Description of problem: Instead of Jenkins creating an LDAP user for you at gear/cartridge creation, Jenkins should use LDAP authentication. Jenkins created successfully. Please make note of these credentials: User: admin Password: PASSWORD - In an ideal world, this would pull the LDAP configuration from the broker/console's configuration, and limit access to only the namespace user.
With https://docs.openshift.org/latest/using_images/other_images/jenkins.html#jenkins-as-s2i-builder in origin we have the ability to pass in plugins like https://wiki.jenkins-ci.org/display/JENKINS/LDAP+Plugin#LDAPPlugin-Description I wonder if this can be used to also provide plugin configurations? If so, this could likely be moved to a docs issue, on how to include the plugin and configure it to connect to an LDAP server of your choosing. This would be the simplest solution, or a good starting point, however we might also want to consider pulling in the existing LDAP configuration / sync from the platform and only allowing users with access to the project, access to the pod?
Yes, the direct/generic LDAP auth could be a doc item. The better solution would be for Jenkins to auth against OpenShift (i.e. the OpenShift user is used to log in to the Jenkins console), which would presumably require a custom auth plugin for Jenkins. (But that's also not what was requested here, I guess.)
(In reply to Ben Parees from comment #2)
> yes the direct/generic ldap auth could be a doc item.
>
> the better solution would be for jenkins to auth against openshift (ie the
> openshift user is used to log in to the jenkins console) which would
> presumably require a custom auth plugin for jenkins. (but that's also not
> what was requested here, i guess).

I think there is flexibility with this request, due to its age. In reviewing the case, the business requirement was for: the capability to control security through the use of a standard configuration that controls access to the UI and what functions it allows a user to operate on. LDAP was simply the suggestion in use at this one customer site. However, in your "solution", if LDAP is used for authentication to OpenShift and authentication to Jenkins is controlled by authentication to OpenShift, this would be one and the same and thus meet the "standard configuration" requirement listed above.
The Jenkins image now supports OAuth against OpenShift, so what is described in comment 3 is possible as of OCP v3.4.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066