Author Archives: Hal Martin

About Hal Martin

In my free time I like experiment with hardware and embedded systems. Here I write about personal projects and random adventures into firmware land.

Jenkins authenticate with FreeIPA LDAP

2 Replies

I run a Jenkins server to build projects like the Arietta G25 Kernel and Banana Pi Kernel.

I also run a FreeIPA server for central authentication and user rights management. I’m not an expert on LDAP and Kerberos, which is why I like FreeIPA because it allows me to manage these without requiring that I be an LDAP or Kerberos demigod.

So, here’s how to configure Jenkins to authenticate against FreeIPA. You will need to install the Jenkins LDAP plugin before proceeding.

Manage Jenkins

The plugin can be installed by clicking on: Manage Jenkins -> Manage Plugins -> Available -> Search “LDAP Plugin”

On the FreeIPA server create an LDIF file to define an unprivileged user to read the LDAP tree. The FreeIPA LDAP server does not appear to support anonymous binds. I recommend the makepasswd program to generate the user password.

-bash-4.2$ cat jenkins.ldif 
dn: uid=jenkins,cn=sysaccounts,cn=etc,dc=watchmysys,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: jenkins
userPassword: 7b1yYzNINU
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

To create the user you need to apply this LDIF to LDAP:

ldapmodify -h ipa.watchmysys.com -p 389 -x -D "cn=Directory Manager" -W -f jenkins.ldif

When the LDAP plugin is installed go back to the “Manage Jenkins” menu, click on “Configure Global Security” and “Enable security”

Next select “Security Realm” -> “LDAP”, and configure the settings for your IPA server as described below:

Jenkins LDAP Security

Server: ldaps://ipa.watchmysys.com
root DN: dc=watchmysys,dc=com
User search base: cn=users,cn=accounts
User search filter: (objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%u)
Group search filter: jenkins
Manager DN: uid=jenkins,cn=sysaccounts,cn=etc,dc=watchmysys,dc=com
Manager password: 7b1yYzNINU
Display Name LDAP attribute: displayname
Email Address LDAP attribute: mail

You may want to choose ldap:// instead of ldaps:// during your testing. I found it useful to run tcpdump between my Jenkins server and IPA server to diagnose authentication failures.

In FreeIPA create a role for Jenkins users:
FreeIPA Jenkins Role

Here is what the corresponding LDAP object is:

# jenkins, roles, accounts, watchmysys.com
dn: cn=jenkins,cn=roles,cn=accounts,dc=watchmysys,dc=com
objectClass: groupofnames
objectClass: nestedgroup
objectClass: top
cn: jenkins
description: Jenkins administrators
member: uid=hmartin,cn=users,cn=accounts,dc=watchmysys,dc=com

I decided that all Jenkins users should be allowed to administer once logged in. You may decide to implement a more complex security system with different privilege levels.

Jenkins Authentication Strategy

Save the changes. You will be unable to administer Jenkins without logging in now. Jenkins will update config.xml in its home with the new security settings:

  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="[email protected]">
    <server>ldaps://ipa.watchmysys.com</server>
    <rootDN>dc=watchmysys,dc=com</rootDN>
    <inhibitInferRootDN>false</inhibitInferRootDN>
    <userSearchBase>cn=users,cn=accounts</userSearchBase>
    <userSearch>(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%u)</userSearch>
    <groupSearchFilter>jenkins</groupSearchFilter>
    <groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
      <filter></filter>
    </groupMembershipStrategy>
    <managerDN>uid=jenkins,cn=sysaccounts,cn=etc,dc=watchmysys,dc=com</managerDN>
    <managerPasswordSecret>bdV4rdfP9sQ1JTsDfJYGQSRvqYtsSafFdVLYwiuv6nTyiaAnfIwxeC2GNfQmy0dfs</managerPasswordSecret>
    <disableMailAddressResolver>false</disableMailAddressResolver>
    <displayNameAttributeName>displayname</displayNameAttributeName>
    <mailAddressAttributeName>mail</mailAddressAttributeName>
  </securityRealm>

If you cannot login to Jenkins using your LDAP username and password then remove the above lines from your config.xml and restart Jenkins. Jenkins will revert back to the default policy of anonymous users are admins.

If your user is not in the Jenkins role on the FreeIPA server you will not be able to login.
Jenkins LDAP Failed Login

You should now have LDAP-based authentication working in Jenkins. You now have all the benefits of central user management in Jenkins, enjoy!

Building the Arietta G25 Kernel

Leave a reply

I’m using the Arietta G25 for a project of mine. Earlier I described how to build a bootloader for the 256MB version of the board.

Today I’m going to describe how to build the kernel for the Arietta G25. I needed ADC support as well as modules for some USB to ethernet adaptors that weren’t included in the kernel image ACME Systems provides.

