Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1057752

Summary: [RFE] Incorporate LDAP with Jenkins Image
Product: OpenShift Container Platform Reporter: Eric Rich <erich>
Component: RFEAssignee: Gabe Montero <gmontero>
Status: CLOSED ERRATA QA Contact: Johnny Liu <jialiu>
Severity: low Docs Contact:
Priority: medium    
Version: 3.1.0CC: aos-bugs, bleanhar, bparees, jokerman, mmccomas, pruan, tdawson
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1057769 (view as bug list) Environment:
Last Closed: 2017-01-18 12:38:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1057769    

Description Eric Rich 2014-01-24 18:09:04 UTC 
Description of problem:

Instead of Jenkins Creating an LDAP user for you at gear/cartridge creation, Jenkins should use LDAP authentication. 

Jenkins created successfully.  Please make note of these credentials:

   User: admin
   Password: PASSWORD

- In an Ideal world, this would pull the LDAP configuration from the broker/console's configuration, and limit access to only the name-space user.
Comment 1 Eric Rich 2016-04-14 17:41:48 UTC 
With https://docs.openshift.org/latest/using_images/other_images/jenkins.html#jenkins-as-s2i-builder in origin we have the ability to pass in plugins like https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin#LDAPPlugin-Description I wonder if this can be used to also provide plugin configurations? 

If so, this could likely be moved to a docs issue, on how to include the plugin and configure it to connect to an LDAP server of your choosing. 

This would be the simplest solution, or a good starting point, however we might also want to consider pulling in the existing LDAP configuration / sync from the platform and only allowing users with access to the project, access to the pod?
Comment 2 Ben Parees 2016-04-15 13:08:02 UTC 
yes the direct/generic ldap auth could be a doc item.  

the better solution would be for jenkins to auth against openshift (ie the openshift user is used to log in to the jenkins console) which would presumably require a custom auth plugin for jenkins.  (but that's also not what was requested here, i guess).
Comment 3 Eric Rich 2016-04-15 13:25:24 UTC 
(In reply to Ben Parees from comment #2)
> yes the direct/generic ldap auth could be a doc item.  
> 
> the better solution would be for jenkins to auth against openshift (ie the
> openshift user is used to log in to the jenkins console) which would
> presumably require a custom auth plugin for jenkins.  (but that's also not
> what was requested here, i guess).

I think there is flexibility with this request, due to its age. In reviewing the case the Business requirement was for: 

The capability control security through the use of a standard configuration to control access to the UI and what function is allows a user to operate on. 

LDAP was simply the suggestion or use at this one customer site. However in your "solution" if LDAP is used for authentication to OpenShift and Authentication to Jenkins is controlled by authentication to OpenShift, this would be one in the same and thus meet the "standard configuration" requirement listed above.
Comment 4 Ben Parees 2016-11-02 14:04:16 UTC 
The jenkins image now supports oauth against openshift, so what is described in comment 3 is possible as of OCP v3.4
Comment 6 errata-xmlrpc 2017-01-18 12:38:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066