How to filter users which belong to a specific group on Active Directory?

Article ID:230128428
1 minute readKnowledge base

Issue

  • Configure the security authorization/authentication so that to access your Jenkins Enterprise instance, you HAVE to be a member of a specific Active Directory group

Environment

  • CloudBees Jenkins Enterprise

  • LDAP plugin

  • Active Directory plugin

Resolution

There are two way to achieve this goal.

With RBAC plugin and ldap/ad plugin

You just need to configure your Security Realm and then use the RBAC plugin to map the AD group -> Jenkins group and finally apply the corresponded role to this group. Below, there are two videos which show how to achieve this.

This is the recommended way as it is easily scalable.

Filtering directly with LDAP plugin

However, you might want to filter groups at Security Realm level and not Authorization level. In this case, since the AD plugin does not allow to customize your user filter, your only way is to use the LDAP plugin.

Let’s say that on your AD server you have a group called group1 with the distinguisedName CN=group1,CN=Users,DC=support-cloudbees-2,DC=com.

ad filter user jxplorer
ad filter user server

Then, the configuration you should perform should look something like this:

ad filter user jenkins

  • User search filter : (&(sAMAccountName={0})(memberOf=CN=group1,CN=Users,DC=support-cloudbees-2,DC=com))

  • Group search filter : (& (cn={0}) (objectclass=group) )