Description
Reproduction Steps
- Install the Jenkins LDAP plugin
- Configure LDAP authentication
- Under Advanced Server Configuration set Group membership to Parse user attribute for list of LDAP groups
- Set Group membership attribute to memberOf (this step isn't critical, this is just our config)
- Add some groups to the memberOf attribute
- Create an unrelated LDAP group.
- In the Jenkins Script Console, run
Jenkins.get().getSecurityRealm().loadGroupByGroupname("szdlkjasdlkjasdlkasdfTHISISNOTAREALGROUPNAME", true).getName()
and
Jenkins.get().getSecurityRealm().loadGroupByGroupname("real-group-name", true).getName()
Expected Results
- For a real group name, return the correct group name
- For an invalid group name, return nothing. My specific example might end up throwing an NPE for running .getName() on a null object.
Actual Results
Always returns the name of the actual LDAP group instead of parsing the user attribute for list of LDAP groups
Additional Information
This is likely long-standing, but was surfaced via JENKINS-72984 as the validateGroup() method now does a lookup instead of just using the passed groupname
BEFORE
String escapedSid = Functions.escape(groupName);
AFTER
GroupDetails details = sr.loadGroupByGroupname2(groupName, false);
escapedSid = Util.escape(StringUtils.abbreviate(details.getDisplayName(), 50));
This causes the Assign Roles page to display the incorrect groups, which caused us to assign permissions to the wrong group.
Originally reported by rickymurphy, imported from: LDAP plugin searching for LDAP groups even when configured to Parse user attribute for list of LDAP groups
- status: Open
- priority: Major
- component(s): ldap-plugin
- resolution: Unresolved
- votes: 0
- watchers: 1
- imported: 2025-12-09
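The check below is an added example for the Jenkins Script Console, not code from the issue or from the LDAP plugin. It resolves each name through the same loadGroupByGroupname2 call shown under AFTER and flags any name for which the realm hands back a different group, which is the condition that leads to a role being assigned to the wrong group. The names in `namesToCheck` are constructed placeholders, and the case-insensitive comparison is an assumption about how group names should match.

```groovy
import jenkins.model.Jenkins
import hudson.security.GroupDetails

// Constructed sample input: replace with the group names used in your role assignments.
def namesToCheck = [
    "real-group-name",
    "szdlkjasdlkjasdlkasdfTHISISNOTAREALGROUPNAME",
]

def realm = Jenkins.get().getSecurityRealm()

// Resolve one name the way the AFTER code does and classify the result.
def check = { String requested ->
    GroupDetails details
    try {
        details = realm.loadGroupByGroupname2(requested, false)
    } catch (Exception e) {
        // A failed lookup is the outcome the report expects for an unknown name.
        return [requested: requested, status: "NOT_FOUND", resolved: e.class.simpleName]
    }
    if (details == null) {
        return [requested: requested, status: "NOT_FOUND", resolved: null]
    }
    // Assumption: group names are compared case-insensitively.
    boolean same = requested.equalsIgnoreCase(details.getName())
    return [requested: requested,
            status   : same ? "OK" : "MISMATCH",
            resolved : "${details.getName()} (display: ${details.getDisplayName()})".toString()]
}

def results = namesToCheck.collect(check)
results.each { r ->
    println String.format("%-10s %-50s -> %s", r.status, r.requested, r.resolved)
}

// Any MISMATCH row means the realm returned a different group than the one asked for;
// review role assignments made against that name before trusting the Assign Roles page.
return results.findAll { it.status == "MISMATCH" }*.requested
```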