Migrating from Active Directory to local users

bs"d

Jenkins setup:
Jenkins: 2.426.2
OS: Linux - 6.1.0-17-cloud-amd64
Java: 17.0.9 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)

ace-editor:1.1
active-directory:2.34
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
authentication-tokens:1.53.v1c90fd9191a_b_
badge:1.9.1
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.2-3
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1144.v1425d1c3d5a_7
build-blocker-plugin:1.7.9
build-timeout:1.32
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloudbees-folder:6.858.v898218f3609d
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
credentials:1311.vcf0a_900b_37c2
credentials-binding:642.v737c34dea_6c2
data-tables-api:1.13.8-2
display-url-api:2.200.vb_9327d658781
docker-commons:439.va_3cb_0a_6a_fb_29
docker-workflow:572.v950f58993843
durable-task:543.v262f6a_803410
echarts-api:5.4.3-2
email-ext:2.103
font-awesome-api:6.5.1-1
git:5.2.1
git-client:4.6.0
git-server:99.va_0826a_b_cdfa_d
github:1.37.3.1
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1767.va_7d01ea_c7256
gradle:2.9
groovy-postbuild:228.vcdb_cf7265066
gson-api:2.10.1-15.v0d99f670e0a_7
handlebars:3.0.8
instance-identity:185.v303dc7c645f9
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.16.1-373.ve709c6871598
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
jjwt-api:0.11.5-77.v646c772fddb_0
jquery-detached:1.2.1
jquery3-api:3.7.1-1
jsch:0.2.16-86.v42e010d9484b_
json-path-api:2.8.0-21.v8b_7dc8b_1037b_
junit:1256.v002534a_5f33e
ldap:711.vb_d1a_491714dc
lockable-resources:1228.v1b_2379444670
mailer:463.vedf8358e006b_
mapdb-api:1.0.9-28.vf251ce40855d
matrix-auth:3.2.1
matrix-project:822.v01b_8c85d16d2
mina-sshd-api-common:2.11.0-86.v836f585d47fa_
mina-sshd-api-core:2.11.0-86.v836f585d47fa_
momentjs:1.1.1
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pam-auth:1.10
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:689.veec561a_dee13
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2168.vf921b_4e72c73
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:2.2168.vf921b_4e72c73
pipeline-model-extensions:2.2168.vf921b_4e72c73
pipeline-rest-api:2.34
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2168.vf921b_4e72c73
pipeline-stage-view:2.34
plain-credentials:143.v1b_df8b_d3b_e48
plugin-usage-plugin:4.2
plugin-util-api:3.8.0
popper-api:1.16.1-3
popper2-api:2.11.6-4
resource-disposer:0.23
role-strategy:689.v731678c3e0eb_
scm-api:683.vb_16722fb_b_80b_
script-security:1313.v7a_6067dc7087
slack:684.v833089650554
snakeyaml-api:2.2-111.vc6598e30cc65
ssh:2.6.1
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.948.vb_8050d697fec
sshd:3.322.v159e91f6a_550
structs:325.vcb_307d2a_2782
subversion:2.17.3
timestamper:1.26
token-macro:400.v35420b_922dcb_
trilead-api:2.133.vfb_8a_7b_9c5dd1
variant:60.v7290fc0eb_b_cd
windows-slaves:1.8.1
workflow-aggregator:596.v8c21c963d92d
workflow-api:1283.v99c10937efcb_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3837.v305192405b_c0
workflow-cps-global-lib:609.vd95673f149b_b
workflow-durable-task-step:1313.vcb_970b_d2a_fb_3
workflow-job:1385.vb_58b_86ea_fff1
workflow-multibranch:770.v1a_d0708dd1f6
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45

If I go to the URL /manage/configureSecurity/

The Security Realm is configured as Active Directory.
I want to stop using the AD and manage the users’ credentials built in.

I’m afraid of breaking the system if I just disconnect the AD.

How can I migrate it?

Try it out on a test instance and see what happens when you switch the security realm.

Take a backup before applying the change on your production instance.

But you will most likely need to manually add all the users and set an initial password. The permissions are not affected by this change. So when you create the users and use the same userid as they had with AD, users will not see a difference except they now have an additional password for your Jenkins and no longer can use the domain password.
Or you allow manual signup of users. But signup is a security risk as someone could just use a userid that is not yet registered but already has permissions from before.

One thing to consider:
With the internal user database it is not possible to manage groups, so if you use groups from AD this will not work anymore. You will need to explicitly assign the permissions to your users.
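
An added example, not part of the original thread: before switching the realm, list which user IDs hold permissions (these need to exist under the same ID before anyone else can register them) and which group entries will stop matching. It assumes the matrix-auth 3.x on-disk format, where each `<permission>` in `$JENKINS_HOME/config.xml` reads `TYPE:permission:sid`; the sample config and every name in it are constructed, and an instance that uses role-strategy stores its assignments differently.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of $JENKINS_HOME/config.xml (assumed matrix-auth 3.x format).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:alice</permission>
    <permission>USER:hudson.model.Item.Build:bob</permission>
    <permission>GROUP:hudson.model.Item.Read:Jenkins-Devs</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Configure:carol</permission>
  </authorizationStrategy>
</hudson>"""

BUILTIN = {"authenticated", "anonymous"}  # resolved by Jenkins itself, not by AD
TYPES = ("USER", "GROUP", "EITHER")

def parse_entry(text):
    """Return (kind, permission, sid) for one <permission> value."""
    first, _, rest = text.strip().partition(":")
    if first in TYPES:
        perm, _, sid = rest.partition(":")
        return first, perm, sid
    return "EITHER", first, rest  # legacy entry without a type prefix

def audit(config_xml):
    """Classify every SID that holds a permission for the realm migration."""
    # Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml, count=1)
    grants = defaultdict(set)
    for node in ET.fromstring(body).iter("permission"):
        kind, perm, sid = parse_entry(node.text or "")
        grants[(kind, sid)].add(perm)
    report = {"precreate_users": [], "lost_groups": [], "check_manually": []}
    for (kind, sid), perms in sorted(grants.items()):
        if sid in BUILTIN:
            continue  # keeps working with any security realm
        bucket = {"USER": "precreate_users", "GROUP": "lost_groups"}.get(kind, "check_manually")
        report[bucket].append((sid, sorted(perms)))
    return report

if __name__ == "__main__":
    for bucket, rows in audit(SAMPLE_CONFIG).items():
        print(bucket)
        for sid, perms in rows:
            print(f"  {sid}: {', '.join(perms)}")
```

Every ID under `precreate_users` or `check_manually` should exist in the internal database, or have its grant removed, before signup is ever enabled; entries under `lost_groups` need to be reassigned to individual users.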

Hi @mawinter69, thanks,

Do you know how to start a server (I use docker compose) with all the jobs disabled?

Just create a new jenkins and start it

Create a new empty directory /data/jenkins_test
Download the jenkins.war and put it in that directory
export JENKINS_HOME=/data/jenkins_test
run
java -jar /data/jenkins_test/jenkins.war
Jenkins will start on port 8080
