More precisely, if Jenkins is running on a Windows machine and you do not specify a domain, that
machine must be a member of the domain you wish to authenticate against. Jenkins will use ADSI to
figure out all the details, so no additional configuration is required.
On a non-Windows machine (or if you specify one or more domains), you need to tell Jenkins the name
of the Active Directory domain(s) to authenticate with. Jenkins then uses DNS SRV records and the LDAP
service of Active Directory to authenticate users.
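To check which domain controllers a DNS SRV lookup would offer for a domain, the following added example (not part of the original text, and not Jenkins's own code) parses a constructed `dig` answer and lists the servers in preference order. The `_ldap._tcp` query name, the domain `example.com`, the host names and the function names are assumptions made for illustration.

```python
import re

# Constructed `dig +noall +answer SRV _ldap._tcp.example.com` output (not real data).
SAMPLE_ANSWER = """\
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 50 389 dc2.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc-dr.example.com.
; a comment line and a non-SRV record are ignored
dc1.example.com. 600 IN A 192.0.2.10
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

def srv_query_name(domain, service="ldap", proto="tcp"):
    """Build the SRV owner name for a domain, e.g. _ldap._tcp.example.com."""
    return f"_{service}._{proto}.{domain.strip('.').lower()}"

def parse_srv(answer, domain):
    """Return the SRV records for the domain's LDAP service as dicts."""
    wanted = srv_query_name(domain) + "."
    records = []
    for line in answer.splitlines():
        m = SRV_LINE.match(line.strip())
        if not m or m["name"].lower() != wanted:
            continue
        target = m["target"].rstrip(".")
        if not target:  # RFC 2782: a target of "." means the service is not offered
            continue
        records.append({"priority": int(m["priority"]), "weight": int(m["weight"]),
                        "port": int(m["port"]), "host": target.lower()})
    return records

def candidate_servers(answer, domain):
    """Order servers: lowest priority first, then highest weight.

    RFC 2782 picks randomly by weight within one priority; sorting by
    weight is a deterministic simplification used here for readability.
    """
    recs = sorted(parse_srv(answer, domain),
                  key=lambda r: (r["priority"], -r["weight"], r["host"]))
    return [f"{r['host']}:{r['port']}" for r in recs]

if __name__ == "__main__":
    for server in candidate_servers(SAMPLE_ANSWER, "example.com"):
        print(server)
```

An empty result for the domain you entered means the Jenkins host cannot discover any domain controller through DNS, which is worth ruling out before looking at credentials.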
Jenkins can determine which groups in Active Directory the user belongs to, so you can use these
as part of your authorisation strategy. For example, you can use these groups in matrix-based security,
or allow “Domain Admins” to administer Jenkins.
7.4.4. Using Unix Users and Groups
If you are running Jenkins on a Unix machine, you can also ask Jenkins to use the user and group
accounts defined on this machine. In this case, users will log into Jenkins using their Unix account logins
and passwords. This uses Pluggable Authentication Modules (PAM), and also works fine with NIS.
In its most basic form, this is somewhat cumbersome, as it requires new user accounts to be set up and
configured for each new Jenkins user. It is only really useful if these accounts need to be set up for
other purposes.
7.4.5. Delegating to the Servlet Container
Another way to identify Jenkins users is to let your Servlet container do it for you. This approach is
useful if you are running Jenkins on a Servlet container such as Tomcat or GlassFish, and you already
have an established way to integrate the Servlet container with your local enterprise user directory.
Tomcat, for example, allows you to authenticate users against a relational database (using direct JDBC
or a DataSource), JNDI, JAAS, or an XML configuration file. You can also use the roles defined in the
Servlet container’s user directory for use with Matrix and Project-based authorization strategies.
In Jenkins, this is easy to configure—just select this option in the Security Realm section (see
Figure 7.11, “Selecting the security realm”). Once you have done this, Jenkins will let the server take
care of everything.
Figure 7.11. Selecting the security realm