LDAP Configuration Series II: Jenkins Integrated with LDAP
Jenkins Introduction
Jenkins is a standalone, open source automation server that can be used to automate a variety of tasks related to building, testing, delivering, or deploying software.
Jenkins official documentation: jenkins.io/doc/
Jenkins installation
Jenkins download: jenkins.io/download/
```
# JDK 1.8 download
[root@vm_0_15_centos local]# wget http://download.linuxpanda.tech/java/jdk-8u172-linux-x64.tar.gz
[root@vm_0_15_centos local]# tar xf jdk-8u172-linux-x64.tar.gz
[root@vm_0_15_centos local]# cd jdk1.8.0_172/

# Jenkins installation
[root@vm_0_15_centos local]# yum install https://pkg.jenkins.io/redhat/jenkins-2.141-1.1.noarch.rpm

# Configuration modification
[root@vm_0_15_centos ~]# vim /etc/sysconfig/jenkins
JENKINS_JAVA_CMD="/usr/local/jdk1.8.0_172/bin/java"

# Open the firewall port
[root@vm_0_15_centos ~]# firewall-cmd --permanent --add-port=8080/tcp
[root@vm_0_15_centos ~]# firewall-cmd --reload

# Restart Jenkins
[root@vm_0_15_centos ~]# systemctl restart jenkins
[root@vm_0_15_centos ~]# systemctl status jenkins
[root@vm_0_15_centos ~]# netstat -tunlp | grep 8080

# Access the corresponding external address
# jenkins.linuxpanda.tech:8080
```
Install the necessary plugins.
Note: On my CentOS 7 server, running yum install jenkins directly has a problem: Jenkins cannot be accessed, so I used yum install with a specific RPM package. I do not know the cause for the time being.
The home page after installation is:
LDAP preparation
If you do not have an LDAP server, refer to www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_liunx_52_ldap.html. Here I use ldapadmin.exe, a small tool, to manage LDAP.
Add Jenkins-related test accounts and groups
- Under the group OU, create an OU for Jenkins.
- Create 3 groups within the jenkins OU, named jenkins-admins, jenkins-editors and jenkins-users.
- Create 4 accounts under ou=people, named admin, test01, test02 and test03, and configure a mailbox and password for each.
- Add the corresponding users to the three groups: add the admin and test01 users to the jenkins-admins group, the test02 user to the jenkins-editors group, and the test03 user to the jenkins-users group.
The final organization chart is as follows:
Jenkins Integrated LDAP configuration
Select "Jenkins" > "System Management" > "Global Security Settings".
Configure LDAP as follows
Note: The admin and test accounts above use the password oracle.
Using LDAP queries
```
# Query all users
[root@vm_0_15_centos ~]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=people,dc=linuxpanda,dc=tech"

# Query a specific user
[root@vm_0_15_centos ~]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=people,dc=linuxpanda,dc=tech" "uid=test01"
dn: uid=test01,ou=people,dc=linuxpanda,dc=tech
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
gidNumber: 0
givenName: test01
sn: test01
displayName:: 5rwl6k+vmq==
uid: test01
homeDirectory: /home/test01
loginShell: /bin/bash
mail: test01@linuxpanda.tech
cn:: 5rwl6k+vmq==
uidNumber: 55545
userPassword:: e1niqx1ree5rdgtvuhhiek52mm9pqmqvykc2njnsqkk9

# Group query
[root@vm_0_15_centos ~]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=jenkins,ou=group,dc=linuxpanda,dc=tech"

# Get the corresponding group
[root@vm_0_15_centos ~]# ldapsearch -LLL -w oracle -x -H ldap://ldap.linuxpanda.tech:389 -D "cn=admin,dc=linuxpanda,dc=tech" -b "ou=jenkins,ou=group,dc=linuxpanda,dc=tech" "(&(cn=jenkins-admins)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=posixGroup)))"
dn: cn=jenkins-admins,ou=jenkins,ou=group,dc=linuxpanda,dc=tech
objectClass: posixGroup
objectClass: top
cn: jenkins-admins
memberUid: test01
memberUid: admin
gidNumber: 40109
```
The LDAP configuration is complete, but we still need to talk about how user rights and permissions are assigned inside Jenkins with LDAP; otherwise just integrating LDAP into Jenkins is of no use, haha.
How Jenkins and LDAP resolve user rights and authorization issues
Here we adopt the combination of global project security matrix + project security matrix + LDAP authentication to achieve complex rights management.
There are 5 kinds of authorization policies available after the default recommended plugins are installed in Jenkins:
- Any user can do anything (without any restrictions)
- Security matrix
- Logged-in users can do anything
- Legacy mode
- Project Matrix Authorization Policy
We choose the project matrix authorization policy. Specific steps: select "Jenkins" > "System Management" > "Global Security Settings", then select the project matrix authorization policy.
Then add the three groups to our global Security Settings page and configure the permissions for each group.
Configure the permission settings as
This is a global configuration, so each group should only be granted the minimum permissions here; additional permissions can be added in the permission matrix of the specific project.
If a user in LDAP is added to the jenkins-admins group, the user has all permissions. Generally only ops staff and department heads join this group.
If a user in LDAP is added to the jenkins-editors group, the user has the checked permissions, and members of this group can modify the Jenkins configuration. This group is generally not open to just anyone; it may be opened to the lead of front-end or back-end development.
If a user in LDAP is added to the jenkins-users group, the user has the Read permission. Read is a very basic permission in Jenkins: without it a user cannot log in to Jenkins. Developers generally join this group.
The above is only a permission setting at the global level. A developer should only be able to publish the projects he is responsible for, so you still need to enable the project security option in the configuration of the specific Jenkins project, add the specific developers to the list, and grant them permissions.
This allows for detailed authorization to the user.
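An added example, not part of the original post: since membership of jenkins-admins grants every permission, this Python sketch parses the `ldapsearch -LLL` group query output shown earlier (including folded lines and base64 `::` values) and lists members who are not on an approved list. The LDIF sample is constructed from the page's group setup; the function names and the approved set are assumptions.

```python
import base64

# Constructed sample in the shape `ldapsearch -LLL` prints for the page's
# ou=jenkins,ou=group subtree; one DN is folded and one cn is base64 ("cn::").
SAMPLE_LDIF = """\
dn: cn=jenkins-admins,ou=jenkins,ou=group,dc=linuxpanda,dc=tech
cn: jenkins-admins
memberUid: test01
memberUid: admin

dn: cn=jenkins-editors,ou=jenkins,ou=group,dc=linuxpanda,dc=tech
cn: jenkins-editors
memberUid: test02

dn: cn=jenkins-users,ou=jenkins,ou=group,dc=linuxpanda,
 dc=tech
cn:: amVua2lucy11c2Vycw==
memberUid: test03
"""

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF entry."""
    entries, current = [], {}
    # LDIF folding: a newline followed by one space continues the previous line.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):          # "attr:: value" is base64
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(rest.strip())
    return entries

def members_by_group(entries):
    """Map each group's cn to its sorted memberUid values."""
    return {e["cn"][0]: sorted(e.get("memberuid", [])) for e in entries}

def unapproved(entries, group, approved):
    """memberUid values in `group` that are missing from the approved set."""
    return sorted(set(members_by_group(entries).get(group, [])) - set(approved))

if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    print(members_by_group(groups))
    print(unapproved(groups, "jenkins-admins", {"admin"}))
```

To run it against a live directory, pipe the output of the page's group query into `parse_ldif` instead of `SAMPLE_LDIF`.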