- Migrating the Role-Based Access Control (RBAC) plugin
Previously, users were not distinguished from groups in the RBAC configuration, which could lead to misconfigurations when a user had the same name as a group. This issue has been resolved: users and groups are now properly distinguished and validated when added.
In the unlikely event that you have users and groups with the same names, you must manually select whether those items are users or groups when you upgrade. For more information, refer to Migrating the RBAC plugin from versions prior to 5.65 in the CloudBees CI on traditional platforms documentation.
- Additional steps required for Active Directory plugin users
If you are using the Active Directory plugin to authenticate users, additional steps are required when upgrading this instance.
The Active Directory plugin versions 2.23.1, 2.24.1, and 2.25.1 add an option to only connect to Active Directory via TLS/SSL to both modes (ADSI and LDAP).
This option is enabled by default for new installations and is now the recommended way to enforce TLS/SSL for connections to Active Directory.
Unlike the existing StartTLS option for the LDAP-based mode, it will not proceed using an insecure connection if establishing a TLS/SSL connection fails.
Administrators upgrading from previous versions of the plugin will be shown a warning on the Jenkins UI requesting they update the plugin configuration, unless the (now otherwise obsolete) flag
hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps was set to
After upgrading, you should review your Active Directory setup and, if required, enable the
require TLS option in the security configuration of Jenkins to require all communication with the LDAP server to be encrypted.
Additionally, if you were previously using the
hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps flag, you should save the Jenkins security configuration and then remove the system property.
The plugin exposes configuration of the ADSI flags implementing the TLS/SSL requirement via the system properties
hudson.plugins.active_directory.ActiveDirectoryAuthenticationProvider.ADSI_PASSWORDLESS_FLAGS_OVERRIDE. See the plugin documentation for further details.
|Care needs to be taken when reconfiguring the security realm so that you do not accidentally lock yourself out. See the documentation for advice on how to resolve this problem if it occurs.|
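One way to check whether a controller still carries the obsolete forceLdaps system property before removing it, as an added example that is not part of the original notes or of the plugin. The function names and the sample JVM argument string are assumptions constructed for illustration; where your installation actually stores its JVM options depends on how it was installed.

```shell
#!/bin/sh
# Added example: audit a JVM argument string for the obsolete forceLdaps flag.
# Simple whitespace splitting is assumed; quoted arguments with spaces are not handled.
PROP='hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps'

# Print the effective value of the property (the last occurrence wins).
# Exit status is 1 when the property does not appear at all.
force_ldaps_value() (
  set -f                          # no globbing while word-splitting $1
  found=1 value=
  for arg in $1; do
    case "$arg" in
      "-D$PROP="*) value=${arg#*=}; found=0 ;;
      "-D$PROP")   value=;          found=0 ;;   # given without a value
    esac
  done
  [ "$found" -eq 0 ] && printf '%s\n' "$value"
  exit "$found"                   # body is a subshell, so this only ends the function
)

# Print the argument string with every occurrence of the property removed.
strip_force_ldaps() (
  set -f
  out=
  for arg in $1; do
    case "$arg" in
      "-D$PROP"|"-D$PROP="*) continue ;;
    esac
    out="${out:+$out }$arg"
  done
  printf '%s\n' "$out"
)

# Constructed sample of a controller's JVM options (hypothetical values).
SAMPLE_ARGS="-Xmx2g -Djava.awt.headless=true -D$PROP=true"

if v=$(force_ldaps_value "$SAMPLE_ARGS"); then
  echo "forceLdaps is present (value '$v')."
  echo "Enable the require TLS option, save the security configuration, then start with:"
  echo "  $(strip_force_ldaps "$SAMPLE_ARGS")"
else
  echo "forceLdaps is not present; review the Active Directory configuration after upgrading."
fi
```

Remove the property only after the security configuration has been saved with the TLS requirement enabled, in the order the notes above give.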
- Jenkins upgrade notes