Configure LDAP with Rundeck Version 3.4.9 on Windows Server-2019

[Rahul Saxena]

Hi Team,

I am facing an issue while configuring LDAP with my Rundeck server. I also have an old version of Rundeck 2.11 where LDAP configuration is working but with 3.4 it is not. I tried all possible configurations mentioned on Google but no luck so far.  Below is my configuration:

In profile.bat i added below:

set RDECK_JVM_OPTS=-Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG -Drundeck.jaaslogin=true

I also tried with below configuration but that didn't help:

set RDECK_JVM_OPTS=-Drundeck.jaaslogin=true -Djava.security.auth.login.config=C:\rundeck\server\config\jaas-activedirectory.conf -Dloginmodule.name=activedirectory

Here is my Profile.bat file:

set RDECK_BASE=C:\rundeck

set JAVA_HOME=C:\Program Files\Java\jre1.8.0_202

:: Unsetting JRE_HOME to ensure there is no conflict with JAVA_HOME
(set JRE_HOME=)

set Path=%JAVA_HOME%\bin;%RDECK_BASE%\tools\bin;%Path%

set RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=%RDECK_BASE%\etc\truststore -Djavax.net.ssl.trustStoreType=jks -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
set RDECK_CLI_OPTS=-Xms256m -Xmx4096m
set RD_LIBDIR=%RDECK_BASE%\tools\lib
set KUBECONFIG=C:\Users\rsaxena\.kube\config
set AWS_CONFIG_FILE=C:\Users\rsaxena\.aws\config
set AWS_SHARED_CREDENTIALS_FILE=C:\Users\rsaxena\.aws\credentials

set RDECK_JVM_OPTS=-Drundeck.jaaslogin=true -Djava.security.auth.login.config=C:\rundeck\server\config\jaas-activedirectory.conf -Dloginmodule.name=activedirectory

Below is my jass-activedirectory.conf file under C:\rundeck\server\config:

activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://ADURL1:389 ldap://ADURL2:389 ldap://ADURL3:389"
    bindDn="CN=Connect Service,OU=Service,OU=SA,DC=dma,DC=net"
    bindPassword="XXXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Users,OU=adbe,DC=dma,DC=net"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Groups,OU=adbe,DC=dma,DC=net"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
supplementalRoles="user";
};

It seems like Rundeck is not even trying to authenticate via LDAP and keeps giving me "Bad Credentials" error.  It is only working with default admin/ admin login.

ERROR Log:

[2022-05-17T13:44:43,795] INFO  rundeckapp.BootStrap - Rundeck is ACTIVE: executions can be run.
[2022-05-17T13:44:43,803] WARN  rundeckapp.BootStrap - The JVM default encoding is not UTF-8: windows-1252, you may not see output as expected for multibyte locales. Specify -Dfile.encoding=UTF-8 in the JVM options.
[2022-05-17T13:44:43,999] WARN  rundeckapp.BootStrap - [Development Mode] Usage of H2 database is recommended only for development and testing
[2022-05-17T13:44:44,222] INFO  rundeckapp.BootStrap - Rundeck startup finished in 740ms
[2022-05-17T13:44:44,350] INFO  rundeckapp.Application - Started Application in 38.4736417 seconds (JVM running for 41.799)
Grails application running at http://0.0.0.0:4440 in environment: production
[2022-05-17T13:44:57,973] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Request is to process authentication
[2022-05-17T13:44:58,024] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151) ~[spring-security-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]

Can someone please help?

[rac...@rundeck.com]

Hi Rahul, could you test using these Active Directory parameters directly in the launch script like this? (or launch rundeck manually using those params).

Regards!

[Rahul Saxena]

I added below to my profile.bat file:

set RDECK_JVM_="-Drundeck.jaaslogin=true -Dloginmodule.name=ldap -Dloginmodule.conf.name=C:\rundeck\server\config\jaas-activedirectory.conf"

Is it what you were suggesting?

I tried this but it didn't help and I am still getting the same error message.

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/b9e69d15-f0a3-4320-b534-7cab8e41e92bn%40googlegroups.com.

[rac...@rundeck.com]

Hi Rahul,

I mean, passing those AD params directly launching Rundeck manually, that’s a good way to discard any conf issue in your environment, something like: java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-4.2.1-20220511.war and see the behavior.

And then do the same in the startup script, the “start_rundeck.bat” file in this guide.

Greetings.

​

[Rahul Saxena]

I used below parameter from command prompt to start Rundeck service and i could login with LDAP successfully:

c:\rundeck>java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-3.4.9-20211221.war

Do you want me to add the same command in start_rundeck.bat file like below:

set CURDIR=%~dp0
call %CURDIR%etc\profile.bat
java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -jar rundeck-3.4.9-20211221.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1
java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-3.4.9-20211221.war

Please confirm.

Thanks,

Rahul

To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/1767d8b8-7f2b-46c1-bf1d-9f4e18752e5en%40googlegroups.com.

[rac...@rundeck.com]

Hi Rahul,

Right, this is a good way to avoid upgrading problems, take a look.

But in your script, you have two java calls, this example looks more accurate:

set CURDIR=%~dp0
call %CURDIR%etc\profile.bat
java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-4.2.0-20220509.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1

You can see this on the documentation.

Greetings.

​

[Rahul Saxena]

Thanks for the swift response. I had already made the required changes and successfully authenticated via LDAP.  I figured out when the log file wasn't created so i had commented out the last java call.

set CURDIR=%~dp0
call %CURDIR%etc\profile.bat

java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-3.4.9-20211221.war >> %CURDIR%\var\logs\service.log  2>&1
::java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -jar rundeck-3.4.9-20211221.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1

To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/61e66192-3246-42ba-9fa6-9af9ee9fd63an%40googlegroups.com.

[rac...@rundeck.com]

Great news Rahul! :-)

[Rahul Saxena]

Thanks for all your help in getting this sorted out.  Much appreciated.

To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/ff53cae8-c9e0-43ee-a433-a49318414ab2n%40googlegroups.com.