Using globalMatrix auth with LDAP groups

Hi,

Is it possible for globalMatrix (Matrix-based security) to run concurrently with users who are in a given LDAP group? I want to force Jenkins’ Matrix-based security authorization to automatically retrieve users from a given LDAP group and assign them as administrators.

For example, in User search filter (Security Realm LDAP) I have set

(& (sAMAccountName = {0}) (| (memberOf = CN = UserGroup1, OU = Managed, OU = Groups, DC = x, DC = y, DC = z, DC = com) (memberOf = CN = UserGroup2, OU = Delegated, OU = Groups, DC = x, DC = y, DC = z, DC = com)))

In Matrix-based security I want to set the administrators (users) from the UserGroup1 group as follows: I click the “Add user or group…” button, in the prompt field I enter UserGroup1, and after adding and hovering over the added group I get the message "User or group not found".

Is it even possible?

Cheers!

Hey,

I think what you’re asking to do is to take an LDAP group and assign all members of it to have administrator privileges. Is that correct?

If so, in the Advanced section of your LDAP configuration, you need to set up the “Group search filter” and the “Group membership” appropriately for your LDAP environment. The group search filter is used to locate groups that can be added to the matrix, while the group membership settings configure how Jenkins links users up to groups (whether the user records contain a list of groups or whether the groups contain a list of users and how to find that record).

For example, in our Jenkins environment connected to Active Directory, our group search filter is “(&(cn={0})(objectCategory=group))”, and our group membership is set to search for LDAP groups containing the user with the filter “(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))”. These were set after reviewing the appropriate LDAP records and some Google searching (especially for that OID!).

Hope that helps,
Michael

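For readers who manage Jenkins through Configuration as Code, the following is an added example (not part of the thread or the Jenkins project's documentation) of how the two filters Michael describes, together with a matrix-auth grant for the group, fit into a JCasC file. The server name, root DN, search bases and manager credentials are placeholders to be replaced with your own values; the `entries` form under `globalMatrix` assumes matrix-auth 3.x, and the `userSearch` value is the original poster's filter reduced to the username lookup, since group-based restrictions belong in the authorization strategy rather than in the user search.

```yaml
jenkins:
  securityRealm:
    ldap:
      configurations:
        - server: "ldaps://dc.example.com"          # placeholder: your AD host
          rootDN: "DC=x,DC=y,DC=z,DC=com"           # placeholder: taken from the question
          managerDN: "CN=jenkins-bind,OU=Service,DC=x,DC=y,DC=z,DC=com"  # placeholder read-only bind account
          managerPasswordSecret: "${LDAP_BIND_PASSWORD}"              # injected from a secret, never inline
          userSearchBase: "OU=Users"                 # placeholder, relative to rootDN
          userSearch: "(sAMAccountName={0})"         # {0} is replaced with the login name
          groupSearchBase: "OU=Groups"               # placeholder, relative to rootDN
          # Michael's group search filter: resolves a name typed into the matrix to an AD group
          groupSearchFilter: "(&(cn={0})(objectCategory=group))"
          groupMembershipStrategy:
            fromGroupSearch:
              # Michael's membership filter: {0} is the user's DN; the matching-rule OID
              # makes AD evaluate nested group membership, so members of groups nested
              # inside UserGroup1 are treated as members of UserGroup1 too
              filter: "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))"
      cache:
        size: 100
        ttl: 300
  authorizationStrategy:
    globalMatrix:
      entries:
        - group:
            name: "UserGroup1"                      # the AD group name, as resolved by groupSearchFilter
            permissions:
              - "Overall/Administer"
        - group:
            name: "authenticated"                   # every other logged-in LDAP user gets read-only access
            permissions:
              - "Overall/Read"
```

Before relying on the grant, use the "Test LDAP settings" button on the Configure Global Security page with a known member of UserGroup1: the result lists the groups Jenkins resolved for that user, and the matrix row for UserGroup1 only stops showing "User or group not found" once that list contains the group. Because the nested-membership OID widens who counts as a member, it is worth reviewing which groups are nested inside UserGroup1 before handing it Overall/Administer.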

It's been a while since I used matrix auth with groups (my Jenkins install is pretty much just me).
Isn't it @group and user?

So wouldn't it be @UserGroup1?