LDAP

Additional configuration for LDAP
Configuring LDAP is not supported out of the box, but it can be achieved through plugins and some well-tuned configuration.

The plugin we will use is: https://plugins.jenkins.io/ldap/

Note: This is an example of how LDAP authentication can be achieved. The LDAP plugin is third-party, and there may be other alternatives that suit your use case better. Take this guide with a grain of salt.

Requirements

  • An LDAP server accessible from the Kubernetes cluster where your Jenkins instance will live.

  • Credentials for a manager account in your Active Directory (AD). The plugin binds to the directory with this account to look up users and groups, and the Jenkins Operator will use the same account to authenticate with Jenkins for health checks, seed jobs, etc. A read-only directory account is enough for the bind; the permissions it needs inside Jenkins come from your authorization strategy, so grant it only what the operator's tasks require.

Steps

In your Jenkins configuration, add the following plugin:

```yaml
plugins:
  # Check https://plugins.jenkins.io/ldap/ to find the latest version.
  - name: ldap
    version: "2.7"
```

The easiest next step is to start Jenkins, navigate to your instance's "Configure Global Security" page and configure the LDAP security realm there. Use the plugin's "Test LDAP settings" button to verify the manager bind and a user lookup before you save, so that you do not lock yourself out of the instance:

http://jenkins.example.com/configureSecurity/

Once it is set up and tested, navigate to your JCasC page and export the LDAP settings:

https://jenkins.example.com/configuration-as-code/

Feed the relevant new settings into the Kubernetes ConfigMap that holds your JCasC settings.

Here's a snippet of the LDAP-related configuration:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: jenkins-casc
data:
  ldap.yaml: |
    jenkins:
      securityRealm:
        ldap:
          configurations:
            - displayNameAttributeName: "name"
              groupSearchBase: "OU=Groups,OU=MyCompany"
              groupSearchFilter: "(& (cn={0}) (objectclass=group) )"
              inhibitInferRootDN: false
              managerDN: "CN=Jenkins Admin,OU=UsersSystem,OU=UsersOther,OU=MyCompany,DC=mycompany,DC=local"
              managerPasswordSecret: "${LDAP_MANAGER_PASSWORD}"
              rootDN: "DC=mycompany,DC=local"
              server: "MyCompany.local"
              userSearch: "SamAccountName={0}"
              userSearchBase: "OU=MyCompany"
          disableMailAddressResolver: false
          disableRolePrefixing: true
          groupIdStrategy: "caseInsensitive"
          userIdStrategy: "caseInsensitive"
```

Two things to check before you reuse this snippet. `server: "MyCompany.local"` has no scheme, so the plugin connects over plain LDAP and the manager password crosses the network unencrypted on every bind; outside a lab, give it an `ldaps://` URL (for example `ldaps://MyCompany.local:636`) and make sure the Jenkins JVM trusts the directory's CA certificate. Second, the manager password itself never belongs in the ConfigMap: `managerPasswordSecret` holds only the `${LDAP_MANAGER_PASSWORD}` reference, which JCasC resolves from a Kubernetes Secret.

Note the use of ${LDAP_MANAGER_PASSWORD} above. You can reference Kubernetes Secrets from your JCasC ConfigMaps by pointing `spec.configurationAsCode.secret` of your Jenkins object at a Secret; each key of that Secret then becomes a `${KEY}` variable that JCasC can resolve:

```yaml
apiVersion: jenkins.io/v1alpha2
kind: Jenkins
spec:
  configurationAsCode:
    configurations:
      - name: jenkins-casc
    secret:
      # This here
      name: jenkins-casc-secrets
```

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-casc-secrets
stringData:
  LDAP_MANAGER_PASSWORD: <password-for-manager-created-in-ldap>
```

The Secret's `metadata.name` must match the name referenced from the Jenkins object, and the Secret must live in the same namespace as the Jenkins custom resource; otherwise the operator cannot mount it and the variable is never resolved.

Schema reference: [v1alpha2.ConfigurationAsCode](./schema/#github.com/jenkinsci/kubernetes-operator/pkg/apis/jenkins/v1alpha2.ConfigurationAsCode)
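The following Python script is an added example and is not part of the Jenkins Operator documentation or of the LDAP plugin. It mirrors the `securityRealm.ldap` block of the ConfigMap above as a plain dict (constructed, so it runs offline without a YAML parser), resolves `${KEY}` references against a Secret's `stringData` the way JCasC does, failing loudly when the key is missing (which is what a mismatched Secret name produces), and lints the realm for the weaknesses discussed above: a server without `ldaps://`, a password written as a literal, and a search filter that lost its `{0}` placeholder. The Secret value and the `harden_server` helper are assumptions made for the example.

```python
"""Added example (not from the Jenkins Operator docs or the LDAP plugin).

Resolves JCasC ${KEY} references against a Kubernetes Secret's stringData and
lints the LDAP security realm for weak settings. The realm is mirrored as a
plain dict (constructed from the ConfigMap snippet above) so this runs offline.
"""
import copy
import re
from typing import Any, Dict, List

# securityRealm.ldap block from the ConfigMap above, as a dict (constructed).
LDAP_REALM: Dict[str, Any] = {
    "configurations": [
        {
            "displayNameAttributeName": "name",
            "groupSearchBase": "OU=Groups,OU=MyCompany",
            "groupSearchFilter": "(& (cn={0}) (objectclass=group) )",
            "inhibitInferRootDN": False,
            "managerDN": "CN=Jenkins Admin,OU=UsersSystem,OU=UsersOther,"
                         "OU=MyCompany,DC=mycompany,DC=local",
            "managerPasswordSecret": "${LDAP_MANAGER_PASSWORD}",
            "rootDN": "DC=mycompany,DC=local",
            "server": "MyCompany.local",
            "userSearch": "SamAccountName={0}",
            "userSearchBase": "OU=MyCompany",
        }
    ],
    "disableMailAddressResolver": False,
    "disableRolePrefixing": True,
    "groupIdStrategy": "caseInsensitive",
    "userIdStrategy": "caseInsensitive",
}

# stringData of the Secret the Jenkins object references (constructed value).
CASC_SECRET_DATA: Dict[str, str] = {
    "LDAP_MANAGER_PASSWORD": "example-only-not-a-real-password",
}

# JCasC variable syntax: ${NAME}
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def resolve_vars(value: str, secret_data: Dict[str, str]) -> str:
    """Replace every ${KEY} in value with the Secret's entry for KEY.

    A key missing from the Secret (for example because the Jenkins object and
    the Secret manifest use different names) raises instead of silently
    producing an empty bind password.
    """
    def substitute(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in secret_data:
            raise KeyError(f"JCasC variable ${{{key}}} has no entry in the Secret")
        return secret_data[key]

    return VAR_RE.sub(substitute, value)


def lint_ldap_realm(realm: Dict[str, Any]) -> List[str]:
    """Return one finding per setting a security reviewer would reject."""
    findings: List[str] = []
    for i, cfg in enumerate(realm.get("configurations", [])):
        server = str(cfg.get("server", ""))
        # A bare host or an ldap:// URL sends the manager bind password in clear text.
        if not server.lower().startswith("ldaps://"):
            findings.append(f"configurations[{i}].server {server!r} is not an ldaps:// URL")
        password = str(cfg.get("managerPasswordSecret", ""))
        # The ConfigMap must carry a ${KEY} reference, never the password itself.
        if not VAR_RE.fullmatch(password):
            findings.append(
                f"configurations[{i}].managerPasswordSecret is a literal, not a ${{KEY}} reference"
            )
        for field in ("userSearch", "groupSearchFilter"):
            # {0} is the placeholder the plugin substitutes with the login name or group.
            if "{0}" not in str(cfg.get(field, "")):
                findings.append(f"configurations[{i}].{field} lacks the {{0}} placeholder")
    return findings


def harden_server(realm: Dict[str, Any], port: int = 636) -> Dict[str, Any]:
    """Return a copy whose servers use ldaps://host:port (hypothetical helper);
    the input realm is left untouched."""
    fixed = copy.deepcopy(realm)
    for cfg in fixed.get("configurations", []):
        server = str(cfg.get("server", ""))
        if not server.lower().startswith("ldaps://"):
            host = server.split("://", 1)[-1].split(":", 1)[0]
            cfg["server"] = f"ldaps://{host}:{port}"
    return fixed


if __name__ == "__main__":
    for finding in lint_ldap_realm(LDAP_REALM):
        print("finding:", finding)
    hardened = harden_server(LDAP_REALM)
    print("hardened server:", hardened["configurations"][0]["server"])
    reference = LDAP_REALM["configurations"][0]["managerPasswordSecret"]
    print("resolved password length:", len(resolve_vars(reference, CASC_SECRET_DATA)))
```

Run against the snippet as written, the only finding is the plain-LDAP server; after `harden_server` the realm lints clean. Resolving with an empty Secret raises, which is the behaviour you want from a deployment check: a bind with an empty password should never be attempted.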
+
Finally, you must configure the Jenkins Operator to use the manager account's credentials from AD.

This is necessary because enabling the LDAP security realm disables Jenkins' own user database, and the operator still needs to authenticate to Jenkins (for health checks, seed jobs and so on) as a user that exists in the new realm and holds the required permissions.

Create the following Kubernetes Secret, where the name suffix is the name of your Jenkins custom resource:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: jenkins-operator-credentials-<jenkins-cr-name>
  namespace: <namespace>
stringData:
  user: <manager-username>
  password: <manager-password>
```

Note: Values in stringData do not need to be base64 encoded; Kubernetes encodes them when the manifest is applied. Keep this manifest out of source control, since it holds a directory account's password in plain text.

Last modified October 6, 2021