this should be sufficient under normal circumstances. But if for some reason it isn’t, you can manually override it and provide the list of domain controllers by filling in the “Domain controller” field in the advanced section with a value of the form “host:port,host:port,…”.

For historical reasons, the system property “hudson.plugins.active_directory.ActiveDirectorySecurityRealm.domainControllers” for this purpose is still supported, but starting with 1.28, the configuration in the UI is preferred.

If you have multiple AD domains federated into a forest, be sure to use a global catalog, or else you will fail to find group memberships that are defined in other domains.

Performance tuning

Here is a checklist to help improve performance:

Release notes

See Github Release.

Securing access to active directory servers

There are two possible options for securing access to Active Directory:

Setup

Install Certs in Store

Update config.xml

Update jenkins.xml

Tips and tricks

If you are using the LDAP plugin to connect to Active Directory you should probably read this page of AD syntax notes. Pay special attention to Notes 10 and 19. The following settings are reported to work with Active Directory and nested groups, though they should carry a warning that they may impact login performance and have not been tested for completeness:


Troubleshooting

The following Groovy script can be useful when trying to determine whether you have group search configured correctly:

Use a tool like ‘ldapsearch’ to validate credentials and authentication settings

Take care to escape special characters with quotes where necessary.

For TLS end-points:

For non-TLS end-points:

In case you don’t want to show your password, you might want to use the command below instead – to be prompted for it.

All these fields should match with the following fields in the AD plugin configuration:
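
The mapping from the plugin's fields to an ldapsearch command line, as an added example that is not part of the plugin or its documentation: Domain Name becomes the search base (-b), Domain controller the URI (-H), Bind DN the -D argument, and the password is prompted for with -W rather than passed on the command line. The three endpoint types correspond to ldaps://, ldap:// with -ZZ (StartTLS that must succeed, the ldapsearch equivalent of Enable StartTLS plus Require TLS) and ldap:// with no TLS. Only OpenLDAP ldapsearch flags are used (-H, -x, -D, -W, -w, -ZZ, -b, -LLL); host names are placeholders.

```python
"""Build the ldapsearch invocation that exercises the same fields the AD
plugin uses: domain, domain controller, bind DN/password and TLS mode.

Added example, not part of the plugin. Flags are those of OpenLDAP's
ldapsearch client; host names are placeholders.
"""
import shlex
import subprocess
from typing import List, Optional

# RFC 4515 escapes for values spliced into a search filter
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before placing it inside (attr=value)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_base_dn(domain: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com (the search base that
    corresponds to the plugin's Domain Name field)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"DC={label}" for label in labels)


def ldapsearch_argv(domain: str, controller: str, bind_dn: str, account: str,
                    mode: str = "starttls", password: Optional[str] = None) -> List[str]:
    """argv for one of the three endpoint types.

    mode: "ldaps" (TLS from the first byte), "starttls" (plain port, upgrade
    required via -ZZ) or "plain" (no TLS at all; isolated lab use only).
    controller is "host" or "host:port" as in the Domain controller field.
    """
    host, _, port = controller.partition(":")
    if mode == "ldaps":
        uri = f"ldaps://{host}:{port or 636}"
    elif mode in ("starttls", "plain"):
        uri = f"ldap://{host}:{port or 389}"
    else:
        raise ValueError(f"unknown mode {mode!r}")

    argv = ["ldapsearch", "-LLL", "-x", "-H", uri, "-D", bind_dn]
    if mode == "starttls":
        argv.append("-ZZ")   # abort if the upgrade is refused; a single -Z would carry on in clear
    if password is None:
        argv.append("-W")    # prompt; keeps the secret out of argv, ps output and shell history
    else:
        argv += ["-w", password]
    user_filter = f"(sAMAccountName={escape_filter_value(account)})"
    argv += ["-b", domain_to_base_dn(domain), user_filter,
             "sAMAccountName", "memberOf", "userAccountControl"]
    return argv


def render(argv: List[str]) -> str:
    """Shell-quoted form for copy and paste."""
    return shlex.join(argv)


def run(argv: List[str]) -> int:
    """Execute the search interactively and return ldapsearch's exit status."""
    return subprocess.call(argv)


if __name__ == "__main__":
    for mode in ("ldaps", "starttls", "plain"):
        cmd = ldapsearch_argv("corp.example.com", "dc1.corp.example.com",
                              "svc-jenkins@corp.example.com", "jdoe", mode=mode)
        print(f"{mode:9s} {render(cmd)}")
```

A bind that succeeds with -ZZ but fails with ldaps:// usually means the controller's certificate is missing or not trusted by the client, which is the same condition under which the plugin's StartTLS upgrade falls back to plain text when Require TLS is off.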

Version history

See the changelog.

Integrated Jenkins LDAP configuration

Select [Jenkins] -> [Manage Jenkins] -> [Configure Global Security]

How Jenkins and LDAP solve user permission and authorization problems

This combines the global security matrix, the project-based security matrix and LDAP authentication to achieve comprehensive permission management.

After installing the recommended default plugins, Jenkins has 5 types of authorization strategy:

  1. Anyone can do anything (no restrictions)
  2. Matrix-based security
  3. Logged-in users can do anything
  4. Legacy mode
  5. Project-based Matrix Authorization Strategy

Choose the Project-based Matrix Authorization Strategy. Specific steps: select [Jenkins] -> [Manage Jenkins] -> [Configure Global Security], then choose Project-based Matrix Authorization Strategy.

Then add our three groups on the Configure Global Security page and configure the permissions for each group.

Configure the permission settings as shown below.

This is the global configuration: here specific groups should be granted only the minimum permissions, and additional permissions can be added in the permission matrix of a specific project. In order to

Configure LDAP as follows

Note: the password used in the manager password test above is oracle.

On using LDAP queries

# Query all users
ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=people,dc=linuxpanda,dc=tech"

# Query a specific user
ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=people,dc=linuxpanda,dc=tech" "uid=test01"
dn: uid=test01,ou=people,dc=linuxpanda,dc=tech
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: test01
sn: test01
displayName:: 5rWL6K+VMQ==
uid: test01
homeDirectory: /home/test01
loginShell: /bin/bash
mail: [email protected]
cn:: 5rWL6K+VMQ==
uidNumber: 55545
userPassword:: e1NIQX1ReE5rdGtVUHhIek52Mm9pQmQvYkc2NjNsQkk9

# Query groups
ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=jenkins,ou=group,dc=linuxpanda,dc=tech"

# Get the matching group
ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=jenkins,ou=group,dc=linuxpanda,dc=tech" "(& (cn=jenkins-admins) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames) (objectclass=posixGroup)))"
dn: cn=jenkins-admins,ou=jenkins,ou=group,dc=linuxpanda,dc=tech
objectClass: posixGroup
objectClass: top
cn: jenkins-admins
memberUid: test01
memberUid: admin
gidNumber: 40109

The LDAP configuration is complete. I still need to talk about how LDAP works together with user permissions and permission assignment in Jenkins, otherwise integrating LDAP into Jenkins is pointless, haha.
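
Group resolution for a user over the three group object classes in the filter above (posixGroup via memberUid, groupOfNames via member, groupOfUniqueNames via uniqueMember), including nested membership as the recursive group lookup mentioned under Tips and tricks performs it, as an added example that is not code from the Jenkins LDAP or Active Directory plugins. The directory is a constructed list of entries: uid=test01 and cn=jenkins-admins mirror the ldapsearch output above, while cn=ci-users, cn=ops and uid=test02 are invented to exercise nesting and a cycle between two groups.

```python
"""Resolve the groups Jenkins would see for a user from LDAP group entries.

Added example, not plugin code. DIRECTORY is constructed: test01 and
jenkins-admins mirror the ldapsearch output above; the rest is invented.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]


def _norm(dn: str) -> str:
    """DNs compare case-insensitively; whitespace between RDNs is ignored here."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _values(entry: Entry, attr: str) -> List[str]:
    """Case-insensitive attribute lookup."""
    wanted = attr.lower()
    for name, values in entry.items():
        if name.lower() == wanted:
            return values
    return []


def groups_containing(directory: List[Entry], member_dn: str,
                      member_uid: Optional[str] = None) -> List[str]:
    """DNs of groups that list member_dn (or member_uid, for posixGroup) directly."""
    dn = _norm(member_dn)
    found = []
    for entry in directory:
        classes = {c.lower() for c in _values(entry, "objectClass")}
        if "posixgroup" in classes:
            hit = member_uid is not None and member_uid in _values(entry, "memberUid")
        elif "groupofnames" in classes:
            hit = dn in [_norm(m) for m in _values(entry, "member")]
        elif "groupofuniquenames" in classes:
            hit = dn in [_norm(m) for m in _values(entry, "uniqueMember")]
        else:
            hit = False
        if hit:
            found.append(entry["dn"])
    return found


def resolve_groups(directory: List[Entry], user_dn: str, uid: str,
                   nested: bool = True) -> List[str]:
    """All group DNs of the user, breadth-first from the direct memberships."""
    result: List[str] = []
    seen = set()
    queue = groups_containing(directory, user_dn, uid)
    while queue:
        group_dn = queue.pop(0)
        key = _norm(group_dn)
        if key in seen:
            continue                  # already visited: this is what stops a cycle
        seen.add(key)
        result.append(group_dn)
        if nested:
            # A group nests in another by its DN; posixGroup cannot nest,
            # since memberUid holds uids rather than DNs.
            queue.extend(groups_containing(directory, group_dn))
    return result


def group_names(directory: List[Entry], user_dn: str, uid: str,
                nested: bool = True) -> List[str]:
    """The cn of each group, which is the name Jenkins shows and authorizes on."""
    by_dn = {_norm(e["dn"]): e for e in directory}
    return [_values(by_dn[_norm(dn)], "cn")[0]
            for dn in resolve_groups(directory, user_dn, uid, nested)]


BASE = "dc=linuxpanda,dc=tech"
GROUPS = f"ou=jenkins,ou=group,{BASE}"
DIRECTORY: List[Entry] = [
    {"dn": f"uid=test01,ou=people,{BASE}", "objectClass": ["inetOrgPerson", "posixAccount"],
     "uid": ["test01"]},
    {"dn": f"uid=test02,ou=people,{BASE}", "objectClass": ["inetOrgPerson"], "uid": ["test02"]},
    {"dn": f"cn=jenkins-admins,{GROUPS}", "objectClass": ["posixGroup", "top"],
     "cn": ["jenkins-admins"], "memberUid": ["test01", "admin"]},
    # invented: ci-users contains jenkins-admins and ops; ops contains ci-users (cycle) and test02
    {"dn": f"cn=ci-users,{GROUPS}", "objectClass": ["groupOfNames"], "cn": ["ci-users"],
     "member": [f"cn=jenkins-admins,{GROUPS}", f"cn=ops,{GROUPS}"]},
    {"dn": f"cn=ops,{GROUPS}", "objectClass": ["groupOfUniqueNames"], "cn": ["ops"],
     "uniqueMember": [f"cn=ci-users,{GROUPS}", f"uid=test02,ou=people,{BASE}"]},
]

if __name__ == "__main__":
    for uid in ("test01", "test02"):
        dn = f"uid={uid},ou=people,{BASE}"
        print(uid, "direct:", group_names(DIRECTORY, dn, uid, nested=False),
              "nested:", group_names(DIRECTORY, dn, uid))
```

Run it and test01 resolves to jenkins-admins directly and to ci-users and ops through nesting; the visited set is what keeps the ci-users/ops loop from recursing forever, which is also the reason nested lookups cost extra round trips on a real server and are called out above as a login-performance concern.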
