Figure 7.10. Using LDAP Groups in Jenkins
7.4.3. Using Microsoft Active Directory
Microsoft Active Directory is a directory service product widely used in Microsoft architectures.
Although Active Directory does provide an LDAP service, it can be a little tricky to set up, and it is
simpler to get Jenkins to talk directly to the Active Directory server. Fortunately, there’s a plugin for that.
The Jenkins Active Directory plugin lets you configure Jenkins to authenticate against a Microsoft
Active Directory server. You can both authenticate users and retrieve their groups for Matrix and
Project-based authorization. Note that, unlike the conventional LDAP integration (see Section 7.4.2,
“Using an LDAP Repository”), there is no need to prefix group names with ROLE_—you can use Active
Directory groups (such as “Domain Admins”) directly.
To configure the plugin, you need to provide the full domain name of your Active Directory server.
If you have more than one domain, you can provide a comma-separated list. If you provide the forest
name (say “acme.com” instead of “europe.acme.com”), then the search will be done against the global
catalog. Note that if you do this without specifying the bind DN (see below), the user would have to
log in as “europe\joe” or “joe@europe”.
The advanced options let you specify a site name (to improve performance by restricting the domain
controllers that Jenkins queries), and a Binding DN and password, which come in handy if you are
connecting to a multidomain forest. You need to provide a valid Binding DN and password
that Jenkins can use to connect to your server so that it can establish the full identity of the user being
authenticated. This way, the user can simply type in “jack” or “jill”, and have the system automatically
figure out that they are [email protected] or [email protected]. The Binding DN must be given as the full
user principal name with domain name, like [email protected], or as an LDAP-style distinguished
name, such as CN=Administrator,OU=europe,DC=acme,DC=com.
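The following pre-flight check for the values described above is an added example, not code from the book or from the Active Directory plugin. It validates the comma-separated domain field and the bind name form, and flags the forest-name case in which bare logins will not work. The function names and the `forest_names` parameter are hypothetical; the caller must say which entries are forest names, since that cannot be inferred from the string.

```python
import re

# Rules below come from the text; function and parameter names are hypothetical.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")
_UPN = re.compile(rf"^[^@\\,=\s]+@{_LABEL}(?:\.{_LABEL})+$", re.I)
_DN = re.compile(r"^[A-Za-z]+=[^,=]+(?:,[A-Za-z]+=[^,=]+)*$")


def parse_domains(field):
    """Split the comma-separated domain field and reject malformed names."""
    domains = [d.strip().lower() for d in field.split(",") if d.strip()]
    bad = [d for d in domains if not _DOMAIN.match(d)]
    if not domains or bad:
        raise ValueError(f"invalid domain list: {bad or 'empty'}")
    return domains


def bind_name_form(bind_name):
    """Return 'upn' (user@full.domain.name) or 'dn' (CN=...,DC=...), else raise."""
    if _UPN.match(bind_name):
        return "upn"
    if _DN.match(bind_name) and re.search(r"(?:^|,)DC=", bind_name, re.I):
        return "dn"
    raise ValueError("bind name must be a full UPN or an LDAP distinguished name")


def login_form(login):
    """Classify a typed login: 'domain\\user', 'user@domain', 'bare' or 'invalid'."""
    for sep, form in (("\\", "domain\\user"), ("@", "user@domain")):
        if sep in login:
            left, _, right = login.partition(sep)
            return form if left.strip() and right.strip() else "invalid"
    return "bare" if login.strip() else "invalid"


def review(domain_field, bind_name=None, forest_names=()):
    """Validate the form values; warn where bare logins such as 'jack' will fail."""
    domains, warnings = parse_domains(domain_field), []
    if bind_name is not None:
        bind_name_form(bind_name)  # raises on a short name like 'Administrator'
    else:
        for d in (d for d in domains if d in forest_names):
            warnings.append(f"{d}: forest name without bind DN, "
                            "users must type domain\\user or user@domain")
    return domains, warnings
```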
Another nice thing about this plugin is that it works both in a Windows environment and in a Unix
environment. So if Jenkins is running on a Unix server, it can still authenticate against a Microsoft
Active Directory service running on another machine.