Error using ldap with rundeck


abdel.b...@gmail.com

Aug 29, 2016, 10:48:28 AM
to rundeck-discuss
Hello,

I'm trying to configure LDAP with Rundeck, but I can't access Rundeck using LDAP users.

The error that I have is:

2016-08-29 07:58:21.468:WARN:oejpj.JAASLoginService:
javax.security.auth.login.LoginException: Error obtaining user info.
at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.authenticate(JettyCachingLdapLoginModule.java:696)
at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.login(JettyCachingLdapLoginModule.java:599)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
at org.eclipse.jetty.plus.jaas.JAASLoginService.login(JAASLoginService.java:217)
at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:183)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:456)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
at org.eclipse.jetty.server.Server.handle(Server.java:349)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:857)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:599)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:534)
at java.lang.Thread.run(Thread.java:745)


This is my LDAP config file (jaas-ldap.conf):

ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldap://ldap.mysite.com:389"
      bindDn="cn=admin,dc=mysite,dc=com"
      bindPassword="password"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="dc=mysite,dc=com"
      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="account"
      roleBaseDn="dc=mysite,dc=com"
      roleNameAttribute="cn"
      roleUsernameMemberAttribute="memberUid"
      roleMemberAttribute="memberUid"
      roleObjectClass="posixGroup"
      cacheDurationMillis="300000"
      reportStatistics="true";

      org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule required
      debug="true"
      file="/etc/rundeck/realm.properties";
};

and the realm.properties:

#
# This sets the default user accounts for the Rundeck app
#
admin:test,user,admin,architect,deploy,build


I use ldapsearch to search for the test user and it works correctly:

ldapsearch -H ldap://ldap.mysite.com:389 -D "cn=admin,dc=mysite,dc=com" -x -w 'password' -b "dc=mysite,dc=com" "cn=test"

# extended LDIF
#
# LDAPv3
# base <dc=mysite,dc=com> with scope subtree
# filter: cn=test
# requesting: ALL
#

...

# numResponses: 4
# numEntries: 3


Any suggestions or help to solve this problem?

Thank you!
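
The ldapsearch above matches on cn=test, whereas the login module locates a user with a filter built from userObjectClass and userIdAttribute under userBaseDn and then looks up roles under roleBaseDn, so the two queries can return different things. The following added script (not code from the Rundeck project or from the original post) parses the jaas-ldap.conf stanza quoted in the question and prints the ldapsearch commands that replay those two lookups. It assumes the filter shapes used by Jetty's LdapLoginModule, from which Rundeck's module derives, that the user search is subtree-scoped, and that the role search is one-level unless roleSearchSubtree="true"; these are assumptions about the module, not facts stated in the thread.

```python
"""Replay the LDAP lookups a Jetty-style LDAP JAAS login module performs.

Added example for this thread; not code from the Rundeck project or from
either poster. Assumed (as in Jetty's LdapLoginModule): the user is found with
    (&(objectClass=<userObjectClass>)(<userIdAttribute>=<username>))
under userBaseDn (subtree scope), and roles with
    (&(objectClass=<roleObjectClass>)(<roleUsernameMemberAttribute>=<username>))
under roleBaseDn (one-level unless roleSearchSubtree="true").
"""
import re
import shlex

# Copied from the question's jaas-ldap.conf; only the LDAP module's options are used.
JAAS_STANZA = '''
ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldap://ldap.mysite.com:389"
      bindDn="cn=admin,dc=mysite,dc=com"
      bindPassword="password"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="dc=mysite,dc=com"
      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="account"
      roleBaseDn="dc=mysite,dc=com"
      roleNameAttribute="cn"
      roleUsernameMemberAttribute="memberUid"
      roleMemberAttribute="memberUid"
      roleObjectClass="posixGroup"
      cacheDurationMillis="300000"
      reportStatistics="true";
};
'''

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into a search filter.

    Skipping this lets a submitted username such as '*)(uid=*' rewrite the
    filter (LDAP filter injection).
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_jaas_options(stanza: str) -> dict:
    """Collect the key="value" option pairs from a JAAS login-module stanza."""
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', stanza))


def user_filter(opts: dict, username: str) -> str:
    return "(&(objectClass={})({}={}))".format(
        escape_filter_value(opts["userObjectClass"]),
        opts["userIdAttribute"],
        escape_filter_value(username),
    )


def role_filter(opts: dict, username: str) -> str:
    return "(&(objectClass={})({}={}))".format(
        escape_filter_value(opts["roleObjectClass"]),
        opts["roleUsernameMemberAttribute"],
        escape_filter_value(username),
    )


def ldapsearch_command(opts: dict, base_dn: str, scope: str, filt: str, attrs: list) -> str:
    """Build the ldapsearch invocation equivalent to one module lookup.

    -W prompts for the bind password; -w would leave it in shell history and ps output.
    """
    argv = ["ldapsearch", "-x", "-H", opts["providerUrl"], "-D", opts["bindDn"],
            "-W", "-b", base_dn, "-s", scope, filt, *attrs]
    return " ".join(shlex.quote(a) for a in argv)


def diagnostics(opts: dict, username: str) -> dict:
    """The two searches to run by hand when the module cannot obtain user info."""
    # Assumption: role search scope mirrors the module's roleSearchSubtree option.
    role_scope = "sub" if opts.get("roleSearchSubtree", "false").lower() == "true" else "one"
    return {
        "user": ldapsearch_command(opts, opts["userBaseDn"], "sub",
                                   user_filter(opts, username), ["dn", opts["userIdAttribute"]]),
        "roles": ldapsearch_command(opts, opts["roleBaseDn"], role_scope,
                                    role_filter(opts, username), [opts["roleNameAttribute"]]),
    }


if __name__ == "__main__":
    options = parse_jaas_options(JAAS_STANZA)
    for step, cmd in diagnostics(options, "test").items():
        print(f"# {step} lookup\n{cmd}\n")
```

Run the printed commands with the same bind DN the module uses. If the user lookup returns zero entries, or more than one, the objectClass and attribute options do not describe the directory the way the cn=test search suggested; the numEntries: 3 above is a hint that cn=test is matching more than a single account entry.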


Chris Cerda

Sep 16, 2016, 3:16:16 PM
to rundeck-discuss
Not sure if there is quite enough information to figure it out from that, but for your realm.properties line for admin, assuming admin is a user within LDAP, the password needs to be '-'. Like:

admin:-,user,admin,architect,deploy,build

Now, I am not using the Caching module; I'm using the Combined module. But here is my setup:



jaas-loginmodule.conf:

multiauth {
   org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule sufficient
      debug="true"
      file="/path/to/realm.properties";

   com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldap://ldap.mysite.com:389/"
      bindDn="cn=admin,ou=mysite,o=auth"
      bindPassword="password"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="ou=husers,ou=users,o=auth"
      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="inetOrgPerson"
      roleBaseDn="ou=unix,ou=mysite,o=auth"
      roleNameAttribute="cn"
      roleMemberAttribute="objectClass"
      roleUsernameMemberAttribute="cn"
      roleObjectClass="groupOfNames"
      roleSearchSubtree="true"
      supplementalRoles="user"
      reportStatistics="true"
      timeoutRead="10000"
      timeoutConnect="20000"
      ignoreRoles="true"
      storePass="true";

   org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
      debug="true"
      useFirstPass="true"
      file="/path/to/realm.properties";
};

and here is a snippet from my realm.properties:

#
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
#  <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed.  The class
# org.mortbay.util.Password should be used to generate obfuscated
# passwords or password checksums
#
# This sets the temporary user accounts for the Rundeck app
#
admin:admin,user,admin ###Local user that can be for Command Level stuff and a "backdoor" in case LDAP is down
user:user,user
#########################
ldapuser1:-,user,admin
ldapuser2:-,user,admin

Here is what my process looks like; note -Dloginmodule.conf.name and -Dloginmodule.name:

/opt/apps/asa/java8/bin/java -Xmx2048m -Xms1024m -server -Dloginmodule.conf.name=jaas-loginmodule.conf -Dloginmodule.name=multiauth -Dhibernate.jdbc.use_get_generated_keys=true -Dserver.http.port=4440 -server -jar /path/to/rundeck-launcher.jar --skipinstall



Chris Cerda

Sep 16, 2016, 3:19:24 PM
to rundeck-discuss
Please note I messed up when obfuscating users and stuff. The first user of my realm.properties is a backdoor local user, and the actual admin user name I use for binding to LDAP is NOT admin. That user is NOT in my realm.properties.
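
A realm.properties file mixes local accounts with LDAP-backed ones, and the only thing that tells them apart is the '-' password. The added checker below (not code from the Rundeck project or from either reply) parses that format and reports which users are delegated to LDAP, which still carry cleartext passwords, and where a '#' has ended up inside a value. It assumes the format given in the file's own header comment, Jetty's OBF:/MD5:/CRYPT: prefixes for encoded passwords, and that the file is loaded through java.util.Properties, which treats '#' as a comment only at the start of a line; the sample file is constructed.

```python
"""Lint a Jetty/Rundeck realm.properties file.

Added example for this thread; not code from the Rundeck project or from either
poster. Assumed format (from the file's header): <username>: <password>[,<role> ...],
"-" as the password of a user verified by the LDAP module, and OBF:/MD5:/CRYPT:
prefixes for non-cleartext passwords. Assumed loader: java.util.Properties, where
'#' starts a comment only at the beginning of a line.
"""
import re

# Constructed sample modelled on the snippet in the reply; all values are placeholders.
SAMPLE_REALM = """\
# This sets the temporary user accounts for the Rundeck app
admin:admin,user,admin
user:user,user
#########################
ldapuser1:-,user,admin
ldapuser2:-,user,admin
ops:OBF:1u2a1toa1w8v1tok1u30,user
"""

ENCODED_PREFIXES = ("OBF:", "MD5:", "CRYPT:")
_ENTRY = re.compile(r"^([^:=\s]+)\s*[:=]\s*(.*)$")


def parse_realm(text: str) -> dict:
    """Return {username: {"password": str, "roles": [str], "line": int}}."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":      # Properties comment lines
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a <user>:<password>[,<role>...] entry")
        name, rest = m.group(1), m.group(2)
        password, _, roles = rest.partition(",")
        users[name] = {
            "password": password.strip(),
            "roles": [r.strip() for r in roles.split(",") if r.strip()],
            "line": lineno,
        }
    return users


def classify(password: str) -> str:
    if password == "-":
        return "ldap-delegated"
    if password.startswith(ENCODED_PREFIXES):
        return "encoded"
    return "cleartext"


def lint(users: dict) -> list:
    """Findings as (line, user, message) tuples; also records each user's kind."""
    findings = []
    for name, entry in users.items():
        kind = classify(entry["password"])
        entry["kind"] = kind
        if kind == "cleartext":
            findings.append((entry["line"], name,
                             "cleartext password; use OBF:/MD5:/CRYPT: or '-' for LDAP users"))
        if "#" in entry["password"] or any("#" in r for r in entry["roles"]):
            findings.append((entry["line"], name,
                             "'#' inside a value is not a comment; it becomes part of the password or a role name"))
    return findings


def ldap_users(users: dict) -> list:
    """Users whose password check is delegated to the LDAP module."""
    return [n for n, e in users.items() if e["password"] == "-"]


if __name__ == "__main__":
    parsed = parse_realm(SAMPLE_REALM)
    for line, name, msg in lint(parsed):
        print(f"line {line}: {name}: {msg}")
    print("LDAP-authenticated users:", ", ".join(ldap_users(parsed)))
```

The local "backdoor" account a reply describes is exactly the kind of entry this flags: it is the one that keeps working when LDAP is down, so its password should at least be stored encoded rather than in the clear.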