First off you will need to install the toolchain to build armel binaries. ACME Systems has a page describing how to install the ARM9 toolchain. Here’s the short summary:

$ sudo apt-get install emdebian-archive-keyring libc6-armel-cross libc6-dev-armel-cross binutils-arm-linux-gnueabi gcc-arm-linux-gnueabi g++-arm-linux-gnueabi u-boot-tools libncurses5-dev

Once you have the environment setup it’s time to checkout the kernel and build. This is the Jenkins script I use to build the Arietta G25 kernel:

if [ ! -d "linux-3.14.7" ]; then
wget https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.7.tar.xz -O linux-3.14.7.tar.xz
tar xvfJ linux-3.14.7.tar.xz
cd linux-3.14.7
wget http://www.acmesystems.it/www/compile_linux_3_14/acme.patch -O acme.patch
patch -p1 < acme.patch

wget https://watchmysys.com/blog/wp-content/uploads/2014/08/linux-at91.config -O .config
wget https://watchmysys.com/blog/wp-content/uploads/2014/08/arietta_256m_ikconfig.patch -O arietta_256m_ikconfig.patch
patch -p1 < arietta_256m_ikconfig.patch
else
cd linux-3.14.7
fi
make ARCH=arm clean
CPUS=$(cat /proc/cpuinfo | grep -c "processor")

wget https://watchmysys.com/blog/wp-content/uploads/2014/08/acme-arietta-adc.dtb -O arch/arm/boot/dts/acme-arietta.dtb
make -j$CPUS ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- zImage
make modules -j$CPUS ARCH=arm CROSS_COMPILE=arm-linux-gnueabi-
make modules_install INSTALL_MOD_PATH=./modules ARCH=arm
mkdir -p modules/boot
cp arch/arm/boot/zImage modules/boot/
rm linux-3.14.7-arietta.tar.bz2
tar -C modules -cjvf linux-3.14.7-arietta.tar.bz2 lib/ boot/

The above commands are available in a bash/Jenkins script at the bottom of this post.

Installation is fairly simple, you need to mount the sdcard /boot and / partitions on your computer and then run:

tar -C /path/to/sdcard -jxvf linux-3.14.7-arietta.tar.bz2

My kernel configuration includes the Atmel ADC driver as a module (at91_adc) so you can unload/reload it (possibly to save power). It also includes the dm9601 and sr9700 modules for the Davicom DM96xx USB 2.0 10/100M Ethernet Adaptor, which is an inexpensive USB to ethernet adaptor available online (such as this one).

If you want to generate your own dtb (for instance enable PWM instead of the ADC) you can do that at this ACME Systems page.

Build script: linux-at91.sh
Kernel and modules: linux-3.14.7-arietta.tar.bz2
Kernel Config: linux-at91-3.14.7.config

Building the Banana Pi LeMaker Kernel

11 Replies

I recently bought a Banana Pi because I wanted something more powerful than a Raspberry Pi (and because I had store credit to use up).

I wanted to run Debian on it, but not the Raspbian distribution provided by Lemaker because I find it’s too resource heavy for what I will be using my Banana Pi for. I followed Christian Bock’s excellent blog post on how to build a Debian rootfs for the Banana Pi.

More pre-built SD card images are coming out for the Banana Pi, but I wanted to use a spare 1GB microSD card and no one provides images that small, so I went and built my own.

As Christian noted in his blog post, the sunxi kernel sources do not work well on the Banana Pi as they contain a broken sunxi ethernet driver. The NIC is unstable when running at gigabit speeds (my testing showed approximately 60% packet loss). A definite deal-breaker if you need reliable network access. LeMaker was a bit slow in releasing their kernel source, but after users complained it was released on github.

Prerequisites for building the kernel are outlined in LeMaker’s wiki page. Basically you need the following packages:

build-essential u-boot-tools uboot-mkimage binutils-arm-linux-gnueabihf gcc-4.7-arm-linux-gnueabihf-base g++-4.7-arm-linux-gnueabihf gcc-arm-linux-gnueabihf cpp-arm-linux-gnueabihf libusb-1.0-0 libusb-1.0-0-dev git wget fakeroot kernel-package zlib1g-dev libncurses5-dev

This is the Jenkins script I use to build the LeMaker kernel for the Banana Pi:

if [ ! -d "linux-bananapi" ]; then
git clone -b bananapi-3.4 https://github.com/LeMaker/linux-bananapi.git
fi
cd linux-bananapi
git pull
wget https://watchmysys.com/blog/wp-content/uploads/2014/08/linux-bananapi.config -O .config
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- clean
make -j4 ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- uImage modules
make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=output modules_install
mkdir -p output/boot/
cp arch/arm/boot/uImage output/boot/
tar -C output -cjvf ../linux-bananapi-3.4.90.tar.bz2 boot/ lib/

I’ve included the above commands in a script at the end of this post. I’ve added additional comments explaining the what and why for people who don’t arbitrarily trust strangers on the internet.

Installation is fairly simple, you need to mount the sdcard /boot and / partitions on your computer and then run:

tar -C /path/to/sdcard -jxvf linux-bananapi-3.4.90.tar.bz2

This will extract /boot/uImage and the kernel modules to /lib/modules/3.4.90-00261-gb3b7287

My kernel configuration includes the sunxi ethernet driver as a module (sunxi_gmac) so that you can unload/reload it if necessary. This means you need to use both the uImage and the modules provided or you will not have network connectivity.

Build script: bash/Jenkins build script
Kernel and modules: linux-bananapi-3.4.90.tar.bz2
Kernel Config: linux-bananapi-3.4.90.config