AD/LDAP Binding account password rotation

Background
I’ve installed Jenkins Community Edition on Windows Server 2022 Datacenter and am evaluating its security features before potentially upgrading to a paid edition. My environment uses Active Directory for user authentication via the AD/LDAP plugin, and I tried to run Jenkins either under a dedicated AD service account or the Local System account.

I managed to configure AD/LDAP and all AD users authenticate successfully as expected.

For security compliance, the bind account’s password must be rotated on a regular schedule. I plan to leverage a security solution that can:

Change the AD service account password automatically.
Push the new password into Jenkins (via its web interface).

When I manually reset the bind account’s password in AD without updating Jenkins, users continue to log in even after a Jenkins service restart.

Only after some time (cache/Ticket renewal) does authentication begin to fail.

Why does Jenkins continue to authenticate AD users even when the bind password is no longer valid?

Has anyone successfully implemented a fully automated password rotation for the Jenkins bind account—updating both AD and the Jenkins configuration—while maintaining uninterrupted user authentication?

Any help appreciated!

Thanks,

Raphael

I know that the AD plugin offers a user cache, so AD does not have to be contacted every time a user is validated.

I think with AD you have to use 2 accounts to do reliable password rotation. The risk is that during the short time frame between updating the password in AD and updating the bind password in Jenkins someone tries to access Jenkins. This can easily lead to the bind user getting locked due to too many requests with an invalid password.
We do that on our instance. As we have a 100% Configuration as Code approach running Jenkins in Docker, I can’t just update the password via REST or the UI. That change would be lost after a restart of Jenkins. So when the password is about to expire for the first user, we make sure that the second account has a fresh password, and then I just change the bind user in the code and restart Jenkins.
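To illustrate the two-account approach in a Configuration as Code setup, here is an added example (not from the thread or the plugin project) of a JCasC fragment for the Active Directory plugin. The domain, server, account names and the environment variable are constructed placeholders; the assumption is that the secrets tool rotates the password of the standby account and injects it as an environment variable before Jenkins is restarted with the swapped bindName.

```yaml
# Added example: JCasC fragment for the Active Directory security realm.
# Two bind accounts exist in AD (svc-jenkins-bind-a and svc-jenkins-bind-b).
# At rotation time the secrets tool sets a fresh password on the account that is
# NOT currently configured, the environment variable is repointed at that secret,
# bindName is swapped in this file, and Jenkins is restarted. The live account is
# never rotated while it is in use, so no failed binds can lock it out.
jenkins:
  securityRealm:
    activeDirectory:
      domains:
        - name: "corp.example.com"                      # constructed placeholder domain
          servers: "dc01.corp.example.com:3268"         # constructed placeholder global catalog
          bindName: "svc-jenkins-bind-b@corp.example.com"  # swap to ...-a at the next rotation
          bindPassword: "${JENKINS_AD_BIND_PASSWORD}"   # assumed env var injected by the secrets tool
      # User cache mentioned above: cached entries mean AD is not bound on every request.
      cache:
        size: 500
        ttl: 600   # seconds a cached lookup stays valid
```

Keep the two bind accounts on staggered expiry dates so only one is ever close to expiring at a time.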

Hello!

Thank you for your message.
I am working on a web plugin to rotate the password, but I have experienced that if I manually change the password on the AD side and reboot the Jenkins service, it does not impact the authentication (at least for a while).
It tends to make password rotation a little hazardous.