Trouble with AD Auth


Joe Miller

Jan 25, 2016, 5:15:09 PM
to rundeck-discuss
Hello,

I am attempting to get AD authentication set up on my RunDeck machine and I'm having some issues.  The AD group in question is called "RunDeckDevOps" and this is the message RunDeck gives me when attempting to log in:

You have no authorized access to projects.

Contact your administrator. (User roles: RunDeckDevops, user)


Here's what the audit log says upon attempting to log in:

Evaluating Decision for: res<type:resource, kind:project> subject<Username:joem Group:RunDeckDevops Group:user> action<create> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)


I have my jaas-activedirectory.conf file according to documentation and the profile specifying the AD module as opposed to the file based auth that comes out of the box.  I believe since I'm not getting booted out and instead getting the error above means that I am reaching out to AD successfully and that I don't have the roles set up correctly.  Here's my admin.aclpolicy file:

description: Full access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: RunDeckDevOps


I've added the AD group in question to the web.xml file:

<!-- web.xml allows one role-name per security-role element -->
<security-role>
  <role-name>user</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>RunDeckDevOps</role-name>
</security-role>


I'm not sure what else I need to do.  Any help is greatly appreciated, thanks!


titlei...@gmail.com

Jan 25, 2016, 7:11:40 PM
to rundeck-discuss
These 2 pages helped me figure this out.  I've got AD auth working with groups now.  Perhaps they will help you.  You are very close.

http://ftclausen.github.io/general/rundeck_-_authentication_and_authorisation_notes/

https://meinit.nl/connect-rundeck-active-directory

Jay

Greg Schueler

Jan 25, 2016, 7:11:48 PM
to rundeck...@googlegroups.com
Hi Joe,

I notice you have a case mismatch between "RunDeckDevops" (shown in GUI), and "RunDeckDevOps" (used in aclpolicy file).

The equality comparison is case-sensitive, so try changing the case in the aclpolicy file.

For future reference, you can do a case-insensitive policy using the regular expression syntax provided by Java. E.g. you could change your aclpolicy to:

    group: (?i)RunDeckDevOps

This would then use regular expression matching with the case-insensitive flag enabled.

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/cd39def0-0050-4fbd-8e70-4f4ff2157a26%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Joe Miller

Jan 25, 2016, 7:31:39 PM
to rundeck-discuss
Hey Greg,

Thanks for pointing that out. However, I am still getting the same error after updating the aclpolicy file and the role name in the web.xml.

Joe Miller

Jan 25, 2016, 7:34:04 PM
to rundeck-discuss
Thanks Jay, I've been looking at both of these actually.  I think there's something I am still missing because I've reviewed a few of these types of blog posts.

Kris Musard

Jan 26, 2016, 12:29:58 PM
to rundeck-discuss
Do you have any messages in service.log when logging in? What does your jaas configuration file look like?

Joe Miller

Jan 26, 2016, 12:54:58 PM
to rundeck-discuss
Hey Kris,

In the service log I'm being returned info from AD regarding my user account. This is why I suspect the AD connection is working fine and it's the mapping of roles to RunDeck perms. Here's the relevant service log line:

2016-01-26 09:50:46.064:INFO:cdrjj.JettyCachingLdapLoginModule:Attempting authentication: CN=Joe Miller,OU=DevOps,OU=Seattle,OU=Company,OU=Users,DC=domain,DC=com


Here's my jaas config:

activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://ABC-01.domain:389"
    bindDn="CN=svcRunDeckLDAP,OU=Service Accounts,OU=Users,DC=paraport,DC=com"
    bindPassword="MYPASSWORD"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Users,DC=domain,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    forceBindingLoginUseRootContextForRoles="true"
    roleBaseDn="OU=RunDeck,OU=Security Groups,DC=domain,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="admin,user";
};

Greg Schueler

Jan 26, 2016, 1:23:12 PM
to rundeck...@googlegroups.com
It looks like your AD authentication via LDAP/JAAS is set up correctly.  Since you are seeing "No access to projects", it is an authorization issue (aclpolicy).  A few things to try: 

Try adjusting the group name in aclpolicy, and making sure that Rundeck is loading the policy files you are modifying as expected.  

You can also use the "rd-acl" commandline tool to test the authorization. If you don't specify the policy file location, it will attempt to load all of the policy files in the correct config location automatically. Check the validity and also test the group authorization.

I noticed you pasted the "context: project" section of the aclpolicy. Make sure you also have a "context: application: rundeck" section; this is where you grant the access to projects.

About the web.xml user roles: typically you can leave this as "user" role, and leave the supplementalRoles="user" in your JAAS config.  This sets it up so that any valid login via JAAS has access to Rundeck.


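Added example, not Rundeck's code and not from anyone in this thread: a small Python model of the two points Greg raises above, the case-sensitive regex match of "by: group:" (with the "(?i)" flag to relax it) and the need for a second policy document with "context: application: rundeck". The policy text, group names and requests below are constructed; the reason string REJECTED_NO_SUBJECT_OR_ENV_FOUND is taken from the audit log in the first post. The parser handles only the YAML subset shown, and the evaluator is a deliberate simplification of Rundeck's real engine (no match/equals/contains qualifiers, no action lists).

```python
"""Simplified model of Rundeck aclpolicy evaluation, added as an example for
this thread (not Rundeck's own code).  Assumes what the replies state:
'by: group:' is a regex matched against the whole group name, case-sensitive
unless '(?i)' is used, and a document only applies to requests whose
environment matches its 'context:' section."""
import re

# Constructed policy in aclpolicy YAML layout: a trimmed copy of the posted
# project-context document, plus the 'context: application: rundeck' document
# Greg says is also needed.  '(?i)' makes the group match case-insensitive.
ADMIN_ACLPOLICY = """\
description: Full access to all projects.
context:
  project: '.*'
for:
  resource:
    - allow: '*'
  job:
    - allow: '*'
by:
  group: (?i)RunDeckDevOps

---

description: Application-level access (list and create projects).
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*'
  project:
    - allow: '*'
by:
  group: (?i)RunDeckDevOps
"""

def _scalar(value):
    """Drop surrounding quotes from a scalar value."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def _parse_block(lines):
    """Parse one document of the YAML subset above (2-space nested mappings
    and '- key: value' list items).  Not a general YAML parser."""
    root = {}
    # Stack entries are (indent, owner, key): deeper lines go into owner[key],
    # which stays None until the first child shows list vs. mapping.
    stack = [(-1, {"root": root}, "root")]
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        text = raw.strip()
        while indent <= stack[-1][0]:
            stack.pop()
        _, owner, key = stack[-1]
        if owner[key] is None:
            owner[key] = [] if text.startswith("- ") else {}
        container = owner[key]
        if text.startswith("- "):
            item_key, _, item_val = text[2:].partition(":")
            container.append({item_key.strip(): _scalar(item_val)})
        else:
            name, _, val = text.partition(":")
            name, val = name.strip(), val.strip()
            container[name] = _scalar(val) if val else None
            if not val:
                stack.append((indent, container, name))
    return root

def parse_policy_docs(text):
    """Split on '---' separators and parse each policy document."""
    return [_parse_block(chunk.splitlines()) for chunk in text.split("\n---\n")]

def evaluate(docs, groups, context, kind, action):
    """Decide one request.  context is ('project', name) or
    ('application', 'rundeck'); kind is the resource type ('project', 'job',
    ...).  Only 'allow: *' and a single-action allow are modelled."""
    ctx_type, ctx_name = context
    matched_any = False
    for doc in docs:
        policy_ctx = doc.get("context", {})
        if ctx_type not in policy_ctx or not re.fullmatch(policy_ctx[ctx_type], ctx_name):
            continue  # document is for a different environment
        # Whole-name regex match of the 'by: group' value against each group.
        if not any(re.fullmatch(doc["by"]["group"], g) for g in groups):
            continue  # subject's groups do not match this document
        matched_any = True
        for rule in doc["for"].get(kind, []):
            if rule.get("allow") in ("*", action):
                return True, "allowed by %r" % doc["description"]
    if not matched_any:
        # The reason Rundeck's audit log printed in the first post.
        return False, "REJECTED_NO_SUBJECT_OR_ENV_FOUND"
    return False, "no matching allow rule"

if __name__ == "__main__":
    docs = parse_policy_docs(ADMIN_ACLPOLICY)
    groups = ["RunDeckDevops", "user"]  # as the GUI message showed them
    request = (("application", "rundeck"), "project", "create")  # from the audit log
    print(evaluate(docs[:1], groups, *request))  # project-only document: rejected
    exact = [dict(d, by={"group": "RunDeckDevOps"}) for d in docs]
    print(evaluate(exact, groups, *request))  # case mismatch: rejected
    print(evaluate(docs, groups, *request))  # both documents, (?i): allowed
```

Because the match is against the whole group name, "(?i)RunDeckDevOps" only relaxes case; a loose pattern such as ".*" in "by: group:" would hand the policy to every authenticated user, so keep the regex as specific as the AD group name itself.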

Joe Miller

Jan 26, 2016, 1:41:01 PM
to rundeck-discuss
So something interesting happened: I switched RunDeck back to the default file auth so I could log in and take a look and see if all my policy files were being loaded, and now I'm getting a very similar message:

You have no authorized access to projects.

Contact your administrator. (User roles: architect, build, admin, user, deploy)

This is using the admin user account set up in the realm.properties file.  I haven't changed anything with this and I've been using this fine up until the point I started working on the AD auth.

Greg Schueler

Jan 26, 2016, 3:06:40 PM
to rundeck...@googlegroups.com
Hi Joe,
That suggests to me that your aclpolicy files are not being loaded by rundeck as you expect: the permissions/ownership are wrong, they are in the wrong location on disk (or rundeck config is expecting them in the wrong location), or something like that.


Joe Miller

Jan 26, 2016, 3:11:30 PM
to rundeck-discuss
So I was finally able to get AD auth to work; I believe I had a syntax error in one of the policy files. That wasn't all though: I had to specify "user" and only "user" in the security-roles section in the web.xml. I then had to change my admin aclpolicy file to reference the user group. This allows me to log in with AD creds, but I am still unsure as to how to use AD security groups in the aclpolicy files. Anything I try doesn't seem to work.

Kris Musard

Jan 27, 2016, 10:27:25 AM
to rundeck-discuss
Now that you can log in, click on your user name in the upper right corner and click on "Profile". Under your profile, do you see the expected list of groups being pulled in from AD?

Joe Miller

Jan 27, 2016, 1:17:35 PM
to rundeck-discuss
Hey Kris,

I do see the expected group.  But if I change my aclpolicy file to reference the AD group as opposed to the default "user" as specified in the web.xml I can't log in anymore.

Kris Musard

Jan 29, 2016, 10:46:20 AM
to rundeck-discuss
Hi Joe,

If you see the groups then your jaas configuration should be ok.  Are you adding the AD group to both the project and application context sections in the policy file and entering the AD group name as seen in the profile exactly including character case? I'm thinking something has to be wrong with the ACL file.

Ramakanta Sahoo

Feb 4, 2016, 1:49:47 PM
to rundeck-discuss
Can you check the article below? I had the same issue but was able to complete it using the steps in the link. See if this helps.


Thanks,
R

Joe Miller

Feb 4, 2016, 1:54:18 PM
to rundeck-discuss
Thanks for this. I was able to get it to work by messing around with the aclpolicy files. I think I had some syntax errors (meaningful white space, I believe) that were really hard to track down.