How To Configure Jenkins FreeIPA LDAP Authentication

ComputingPost
4 min read · Oct 5, 2022


In this guide, I’ll show you how to configure your Jenkins server to authenticate users against a FreeIPA LDAP server. FreeIPA is an open-source identity management system sponsored by Red Hat.

The default Jenkins installation uses its own internal user database, which does not scale to large development and operations teams: every account has to be created by hand, and when someone leaves it has to be removed by hand in every tool.

The usual way to manage users in a company is a central directory such as LDAP or Microsoft Active Directory (AD). Users then carry one set of credentials across all internal services that require authentication and authorization, and disabling the account in the directory locks them out everywhere at once. Jenkins has a native LDAP plugin which authenticates users against an external LDAP server such as OpenLDAP, FreeIPA, etc.


Configure Jenkins FreeIPA (LDAP) Authentication:

The pre-requisites for this setup are:

  • Running Jenkins Server
  • Running FreeIPA Server

If you’re interested in doing a fresh installation of FreeIPA or Jenkins server, you can refer to our guides below:

FreeIPA Server installation guides:

How to Install FreeIPA Server on CentOS 7

How to Install FreeIPA Server on Ubuntu

How to Install and Configure FreeIPA Server on RHEL / CentOS 8

Jenkins Server installation guides:

How to install Jenkins on CentOS / RHEL 7/8

How to Install Jenkins on Ubuntu

If you have both FreeIPA and Jenkins installed, follow these steps to set up Jenkins FreeIPA authentication.

Step 1: Create LDAP Bind User on FreeIPA

We need an account that Jenkins can bind with to look up users and groups. Log in to your FreeIPA server and create a user called jenkins. It only ever reads the directory, so give it a strong password and do not add it to any FreeIPA admin groups or roles.

Navigate to Identity > Users > Add


Fill in the required details and click “Add”.

Step 2: Configure Jenkins Server

1. If the FreeIPA server’s hostname is not resolvable through DNS from the Jenkins host, add it to the /etc/hosts file:

echo "192.168.10.3 ldap.example.com" | sudo tee -a /etc/hosts

2. Confirm that you can reach the LDAP port from the Jenkins server:

$ telnet ldap.example.com 389

Trying 192.168.10.3…

Connected to ldap.example.com.

Escape character is '^]'.

3. Log in to Jenkins as an admin user and navigate to “Manage Jenkins > Configure Global Security”.


4. Select LDAP under “Access Control“.


5. Enter LDAP Server (FreeIPA) IP and service port.


6. Click on “Advanced Server Configuration” to expand configuration options.

7. Fill in the FreeIPA LDAP server details used to locate users and groups.

LDAP Server: ldap://ldap.example.com:389

root DN: dc=example,dc=com

User search base: cn=users,cn=accounts

User search filter: uid={0}

Group search base: cn=groups,cn=accounts

Group membership > Search for LDAP groups containing user

Group membership filter: (| (member={0}) (uniqueMember={0}) (memberUid={1}))

The curly-brace tokens are placeholders the plugin fills in at login time: in the user search filter {0} is the login name the user typed; in the group membership filter {0} is the DN of the user entry found by that search and {1} is the login name. Search bases are relative to the root DN, so users are looked up under cn=users,cn=accounts,dc=example,dc=com and groups under cn=groups,cn=accounts,dc=example,dc=com.

Note that plain ldap:// on port 389 sends the manager password and every user’s login password across the network unencrypted. FreeIPA also serves LDAPS on port 636 with a certificate issued by its own CA, so for anything beyond a lab use ldaps://ldap.example.com:636 and import the FreeIPA CA certificate (/etc/ipa/ca.crt on the IPA server) into the Java truststore that Jenkins runs with.

Manager DN: uid=jenkins,cn=users,cn=accounts,dc=example,dc=com

Manager Password: UserPassword

Display Name LDAP attribute: displayname

Email Address LDAP attribute: mail

Replace:

  • ldap.example.com and 192.168.10.3 with your FreeIPA server’s hostname and IP address.
  • dc=example,dc=com with your LDAP server’s domain components.
  • UserPassword with the password of the jenkins bind user (created in step 1).

Your configuration should look similar to below.


When done filling the information, click on “Test LDAP settings” to validate your settings.


Provide Username and Password to test with.


If the lookup succeeds, click Apply and then Save.
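Before relying on “Test LDAP settings”, it helps to see exactly which filters the plugin will send and to reproduce the same lookups with the OpenLDAP command-line client from the Jenkins host. The script below is an added example, not code from the article or from the Jenkins LDAP plugin: it renders the two templates above with the {0}/{1} substitution described, escapes the substituted values per RFC 4515 (so a login name such as `*)(uid=*` cannot rewrite the filter), flags a plaintext ldap:// URL, and prints the two ldapsearch commands to run. It assumes the Step 2 values and that FreeIPA user entries use a uid= RDN under the user search base, which is how FreeIPA lays out its tree.

```python
"""Render the Jenkins LDAP plugin search templates for a FreeIPA tree and
build the ldapsearch commands that reproduce what "Test LDAP settings" does.

Added example; not code from the original article or from the Jenkins plugin.
Assumes the Step 2 values: users under cn=users,cn=accounts with a uid= RDN,
groups under cn=groups,cn=accounts, both relative to the root DN.
"""
import shlex
from urllib.parse import urlsplit

# The values entered in Step 2 (replace with your own directory's settings).
CONFIG = {
    "server": "ldap://ldap.example.com:389",
    "root_dn": "dc=example,dc=com",
    "user_search_base": "cn=users,cn=accounts",
    "user_search_filter": "uid={0}",
    "group_search_base": "cn=groups,cn=accounts",
    "group_membership_filter": "(| (member={0}) (uniqueMember={0}) (memberUid={1}))",
    "manager_dn": "uid=jenkins,cn=users,cn=accounts,dc=example,dc=com",
}

# RFC 4515 escaping for a value substituted into a search filter. Without it a
# login name such as "*)(uid=*" rewrites the filter instead of matching a uid.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(username: str, cfg: dict = CONFIG) -> str:
    """User search: {0} is the login name the user typed."""
    return cfg["user_search_filter"].replace("{0}", escape_filter_value(username))


def user_dn(username: str, cfg: dict = CONFIG) -> str:
    """DN FreeIPA returns for the user found above (uid= RDN assumed)."""
    return f"uid={username},{cfg['user_search_base']},{cfg['root_dn']}"


def group_membership_filter(username: str, cfg: dict = CONFIG) -> str:
    """Group search: {0} is the user's full DN, {1} is the login name."""
    return (
        cfg["group_membership_filter"]
        .replace("{0}", escape_filter_value(user_dn(username, cfg)))
        .replace("{1}", escape_filter_value(username))
    )


def uses_tls(cfg: dict = CONFIG) -> bool:
    """False for plain ldap://: the manager password and every user's login
    password then cross the network in clear. FreeIPA serves ldaps:// on 636."""
    return urlsplit(cfg["server"]).scheme == "ldaps"


def ldapsearch_commands(username: str, cfg: dict = CONFIG) -> list:
    """Two OpenLDAP client commands to run from the Jenkins host: the user
    lookup and the group lookup, bound as the manager DN. -W prompts for the
    bind password so it never lands in shell history or `ps` output."""
    bind = ["ldapsearch", "-LLL", "-x", "-H", cfg["server"], "-D", cfg["manager_dn"], "-W"]
    user_base = f"{cfg['user_search_base']},{cfg['root_dn']}"
    group_base = f"{cfg['group_search_base']},{cfg['root_dn']}"
    user_cmd = bind + ["-b", user_base, user_search_filter(username, cfg), "dn", "displayName", "mail"]
    group_cmd = bind + ["-b", group_base, group_membership_filter(username, cfg), "cn"]
    return [shlex.join(user_cmd), shlex.join(group_cmd)]


if __name__ == "__main__":
    if not uses_tls():
        print("# warning: plain ldap://, bind credentials are sent unencrypted")
    for cmd in ldapsearch_commands("jdoe"):
        print(cmd)
```

Run it with `python3 ldapcheck.py`, paste the printed commands into a shell on the Jenkins host, and enter the jenkins bind password at the prompt. The first command should return exactly one entry with a displayName and mail attribute; the second lists the cn of every FreeIPA group the user belongs to, which are the group names you can later grant roles to in Jenkins. An empty result from the first command means the manager DN, root DN or user search base is wrong; an empty second result while the first succeeds usually means the group search base is wrong.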

Step 3: Login to Jenkins as LDAP User

With the authorization strategy a fresh Jenkins ships with (“Logged-in users can do anything”), every LDAP user who can sign in gets full administrative rights, not just the first one. Until roles are configured in the next step, any account in FreeIPA can therefore administer Jenkins, so complete Step 4 before announcing the new login.


Step 4: Configure User Roles on Jenkins

By default, the Jenkins authorization strategy “Logged-in users can do anything” lets any authenticated user do everything, including running arbitrary code on the controller through the script console. That should not be the case: switch to Matrix-based or Role-based authorization and grant rights per user or per LDAP group. Check out our Jenkins policy and user management guide below.

How to Manage Users and Roles in Jenkins

Let other users Login with their LDAP credentials and assign them roles which define what they can do on Jenkins server.

Conclusion

You should now have Jenkins configured to authenticate users against the LDAP server. Note that Jenkins uses a single security realm at a time: once LDAP is the realm, the built-in user database is no longer consulted, so the two cannot coexist. Keep the credentials of a directory account with admin rights to hand; if the directory becomes unreachable, nobody can log in, and recovery means disabling security in $JENKINS_HOME/config.xml on the controller and restarting Jenkins.

https://www.computingpost.com/how-to-configure-jenkins-freeipa-ldap-authentication/?feed_id=7498&_unique_id=633db0a1a6112
