Rundeck WAR deployment with Tomcat / Unable to access LDAP: issue with com.sun.security.auth.module.LdapLoginModule


Frederic Egmorte

Aug 3, 2016, 10:43:23 AM
to rundeck-discuss
Hi,

We have an issue with a Rundeck setup deployed as a WAR in Tomcat.
We are trying to configure LDAP access via Tomcat and JAAS.

We configured the realm in server.xml:

<Realm className="org.apache.catalina.realm.CombinedRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha-256"/>


        <Realm className="org.apache.catalina.realm.JAASRealm"
          appName="rundeck_app_name_ldap"
          userClassNames="com.sun.security.auth.UserPrincipal"
        roleClassNames="com.sun.security.auth.UserPrincipal" debug="99"
        />
</Realm>


We also configured WEB-INF/jaas.conf:

rundeck_app_name_ldap {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    debug="true"
    useSSL="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://xx.xx.xx.xx:389"
    bindDn="cn=usertouse,dc=company,dc=fr"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=def_tree,ou=def_tree,dc=company,dc=fr"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="ou=def_tree,ou=def_tree,dc=tessi-techno,dc=fr"
    roleNameAttribute="sAMAccountName"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    supplementalRoles="user"
    reportStatistics="true"
    timeoutRead="10000"
    timeoutConnect="20000"
    nestedGroups="true";
};


We changed the Tomcat launcher to set up the configuration at startup:
JAVA_OPTS="${JAVA_OPTS} -Drundeck.config.location=${RDECK_BASE}/rundeck-config.properties -Drdeck.base=${RDECK_BASE}"
JAVA_OPTS="${JAVA_OPTS} -Djava.security.auth.login.config=/path/to/rundeck/WEB-INF/jaas.conf -Dloginmodule.name=rundeck_app_name_ldap"


When we launch Tomcat, everything is OK.

We can log in with a user defined in tomcat-users.xml,

BUT we can't connect to the LDAP.

We get an error message when I try to connect with my user:


2016-08-03 15:24:56,623 [main][INFO ][org.apache.catalina.startup.Catalina] - Server startup in 42359 ms
                [LdapLoginModule] search-first mode; SSL disabled
                [LdapLoginModule] aborted authentication
2016-08-03 15:25:57,847 [http-apr-8080-exec-1][WARN ][org.apache.catalina.realm.JAASRealm] - Exception during login authentication of user name myPersonalUser
javax.security.auth.login.LoginException: Unable to locate the LDAP directory service
        at com.sun.security.auth.module.LdapLoginModule.login(LdapLoginModule.java:503)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:595)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:433)
        at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:354)
        at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2377)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)


Any idea?

Thanks for your reply :)

Frederic Egmorte

Aug 3, 2016, 3:42:44 PM
to rundeck-discuss
So I finally understood that the attributes used in jaas.conf don't match the class.
The new jaas.conf:

rundeck_app_name_ldap {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    debug="true"
    useSSL="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    userProvider="ldap://xx.xx.xx.xx:389/cn=user,dc=company,dc=fr"
    authIdentity="{USERNAME}"
    userFilter="sAMAccountName";
};

Now I get an authentication failure.
I don't know if there is an attribute to set the technical user's password?

And I don't know where it fails...

The Tomcat log:
[LdapLoginModule] authentication-first mode; SSL disabled
                [LdapLoginModule] user provider: ldap://xx.xx.xx.xx:389/cn=userTechnical,dc=company,dc=fr
                [LdapLoginModule] attempting to authenticate user: myUser
                [LdapLoginModule] authentication failed
                [LdapLoginModule] aborted authentication

I didn't make any change to the Rundeck web.xml concerning the security-role section.


Any idea again?

Thanks

Frederic Egmorte

Aug 4, 2016, 11:50:07 AM
to rundeck-discuss
Finally,

I succeeded in connecting to the Active Directory.

If that helps someone, below is the jaas.conf that works with my AD configuration:

rundeck_app_name_ldap {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    useSSL="false"
    debug="true"
    java.naming.security.principal="CN=TechUserToSearchAD,OU=COMPTES SERVICES,DC=company,DC=fr"
    java.naming.security.credentials="TechPassword"
    userProvider="ldap://xx.xx.xx.xx:389/OU=UTILISATEURS,OU=BORD,OU=SITES,DC=company,DC=fr"
    userFilter="(&(samAccountName={USERNAME})(userPrincipalName={USERNAME}@company.fr)(objectClass=user))";
};

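The option mismatch behind the first two configs, and why the third one works, can be checked mechanically. The Python below is an added example for this thread, not Rundeck or Tomcat code: it parses the jaas.conf syntax, compares each option against the set that com.sun.security.auth.module.LdapLoginModule actually reads (userProvider, userFilter, authIdentity, authzIdentity, useSSL, useFirstPass, tryFirstPass, storePass, clearPass, debug; any other option whose name contains a dot is copied into the JNDI environment, which is how java.naming.security.principal and java.naming.security.credentials reach the bind), and flags the two failure conditions seen above: a missing userProvider (the "Unable to locate the LDAP directory service" error) and a userFilter that is not a search filter. The three configs embedded at the bottom are reconstructed from the posts; the host and passwords are placeholders.

```python
"""Lint a jaas.conf for com.sun.security.auth.module.LdapLoginModule (added example)."""
import re

LDAP_MODULE = "com.sun.security.auth.module.LdapLoginModule"
# Options the module reads, per its Javadoc. Anything else containing a '.'
# is passed into the JNDI environment; anything else without one is dropped.
KNOWN_OPTIONS = {"userProvider", "userFilter", "authIdentity", "authzIdentity",
                 "useSSL", "useFirstPass", "tryFirstPass", "storePass",
                 "clearPass", "debug"}

_ENTRY = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
_MODULE = re.compile(r"([\w.]+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)\s*(.*?);", re.S | re.I)
_OPTION = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Return {app_name: [(module_class, flag, {option: value}), ...]}."""
    text = re.sub(r"(?m)^\s*//.*$", "", text)  # the JAAS ConfigFile allows // comment lines
    apps = {}
    for app, body in _ENTRY.findall(text):
        apps[app] = [(cls, flag.upper(), dict(_OPTION.findall(opts)))
                     for cls, flag, opts in _MODULE.findall(body)]
    return apps


def check_ldap_module(opts):
    """Classify the options of one LdapLoginModule entry and list problems."""
    url = opts.get("userProvider")
    flt = opts.get("userFilter")
    report = {
        "mode": "authentication-first" if "authIdentity" in opts else "search-first",
        "ignored": sorted(k for k in opts if k not in KNOWN_OPTIONS and "." not in k),
        "jndi": sorted(k for k in opts if k not in KNOWN_OPTIONS and "." in k),
        "errors": [], "warnings": [],
    }
    if url is None:
        report["errors"].append("userProvider missing: login() fails with "
                                "'Unable to locate the LDAP directory service'")
    elif not re.match(r"ldaps?://[^/\s]+", url):
        report["errors"].append(f"userProvider is not an ldap(s):// URL: {url}")
    if flt is not None and not (flt.startswith("(") and flt.endswith(")")
                                and "{USERNAME}" in flt):
        report["errors"].append(f"userFilter {flt!r} is not a search filter; "
                                "expected something like '(sAMAccountName={USERNAME})'")
    if flt is None and report["mode"] == "search-first":
        report["warnings"].append("search-first mode without userFilter: nothing to locate the user entry with")
    if opts.get("useSSL", "false").lower() != "true" and not (url or "").startswith("ldaps://"):
        report["warnings"].append("plaintext LDAP: the service password and every user password "
                                  "cross the network unencrypted; set useSSL=\"true\" or use ldaps://")
    if "java.naming.security.credentials" in opts:
        report["warnings"].append("service-account password is stored in jaas.conf; "
                                  "restrict the file's permissions")
    return report


def check_config(text):
    """{app_name: report} for every LdapLoginModule entry in a jaas.conf."""
    return {app: check_ldap_module(opts)
            for app, mods in parse_jaas(text).items()
            for cls, _flag, opts in mods if cls == LDAP_MODULE}


# Constructed from the three configs posted above (hosts/passwords are placeholders).
FIRST_ATTEMPT = """rundeck_app_name_ldap {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    debug="true" useSSL="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://xx.xx.xx.xx:389"
    bindDn="cn=usertouse,dc=company,dc=fr" bindPassword="password"
    userBaseDn="ou=def_tree,dc=company,dc=fr" userIdAttribute="sAMAccountName"
    roleBaseDn="ou=def_tree,dc=company,dc=fr" nestedGroups="true";
};"""
SECOND_ATTEMPT = """rundeck_app_name_ldap {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    debug="true" useSSL="false"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    userProvider="ldap://xx.xx.xx.xx:389/cn=user,dc=company,dc=fr"
    authIdentity="{USERNAME}" userFilter="sAMAccountName";
};"""
WORKING = """rundeck_app_name_ldap {
    com.sun.security.auth.module.LdapLoginModule REQUIRED
    useSSL="false" debug="true"
    java.naming.security.principal="CN=TechUserToSearchAD,OU=COMPTES SERVICES,DC=company,DC=fr"
    java.naming.security.credentials="TechPassword"
    userProvider="ldap://xx.xx.xx.xx:389/OU=UTILISATEURS,OU=BORD,OU=SITES,DC=company,DC=fr"
    userFilter="(&(samAccountName={USERNAME})(userPrincipalName={USERNAME}@company.fr)(objectClass=user))";
};"""

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("working", WORKING)):
        for app, rep in check_config(cfg).items():
            print(f"[{label}] {app}: {rep}")
```

Run against the first config it lists every Jetty-style option (providerUrl, bindDn, userBaseDn, ...) as ignored and reports the missing userProvider; against the second it flags "sAMAccountName" as not being a filter; the working config passes but still carries the two warnings worth acting on (cleartext LDAP on port 389 and a service-account password sitting in jaas.conf).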

Alex Honor

Aug 4, 2016, 12:25:27 PM
to rundeck-discuss
Hi Frederic,

This is a good example for JAAS setup in Tomcat. Thanks for pursuing it since we didn't have an example. I was curious if you considered the JNDIRealm for LDAP integration and why JAAS was preferred.

Frederic Egmorte

Aug 4, 2016, 6:40:19 PM
to rundeck-discuss
Hi Alex,

I tried to use JNDIRealm but I didn't succeed in accessing my Active Directory.
So, as Rundeck uses JAAS with Jetty and Tomcat can be set up with JAASRealm, I tried it and that works... But unfortunately, I'm now facing another issue.

We created a specific group under Active Directory and tried to assign roles by AD group, but when I connect to Rundeck, my user doesn't have any user role assigned. :-(

And I figured out that the JAAS LdapLoginModule doesn't manage user roles (it seems).

If someone has any idea... Otherwise, I will come back to tell you the end of the story :)


Frederic Egmorte

Aug 5, 2016, 10:53:22 AM
to rundeck-discuss
Alex,

Finally, I set a JNDIRealm in server.xml because of the inability to retrieve groups from AD to assign roles and credential ACLs with the JAASRealm.
The JAAS LdapLoginModule lacks the attributes needed to search roles in AD.

My configuration in the Tomcat server.xml:

<Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionName="CN=TechUserToSearchAD,OU=COMPTES SERVICES,DC=company,DC=fr"
          connectionPassword="TechUserPassword"
          connectionURL="ldap://xx.xx.xx.xx:389"
          referrals="follow"
          userBase="OU=UTILISATEURS,OU=BORDEAUX-1,OU=SITES,DC=company,DC=fr"
          userSearch="(sAMAccountName={0})"
          userSubtree="true"
          roleBase="OU=GROUPES,DC=company,DC=fr"
          roleName="cn"
          roleSearch="(member={0})"
          roleSubtree="true"
          roleNested="true"
          commonRole="user"  />


I left the security-role (user) in web.xml.

I changed adminacl.policy to add a section matching my AD RUNDECK group.

And that is working fine.
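What the JNDIRealm above does with roleBase, roleSearch="(member={0})" and roleNested="true", and what the JAAS LdapLoginModule never did (it only yields the user's own principals, so Tomcat's JAASRealm has no role principals to hand to Rundeck), can be shown with a small in-memory directory. The Python below is an added example for this thread, not Tomcat or Rundeck code: it escapes the login name before substituting it into the userSearch filter (RFC 4515, so a name like `*)(objectClass=*` cannot widen the search), locates the user entry under userBase, then walks group membership under roleBase, following nested groups with cycle protection exactly as the realm's roleNested setting implies, and adds the commonRole. The DNs, group names and the cycle in the sample directory are constructed; the nested walk is the general algorithm of which the posted realm config is one instance.

```python
"""Role resolution over AD-style group membership (added example)."""

# RFC 4515 escapes for values substituted into a search filter.
RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape user-supplied text so it is matched literally inside a filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, value):
    """Substitute {0} in a userSearch/roleSearch template with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def in_subtree(dn, base):
    """True if dn is base itself or lies beneath it (subtree scope)."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def find_user_dn(directory, user_base, username):
    """Equivalent of userSearch="(sAMAccountName={0})" with userSubtree="true".
    Returns the DN only when exactly one entry matches."""
    hits = [dn for dn, attrs in directory.items()
            if in_subtree(dn, user_base)
            and username.lower() in (v.lower() for v in attrs.get("sAMAccountName", []))]
    return hits[0] if len(hits) == 1 else None


def resolve_roles(directory, user_dn, role_base, role_name="cn", nested=True, common_role=None):
    """Groups under role_base whose member attribute lists user_dn (roleSearch="(member={0})");
    with nested=True, also the groups that list those groups, and so on. The seen-set
    keeps a membership cycle from looping forever."""
    roles, seen, frontier = set(), set(), [user_dn]
    while frontier:
        member = frontier.pop().lower()
        if member in seen:
            continue
        seen.add(member)
        for gdn, attrs in directory.items():
            if not in_subtree(gdn, role_base):
                continue  # groups outside roleBase never become roles
            if member in (m.lower() for m in attrs.get("member", [])):
                roles.add(attrs[role_name][0])
                if nested:
                    frontier.append(gdn)
    if common_role:
        roles.add(common_role)
    return roles


# Constructed directory: DN -> attributes. Names mirror the thread, values are made up.
USER_BASE = "OU=UTILISATEURS,OU=SITES,DC=company,DC=fr"
ROLE_BASE = "OU=GROUPES,DC=company,DC=fr"
U = "CN=fegmorte," + USER_BASE
G_ADMINS = "CN=RUNDECK_ADMINS," + ROLE_BASE
G_RUNDECK = "CN=RUNDECK," + ROLE_BASE
G_OPS = "CN=OPS," + ROLE_BASE
G_EVERYONE = "CN=EVERYONE,OU=OTHER,DC=company,DC=fr"  # outside roleBase

DIRECTORY = {
    U: {"objectClass": ["user"], "sAMAccountName": ["fegmorte"]},
    # ADMINS -> RUNDECK -> OPS -> ADMINS is a deliberate membership cycle.
    G_ADMINS: {"objectClass": ["group"], "cn": ["RUNDECK_ADMINS"], "member": [U, G_OPS]},
    G_RUNDECK: {"objectClass": ["group"], "cn": ["RUNDECK"], "member": [G_ADMINS]},
    G_OPS: {"objectClass": ["group"], "cn": ["OPS"], "member": [G_RUNDECK]},
    G_EVERYONE: {"objectClass": ["group"], "cn": ["EVERYONE"], "member": [U]},
}

if __name__ == "__main__":
    print(build_filter("(sAMAccountName={0})", "*)(objectClass=*"))
    dn = find_user_dn(DIRECTORY, USER_BASE, "fegmorte")
    print(dn)
    print(sorted(resolve_roles(DIRECTORY, dn, ROLE_BASE, nested=False, common_role="user")))
    print(sorted(resolve_roles(DIRECTORY, dn, ROLE_BASE, nested=True, common_role="user")))
```

The role names that come out (the groups' cn values plus the commonRole "user") are what the security-role in web.xml and the `group:` entries in Rundeck's aclpolicy files are matched against, which is why the AD group name had to appear in adminacl.policy. With nested=False only the directly listed group is returned; with nested=True the walk also picks up RUNDECK and OPS and stops cleanly despite the cycle, while EVERYONE is never returned because it sits outside roleBase.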