Notes for configuring Jenkins with LDAP inside FreeBSD cluster

Configuring LDAP client

(this section looks out of date)

  1. pkg install openldap-client (not strictly necessary, but useful for testing LDAP from the command line)
  2. copy /usr/local/etc/openldap/* files from freefall.freebsd.org to the Jenkins host

Configuring LDAP in Jenkins

  1. make sure that Jenkins LDAP Plugin is installed

  2. follow Jenkins Standard Security Setup, configuring LDAP

    1. Enable Matrix-based Security. Create a user in the UI with the same login id as in LDAP.

    2. Look at the config files in /usr/local/etc/openldap/ and enter the parameters in the Jenkins LDAP Plugin configuration UI.
    3. Use ldaps:// for the URL so that the connection uses SSL/TLS.
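As an added example (not part of the original notes), the script below reads the OpenLDAP client config copied from freefall and derives the two values the Jenkins LDAP Plugin UI asks for (Server and Root DN), refusing to produce them unless every configured URI is ldaps://. It assumes the standard OpenLDAP ldap.conf keys (URI, BASE, TLS_CACERT); the file path and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the FreeBSD wiki page or the Jenkins project.
# Reads an OpenLDAP ldap.conf and prints the Jenkins LDAP Plugin fields.
# Assumed: ldap.conf uses the standard "URI" / "BASE" / "TLS_CACERT" keys.

# ldap_conf_get FILE KEY -> value of KEY in FILE (first match, comments ignored).
ldap_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        toupper($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the key
            print; exit
        }
    ' "$1"
}

# uri_is_ldaps URI -> 0 only if the scheme is ldaps:// (TLS from the first byte).
# A plain ldap:// URI would send the manager DN and password in cleartext.
uri_is_ldaps() {
    case "$1" in
        ldaps://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# jenkins_ldap_fields FILE -> "server=<URI> rootdn=<BASE>" for the plugin UI,
# or return 1 if either value is missing or any URI is not ldaps://.
jenkins_ldap_fields() {
    uri=$(ldap_conf_get "$1" URI)
    base=$(ldap_conf_get "$1" BASE)
    [ -n "$uri" ] && [ -n "$base" ] || return 1
    # ldap.conf allows several space-separated URIs; all of them must be ldaps://
    for u in $uri; do
        uri_is_ldaps "$u" || return 1
    done
    printf 'server=%s rootdn=%s\n' "$uri" "$base"
}

# Usage: sh jenkins_ldap_fields.sh /usr/local/etc/openldap/ldap.conf
if [ -n "${1:-}" ]; then
    jenkins_ldap_fields "$1" || { echo "refusing: URI/BASE missing or not ldaps://" >&2; exit 1; }
fi
```

Run it against the copied ldap.conf; a non-zero exit means the client config would have let Jenkins bind over an unencrypted ldap:// URI, which is exactly the case step 3 rules out.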

Configuring the certificate

This is not needed anymore, since ldap.freebsd.org uses a Let's Encrypt certificate and the CA information is in base now.

For ldaps://, it may be necessary to add the certificate associated with the LDAP server to the JDK's list of trusted certificates. This is especially true if the certificate is self-signed or its CA is not among the JDK's built-in trust anchors. If you don't do this, authentication errors will occur.

If this is necessary, then you should:

  1. Make sure that openjdk is installed from ports / pkg.
  2. Read: https://issues.jenkins-ci.org/browse/JENKINS-3810

  3. Obtain the certificate for the LDAP server from https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem

  4. Copy default cacert file from $JAVA_HOME/lib/security/cacerts to $JENKINS_HOME/cacerts
  5. Import certificate:

    keytool -import -trustcacerts -alias gandistandardsslca2 -file GandiStandardSSLCA2.pem -keystore $JENKINS_HOME/cacerts

    (The default password for the OpenJDK certificate store is: changeit)

  6. Make Jenkins use this new keystore by adding this line to /etc/rc.conf:

    jenkins_java_opts="-Djavax.net.ssl.trustStore=/usr/local/jenkins/cacerts"
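Steps 4 to 6 above as one script, added here as an example (it is not part of the original notes or of any FreeBSD or Jenkins tooling). It copies the JDK's default cacerts to a Jenkins-private keystore, sanity-checks the PEM file before handing it to keytool, imports the CA idempotently, verifies the alias is really present, and prints the rc.conf line. JAVA_HOME, JENKINS_HOME and the keystore password are taken from the environment with the defaults used in the notes; the JAVA_HOME fallback is an assumption and must match the installed JDK.

```shell
#!/bin/sh
# Added example, not from the FreeBSD wiki page or the Jenkins project.
# Import an LDAP server CA certificate into a Jenkins-private copy of the
# OpenJDK truststore and verify the import.
# Assumed (hypothetical defaults): JAVA_HOME=/usr/local/openjdk11,
# JENKINS_HOME=/usr/local/jenkins, truststore password "changeit".
set -u

STOREPASS="${STOREPASS:-changeit}"   # OpenJDK default cacerts password

# pem_has_cert FILE -> 0 if FILE contains a PEM certificate block.
# keytool gives confusing errors when fed an HTML error page saved as .pem,
# so check the file before touching the keystore.
pem_has_cert() {
    [ -f "$1" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# prepare_truststore SRC DST -> copy the JDK default cacerts to DST unless it exists.
# Never modify $JAVA_HOME/lib/security/cacerts in place: a JDK upgrade replaces it.
prepare_truststore() {
    src="$1"; dst="$2"
    if [ ! -f "$dst" ]; then
        [ -f "$src" ] || return 1
        cp "$src" "$dst" || return 1
    fi
    chmod 644 "$dst"   # trust anchors only, no private keys; readable by the jenkins user
}

# alias_in_store STORE ALIAS -> 0 if keytool lists ALIAS in STORE.
alias_in_store() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# import_ca PEM ALIAS STORE -> import PEM as trusted certificate ALIAS into STORE
# and confirm it is listed. Returns 2 if keytool is not on PATH, 1 on failure.
import_ca() {
    pem="$1"; alias="$2"; store="$3"
    command -v keytool >/dev/null 2>&1 || return 2
    pem_has_cert "$pem" || return 1
    if alias_in_store "$store" "$alias"; then
        return 0   # already imported; re-running the script is safe
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$pem" -keystore "$store" -storepass "$STOREPASS" >/dev/null || return 1
    alias_in_store "$store" "$alias"
}

# rc_conf_line STORE -> the /etc/rc.conf setting that points Jenkins at STORE.
rc_conf_line() {
    printf 'jenkins_java_opts="-Djavax.net.ssl.trustStore=%s"\n' "$1"
}

main() {
    java_home="${JAVA_HOME:-/usr/local/openjdk11}"      # assumed; adjust to the installed JDK
    jenkins_home="${JENKINS_HOME:-/usr/local/jenkins}"
    store="$jenkins_home/cacerts"
    prepare_truststore "$java_home/lib/security/cacerts" "$store" || exit 1
    import_ca GandiStandardSSLCA2.pem gandistandardsslca2 "$store" || exit 1
    echo "imported; add this line to /etc/rc.conf and restart jenkins:"
    rc_conf_line "$store"
}

# Usage: sh import_ldap_ca.sh run   (functions only when sourced without "run")
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because the keystore is a copy, a later JDK upgrade does not silently drop the added CA, but it also does not pick up the JDK's refreshed root bundle; re-run the script after upgrading the JDK if the copy should be refreshed.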

Jenkins/LDAP (last edited 2021-02-03T22:34:21+0000 by LiWenHsu)