Active Directory plugin

Plugin Information

Plugin ID: active-directory
Latest Release: 1.31-h1
Latest Release Date: Jan 11, 2013
Sources: Github
Support: Eclipse Hudson Forum
Issue Tracking: Eclipse Bugzilla

With this plugin, you can configure Hudson to authenticate the username and password through Active Directory. The plugin internally uses two very different implementations, depending on whether Hudson is running on Windows or non-Windows and whether you specify a domain.

  • If Hudson is running on a Windows machine and you do not specify a domain, that machine must be a member of the domain you wish to authenticate against. Hudson uses ADSI to figure out all the details, so no additional configuration is required.
  • If Hudson is running on a non-Windows machine (or you specify one or more domains), then you need to tell Hudson the name of the Active Directory domain(s) to authenticate with. Hudson then uses DNS SRV records and the LDAP service of Active Directory to authenticate users.

Hudson recognizes all the groups in Active Directory that the user belongs to, so you can use those to make authorization decisions (for example, you can choose the matrix-based security as the authorization strategy and perhaps allow "Domain Admins" to administer Hudson.)

Override Switches

Override domain controllers

This plugin follows the standard lookup procedure to determine the list of candidate Active Directory domain controllers, and this should suffice under normal circumstances. If for some reason it doesn't, you can manually override the lookup and provide the list of domain controllers by setting the system property "hudson.plugins.active_directory.ActiveDirectorySecurityRealm.domainControllers" to a value of the format "host:port,host:port,...". The port should normally be 3269 (global catalog over SSL), 636 (LDAP over SSL), 3268 (global catalog), or 389 (LDAP).
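
A way to review an override value before deploying it, as an added example that is not part of the plugin or its documentation: it parses the "host:port,host:port,..." format and reports malformed entries and entries that use a non-SSL port. The function name and the sample host names are assumptions made for illustration.

```python
import re

# Port meanings as listed in the documentation above: (service, uses SSL).
PORTS = {
    3269: ("global catalog", True),
    636: ("LDAP", True),
    3268: ("global catalog", False),
    389: ("LDAP", False),
}
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

# Constructed sample value: trailing-dot host, a non-SSL port, a missing port.
SAMPLE = "dc1.corp.example.com.:3269, dc2.corp.example.com:389,dc3.corp.example.com"


def audit_domain_controllers(value):
    """Return (endpoints, findings) for a 'host:port,host:port,...' string."""
    endpoints, findings = [], []
    for raw in value.split(","):
        entry = raw.strip()
        host, sep, port_text = entry.rpartition(":")
        if not sep or not port_text.isdecimal():
            findings.append(f"{entry!r}: expected host:port")
            continue
        host = host.rstrip(".").lower()  # tolerate a trailing '.' on the name
        port = int(port_text)
        if not HOST_RE.fullmatch(host):
            findings.append(f"{entry!r}: invalid host name")
            continue
        if not 1 <= port <= 65535:
            findings.append(f"{entry!r}: port out of range")
            continue
        service, ssl = PORTS.get(port, ("unknown", None))
        endpoints.append({"host": host, "port": port, "service": service, "ssl": ssl})
        if ssl is None:
            findings.append(f"{host}:{port}: not one of 3269, 636, 3268, 389")
        elif not ssl:
            # An SSL port is necessary but not sufficient: the 1.17 changelog
            # entry notes that no certificate check is done.
            findings.append(f"{host}:{port}: {service} without SSL")
    return endpoints, findings


if __name__ == "__main__":
    parsed, problems = audit_domain_controllers(SAMPLE)
    for line in problems:
        print("FINDING", line)
```
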

Changelog

Version 1.17 (upcoming)

  • Look up is now done via LDAPS instead of LDAP (although there's no certificate check done now.)
  • The plugin now talks to the global catalog for efficiency, as opposed to a domain, if that's available.
  • Some DNS returns '.' at the end of the host name. Handle it correctly (issue #2647)
  • Fixed a possible LDAP injection problem (issue #3118)
  • Try all the available servers before giving up. Useful when some of your domain controllers aren't working properly. (issue #4268)
  • Added the site support (issue #4203)
  • Cleaned up the help text that incorrectly stated that this doesn't work on Unix. It works. (issue #2500)

Version 1.16 (2009/12/8)

  • Added a workaround for WebSphere in doing DNS lookup via JNDI (issue #5045)

Version 1.15 (2009/06/10)

  • Fix bug introduced with 1.14 where an AD setup with circular group references would cause a stack overflow.

Version 1.14 (2009/06/02)

  • Support nested groups (via the Unix provider) (issue #3071)
  • Fixed a bug that prevented the "authenticated" role being honoured (issue #3735)
  • Support authenticating against multiple domains (issue #3576)

Version 1.13 (2009/05/19)

  • Fixed a bug that degraded Windows support (which forces you to enter the domain name.)
  • Implementation of group recognition (for displaying group icon in matrix for instance.)

Version 1.12 (2009/04/08)

  • Some DNS returns '.' at the end of the host name. Handle it correctly (issue #2647) (not correctly fixed until 1.17)
  • Fixed NPE in the form field validation when a group name was added (issue #3344)
  • Lookup fails for members of groups with special characters in the name (like '/') (issue #3249)

Version 1.11 (2009/03/25)

  • No change. This is a re-release since 1.10 didn't hit the update center.

Version 1.10 (2009/03/20)

  • On Windows, specifying the domain name in the "advanced" section wasn't taking effect.

Version 1.9 (2009/02/17)

  • Modified to work with 64bit Windows (report)

Version 1.8 (2009/02/13)

  • Hudson honors the priority in the SRV entries (patch)

Version 1.7 (2009/01/15)

  • Fixed a bug in handling alternative UPN suffix. (discussion)

Version 1.6 (2009/01/12)

  • Fixed a bug in handling "referrals" (which I believe happens when you run AD forest.)

Version 1.5 (2008/06/24)

  • Windows users can now also use the LDAP-based AD authentication (the same code used on Unix.) This is apparently necessary when Hudson runs as a local user instead of a domain user (discussion)

Version 1.4 (2008/06/11)

  • Fixed a bug where the configuration page doesn't show the configured AD domain name
  • Fixed a bug that prevented this from working with user-defined containers

Version 1.3 (2008/06/09)

  • Supported authentication from Hudson running on non-Windows machines

Version 1.2 (2008/02/27)

  • Fixed IllegalArgumentException in remember-me implementation (issue #1229)

Version 1.0 (2007/01/09)

  • Initial version

  1. Jun 12, 2008

    Travis Bailey says:

    A thousand thank yous for getting this to work on non-windows systems.  It is excruciatingly painful to get our linux systems to talk to our AD.  LDAP is so limited and tricky.  This was a big win for me.  Works beautifully!

  2. Sep 16, 2008

    Andrew Replogle says:

    Has anyone got the "groups" side of user/groups AD permissions working? I've tried adding a security group and a global group and when someone who logs in that belongs to either of those, it doesn't give them the permissions that the group is setup for.

    Is it possible to get the source for this plugin or is it not opensource?

    Thanks,

    Andrew

  3. Oct 08, 2008

    Fred Hoare says:

    Our active directory setup does not allow anonymous requests.  If I am running hudson as a non-domain user is there any way I can specify a username and password for the binding to the AD server?

  4. Apr 01, 2009

    Jorge Matos says:

    I noticed that the plugin doesn't seem to work if you specify an AD group that has spaces in it.

    Is there a way to specify an AD group that contains spaces in the name?

  5. Apr 14, 2009

    Scott Carter says:

    Is it possible to bind to multiple domains?  I have two domains and need hudson to be able to authenticate with both of them but the plugin does not offer an alternate domain to use.  In the active directory box I want to be able to put

    domain1.mydomain.com

    domain2.mydomain.com

    I had thought of setting up a LDAP server and pulling all the information from both domains and storing it all in one but i could not figure that out.

  6. May 12, 2009

    joti says:

    I use this Plugin to secure my Hudson, it works at first try and flawless. Huge thanks for that!

    Nevertheless it would be *really* nice if the Plugin or another Plugin using AD as well could provide

    • EMail-Addresses, assembled according to a pattern given by the user  (in case an email-Address does not just resemble the username or EMail-Name)
    • maybe fill the Jabber-Contact-Field in the same pattern powered way.
    • the Full Name

    for the AD retrieved users.

  7. Nov 18, 2009

    Chris Angove says:

    The plugin is great, but it does not work in my current configuration.  In my config we have different AD boxes serving our different subnets, which may be in the same domain (same issue as illustrated in issue #4203).  Plus we have some test AD machines that seem to get in the way. So many times the plugin gets the right server, but when it does not the login fails.  So looking through the open issues I think a fix for 4268, 4203 or 4191 would get us moving.   Are any of these on the plate for fixing?  If so any ideas on a release?

  8. Dec 22, 2009

    Dale Hoshooley says:

    We are planning on using this plugin to secure our Hudson installation.  Our organization has multiple domains and domain controllers and it would be nice to have an option to have the plug-in connect to the directory's global catalog (port 3268 / 3269 for SSL).

    Is there a way to specify the port the plug-in should use when trying to connect to the AD server?

  9. Feb 04, 2010

    Animesh Banerjee says:

    Is it possible for this plugin to determine the email addresses of users and use them in email notifications? If so, does it require any further configuration on my end? If not I'd like to suggest this feature be implemented as a useful alternative to having to configure LDAP Email Plugin as a helper to get this working properly which admittedly defeats the whole purpose of having a nice simple AD plugin so we don't have to deal with the nightmare of configuring LDAP against AD.

  10. Feb 08, 2010

    Gaurav Tiwari says:

    I have to manage authentication for Hudson using multiple LDAP domains. Although I can mention them all in the server field separating them with commas, the problem I have is that the functional user account (bind DN or manager DN) we would need to access those servers would be different for each domain.

    Is there a way to ensure LDAP authentication of this kind?

  11. May 13, 2010

    Nelms says:

    We are using this plug in to secure our org.'s hudson. We have noticed a bug that when a user logs in, the system said that user has invalid login information and advised to try again but he/she was already logged in since the user name already appeared in the upper right side of the system page beside the search area as logged in. This has been an intermittent problem. I am using matrix based security on authorization.

  12. Jul 20, 2010

    Mark says:

    I am really looking forward to the upcoming release version 1.17 to address some issues we have been having with our Hudson instance.

    Any chance of getting a timeline or estimate for this release?

    My issues:

    * http://issues.hudson-ci.org/browse/HUDSON-4268

    * http://issues.hudson-ci.org/browse/HUDSON-3356

  13. Aug 23, 2010

    Minwook-Kim says:

    I try to get the code building and installing this plug-in. But is not working ADLDAP at linux system.

    Please let me know your next updating plan?

  14. Nov 15, 2010

    bmerkle says:

    is there a timeframe for a 1.17 release ?
    or how can I build the plugin myself ?

  15. Nov 18, 2010

    Daniel Vigovszky says:

    The latest build changed LDAP access to LDAPS without providing an option to set it back. I was using it on a small internal network where LDAPS is not available, so this update completely broke my hudson installation.
    Could you add a system property maybe allowing the user to switch back to LDAP without SSL?

    1. Dec 02, 2010

      P. Rosenberg says:

      I got the same problem in my network.

  16. Dec 08, 2010

    Peter Yamamoto says:

    Appears we are running into the ldaps issue as well.

  17. Mar 01, 2011

    Erik Laursen says:

    Hi

    It seems like there is a problem with fetching this plug-in. I cannot get it from within Hudson or as a file from this page.

  18. Mar 03, 2011

    Vishal says:

    As per my experience with this AD plugin, I will prefer not to go with plugin ver-1.17 since the major issue with this plugin is - http://issues.hudson-ci.org/browse/HUDSON-8119

    So better to go with 1.16