Enabling security on my Hudson installation was a fairly straightforward task, although it did take a little trial and error to get it all straight. I chose to authenticate against our existing LDAP directory. One of the things that caught me off guard at first was the ‘User search base’ and ‘Group search base’. These settings are Relative Distinguished Names (ou=People), not the full Distinguished Name (ou=People,dc=crashingdaily,dc=com). Not a big deal; in fact I could have (should have, but I like to tinker) just left these fields empty and Hudson would have figured it out on its own.
Here is my almost final configuration (my final configuration makes use of StartTLS for a secure connection to the LDAP server – more on that in a later post).

The Manager DN is an account that has read-only search permissions. This is required because our LDAP directory is not searchable with anonymous binds.
The LDAP group configuration took me a bit more effort and debugging. I have a HudsonAdmin LDAP group in my directory. The DN for it is cn=HudsonAdmin,ou=Groups,dc=crashingdaily,dc=com.
To get this to work I had to upgrade to the 1.261 release, which adds uniqueMember and memberUid to the existing member attribute in the group search filter (my HudsonAdmin group has ‘uniqueMember’ entries). Incidentally, one of the things I love about Hudson is that when I run into a bug or missing feature I can usually count on it being addressed in a newer release – and upgrading to a new release is quick and painless.
A not-so-obvious aspect to the configuration is that, when adding an LDAP group, Hudson wants the group name in all uppercase and with ‘ROLE_‘ prefixed to it. So, ‘cn=HudsonAdmin,...‘ becomes ‘ROLE_HUDSONADMIN‘. I did find this requirement documented after a little Google searching, it’s just not spelled out in the admin form’s help.
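To make the three rules above concrete (search bases given as RDNs, the 1.261 group filter that matches member, uniqueMember or memberUid, and the ‘ROLE_’ + uppercase naming in the authorization matrix), here is an added Python simulation of the group lookup. It is not Hudson's code: the directory entries, the root DN and the exact filter shape are constructed assumptions for illustration, and the pre-1.261 behaviour is modelled by restricting the membership attributes to member only.

```python
# Added example, not Hudson's own code. Simulates the LDAP group lookup the
# post describes against a small in-memory directory (constructed data).

ROOT_DN = "dc=crashingdaily,dc=com"   # assumed root DN from the post

def search_base(relative_or_full, root_dn=ROOT_DN):
    """'User search base' / 'Group search base' are RDNs such as 'ou=People'.
    Empty means search from the root; a full DN is accepted unchanged."""
    if not relative_or_full:
        return root_dn
    if relative_or_full.lower().endswith(root_dn.lower()):
        return relative_or_full
    return f"{relative_or_full},{root_dn}"

def escape_filter_value(value):
    """RFC 4515 escaping so a DN or uid cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

# Constructed LDIF-like entries; one group per membership attribute style.
DIRECTORY = [
    {"dn": "uid=alice,ou=People,dc=crashingdaily,dc=com", "uid": ["alice"]},
    {"dn": "uid=bob,ou=People,dc=crashingdaily,dc=com", "uid": ["bob"]},
    {"dn": "cn=HudsonAdmin,ou=Groups,dc=crashingdaily,dc=com", "cn": ["HudsonAdmin"],
     "uniqueMember": ["uid=alice,ou=People,dc=crashingdaily,dc=com"]},
    {"dn": "cn=developers,ou=Groups,dc=crashingdaily,dc=com", "cn": ["developers"],
     "memberUid": ["alice", "bob"]},
    {"dn": "cn=qa,ou=Groups,dc=crashingdaily,dc=com", "cn": ["qa"],
     "member": ["uid=bob,ou=People,dc=crashingdaily,dc=com"]},
]

ALL_MEMBER_ATTRS = ("member", "uniqueMember", "memberUid")   # 1.261 and later
OLD_MEMBER_ATTRS = ("member",)                               # before 1.261

def under_base(dn, base):
    return dn.lower().endswith(base.lower())

def group_search_filter(user_dn, uid, attrs=ALL_MEMBER_ATTRS):
    """Filter in the shape the post describes: OR over the member attributes.
    DN-valued attributes match the user's DN, memberUid matches the uid."""
    dn_v, uid_v = escape_filter_value(user_dn), escape_filter_value(uid)
    terms = "".join(f"({a}={uid_v if a == 'memberUid' else dn_v})" for a in attrs)
    return f"(|{terms})"

def groups_for(user_dn, uid, group_base, attrs=ALL_MEMBER_ATTRS):
    """Apply the same matching logic as the filter to the in-memory entries."""
    found = []
    for entry in DIRECTORY:
        if not under_base(entry["dn"], group_base) or "cn" not in entry:
            continue
        for attr in attrs:
            values = [v.lower() for v in entry.get(attr, [])]
            needle = uid.lower() if attr == "memberUid" else user_dn.lower()
            if needle in values:
                found.append(entry["cn"][0])
                break
    return found

def role_name(group_cn):
    """The authorization matrix wants 'ROLE_' plus the group cn in upper case."""
    return "ROLE_" + group_cn.upper()

def roles_for(uid, user_base="ou=People", group_base="ou=Groups", attrs=ALL_MEMBER_ATTRS):
    """Resolve a uid to the ROLE_ names Hudson would grant, sorted."""
    ubase, gbase = search_base(user_base), search_base(group_base)
    user = next((e for e in DIRECTORY
                 if under_base(e["dn"], ubase) and uid in e.get("uid", [])), None)
    if user is None:
        return []
    return sorted(role_name(cn) for cn in groups_for(user["dn"], uid, gbase, attrs))

if __name__ == "__main__":
    print(group_search_filter("uid=alice,ou=People,dc=crashingdaily,dc=com", "alice"))
    print("alice (1.261+):", roles_for("alice"))
    print("alice (member only):", roles_for("alice", attrs=OLD_MEMBER_ATTRS))
```

Running it shows why the upgrade mattered: with only the member attribute in the filter, a user whose group uses uniqueMember or memberUid resolves to no roles at all, so the matrix entry ROLE_HUDSONADMIN never applies to them.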
Tip: When screwing around with your Hudson Authorization, make frequent backups of the working $HUDSON_HOME/config.xml so if you make a mistake and lock yourself out you can restore a working configuration from backup, reload Hudson and be back in business. The Hudson documentation does include a note about recovering from a lockout by setting useSecurity to false in the config.xml file but I find that doing that causes a loss of all your security settings and you’ll have to re-enter all the LDAP values and Authorization settings.

6 comments
March 25, 2009 at 5:18 am
James
This unfortunately did not work for me on an Active Directory host- actually, none of this really applies. Is this out of date?
my user seach base is not people.
my user search filter is on sAMAccountName, not uid.
my group search base required the rest of the DN string…..
and most importantly, I didn’t use ROLE_GROUPNAME, I used GroupName ..
this is quite misleading, but unfortunately the only real example out there –
could you update please?
Thanks…
March 25, 2009 at 2:39 pm
crashingdaily
I believe you should be using Hudson’s Active Directory plugin.
http://wiki.hudson-ci.org/display/HUDSON/Active+Directory+Plugin
http://mattharrah.com/blog/software-development/securing-hudson-using-active-directory/
March 25, 2009 at 10:37 pm
James
Can’t for 2 reasons -
1.) Hudson sits in a separate data centre with different DNS than than our AD server and I can’t seem to hard code the configuration (LDAP IP) of the host.
2.) Even when I run Hudson local to our AD server, it still can’t find the domain with DNS..
.. looking through the code at the moment to find if I can hardcode the IP ..
April 5, 2009 at 11:08 am
Note su Hudson e CruiseControl « Software Libero e non solo
[...] Integration with LDAP needs to be considered. For Hudson an interesting post is here. [...]
April 29, 2009 at 4:08 pm
crashingdaily
I finally got around to upgrading to the current version, 1.301, and the above instructions still apply for regular LDAP configurations – specifically, I’m using Fedora Directory Server. Active Directory, apparently not so much.
January 7, 2010 at 5:14 pm
PoWl
Thanks for this post! It was the first one I found while looking for the right way to name groups when adding them to the auth matrix. :)