FreeIPA/Red Hat IDM and Jenkins LDAP Auth

This is an extremely short how-to on setting up FreeIPA or RH IDM with Jenkins. The guide demonstrates how to configure user and group authentication and authorization using the Jenkins Matrix Based Security plugin. This will allow you to define finer-grained access to your Jenkins instances based on LDAP group membership.

Screenshot is worth a thousand words:

[Image: screenshot-from-2016-12-05-12-18-01]

[Image: screenshot-from-2016-12-05-13-20-14]

The key takeaways are:

  1. The search base should be limited to the cn=users,cn=accounts subtree. The search filter uid={0} matches the username entered at login against the uid field in IPA/IDM.
  2. Group searches need to be limited to the compat tree; this returns all groups, with the members of each group defined as memberUid. I believe this may be dependent on the way you create groups in IPA/IDM, i.e. you need to enable compat.
  3. Group membership depends on Jenkins determining whether memberUid={0} matches, i.e. whether the username appears in a group.
  4. You can visualize this by performing an ldapsearch against the LDAP in question.

    ldapsearch -x -H ldap://ldap.example.com -b 'cn=groups,cn=compat,dc=example,dc=com'

  5. Add the list of groups to the matrix list that you wish to define access rules for. The UI will update dynamically to indicate if the group is found in the LDAP directory.
  6. Most if not all groups should have at least the global READ permission, otherwise they cannot do anything in the UI. Exceptions to this would possibly be svc_accounts used for remote hooks etc.
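
To check what Jenkins will resolve for a user before editing the matrix, the script below applies the same memberUid test to ldapsearch output from the compat tree and reports matrix group names that are missing from the directory. It is an added example, not part of the original post; the host, user and group names are placeholders and the LDIF is constructed sample data.

```bash
# Added example; ldap.example.com and the user/group names are placeholders.
# Live use (standard OpenLDAP client options):
#   ldapsearch -x -LLL -o ldif-wrap=no -H ldap://ldap.example.com \
#     -b cn=groups,cn=compat,dc=example,dc=com '(objectClass=*)' cn memberUid \
#     | groups_for_uid alice

# Print the cn of every group in the LDIF on stdin that lists USER as a
# memberUid value (exact match, the same test as the filter memberUid={0}).
groups_for_uid() {
    awk -v user="$1" '
        /^$/           { if (hit && cn != "") print cn; cn = ""; hit = 0; next }
        /^cn: /        { if (cn == "") cn = substr($0, 5) }
        /^memberUid: / { if (substr($0, 12) == user) hit = 1 }
        END            { if (hit && cn != "") print cn }
    '
}

# Print each group name given as an argument that has no "cn:" line in the
# LDIF on stdin, i.e. a matrix entry Jenkins would not find in the directory.
missing_groups() {
    ldif=$(cat)
    for g in "$@"; do
        printf '%s\n' "$ldif" | grep -qxF "cn: $g" || printf '%s\n' "$g"
    done
}

# Constructed sample shaped like compat-tree output; not real directory data.
sample_ldif() {
    cat <<'EOF'
dn: cn=jenkins-admins,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
cn: jenkins-admins
memberUid: alice

dn: cn=jenkins-devs,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
cn: jenkins-devs
memberUid: alice
memberUid: bob

dn: cn=jenkins-ro,cn=groups,cn=compat,dc=example,dc=com
objectClass: posixGroup
cn: jenkins-ro
memberUid: bobby
EOF
}

sample_ldif | groups_for_uid bob                        # jenkins-devs
sample_ldif | missing_groups jenkins-devs jenkins-ops   # jenkins-ops
```

Note that bob is not placed in jenkins-ro even though bobby is a member there: the match is on the whole memberUid value, not a substring.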

How to install the DisplayLink Driver on Fedora 24/25

The instructions on the DisplayLink website are absolute rubbish but do give at least a glimmer of hope: http://support.displaylink.com/knowledgebase/articles/679060

I found the following article for a 4.4 kernel, http://nothen.com.ar/en/support-for-displaylink-adapters-on-linux/

I am unfortunately running a later kernel, 4.8.4 in Fedora 24 Testing because I unsuccessfully fought an issue with running DisplayPort and HDMI. That was causing the entire system to lock up when the system went into suspend.

So anyway, in order to get this working you need to download the Ubuntu driver, execute it with extra flags and then install manually. It also requires disabling SELinux or, if you have time and hair, figuring out the profile to add so it's happy.

    # Run the following as root, you're installing kernel modules etc.
    sudo su -
    # Make sure you have kernel-devel
    dnf install kernel-devel
    # Disable SELinux till someone creates the relevant policy
    # (setenforce 0 takes effect immediately; the sed edit persists across reboots)
    setenforce 0
    sed -i --follow-symlinks 's/^SELINUX=.*/SELINUX=disabled/' /etc/sysconfig/selinux
    # Download the latest driver for Ubuntu
    wget 'http://www.displaylink.com/downloads/file?id=708' -O 'DisplayLink USB Graphics Software for Ubuntu 1.2.1.zip'
    # Unzip the driver
    unzip 'DisplayLink USB Graphics Software for Ubuntu 1.2.1.zip'
    # Make the .run script executable
    chmod +x displaylink-driver-1.2.65.run
    # Run the script with the noexec flag to prevent it from actually installing the driver
    ./displaylink-driver-1.2.65.run --noexec --keep
    # Enter the directory
    cd displaylink-driver-1.2.65
    # Patch the displaylink-installer.sh with the patch from this gist
    # It modifies the script to work with Fedora (Pretty naively...)
    wget https://gist.githubusercontent.com/mattwilmott/d8893a24291f74975b6f2b48fa39fe24/raw/0cec3bbb2f1f21f806588d3cad57fbbdc5127c0a/displaylink-installer.sh.patch -O displaylink-installer.sh.patch
    patch displaylink-installer.sh displaylink-installer.sh.patch
    # Confirm the script is executable
    chmod +x displaylink-installer.sh
    # Install the driver
    ./displaylink-installer.sh install
    # It should install without issue; if it doesn't, unfortunately you're on your own. ;(
    # Try rebooting and see if the screen works
    # The displaylink service should now be active.
    systemctl status displaylink
    # If you ever need to remove it
    # Back up the installer dir as it removes it AND your changes
    tar -czvf ../displaylink-installer.tgz ./
    ./displaylink-installer.sh uninstall