Active Directory plugin


Plugin Information

  • Plugin ID: active-directory
  • Changes: In Latest Release, Since Latest Release
  • Latest Release: 1.39 (archives)
  • Latest Release Date: Nov 17, 2014
  • Required Core: 1.532
  • Dependencies: mailer (version:1.5)
  • Source Code: GitHub
  • Issue Tracking: Open Issues
  • Maintainer(s): Kohsuke Kawaguchi (id: kohsuke)
  • Installations: 2014-Apr 9508, 2014-May 9763, 2014-Jun 9909, 2014-Jul 10358, 2014-Aug 10522, 2014-Sep 10972, 2014-Oct 11386, 2014-Nov 11447, 2014-Dec 11462, 2015-Jan 11877, 2015-Feb 12212, 2015-Mar 12844

With this plugin, you can configure Jenkins to authenticate the username and the password through Active Directory. This plugin internally uses two very different implementations, depending on whether Jenkins is running on Windows and whether you specify a domain.

  • If Jenkins is running on a Windows machine and you do not specify a domain, that machine must be a member of the domain you wish to authenticate against. Jenkins uses ADSI to figure out all the details, so no additional configuration is required.
  • If Jenkins is running on a non-Windows machine (or you specify one or more domains), then you need to tell Jenkins the name of the Active Directory domain(s) to authenticate with. Jenkins then uses DNS SRV records and the LDAP service of Active Directory to authenticate users.

Jenkins recognizes all the groups in Active Directory that the user belongs to, so you can use those to make authorization decisions (for example, you can choose the matrix-based security as the authorization strategy and perhaps allow "Domain Admins" to administer Jenkins).

Securing access to Active Directory servers

Active Directory plugin performs TLS upgrade — it connects to domain controllers through insecure LDAP, then from within the LDAP protocol it "upgrades" the connection to use TLS, achieving the same degree of confidentiality and server authentication as LDAPS does.

Because the server needs a valid X509 certificate for this to work, if the server fails to perform the TLS upgrade, communication continues over insecure LDAP. In other words, in an environment where the server supports it, the plugin automatically uses a properly secured connection. See the TechNet article for how to install a certificate on your AD domain controllers to enable this feature.

To verify whether the connection is upgraded, see Logging and add a logger for hudson.plugins.active_directory.ActiveDirectorySecurityRealm at FINE or above. Search for "TLS" in the log messages.

If you must insist on using LDAPS, and not TLS upgrade, you can set the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true as a startup parameter to force Jenkins to start a connection with LDAPS, even though this will buy you nothing over LDAP+TLS upgrade. Example: Add -Dhudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps=true inside the <arguments> tag in Jenkins.xml. You will also need to check inside config.xml to ensure either the secured port is defined (636 or 3269) or not defined at all.

<SecurityRealm ...> <server>your.hostname.com[|:636|:3269]</server></SecurityRealm>

Override domain controllers

This plugin follows the standard lookup procedure to determine the list of candidate Active Directory domain controllers, and this should be sufficient under normal circumstances. But if for some reason it isn't, you can manually override and provide the list of domain controllers by specifying the "Domain controller" field in the advanced section with a value of the format "host:port,host:port,...". The port should normally be 3269 (for global catalog over SSL), 636 (LDAP over SSL), 3268 (for global catalog), or 389 (LDAP).

For historical reasons, the system property "hudson.plugins.active_directory.ActiveDirectorySecurityRealm.domainControllers" for this purpose is still supported, but starting with 1.28, the configuration in the UI is preferred.
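
The forceLdaps guidance and the "Domain controller" format described above can be cross-checked offline before a restart. The following is an added example, not code from the plugin or the original page: it reads constructed Jenkins.xml and config.xml fragments and classifies each server entry. The sample hosts, the verdict names, and the assumption that <server> holds the comma-separated "Domain controller" value are illustrative.

```python
import re
import xml.etree.ElementTree as ET

FORCE_LDAPS = "hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps"
SSL_PORTS = {636, 3269}    # LDAP over SSL, global catalog over SSL
PLAIN_PORTS = {389, 3268}  # LDAP, global catalog

# Constructed samples (hypothetical hosts); only <arguments> and <server> matter.
SAMPLE_JENKINS_XML = rf"""<service>
  <arguments>-Xrs -D{FORCE_LDAPS}=true -jar "%BASE%\jenkins.war"</arguments>
</service>"""
SAMPLE_JENKINS_XML_DEFAULT = r"""<service>
  <arguments>-Xrs -jar "%BASE%\jenkins.war"</arguments>
</service>"""
SAMPLE_CONFIG_XML = (
    "<SecurityRealm><server>"
    "dc1.example.com:636,dc2.example.com:389,dc3.example.com,dc4.example.com:1389"
    "</server></SecurityRealm>"
)


def force_ldaps_enabled(jenkins_xml):
    """True if <arguments> in Jenkins.xml carries -D<FORCE_LDAPS>=true."""
    args = ET.fromstring(jenkins_xml).findtext(".//arguments") or ""
    match = re.search(r"-D" + re.escape(FORCE_LDAPS) + r"=(\S+)", args)
    return bool(match) and match.group(1).strip('"').lower() == "true"


def parse_servers(value):
    """Split 'host:port,host:port,...' into (host, port-or-None) pairs.

    Host names and IPv4 addresses only; IPv6 literals are not handled.
    """
    servers = []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep:
            servers.append((item, None))       # no port given
        elif host and port.isdigit():
            servers.append((host, int(port)))
        else:
            raise ValueError(f"malformed server entry: {item!r}")
    return servers


def classify(port, forced):
    """Map one port (or None) to a verdict, following the page's guidance."""
    if port is not None and port not in SSL_PORTS | PLAIN_PORTS:
        return "unlisted-port"   # not one of 389, 636, 3268, 3269
    if forced:
        # With forceLdaps the port must be 636/3269 or not defined at all.
        return "mismatch" if port in PLAIN_PORTS else "ldaps"
    if port in SSL_PORTS:
        return "ssl-port"
    # Plain port or no port: protection depends on the TLS upgrade succeeding,
    # so confirm it by searching the FINE-level log for "TLS".
    return "tls-upgrade"


def audit(jenkins_xml, config_xml):
    """Return [(endpoint, verdict)] for every entry in the <server> element."""
    forced = force_ldaps_enabled(jenkins_xml)
    server_text = ET.fromstring(config_xml).findtext(".//server") or ""
    findings = []
    for host, port in parse_servers(server_text):
        endpoint = host if port is None else f"{host}:{port}"
        findings.append((endpoint, classify(port, forced)))
    return findings


if __name__ == "__main__":
    for xml in (SAMPLE_JENKINS_XML, SAMPLE_JENKINS_XML_DEFAULT):
        print("forceLdaps:", force_ldaps_enabled(xml))
        for endpoint, verdict in audit(xml, SAMPLE_CONFIG_XML):
            print(f"  {endpoint:<24} {verdict}")
```

A "mismatch" entry means the configuration contradicts the page's instruction for forceLdaps; a "tls-upgrade" entry is one whose protection should be confirmed in the log as described under "Securing access to Active Directory servers".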

Group Names

If you have added a group and it appears in the list with a red stop sign, Jenkins cannot find it. Remove it and investigate why.

If you are not sure what the notation for a group name is, try the following procedure:

  1. Grant full access to anonymous user (in case you have to reconfigure security having logged out)
  2. Configure the AD server, test it, and save the configuration
  3. Log in using the AD user. Click your name to see a page listing the groups you were found in
  4. Add the relevant groups found to the security matrix with appropriate permissions
  5. Do not forget to withdraw permissions from the anonymous user, taking into consideration the Overall:Read permission (hover over the column header for detail)

Troubleshooting

If you think you've configured everything correctly but are still not able to log in (or have any other problems), please enable Logging and set the logging level for "hudson.plugins.active_directory" to ALL. Attempt a login and then file a ticket with the log output.

Warning for 1.37

Be careful if you intend to install version 1.37. It has been known to cause excessive load on Active Directory authentication servers. If you install this version you should carefully monitor traffic on relevant ports, e.g.: tcpdump port 389 or 3268.

Changelog

Version 1.40 (2015/04/06)

  • De-emphasize custom domain setting in the ADSI mode, but once that's selected, expose a full set of options (issue #27763)

Version 1.39 (2014/11/17)

  • A hack-ish switch to enable faster group lookup (issue #24195)
  • Login based on userPrincipalName (which looks like an email address) was not working

Version 1.38 (2014/06/03)

  • Apparently the "improvement" in 1.37 backfired for some users. Providing an option for them to select the algorithm as a fallback (issue #22830)

Version 1.37 (2014/04/15)

  • Drastically speed up the recursive group membership search through the use of a Microsoft extension in the LDAP filter expression.

Version 1.36 (2014/03/27)

  • Fixed a thread leak problem when running on Windows (issue #16429)

Version 1.35 (2014/03/11)

  • Implemented "remember me" support in conjunction with upcoming Jenkins 1.556. (issue #9258)

Version 1.34 (2014/03/10)

  • Make test-button work for multi-domain configurations (Pull request #7)
  • Fix forceLDAPs system property and fix ports when using the system property (issue #21073)
  • Added form validation check to the ADSI codepath (issue #17923)

Version 1.33 (2013/05/06)

  • Fixed a show-stopper that broke most ADSI deployments (issue #17676)

Version 1.32 (2013/05/01)

  • Fixed a regression in 1.31 that caused encoding problems with ADSI (issue #17692)

Version 1.31 (2013/04/18)

  • Performance improvement.
  • Fixed a bug in handling OU that contains tricky characters like '/'.
  • Ignore the lookup failure for the memberOf group as it's possible that the authenticating user doesn't have permissions to access the group (issue #16205)

Version 1.30 (2012/11/06)

  • NullPointerException encountered while testing connection.

Version 1.29 (2012/06/06)

  • Added additional logging statements for diagnosis.

Version 1.28 (2012/05/07)

  • Fixed a regression in 1.27 issue #13650
  • If an authentication fails (as opposed to a communication problem), don't fall back to other domain controllers, to prevent a cascade of login failures, which can result in an account lockout.

Version 1.27 (2012/04/26)

  • Started caching group definitions to reduce the traffic to domain controllers
  • ADSI implementation now more eagerly releases COM objects without waiting for GC
  • Removed bogus error message when a user wasn't found (issue #12619)
  • When attempting anonymous bind, don't pass in the user name to prevent it from being counted as a failure in case anonymous bind is disabled (issue #13595)
  • Fixed a bug that broke the handling of exotic group names (issue #12907)
  • Canonicalize the user name as written in AD, instead of using what the user gave us (issue #12607)
  • Updated com4j to use ADSI even on 64bit Windows JVMs (issue #11719)

Version 1.26 (2012/01/27)

  • Improved caching on group information (pull #3)
  • The "Test" button in the config page now supports multi-domain test. (pull #2)
  • Honor LDAP timeout setting when talking to domain controllers (pull #1)

Version 1.25 (2012/01/24)

  • Fixed a security vulnerability that affects AD with anonymous binding enabled.

Version 1.24 (2012/01/05)

  • Fixed a bug in server lookup. We should still consider lower-priority servers if higher priority ones are unreachable
  • Supported group lookup by name
  • Report all attempted authentication when trying to authenticate against multiple domains (issue #11948)

Version 1.23 (2011/11/29)

  • Fixed a poor interaction with the matrix security form check (issue #11720)
  • Fixed a regression in 1.22 that broke the distribution group lookup (issue #11668)

Version 1.22 (2011/11/8)

Version 1.21 (2011/11/4)

  • Plugin shouldn't require a record on the domain
  • Fixed a bug in the TLS upgrade (issue #8132)
  • Plugin was not recognizing the user's primary group ("Domain Users" most typically)
  • E-mail and full name are now propagated to Jenkins (issue #6648)
  • Made to correctly work with CLI username/password authentication (issue #7995)

Version 1.20 (2011/10/19)

  • Fixed a security vulnerability (SECURITY-18)

Version 1.19

  • If we fail to check the account disabled flag, assume it's enabled (issue #10086)
  • If/when the socket factory is given, JRE appears to automatically try to connect via SSL, so we can only do so during StartTLS call.
  • Error only if there's no server (either configured or discovered.)
  • Added the preferred Server functionality back

Version 1.18 (2011/03/20)

  • Add a preferred server in configuration options
  • Update for Jenkins

Version 1.17 (2010/11/16)

  • Look up is now done via LDAPS instead of LDAP (although there's no certificate check done now.)
  • The plugin now talks to the global catalog for efficiency, as opposed to a domain, if that's available.
  • Some DNS returns '.' at the end of the host name. Handle it correctly (issue #2647)
  • Fixed a possible LDAP injection problem (issue #3118)
  • Try all the available servers before giving up. Useful when some of your domain controllers aren't working properly. (issue #4268)
  • Added the site support (issue #4203)
  • Cleaned up the help text that incorrectly stated that this doesn't work on Unix. It works. (issue #2500)

Version 1.16 (2009/12/8)

  • Added a workaround for WebSphere in doing DNS lookup via JNDI (issue #5045)

Version 1.15 (2009/06/10)

  • Fix bug introduced with 1.14 where an AD setup with circular group references would cause a stack overflow.

Version 1.14 (2009/06/02)

  • Support nested groups (via the Unix provider) (issue #3071)
  • Fixed a bug that prevented the "authenticated" role being honoured (issue #3735)
  • Support authenticating against multiple domains (issue #3576)

Version 1.13 (2009/05/19)

  • Fixed a bug that degraded Windows support (which forces you to enter the domain name.)
  • Implementation of group recognition (for displaying group icon in matrix for instance.)

Version 1.12 (2009/04/08)

  • Some DNS returns '.' at the end of the host name. Handle it correctly (issue #2647) (not correctly fixed until 1.17)
  • Fixed NPE in the form field validation when a group name was added (issue #3344)
  • Lookup fails for members of groups with special characters in the name (like '/') (issue #3249)

Version 1.11 (2009/03/25)

  • No change. This is a re-release since 1.10 didn't hit the update center.

Version 1.10 (2009/03/20)

  • On Windows, specifying the domain name in the "advanced" section wasn't taking effect.

Version 1.9 (2009/02/17)

  • Modified to work with 64bit Windows (report)

Version 1.8 (2009/02/13)

  • Hudson honors the priority in the SRV entries (patch)

Version 1.7 (2009/01/15)

  • Fixed a bug in handling alternative UPN suffix. (discussion)

Version 1.6 (2009/01/12)

  • Fixed a bug in handling "referrals" (which I believe happens when you run AD forest.)

Version 1.5 (2008/06/24)

  • Windows users can now also use the LDAP-based AD authentication (the same code used on Unix.) This is apparently necessary when Hudson runs as a local user instead of a domain user (discussion)

Version 1.4 (2008/06/11)

  • Fixed a bug where the configuration page doesn't show the configured AD domain name
  • Fixed a bug that prevented this from working with user-defined containers

Version 1.3 (2008/06/09)

  • Supported authentication from Hudson running on non-Windows machines

Version 1.2 (2008/02/27)

  • Fixed IllegalArgumentException in remember-me implementation (issue #1229)

Version 1.0 (2007/01/09)

  • Initial version

  1. Jun 12, 2008

    Travis Bailey says:

    A thousand thank yous for getting this to work on non-windows systems.  It is excruciatingly painful to get our linux systems to talk to our AD.  LDAP is so limited and tricky.  This was a big win for me.  Works beautifully!

  2. Sep 16, 2008

    areplogle - says:

    Has anyone got the "groups" side of user/groups AD permissions working? I've tried adding a security group and a global group and when someone who logs in that belongs to either of those, it doesn't give them the permissions that the group is setup for.

    Is it possible to get the source for this plugin or is it not opensource?

    Thanks,

    Andrew

  3. Oct 08, 2008

    Fred Hoare says:

    Our active directory setup does not allow anonymous requests.  If I am running hudson as a non-domain user is there any way I can specify a username and password for the binding to the AD server?

  4. Apr 01, 2009

    Jorge Matos says:

    I noticed that the plugin doesn't seem to work if you specify an AD group that has spaces in it.

    Is there a way to specify an AD group that contains spaces in the name?

    1. Jun 03, 2011

      Jerry Schwartz says:

      I'm also experiencing this issue. Is there a way to escape the space, use quotes, or specify the GID?

  5. Apr 14, 2009

    Scott Carter says:

    Is it possible to bind to multiple domains?  I have two domains and need hudson to be able to authenticate with both of them but the plugin does not offer an alternate domain to use.  In the active directory box I want to be able to put

    domain1.mydomain.com

    domain2.mydomain.com

    I had thought of setting up a LDAP server and pulling all the information from both domains and storing it all in one but I could not figure that out.

  6. May 12, 2009

    joti says:

    I use this Plugin to secure my Hudson, it works at first try and flawless. Huge thanks for that!

    Nevertheless it would be *really* nice if the Plugin or another Plugin using AD as well could provide

    • EMail-Addresses, assembled according to a pattern given by the user  (in case an email-Address does not just resemble the username or EMail-Name)
    • maybe fill the Jabber-Contact-Field in the same pattern powered way.
    • the Full Name

    for the AD retrieved users.

  7. Nov 18, 2009

    cangove - says:

    The plugin is great, but it does not work in my current configuration.  In my config we have different AD boxes serving our different subnets, which may be in the same domain (same issue as illustrated in issue #4203).  Plus we have some test AD machines that seem to get in the way. So many times the plugin gets the right server, but when it does not the login fails.  So looking through the open issues I think a fix for 4268, 4203 or 4191 would get us moving.   Are any of these on the plate for fixing?  If so any ideas on a release?

  8. Dec 22, 2009

    Dale Hoshooley says:

    We are planning on using this plugin to secure our Hudson installation.  Our organization has multiple domains and domain controllers and it would be nice to have an option to have the plug-in connect to the directory's global catalog (port 3268 / 3269 for SSL).

    Is there a way to specify the port the plug-in should use when trying to connect to the AD server?

  9. Feb 04, 2010

    Animesh Banerjee says:

    Is it possible for this plugin to determine the email addresses of users and use them in email notifications? If so, does it require any further configuration on my end? If not I'd like to suggest this feature be implemented as a useful alternative to having to configure LDAP Email Plugin as a helper to get this working properly which admittedly defeats the whole purpose of having a nice simple AD plugin so we don't have to deal with the nightmare of configuring LDAP against AD.

  10. Feb 08, 2010

    Gaurav Tiwari says:

    I have to manage authentication for Hudson using multiple LDAP domains. Although I can mention them all in the server field separating them with commas, the problem I have is that the functional user account (bind DN or manager DN) we would need to access those servers would be different for each domain.

    Is there a way to ensure LDAP authentication of this kind?

  11. May 13, 2010

    Nelms says:

    We are using this plug in to secure our org.'s hudson. We have noticed a bug that when a user logs in, the system said that user has invalid login information and advised to try again but he/she was already logged in since the user name already appeared in the upper right side of the system page beside the search area as logged in. This has been an intermittent  problem. I am using matrix based security on authorization.

  12. Jul 20, 2010

    mark1900 - says:

    I am really looking forward to the upcoming release version 1.17 to address some issues we have been having with our Hudson instance.

    Any chance of getting a timeline or estimate for this release?

    My issues:

    * http://issues.jenkins-ci.org/browse/JENKINS-4268

    * http://issues.jenkins-ci.org/browse/JENKINS-3356

  13. Aug 23, 2010

    Minwook-Kim says:

    I try to get the code building and installing this plug-in. But is not working ADLDAP at linux system.

    Please let me know your next updating plan?

  14. Nov 15, 2010

    bmerkle says:

    is there a timeframe for a 1.17 release ?
    or how can I build the plugin myself ?

  15. Nov 18, 2010

    Daniel Vigovszky says:

    The latest build changed LDAP access to LDAPS without providing an option to set it back. I was using it on a small internal network where LDAPS is not available, so this update completely broke my hudson installation.
    Could you add a system property maybe allowing the user to switch back to LDAP without SSL?

    1. Dec 02, 2010

      P. Rosenberg says:

      I got the same problem in my network.

    2. Jul 06, 2011

      Jim Divine says:

      Same problem here.

  16. Dec 08, 2010

    yamo - says:

    Appears we are running into the ldaps issue as well.

    1. Mar 09, 2011

      RCobb1 - says:

      Same here... had to revert back to the 1.16 plugin to keep things functional

  17. Mar 25, 2011

    Brian Sayatovic says:

    I reverted to 1.16 after 1.18 failed to connect since I don't have LDAPS set up (it's all internal to our network).  Is there a way to configure any version since 1.17 to use non-SSL connections?  I'm unclear if setting the system property with a port that is by convention typically non-secure would work.

  18. Jun 08, 2011

    Carl Wilson says:

    1.16 worked for me with Active Directory whilst running Hudson on Red Hat Linux under tomcat.  Upgraded to Jenkins and changed to 1.18 and it all stopped.  Moved back to 1.16 and life is ok again.  1.18 'tested' ok - but needs more comprehensive checks that it will authenticate users.

  19. Dec 31, 2011

    mj shi says:

    This is superb plugin.  Install it and works, very simple.  Thank you for the great work!

  20. May 03, 2012

    Keith Starling says:

    Just opened https://issues.jenkins-ci.org/browse/JENKINS-13674 for this plugin due to the fact that it no longer functions correctly to use usernames in authorization strategies since Jenkins appears to be comparing against the LDAP full name rather than the username. 

  21. May 28, 2012

    Allen Xu says:

    I installed a new Jenkins(1.462) and active-directory-plugin(1.26). But in the configuration of configure system, there is no "Site", "Bind DN", "Bind Password" and the "Test" button. So i can not connect the Jenkins to my domain. But for my previous Jenkins, the ADP plugin works and we can test my domain account.

  22. Jun 14, 2012

    wade rocco says:

    hello - are there any known issues with this plugin (1.28) against windows 2008 R2 based domain controllers??

  23. Oct 11, 2012

    Matthew Stevens says:

    Running Win2k8 R2 for our DC. Users can login however, groups are not working except for the built-in authenticated user. Anyone have any success with group permissions?

  24. Dec 06, 2012

    Alastair Reilly says:

    I too am having issues getting groups to work. Colleague is using it successfully at job level on another build server but I can't use groups at server/jenkins level. 

  25. Jun 11, 2013

    Andrew Sumner says:

    Is there any way to enable single signon with this plugin so that users are required to enter a password?

  26. Jul 04, 2013

    Michael Scholz says:

    Are multiple domain names supported for Windows?

    Can you add an example of a correct configuration?

  27. Oct 14, 2013

    christof w. says:

    Hi,

    Is there a way to see all the groups I am in from active directory? I remember being able to see it when i go to configure in ../username/configure/ or something similar

    1. Jan 14, 2014

      mo barger says:

      Hi christof w - If you have AD configured you should be able to go to http://your_jenkins_URL/whoAmI/ to see that info.

  28. Oct 23, 2013

    System Administrator says:

    I have enabled security on the Manage Global Security page, then selected Matrix-based security.  I can configure the users or groups and they get the right icon, suggesting that they are detected in AD.  Users can log in using their credentials if I assign permissions individually but if I remove the individuals and assign permissions to groups the system accepts their credentials (using the wrong password is rejected, suggesting that it is checking with AD properly) but says they are missing the Overall/Read permission.  If I set permissions by user it works OK.  Can anyone suggest what I might be doing wrong?

  29. Feb 10, 2014

    Martin-Louis Bright says:

    How does one enable the cache?

  30. Apr 23, 2014

    Marius Nesser says:

    Info: Using Jenkins ver. 1.560, Upgrading 1.36 --> 1.37. gave a LDAP timeout exception when logging in. Had to downgrade to login.

  31. Apr 23, 2014

    Marius Nesser says:

    double post

  32. Aug 08, 2014

    Paul Landolt says:

    The AD plugin allows us to configure the Domain Name and Domain Controller.  When will we be able to Authenticate for AD servers that don't allow anonymous access?

    I've seen another Jenkins AD plugin that has "Site", "Bind DN" and "Bind Password".  Are those features limited to the "Enterprise" version, or will they be making their way down to the FOSS version any time soon?

    1. Sep 03, 2014

      Stephen Herd says:

      Click the "Advanced" button on the right side (Just below where it says Domain Name).. Bind info is in there.

  33. Sep 03, 2014

    Stephen Herd says:

    Hey Guys,

    Can't seem to find it anywhere (I may be blind) but I'm having an issue.

    The plugin itself works great, but I'm creating a backup/restore scheme for Jenkins right now and the problem is that when I restore the jenkins config.xml (with the stored Bind DN/Password) I lock out the Bind User account because the Password HASH doesn't resolve to the correct password.  Do you know of any way to solve this issue?

  34. Sep 04, 2014

    Juraj Proksa says:

    Please be warned that this plugin sends all user passwords in plain text over network.

    You cannot use SSL/TLS enabled port 636 or 3269 and TLS upgrade does not work. Regardless of AD controller setup.

    This is due to bugs

    1. Feb 03

      Christian Schmid says:

      Hi,

      i configured the plugin with the parameter "hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps".

      No warnings are produced in the log and the traffic seems encrypted when inspecting it with tcpdump.

  35. Sep 08, 2014

    Alex Vesely says:

    Works VERY slowly in my corporate network. Authentication takes 1-2 minutes, and I don't see any tweaks to help that. Do you have any suggestions?

    1. Sep 09, 2014

      Alex Vesely says:

      I downloaded and compiled the yet-unreleased 1.39 with the option to ignore irrelevant groups. Together with "Matching rule in chain", this sped up my login to 15 seconds! Which is not perfect, but is OK. Thanks very much!
      If it helps further debug, the bulk of the time is spent between the following logs:

      Sep 09, 2014 2:40:27 PM FINER hudson.plugins.active_directory.LDAPSearchBuilder
      
      searching (member:1.2.840.113556.1.4.1941:={0})[CN=ec abc unix xxx my_name,OU=GenericAccounts,OU=xxx,OU=UNIX,OU=XXX XXX,OU=Resources,DC=abc,DC=corp,DC=company,DC=com] in DC=abc,DC=corp,DC=company,DC=com using {java.naming.ldap.attributes.binary=tokenGroups objectSid, java.naming.security.credentials=…, java.naming.referral=follow, java.naming.provider.url=ldap://server.abc.corp.company.com:389/, java.naming.security.principal=abc\manager_name, java.naming.ldap.version=3} with scope 2 returning [cn]
      
      Sep 09, 2014 2:40:37 PM FINE hudson.plugins.active_directory.ActiveDirectoryUnixAuthenticationProvider
      
  36. Mar 16

    movavi team says:

    The plug-in doesn't work if to try to be connected to it through Internet, using port forward and the indication of port with a domain name.

    https://issues.jenkins-ci.org/browse/JENKINS-27139

  37. Apr 16

    Jesse Jacob says:

    Couple of things--if the maintainer(s) could let me know if they think these are bugs or regressions I would really appreciate it, otherwise I'll take it up with other plugin owners:

    1) There appears to be an undocumented discrepancy between admin users and non-admin users. Admin users can see their list of AD groups on their user status page, while non-admin users cannot. Is this a restriction of the "users" feature or of the Active Directory plugin? I'm using matrix auth and granting limited rights to authenticated users...any idea which item in the matrix I need to get access to 

    2) If you are using the matrix auth strategies, you MUST enter the groups so that there is an exact case match of the name in the matrix to the actual security group. I just wasted a bunch of time troubleshooting this after finding out there was an accidental upper-case character in a group name. There is no documented indicator that this is necessary for either matrix auth or Active Directory plugins. Would this be an issue with the matrix plugin or with the Active Directory plugin?

    Thanks!