How to Configure LDAP in Jenkins

Captions
In today's video we are going to set up Jenkins to use LDAP as its authentication source.

Are you new here? If you are, welcome. And if you are new here and you don't know who I am, my name is Darin Pope and I'm a developer advocate for CloudBees.

When you first start out with Jenkins you might just use the internal user database that's inside of Jenkins, because, well, you've only got two or three people. But eventually somebody from security comes along and says, "Hey, stop doing that, you need to use our fill-in-the-blank," and today that fill-in-the-blank is going to be LDAP. Why do you want to use a centralized authentication source? There are a lot of reasons why you would want to do that, but usually it boils down to business reasons. Somebody comes onto the team, somebody leaves the team, and then all of a sudden you're going through and checking things out and it's like, "Hey, this person left a long time ago, why is there still a user account set up for this person?" They shouldn't be able to... even though they're not here, that account shouldn't exist. It's those kinds of things, why you want to use a centralized authentication source.

To get started today, let's go ahead and level set what we're going to be using. I have a Jenkins LTS instance that's 2.277.2. When it was installed I used "install suggested plugins." During the install suggested plugins phase, the LDAP plugin is automatically installed for us, and today it's at version 2.5. I also have a standalone LDAP server set up. If you're going to be setting up your own LDAP server, I don't have instructions for that; go and set up an LDAP server, do it your way, however you want to do it. That's what I have to start with today, so let's get started right now.

This is just a fresh install of Jenkins 2.277.2. It does have a single user in it, so I've not integrated with LDAP yet; I'm just logging in with the internal user database. We can verify that by going to Manage Jenkins, Configure Global Security, and then under Security Realm, that's the authentication source, you can see that we're using Jenkins' own user database. So that's where jenkins admin is defined.

What we're wanting to do is move to LDAP, so let's select the LDAP radio button. It says, "Hey, you need to give us server information." It sort of makes sense, so I need to give it server, or server:port, or if you're using secured LDAP, ldaps://server:port. So I'm going to start out simple to begin with, and I am going to enter an IP address because I don't have a name associated with my LDAP server. You'll also notice in this right-hand corner down here is Test LDAP settings. So let's go ahead and click on that and let's see what happens. It gives us a box to be able to test out a username and password. I have a user set up inside of LDAP named sam, so I'm going to type in sam, and sam's password just happens to be sam, so let's go ahead and click on Test and see what happens. We can see here that the authentication failed for sam. It's like, it may not exist; does looking up your user details require a manager DN password? We'll take a look at that in a moment. It couldn't look up groups. So basically it's like, "I can't get there yet." So what do we do?

Well, let's go to our Advanced Server Configuration and let's take a look at the fields that are available for us to configure. Now, we don't have to configure many of these at all. In fact, really we're only going to have to set up one of these for my specific LDAP server, but we'll take a look at a couple of the other fields just so you understand what you may have to do. So in my case, what I have to define is a root DN. Did I set up my LDAP server wrong? Do I not have my network set up right? I don't know, I didn't check it out to that level of detail, but I'm going to set up a root DN. Now, if you're not an LDAP administrator, you're looking at this and going, "I don't know what this is." That's okay; your LDAP administrator will know what this means. So if you're not administrating your own LDAP, talk to the person that is, and they can give you what the root DN is for your LDAP configuration.

Once you have that set up, I want to go ahead and select our test again, but before I do that I want you to understand a couple of things. There is a default for both Display Name and for Email Address, and it's expecting that the attribute that lives inside of LDAP is displayname for Display Name, all lowercase, and then mail. Now, your casing: you may be case-insensitive, you may be case-sensitive, so just on the outside chance it is case-sensitive, make sure that the attributes that you have defined here match what the attributes are inside of LDAP. So if inside of my LDAP it was displayName, uppercase N, then I would define that here. But inside of my LDAP server I have displayname just like it's defined right here, and I also have mail. Let's go and click on Test LDAP settings again. I'm going to use sam and sam, and let's click on Test. What you're going to see here now is I have a bunch of green check boxes: authentication was successful, user ID sam, I received my user DN, I have the display name, I have an email, I also have the LDAP group memberships. All of this worked as I wanted.

However, as I defined this, you'll notice the only two things that we defined that weren't already predefined for us were the server and the root DN. What this means is my LDAP server allows anonymous queries. In your case you may not be able to do that; you may have to provide a user in order to even query against LDAP, which is not an abnormal thing to see. So what you would do in that case is you would define a Manager DN and a Manager Password for that. Now, notice that it says Manager DN. That is a hint to you that it's just not a username; it needs to be an LDAP user, which is defined as cn and then the dc's for the rest of the definition of the user. So I also have another user defined within LDAP. When the LDAP server was set up, I created an admin user, so I can't just use admin; I have to define what the fully qualified manager DN is for the admin user, and then the password is just the password. So in this case, I'm going to go ahead and click on Test LDAP settings again, I'll type in sam, and click on Test. If I scroll down a little bit more, again everything was fine. I did not have to specifically define my Manager DN, but I did just for your use case, because you may not be able to make an unauthenticated query against your LDAP server.

There are other fields here that I haven't filled in. You'll notice here that the User search filter is uid={0}. There's also an empty User search base, there's a Group search base and a Group search filter. For my LDAP server I don't need any of these fields, because really, really, it's just a small LDAP server. In the case where you may have a very large LDAP server, meaning tens of thousands of users and tens of thousands of groups, you might need to do some tuning. Or if your LDAP administrators didn't follow what would be considered normal conventions, where you would have a top-level people and a top-level groups, and they defined it to be something else, then you would probably have to do some changes to these search bases or maybe change a group filter. That's going to be up to your environment and how your LDAP server is set up, but for just simple use cases this is all you really need. If, when you are trying to integrate with your LDAP server, you're having problems, below this video there are some links to some knowledge base articles to help you troubleshoot your LDAP configuration. If you're having any problems, go take a look at those knowledge base articles.

Okay, so now that we have all this set up, let's go ahead and click on Save. But before I click on Save, I want to show you one thing: we're still logged in as jenkins admin, and that's cool. But let's click on Save. I'm still logged in as jenkins admin, and that's okay too, because I currently have a session under jenkins admin. However, right now my security realm is set up to be LDAP, so the thing to keep in mind here is when I made that change, I'm still logged in; I did not get automatically logged out from jenkins admin when I clicked on Save. So let's go ahead and log out now, and let's log back in as jenkins admin and let's see what happens. You can see here it says invalid username or password. The reason why is because of the change that we just made. Remember, we just changed our authentication source from Jenkins' own user database to LDAP. jenkins admin is not a defined user inside of LDAP, but we do know a user that is defined inside of LDAP, and that is sam. So let's go ahead and log in as sam and click on Sign in, and we logged right in. In fact, you can see sam up here in the top bar. Let's go and click on Sam Smith. That takes us to the Sam Smith detail page, so we see Sam Smith, we see the user ID of sam, and we also see the groups that are associated with sam, which in this case is net device users. This is an LDAP group. Let's click on Configure. You can see here again Full name is Sam Smith, that's our display name; think back to the LDAP attributes. Here's our email address, mail, from the LDAP attribute. And that's pretty much it from the detail page that's coming back from LDAP.

If you're still using the Jenkins user database to authenticate users into Jenkins, and you have LDAP or Active Directory or some SAML provider available to you, I highly recommend that you make the change to use whatever your standard authentication source is for your organization. Lots of reasons to do that; I talked about them before, primarily business, not so much technical. But all it takes is one day for security to come around, and then your life is now turned probably upside down doing unplanned work to try to remediate why these login IDs still exist. By integrating with LDAP, if your organization is using LDAP, all of that pain goes away. You're able to just use the authentication; you don't have to remind people to change passwords. All of those things no longer matter. Hand that off to LDAP, let it deal with being your authentication source, and you go on being a Jenkins administrator.

If you have any questions or comments on this video, you can reach out to us at cloudbeesdevs. If this video was helpful to you, give us a thumbs up, and if you haven't subscribed to CloudBees TV yet, why not take a moment, click on that Subscribe button and then ring that bell, and you'll be notified any time there is new content available on CloudBees TV. Thanks for watching and we will see you in the next video.
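The same security realm the video builds up field by field in the UI (server, root DN, optional manager DN and password, the default user search filter uid={0}, and the displayname and mail attributes) can be written down as Jenkins Configuration as Code so it is reviewable and reproducible. The following is an added example, not from the video or from CloudBees; it assumes the LDAP plugin's Configuration as Code support, and the server address, the DNs, and the LDAP_MANAGER_PASSWORD environment variable are placeholders for your own environment. It uses ldaps://, the secured form the video mentions, and keeps the manager password out of the file by referencing an environment variable instead of a literal.

```yaml
# Added example (not the video's own configuration): Jenkins Configuration as Code
# equivalent of the LDAP security realm set up through Manage Jenkins > Configure
# Global Security > Security Realm > LDAP. All host names, DNs and the env var are
# assumed placeholders.
jenkins:
  securityRealm:
    ldap:
      configurations:
        - # "Server" field: prefer ldaps:// so credentials are not sent in clear text.
          server: "ldaps://ldap.example.internal:636"
          # "Root DN" field: the base of the directory tree Jenkins searches under.
          rootDN: "dc=example,dc=internal"
          # "Manager DN" / "Manager Password": a fully qualified DN, not a bare username.
          # Only needed when the directory does not allow anonymous lookups.
          managerDN: "cn=admin,dc=example,dc=internal"
          # Resolved from the environment at startup; never commit the secret itself.
          managerPasswordSecret: "${LDAP_MANAGER_PASSWORD}"
          # "User search filter": the plugin default; {0} is replaced by the login name.
          userSearch: "uid={0}"
          # Leave the search bases empty unless your directory does not follow the
          # usual ou=people / ou=groups layout or is large enough to need tuning.
          userSearchBase: ""
          groupSearchBase: ""
          # Attributes read from the user entry; match the casing your directory uses.
          displayNameAttributeName: "displayname"
          mailAddressAttributeName: "mail"
      # Cache lookups briefly so every page view does not hit the directory.
      cache:
        size: 100
        ttl: 10
      userIdStrategy: CaseInsensitive
      groupIdStrategy: CaseInsensitive
```

Two things worth keeping in mind when applying this. The security realm only decides who can log in; the authorization strategy is configured separately, so before logging out of the built-in admin account, make sure at least one LDAP user or group has been granted Administer, otherwise the instance is locked out exactly as the video shows for jenkins admin. And the Test LDAP settings button exercises the same bind and search path this file describes, so running it against the UI equivalent first is a cheap way to confirm the root DN, manager DN and attribute names before committing the YAML.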
Info
Channel: CloudBeesTV
Views: 2,495
Keywords: darin pope, jenkins, jenkins tutorial, jenkins ldap, ldap, jenkins basics, jenkins security realm, jenkins security realm plugin, continuous integration
Id: UFX-z2ORN3g
Length: 13min 5sec (785 seconds)
Published: Tue Apr 20 2021