LDAP group configuration in Jenkins

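I recently installed Jenkins and the LDAP plugin. I can set up user authentication in Jenkins, but now I also want to set up groups. However, my organization's LDAP is a bit tricky, and I cannot set it up correctly from the group perspective. This is my company's LDAP tree structure: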

I am using Java 1.8, Jenkins LDAP plugin 1.20, Jenkins 2.176.2.

This is what I tried in the LDAP fields:

Try this configuration:

root DN             : dc=domain,dc=com       # root base dn
User search base    : ou=People              # relative to the root search base
Group search base   : ou=Groups              # relative to the root search base
User search filter  : uid={0}
Group search filter : (& (cn={0}) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames) (objectclass=posixGroup)))
Group membership    : (| (member={0}) (uniqueMember={0}) (memberUid={1}))
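  • The Group search filter above is the default value. If you are not sure which objectClass defines your groups, use it as is; otherwise remove the OR conditions to narrow the search, e.g. (& (cn={0})(objectclass=groupOfNames)). The most common object class for managing groups is groupOfNames, which provides the member attribute to handle membership.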

  • Group membership above is set to default as well (in mode "Search for groups containing user"). Now, if your groups have objectClass "groupOfNames" for example, you just need the filter member={0}. Another objectClass might rely on another membership attribute (like "uniqueMember" for "groupOfUniqueNames"). That said, if your backend provides the memberOf attribute, you would probably prefer switching to the other mode "Parse user attribute for list of groups" and set Group membership attribute : memberOf (see here).
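
The following Python is an added example, not part of the original answer and not Jenkins or LDAP plugin code. It expands the Group membership filter from the configuration above against constructed group entries, with {0} as the user's DN and {1} as the username, and returns the groups each variant of the filter matches. The entries, the users alice and bob, and all function names are assumptions made for the illustration.

```python
import re

# Templates taken from the configuration above ({0} = user DN, {1} = username).
DEFAULT_MEMBERSHIP = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))"
NARROWED_MEMBERSHIP = "(member={0})"

# Constructed sample entries under ou=Groups,dc=domain,dc=com (not real data).
GROUPS = [
    {"cn": ["dev"], "objectclass": ["groupOfNames"],
     "member": ["uid=alice,ou=People,dc=domain,dc=com"]},
    {"cn": ["ops"], "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["uid=alice,ou=People,dc=domain,dc=com"]},
    {"cn": ["qa"], "objectclass": ["posixGroup"], "memberuid": ["alice"]},
    {"cn": ["admins"], "objectclass": ["groupOfNames"],
     "member": ["uid=bob,ou=People,dc=domain,dc=com"]},
]

def escape(value):
    """RFC 4515 escaping, so a substituted value cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand(template, user_dn, username):
    args = (user_dn, username)
    return re.sub(r"\{([01])\}", lambda m: escape(args[int(m.group(1))]), template)

def _eval(s, i, entry):
    """Evaluate the filter starting at s[i] == '('; return (result, next index)."""
    i += 1
    while s[i] == " ":
        i += 1
    if s[i] in "&|":
        op, results, i = s[i], [], i + 1
        while s[i] != ")":
            if s[i] == "(":
                r, i = _eval(s, i, entry)
                results.append(r)
            else:
                i += 1  # skip spaces between sub-filters
        return (all(results) if op == "&" else any(results)), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    # Exact comparison; a real server applies each attribute's matching rule.
    return value in entry.get(attr.strip().lower(), []), end + 1

def groups_for(template, user_dn, username):
    flt = expand(template, user_dn, username)
    return [g["cn"][0] for g in GROUPS if _eval(flt, 0, g)[0]]
```

With the constructed data, the default filter returns dev, ops and qa for alice, while the narrowed (member={0}) returns only dev. Narrowing the filter therefore also changes which group-based permissions a user ends up with, so compare the result against the groups the directory actually uses.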