[Freeipa-users] Jenkins integration?

Michael Ströder michael at stroeder.com
Sat Feb 11 12:28:42 UTC 2017


Alexander Bokovoy wrote:
> On Sat, 11 Feb 2017, Michael Ströder wrote:
>> Harald Dunkel wrote:
>>> On 02/10/17 15:07, Tomasz Torcz wrote:
>>>> On Fri, Feb 10, 2017 at 02:03:48PM +0100, Harald Dunkel wrote:
>>>>> did anybody succeed in using Freeipa for Jenkins' LDAP module?
>>>>> I can't make it work :-(.
>>>>
>>>>   I'm using Jenkins with FreeIPA, but not with Jenkins's LDAP.
>>>> I have Jenkins set to PAM authentication, which in turn goes thru SSSD.
>>>> It works fine, groups are resolved correctly, too.
>>>
>>> That's plan B. It's good to know that this works, but I
>>> don't give up that easy.
>>
>> Jenkins' LDAP integration is pretty good and flexible. I made it work with various
>> LDAP servers in customer projects. I did not have to do that with FreeIPA yet but I'd
>> be very surprised if it doesn't work.
>>
>> (Personally I'd avoid going through PAM.)
>
> Any specific reason for not using pam_sss?

At the end it's a matter of personal taste.

In my deployments PAM logins have most times nothing to do with the services running on a
host which might even use a completely different LDAP service.

> Remember, with SSSD involved you get also authentication for trusted users from Active
> Directory realms. You don't get that with the generic LDAP way.

This might be a use-case for which to prefer going through pam_sss.
As usual your mileage may vary. But we both know next to nothing about the original
poster's infrastructure.

> Also, you'd be more efficient in terms of utilising LDAP connections.

Hmm, IMHO this depends very much on the client software used.
Modern Java software has decent LDAP connection pooling.

Ciao, Michael. (not a Java fan though)

