Discussion:
Is there a sample for LDAP plugin to connect to Active Directory?
dennys
2013-11-18 10:07:21 UTC
I can use Jenkins and Active Directory plugin to connect to the AD server,
but due to this issue, it's a problem for us to restart Jenkins every day.
https://issues.jenkins-ci.org/browse/JENKINS-16429

I think I can use LDAP plugin, but I cannot find a sample. For example, our
AD doesn't allow anonymous query, but I'm not sure how to configure the
"manager DN". Is there a sample of AD for LDAP plugin?




--
View this message in context: http://jenkins-ci.361315.n4.nabble.com/Is-there-a-sample-for-LDAP-plugin-to-connect-to-Active-Directory-tp4681322.html
Sent from the Jenkins users mailing list archive at Nabble.com.
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/***@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.
Daniel Beck
2013-11-18 12:36:37 UTC
Post by dennys
> I think I can use LDAP plugin, but I cannot find a sample. For example, our
> AD doesn't allow anonymous query, but I'm not sure how to configure the
> "manager DN". Is there a sample of AD for LDAP plugin?

I've been using the LDAP plugin for Active Directory integration successfully for over a year.

To determine a user's DN, use e.g. the free Softerra LDAP Browser and search for the name of the user you want to authenticate Jenkins with. Example query filter: '(CN=username)' -- without any domain prefix, i.e. only 'user', not 'domain\user' -- (see also https://en.wikipedia.org/wiki/LDAP#Search_and_Compare )

The search result will look like 'CN=username,OU=Users,DC=example,DC=org'. This is the DN.

There's also the helpful LDAP Plugin wiki page: https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin
Maciej Jaros
2013-11-18 14:04:40 UTC
Post by Daniel Beck
> Post by dennys
> > I think I can use LDAP plugin, but I cannot find a sample. For example, our
> > AD doesn't allow anonymous query, but I'm not sure how to configure the
> > "manager DN". Is there a sample of AD for LDAP plugin?
> I've been using the LDAP plugin for Active Directory integration successfully for over a year.
> To determine a user's DN, use e.g. the free Softerra LDAP Browser and search for the name of the user you want to authenticate Jenkins with. Example query filter: '(CN=username)' -- without any domain prefix, i.e. only 'user', not 'domain\user' -- (see also https://en.wikipedia.org/wiki/LDAP#Search_and_Compare )
> The search result will look like 'CN=username,OU=Users,DC=example,DC=org'. This is the DN.
> There's also the helpful LDAP Plugin wiki page: https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin

I also have a problem with LDAP, so this might not help you, but the correct
configuration is (or at least it is working for me):

* server: "your-ad.domain.com"
* rootDN: "DC=your-ad,DC=domain,DC=com,DC=pl"
* userSearchBase: "CN=Users" - this might be different depending on
  your AD structure. NOTE! The auth will work without it but will be
  VERY slow.
* user search filter: "sAMAccountName={0}"
* managerDN: "Domain\someUser" - this is any user with rights to list
  user accounts AFAIK. So probably any user in your domain will do.
* managerPassword: <someUser password>

You can also turn on caching, but again I'm having OutOfMemoryError
errors too, so I'm not sure what the problem is.

Regards,
Nux.
Daniel Beck
2013-11-18 14:13:27 UTC
> NOTE! The auth will work without it but will be VERY slow.

Probably can be circumvented by using the global catalog at port 3268. That's what I do. I need to leave userSearchBase empty because of distributed user management: I have no idea where/how user accounts are stored for which branch office. User names should be unique in your chosen rootDN+userSearchBase though.
dennys
2013-11-20 02:21:59 UTC
I use the following configuration; it works, but performance is not good. It
takes 2~3 seconds to log in.

server: "your-ad.domain.com"
rootDN: "DC=your-ad,DC=domain,DC=com,DC=pl"
user search filter: "sAMAccountName={0}"
managerDN: "Domain\someUser"
managerPassword: <someUser password>

I didn't set userSearchBase, maybe it's the root cause. But "CN=Users"
doesn't work for me, I'll try it.

> userSearchBase: "CN=Users" - this might be different depending on your AD
> structure. NOTE! The auth will work without it but will be VERY slow.
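
The settings discussed in this thread (rootDN, userSearchBase, the "sAMAccountName={0}" filter, and the note that user names should be unique within rootDN+userSearchBase), modelled as an added example that is not part of any post or of the LDAP plugin's code. The example.org DNs and the directory entries are constructed, and the RFC 4515 escaping of the login name is an addition that the thread does not discuss.

```python
# Added illustration: how rootDN, userSearchBase and the "sAMAccountName={0}"
# filter from this thread combine for one login. DIRECTORY is constructed data.

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

DIRECTORY = [  # (DN, sAMAccountName), constructed sample entries
    ("CN=John Doe,CN=Users,DC=emea,DC=example,DC=org", "jdoe"),
    ("CN=Jane Doe,CN=Users,DC=apac,DC=example,DC=org", "jdoe"),
    ("CN=Build Bot,OU=Service,DC=emea,DC=example,DC=org", "svc-jenkins"),
]


def escape_filter_value(value):
    """Escape a login name so it is matched literally inside the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search(root_dn, user_search_base, filter_template, login):
    """Return (base DN, filter); userSearchBase is relative to rootDN."""
    base = f"{user_search_base},{root_dn}" if user_search_base else root_dn
    flt = filter_template.replace("{0}", escape_filter_value(login))
    return base, flt if flt.startswith("(") else f"({flt})"


def resolve_login(entries, root_dn, user_search_base, login):
    """Return the one DN to bind as, or raise if the name is missing/ambiguous."""
    base, _ = build_search(root_dn, user_search_base, "sAMAccountName={0}", login)
    suffix = "," + base.lower()
    # Simplified subtree match: string suffix on the DN, case-insensitive.
    hits = [dn for dn, sam in entries
            if dn.lower().endswith(suffix) and sam.lower() == login.lower()]
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} entries match {login!r} under {base}")
    return hits[0]


if __name__ == "__main__":
    root = "DC=example,DC=org"
    print(build_search(root, "", "sAMAccountName={0}", "jdoe"))
    print(resolve_login(DIRECTORY, root, "CN=Users,DC=emea", "jdoe"))
    try:
        resolve_login(DIRECTORY, root, "", "jdoe")  # empty base: two matches
    except ValueError as err:
        print("rejected:", err)
```

With an empty userSearchBase the search covers everything under rootDN, so the same account name in two branches is rejected as ambiguous instead of binding as whichever entry comes back first.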