FreeIPA/Red Hat IDM and Jenkins LDAP Auth

This is an extremely short how to regarding the setup of FreeIPA or RH IDM and Jenkins. The guide demonstrates how to configure user and group authentication and authorization using the Jenkins Matrix Based Security plugin. This will allow you to define finer grain access to your Jenkins instances based on LDAP group membership.

Screenshot is worth a thousand words:

screenshot-from-2016-12-05-12-18-01

screenshot-from-2016-12-05-13-20-14

The key takeaways are:

  1. the search base should be limited to the cn=users,cn=accounts subtree. The search filter uid={0} will match the username of the user attempting to login to their IPA/IDM uid field.
  2. Group searches need to be limited to the compat tree, this returns all groups with members of each group defined as memberUid. I believe this may be dependent on the way you create groups in IPA/IDM, ie you need to enable compat.
  3. Group membership is dependant on jenkins determining if memberUid={0} ie the username appearing in a group.
  4. You can visualize this by performing an ldapsearch against the LDAP in question.

    ldapsearch -x -h ldap.example.com  -b cn=groups,cn=compat,dc=example,dc=com

  5. Add the list of groups to the matrix list that you wish to define access rules for. The UI will update dynamically to indicate if the group is found in the LDAP directory.
  6. Most if not all groups should have at least the global READ permission otherwise they cannot do anything in the UI. Exceptions to this would possibly be svc_accounts used for remote hooks etc

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s