Jenkins RBAC User Management OpenLDAP

First, install Jenkins using the link below.
https://www.jenkins.io/doc/book/installing/linux/#debianubuntu
I have installed Jenkins on Ubuntu; I will be using a single node for this blog. Check that the service is running:
sudo systemctl status jenkins
● jenkins.service - Jenkins Continuous Integration Server
Loaded: loaded (/usr/lib/systemd/system/jenkins.service; enabled; preset: enabled)
Active: active (running)
What is OpenLDAP?
OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP).
It’s used to store and manage users, groups, and access control in a centralized manner.
Think of it as a database for identity management, which Jenkins (or other systems) can connect to for authentication and authorization.
Step 1: Install OpenLDAP on EC2
sudo apt-get install slapd ldap-utils -y
Step 2: Configure OpenLDAP (Interactive Setup)
Select No.
You can give any DNS domain name.
You can give any organization name.
Administrator password (note it down; it is the LDAP admin credential used in the ldapadd commands below).
If previous configurations exist, move them aside; I selected No.
Step 3: Configure OpenLDAP via the command prompt.
Use the following steps only if you want to configure slapd via the command prompt. Skip this step if you used step 2.
The base DIT (directory layout) being built is shown below, one LDIF entry per block; LDIF entries must be separated by a blank line:
dn: dc=devopsshack,dc=com
objectClass: top
objectClass: domain
dc: devopsshack

dn: ou=users,dc=devopsshack,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=devopsshack,dc=com
objectClass: organizationalUnit
ou: groups
Create a file named base.ldif:
ubuntu@ip-172-31-6-139:~$ touch base.ldif
vi base.ldif
dn: ou=users,dc=devopsshack,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=devopsshack,dc=com
objectClass: organizationalUnit
ou: groups
| Element | Purpose |
| --- | --- |
| dc=devopsshack,dc=com | The root of the LDAP hierarchy. |
| ou=users | Organizational Unit (OU) to store user entries. |
| ou=groups | OU to store group entries. |
Command: Add base DIT
ldapadd -x -D "cn=admin,dc=devopsshack,dc=com" -W -f base.ldif
-x: Use simple authentication (not SASL).
-D: Specifies the bind DN (LDAP admin).
-W: Prompts for the admin password.
-f: File to load (base.ldif).
ubuntu@ip-172-31-6-139:~$ ldapadd -x -D "cn=admin,dc=devopsshack,dc=com" -W -f base.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=devopsshack,dc=com"
adding new entry "ou=groups,dc=devopsshack,dc=com"
Step 4: Create Users
ubuntu@ip-172-31-6-139:~$ vi users.ldif
dn: uid=adminuser,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: adminuser
sn: Admin
cn: Admin User
userPassword: adminpass

dn: uid=devuser1,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: devuser1
sn: Developer1
cn: Dev User1
userPassword: devpass1

dn: uid=devuser2,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: devuser2
sn: Developer2
cn: Dev User2
userPassword: devpass2

dn: uid=viewer1,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: viewer1
sn: Viewer1
cn: Viewer User1
userPassword: viewerpass1
| Attribute | Purpose |
| --- | --- |
| uid | Unique identifier for the user (used for login). |
| sn | Surname (last name). |
| cn | Common name (full display name). |
| userPassword | Password (in plain text for simplicity; better to hash). |
Command: Add users
ldapadd -x -D "cn=admin,dc=devopsshack,dc=com" -W -f users.ldif
ubuntu@ip-172-31-6-139:~$ ldapadd -x -D "cn=admin,dc=devopsshack,dc=com" -W -f users.ldif
Enter LDAP Password:
adding new entry "uid=adminuser,ou=users,dc=devopsshack,dc=com"
adding new entry "uid=devuser1,ou=users,dc=devopsshack,dc=com"
adding new entry "uid=devuser2,ou=users,dc=devopsshack,dc=com"
adding new entry "uid=viewer1,ou=users,dc=devopsshack,dc=com"
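The attribute table above notes that userPassword is stored in clear text here and would better be hashed. Below is an added example (not code from the post) that reproduces the {SSHA} scheme slappasswd emits by default: a 4-byte random salt, SHA-1 over password || salt, and base64 of digest || salt. A value produced this way can replace the clear-text userPassword in users.ldif, and slapd still verifies simple binds against it. The function names (ssha_hash, ssha_verify, user_entry) are this example's own; in day-to-day use you would run slappasswd instead, and newer OpenLDAP releases also offer stronger schemes such as {ARGON2}.

```python
"""{SSHA} userPassword values for users.ldif (added example, not from the post)."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SALT_LEN = 4          # slappasswd's default salt length for SSHA
DIGEST_LEN = 20       # SHA-1 digest size; everything after it in the decoded value is salt


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password || salt) || salt), as slappasswd does."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value (what slapd does on bind)."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def user_entry(uid, sn, cn, password, base_dn="dc=devopsshack,dc=com"):
    """Render one inetOrgPerson entry with a hashed userPassword.

    The trailing blank line is the LDIF entry separator, so entries concatenate
    directly into a valid users.ldif.
    """
    return "\n".join([
        f"dn: uid={uid},ou=users,{base_dn}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"sn: {sn}",
        f"cn: {cn}",
        f"userPassword: {ssha_hash(password)}",
        "",
    ]) + "\n"


if __name__ == "__main__":
    # The four users from the post, with their clear-text passwords hashed.
    people = [("adminuser", "Admin", "Admin User", "adminpass"),
              ("devuser1", "Developer1", "Dev User1", "devpass1"),
              ("devuser2", "Developer2", "Dev User2", "devpass2"),
              ("viewer1", "Viewer1", "Viewer User1", "viewerpass1")]
    for uid, sn, cn, pw in people:
        print(user_entry(uid, sn, cn, pw), end="")
```

Running the script prints a users.ldif you can load with the same ldapadd command; each run produces different hash strings because the salt is random, which is expected and does not affect verification.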
Step 5: Create Groups
File: groups.ldif
ldapadd -x -D "cn=admin,dc=devopsshack,dc=com" -W -f groups.ldif
ubuntu@ip-172-31-6-139:~$ ldapadd -x -D "cn=admin,dc=devopsshack,dc=com" -W -f groups.ldif
Enter LDAP Password:
adding new entry "cn=jenkins-admins,ou=groups,dc=devopsshack,dc=com"
adding new entry "cn=jenkins-devs,ou=groups,dc=devopsshack,dc=com"
adding new entry "cn=jenkins-viewers,ou=groups,dc=devopsshack,dc=com"
You can verify the LDAP directory:
ubuntu@ip-172-31-6-139:~$ ldapsearch -x -b "dc=devopsshack,dc=com"
This queries the entire directory tree and displays all users and groups.
Step 6: Jenkins RBAC with OpenLDAP
Step 1: Install LDAP Plugin
1. Go to:
Manage Jenkins → Manage Plugins → Available
2. Search for:
LDAP Plugin
3. Install and restart Jenkins.
________________________________________
Step 2: Configure LDAP Authentication
1. Go to:
Manage Jenkins → Configure Global Security
2. Under Security Realm, select LDAP.
During the configuration I got confused here, so I am highlighting it for understanding.
"As shown in the image above, I have added the user 'adminuser' and the group 'jenkins-admin' under matrix-based security."
Option A: Matrix-based Security (Recommended for LDAP)
- Under Authorization, select:
Matrix-based security
Add LDAP groups with @ prefix:
| Identity | Permissions |
| --- | --- |
| @jenkins-admins | ✔️ Administer (all Jenkins permissions) |
| @jenkins-devs | ✔️ Job Read, ✔️ Job Build |
| @jenkins-viewers | ✔️ Job Read |
Option B: Role Strategy Plugin (if needed)
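An added example (not part of the post) that puts the matrix above together with the group entries from Step 5: it parses LDIF text, resolves each user's effective Jenkins permissions through group membership, and flags two things worth checking before trusting the matrix: group members whose user entry no longer exists, and matrix rows naming a group that does not exist in LDAP (such a row grants nothing to anyone, which is what a typo like 'jenkins-admin' for 'jenkins-admins' would produce). The user entries mirror users.ldif; the post does not show groups.ldif, so the groupOfNames/member shape, the stale uid=olddev member and the function names are this example's own assumptions. DN comparison is a lowercase string match, a simplification of LDAP's DN matching rules.

```python
"""Effective Jenkins permissions from LDAP groups (added example, not from the post)."""
import base64
from collections import defaultdict

# Constructed to mirror the post's users.ldif (passwords omitted; not needed here).
USERS_LDIF = """\
dn: uid=adminuser,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: adminuser
sn: Admin
cn: Admin User

dn: uid=devuser1,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: devuser1
sn: Developer1
cn: Dev User1

dn: uid=devuser2,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: devuser2
sn: Developer2
cn: Dev User2

dn: uid=viewer1,ou=users,dc=devopsshack,dc=com
objectClass: inetOrgPerson
uid: viewer1
sn: Viewer1
cn: Viewer User1
"""

# Assumed groups.ldif (groupOfNames with member DNs). uid=olddev is a
# constructed stale member with no user entry, to exercise the orphan check.
GROUPS_LDIF = """\
dn: cn=jenkins-admins,ou=groups,dc=devopsshack,dc=com
objectClass: groupOfNames
cn: jenkins-admins
member: uid=adminuser,ou=users,dc=devopsshack,dc=com

dn: cn=jenkins-devs,ou=groups,dc=devopsshack,dc=com
objectClass: groupOfNames
cn: jenkins-devs
member: uid=devuser1,ou=users,dc=devopsshack,dc=com
member: uid=devuser2,ou=users,dc=devopsshack,dc=com
member: uid=olddev,ou=users,dc=devopsshack,dc=com

dn: cn=jenkins-viewers,ou=groups,dc=devopsshack,dc=com
objectClass: groupOfNames
cn: jenkins-viewers
member: uid=viewer1,ou=users,dc=devopsshack,dc=com
"""

# The matrix from Option A, keyed by LDAP group name.
MATRIX = {
    "jenkins-admins": {"Overall/Administer"},
    "jenkins-devs": {"Job/Read", "Job/Build"},
    "jenkins-viewers": {"Job/Read"},
}


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, one per entry."""
    entries, current, last = [], None, None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:   # folded continuation line
            current[last][-1] += raw[1:]
            continue
        if raw == "":
            if current is not None:
                entries.append(dict(current))
            current, last = None, None
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value)
        last = attr
    return entries


def effective_permissions(users_ldif, groups_ldif, matrix):
    """Return (permissions by uid, orphan (group, member DN) pairs, matrix groups absent from LDAP)."""
    users = {e["dn"][0].lower(): e["uid"][0] for e in parse_ldif(users_ldif)}
    groups = {e["cn"][0]: e.get("member", []) for e in parse_ldif(groups_ldif)}
    perms = {uid: set() for uid in users.values()}
    orphans = []
    for gname, members in groups.items():
        for dn in members:
            uid = users.get(dn.lower())
            if uid is None:
                orphans.append((gname, dn))        # member points at no user entry
                continue
            perms[uid] |= matrix.get(gname, set())
    unmapped = sorted(set(matrix) - set(groups))   # matrix rows that grant nothing
    return perms, orphans, unmapped


if __name__ == "__main__":
    perms, orphans, unmapped = effective_permissions(USERS_LDIF, GROUPS_LDIF, MATRIX)
    for uid, p in sorted(perms.items()):
        print(f"{uid:10} {sorted(p)}")
    print("orphan members:", orphans)
    print("matrix groups missing in LDAP:", unmapped)
```

The orphan check matters because a member DN left behind after a user entry is deleted is harmless today but silently grants access again if a user with the same uid is recreated; the unmapped-group check catches the opposite failure, where a misspelled group name in the matrix leaves an expected role empty.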
Install Role Strategy Plugin.
Set Authorization to Role-Based Strategy.
Define roles like admin, developer, viewer.
Assign LDAP groups to these roles.
Files Recap:
| File | Purpose |
| --- | --- |
| base.ldif | Creates root DN, users OU, groups OU. |
| users.ldif | Adds multiple user entries. |
| groups.ldif | Adds groups and links members. |
Jenkins Configuration Summary:
| Section | Details |
| --- | --- |
| Security Realm | LDAP (uses OpenLDAP for authentication) |
| Authorization | Matrix-based security (RBAC via LDAP groups) |
| Groups | jenkins-admins, jenkins-devs, jenkins-viewers |
| Users | adminuser, devuser1, devuser2, viewer1 |
Written by mehdi pasha