In this guide, I’ll show you how to configure your Jenkins Server to Authenticate users against FreeIPA LDAP server. FreeIPA is an Open Source Identity management system sponsored by Red Hat.
The default installation of Jenkins server uses internal user database which doesn’t work for Large development and Operations teams. You have to manually create each user.
The recommended way of managing users in companies is with LDAP or Microsoft Active Directory(AD). This gives you single-sign-on (SSO) for all the internal services that requires authentication and authorization. Lucky enough, Jenkins has a native LDAP plugin which can be used to Authenticate users against an external LDAP server, such as OpenLDAP, FreeIPA e.t.c.
Configure Jenkins FreeIPA (LDAP) Authentication:
The pre-requisites for this setup are:
- Running Jenkins Server
- Running FreeIPA Server
If you’re interested in doing a fresh installation of FreeIPA or Jenkins server, you can refer to our guides below:
FreeIPA Server installation guides:
How to Install FreeIPA Server on CentOS 7
How to Install FreeIPA Server on Ubuntu
How to Install and Configure FreeIPA Server on RHEL / CentOS 8
Jenkins Server installation guides:
How to install Jenkins on CentOS / RHEL 7/8
How to Install Jenkins on Ubuntu
If you have both FreeIPA and Jenkins server installed, follow these steps to setup Jenkins FreeIPA authentication.
Step 1: Create LDAP Bind User on FreeIPA
We’ll need a user for binding to FreeIPA Server. Login to your FreeIPA Server and create a user called jenkins
Navigate to Identity > Users > Add
Fill in the required details and click “Add”
Step 2: Configure Jenkins Server
If you don’t have a domain name for FreeIPA Server configured on DNS, add the line to /etc/hosts file.
echo "192.168.10.3 ldap.example.com" | sudo tee -a /etc/hosts
2. Confirm that you can reach LDAP port from Jenkins server.
$ telnet ldap.example.com 389 Trying 192.168.10.3… Connected to ldap.example.com. Escape character is '^]'.
3. Login to your Jenkins server as admin user and navigate to “Jenkins > Configure Global Security“.
4. Select LDAP under “Access Control“.
5. Enter LDAP Server (FreeIPA) IP and service port.
6. Click on “Advanced Server Configuration” to expand configuration options.
7. Fill FreeIPA LDAP server details for locating users and groups.
LDAP Server: ldap://ldap.example.com:389 root DN: dc=example,dc=com User search base: cn=users,cn=accounts User search filter: uid=0 Group search base: cn=groups,cn=accounts Group membership > Search for LDAP groups containing user Group membership filter: (| (member=0) (uniqueMember=0) (memberUid=1)) Manager DN: uid=jenkins,cn=users,cn=accounts,dc=example,dc=com Manager Password: UserPassword Display Name LDAP attribute: displayname Email Address LDAP attribute: mail
Replace:
dc=example,dc=comwith your LDAP server domain components.UserPasswordwith Jenkins user password ( Created in step 1)
Your configuration should look similar to below.
When done filling the information, click on “Test LDAP settings” to validate your settings.
Provide Username and Password to test with.
If you receive successful lookup. Apply the settings to Save.
Step 3: Login to Jenkins as LDAP User
The first LDAP user to sign in will get Admin rights.
Step 4: Configure User Roles on Jenkins
By default, Jenkins user policy allows logged in users to access anything. This should not be the case and you need to set proper user policies. Check out our Jenkins policy and user management guide below.
How to Manage Users and Roles in Jenkins
Let other users Login with their LDAP credentials and assign them roles which define what they can do on Jenkins server.
Conclusion
You should have successfully configure Jenkins server to Authenticate user via LDAP Server. Please note that once activate LDAP authentication, Jenkins local internal user database is disabled. For some reason, both cannot co-exist and seem there is no solution for it at the moment.
