[JIRA] [active-directory] (JENKINS-20064) Cannot use CLI or URL with API token with Active Directory as the access control security realm

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[JIRA] [active-directory] (JENKINS-20064) Cannot use CLI or URL with API token with Active Directory as the access control security realm

JIRA noreply@jenkins-ci.org
Jeff Burke commented on Bug JENKINS-20064

@angelo, take a look at https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients. It shows how the apitoken is supplied. apitoken is being used as a keyword to tell the CLI/SSH to use the token as an account lookup.

On the topic of whether CLI w/API token should verify the account is active w/the underlying security realm... I standby that it needs to do this. It doesn't need to authenticate the credentials, but it does need to verify that the user account hasn't been disabled. Not performing this would, for example, allow previous employees of a company a backdoor into internal Jenkins systems. Long after their AD, LDAP, or PAM account has been disabled, Jenkins SSH would continue to give them access to resources that administrators clearly didn't want them to continue to have.

I'd be fine w/it being a configurable option w/in the SSH CLI.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/groups/opt_out.