jenkins/jenkins2-ha-agents Does not work with LDAP authentication

[serverhorror]

TemplateID: jenkins/jenkins2-ha-agents
Region: eu-west-1

The admin username and password are hardcoded in several places. If you change the username, password or authentication method (in our case to LDAP) the setup of the ASG breaks since no data can be sent to the CloudWatch any more.

A workaround would be nice or maybe mentioning this in the limitations?

Thanks,
/M

[michaelwittig]

Hi @serverhorror Can you tell me a little bit more about how you enabled LDAP in your Jenkins?

[serverhorror]

Hi,

Sorry for the late reply.

I didn't do anything special. Just the Jenkins native LDAP authentication, authorization set to "logged in users can do anything" and to test "anyone can do anything".

What happens is that as soon as this is configured the original "admin" user is not a valid user any more and therefore some information in the template is invalidated.

See here:

• https://github.com/widdix/aws-cf-templates/blob/master/jenkins/jenkins2-ha-agents.yaml#L885-L890
• https://github.com/widdix/aws-cf-templates/blob/master/jenkins/jenkins2-ha-agents.yaml#L916-L931
• https://github.com/widdix/aws-cf-templates/blob/master/jenkins/jenkins2-ha-agents.yaml#L951
• ...(and possibly other locations)...

Hope this helps.

[michaelwittig]

After some research I believe that it is not possible to have LDAP enabled and keep a technical user that we can use to talk with the Jenkins API. One possible workaround is to create a technical user in your LDAP and replace the username admin in the template with the username of the new LDAP user.

[serverhorror]

How about something like this:

https://stackoverflow.com/a/55349021/116973

curl 'https://<jenkinsURL>/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken' \
--data 'newTokenName=foo' \
--user username:Password

(supposedly) produces:

{
  "status": "ok",
  "data": {
    "tokenName": "foo",
    "tokenUuid": "<uuid>",
    "tokenValue": "<redacted>"
  }
}

If the tokens stay valid, or maybe there are "system tokens", then it would be possible to get rid of relying on the auth method in all scripts?

I am by no means experienced with scripting Jenkins and everything I know about using Jenkins without the GUI is from your stacks :)

[michaelwittig]

I also looked at the new token mechanism and as far as I understand they are coupled to a user: "Jenkins API tokens are an authentication mechanism that allows a tool (script, application, etc.) to impersonate a user without providing the actual password for use with the Jenkins API or CLI."

I haven not found a "system token" feature that we could use. But I will talk to some people who know Jenkins better than me if there is an option.

[claydanford]

I ran into this same issue trying to integrate SAML.

I was already using a heavily modified version of this template. I decided to migrate to Terraform and use the SWARM plugin.

The API token is tied to the user, but is still used, even if user authentication changes.

https://github.com/neiman-marcus/terraform-aws-jenkins-ha-agents

In this repo, you can look at the cloud-init user-data and see that I generate an API key, publish it to systems manager, and then instruct the agent to pull it for authentication. This might be helpful for this project.

Generating API key:
https://gist.github.com/claydanford/75c21e8192ab3767ceabdbe83185a998

Agent fetching master information and API key:
https://gist.github.com/claydanford/a3da778964493b56bd49ca12f27c6161

Agent connecting via swarm plugin:
https://gist.github.com/claydanford/4bc4cc7cea86d8a57102b725a3eb1498

Hth,

CRD