Standard Security Setup

This page discusses what is probably the most common setup — let Hudson maintain its own user database (where people can sign up for their own accounts), while you as the administrator decide who can do what in Hudson.

Initial steps

  1. Go to the system configuration screen (http://server/hudson/configure) and choose "enable security"
  2. Select "Hudson's own user database" as the security realm
  3. Select "Matrix-based security" as the authorization
  4. Give the anonymous user read access
  5. In the text box below the table, type in your user name (you'd be creating this later) and click "add"
  6. Give yourself full access by checking the entire row for your user name
  7. Scroll all the way to the bottom, click "save"

The configuration should look like the picture below:

At this point, you'll be taken back to the top page, and Hudson is successfully secured. Now you need to create a user account for yourself.

  1. Click "login" link at the top right portion of the page
  2. Choose "create an account"
  3. Use the user name you've used in the above step, and fill in the rest.

If everything works smoothly, you are now logged on as yourself with full permissions. If something goes wrong, follow this to reset the security setting.

Active Directory Setup On Linux Server

If Hudson is running on a Windows server, it is better to install the Active Directory plugin.

On a Linux host you have the option of using either the Active Directory plugin or LDAP-based authentication. To configure LDAP to work with AD, provide the following:

  Server:              mydomaincontroller.mycompany.com:389
  Root DN:             dc=mycompany,dc=com
  User Search Filter:  sAMAccountName={0}
  Manager DN:          cn=mymanageruser,ou=users,ou=na,ou=mycompany,dc=mycompany,dc=com
  Manager Password:    *****

Note that the Manager DN may vary depending on your AD setup.

LDAP

Select LDAP for the Security Realm and click the help icon for each configuration option to see information about the settings.

If login attempts fail with "OperationNotSupportedException - Function Not Implemented", "Administrative Limit Exceeded" or a similar error, the LDAP query that determines the user's group membership may be triggering it. First set the "Group search base" as specifically as your LDAP structure allows, to reduce the scope of the query. If the error persists, you may need to edit the WEB-INF/security/LDAPBindSecurityRealm.groovy file included in hudson.war: change the line groupSearchFilter = "(| (member={0}) (uniqueMember={0}) (memberUid={1}))"; so that it queries only the attribute your LDAP uses for group membership, for example groupSearchFilter = "(member={0})"; then restart Hudson.

Groups

  • Prefix LDAP groups with ROLE_ and convert them to uppercase when assigning privileges to LDAP groups. For example, the LDAP group Developers (cn=Developers) would be used as ROLE_DEVELOPERS in Hudson.
  • Group names with non-alpha characters such as hyphen (-), space and comma do not seem to work.
  • Hudson does not support indirect group memberships, i.e. if a user is a member of a group A which is itself a member of group B, the user would not get the privileges (e.g. "Administer Hudson") defined for B, only those defined for A.
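As an added illustration (not Hudson's own code), the following Python models the lookup configured above: filling the sAMAccountName={0} user filter and the groupSearchFilter template with RFC 4515-escaped values, the one-level group search that does not follow nested groups, and the ROLE_ naming rule. The directory contents, user DN and group names are constructed sample data.

```python
# Added illustration (not Hudson's code) of the LDAP lookup this page configures:
# fill the filter templates, check direct group membership, map groups to roles.
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping for values substituted into a filter, so a login such as
# "*" or "x)(objectClass=*" cannot widen the query.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def fill_filter(template: str, *args: str) -> str:
    """Substitute {0}, {1}, ... the way the page's templates expect them
    ({0}=login in the user search filter; {0}=user DN, {1}=uid in
    groupSearchFilter)."""
    for i, arg in enumerate(args):
        template = template.replace("{%d}" % i, escape_filter_value(arg))
    return template

def ldap_group_to_role(cn: str) -> Optional[str]:
    """Hudson expects ROLE_ + upper-cased cn; names with hyphen, space or
    comma are reported on this page as not working, so they yield None."""
    return "ROLE_" + cn.upper() if cn.isalnum() else None

def direct_roles(groups: Dict[str, Dict[str, List[str]]], user_dn: str,
                 uid: str) -> Tuple[List[str], List[str]]:
    """One-level membership check over member/uniqueMember/memberUid, the
    attributes in the default groupSearchFilter. Nested groups are not
    followed, matching the limitation described above.
    Returns (roles granted, group names Hudson cannot use)."""
    wanted = {"member": user_dn, "uniqueMember": user_dn, "memberUid": uid}
    roles, unusable = [], []
    for group_dn, attrs in groups.items():
        if any(v in attrs.get(a, []) for a, v in wanted.items()):
            cn = group_dn.split(",", 1)[0].split("=", 1)[1]
            role = ldap_group_to_role(cn)
            (roles if role else unusable).append(role or cn)
    return sorted(roles), sorted(unusable)

# Constructed sample directory (no real server involved).
USER_DN = "cn=jdoe,ou=users,dc=mycompany,dc=com"
SAMPLE_GROUPS = {
    "cn=Developers,ou=groups,dc=mycompany,dc=com": {"member": [USER_DN]},
    "cn=Admins,ou=groups,dc=mycompany,dc=com":     # holds Developers, not jdoe
        {"member": ["cn=Developers,ou=groups,dc=mycompany,dc=com"]},
    "cn=Release-Eng,ou=groups,dc=mycompany,dc=com": {"memberUid": ["jdoe"]},
}

if __name__ == "__main__":
    print(fill_filter("sAMAccountName={0}", "jdoe"))
    print(direct_roles(SAMPLE_GROUPS, USER_DN, "jdoe"))
```

Run as-is, jdoe receives only ROLE_DEVELOPERS: Admins is reached only through Developers and is therefore not granted, and Release-Eng is flagged as a name Hudson cannot use.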

LDAP Server known to work

  1. Sep 01, 2008

    Alvin Chang says:

    One has to add groups prefixing with "ROLE_" (without quotes). I'm using OpenLDAP as its backend.

  2. Feb 08, 2010

    Gaurav Tiwari says:

    I have to manage authentication for Hudson using multiple LDAP domains. Although I can mention them all in the server field separating them with commas, the problem I have is that the functional user account (bind DN or manager DN) we would need to access those servers would be different for each domain.

    Is there a way to ensure LDAP authentication of this kind?

  3. Apr 28, 2010

    Jean-Luc Pinardon says:

    Please, it would be very interesting to list the LDAP attributes Hudson needs. In the case of a corporate LDAP directory, with a centralized IS/IT team, there is often a web interface for asking rights and information to connect an application with the LDAP server. And the list of attributes can be required.

  4. Nov 08, 2011

    R. Stoneback says:

    When using matrix-based security, I cannot trigger builds remotely (using hudsonHost/job/project/build?token=token) unless the "Anonymous" user has full read access. We do not want the anonymous user to have any visibility of our projects whatsoever.

    I have followed the steps under "Allowing Developers to do Forced Builds with Security On" found here: http://wiki.hudson-ci.org/display/HUDSON/Quick+and+Simple+Security
    but unless I give Anonymous read access, the build still doesn't work.

    I was under the impression that the Authentication Token is the workaround for users that want to build the project but don't have any access to it (i.e. from a post-build script). Otherwise, I don't even see a use for it. Is there a way to accomplish what we want to do...anonymous user has no access, but build from a script?

    Thanks

  5. Nov 08, 2011

    Anton Sych says:

    Hello, I use the LDAP authentication and I can log in to Hudson. But the problem is that I have to wait for about 1-2 min., and it is slow LDAP authentication. What do I need to check? Could you please tell me how I can configure the system correctly? I use Hudson ver. 2.0.0. Thank you in advance for your answer.