Combining LDAP Auth and Local Auth issue


Chris Cerda

Jul 8, 2016, 4:33:11 PM
to rundeck-discuss
I'm trying to combine LDAP authentication with local authorization, together with local authentication and local authorization, and I'm having some issues. I may just be doing it completely wrong, but I haven't found much in searching the group and other sites on Google. Basically what I'm trying to do is to make sure that even if our backend LDAP authentication service goes down, the admins have a way to continue to work with RunDeck by using a local user id and password.

Right now, through the main console page, if I use a valid LDAP user it works and I get the correct role. However, if I try to use the local user defined in realm.properties, it does not work and throws the below stack trace.

javax.security.auth.login.LoginException: User not found.
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.findUser(JettyCachingLdapLoginModule.java:799)
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.bindingLogin(JettyCachingLdapLoginModule.java:750)
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.authenticate(JettyCachingLdapLoginModule.java:667)
        at com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule.login(JettyCombinedLdapLoginModule.java:145)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)

Here is my loginmodule conf:

multiauth {
   com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="..."
      bindDn="..."
      bindPassword="..."
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="..."
      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="inetOrgPerson"
      roleBaseDn="..."
      roleNameAttribute="cn"
      roleMemberAttribute="objectClass"
      roleUsernameMemberAttribute="cn"
      roleObjectClass="groupOfNames"
      roleSearchSubtree="true"

      ignoreRoles="true"
      storePass="true"
      clearPass="true"
      useFirstPass="false"
      tryFirstPass="false"
      supplementalRoles="user";

   org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
      debug="true"
      useFirstPass="true"
      file="/path/to/realm.properties";

};


Here is the line from realm.properties with the admin user:

admin:admin,user,admin


The other users look like:
ldapuserid:-,user,admin




Darren K

Jul 8, 2016, 9:45:15 PM
to rundeck...@googlegroups.com
   com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
   org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required

You have both modules set as required. Have you tried setting the LDAP module to "sufficient"? (I am basing this on http://rundeck.org/docs/administration/authenticating-users.html#multiple-authentication-modules )

-Darren


Chris Cerda

Aug 1, 2016, 2:20:00 PM
to rundeck-discuss
When I attempt to do that, it completely changes the behavior. If I try to log in as the local user I created in realm.properties, admin, I get:


javax.security.auth.login.LoginException: User not found.
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.findUser(JettyCachingLdapLoginModule.java:799)
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.bindingLogin(JettyCachingLdapLoginModule.java:750)
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.authenticate(JettyCachingLdapLoginModule.java:667)
        at com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule.login(JettyCombinedLdapLoginModule.java:145)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

If I use my LDAP-based user, I get the following message on the web page, but nothing in the service.log log file.

    You have no authorized access to projects.
    Contact your administrator. (User roles: user)

Darren K

Aug 1, 2016, 10:21:58 PM
to rundeck...@googlegroups.com
Something I missed earlier from your config:

JettyRolePropertyFileLoginModule

Per the docs at http://rundeck.org/docs/administration/authenticating-users.html#jettyrolepropertyfileloginmodule, this module only does role lookups:

"This module does not authenticate, and requires that useFirstPass or tryFirstPass is set to true, and that a previous module has storePass set to true.

It then looks the username up in the Properties file, and applies any roles for the matching user, if found."


It looks like you don't have any module set up to auth against a local file. "org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule" might be what you need.

I also took a look at http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html . For the LDAP module, it looks like "optional" is what you want. I am unsure how to order the local auth and realms to get it all to work. Something to test:

JettyCombinedLdapLoginModule -> optional
PropertyFileLoginModule -> sufficient
JettyRolePropertyFileLoginModule -> required

-Darren
 

JayF

Sep 16, 2016, 5:01:39 PM
to rundeck-discuss
Thank you so much for this! I had been wrestling with the same issue, and following your suggestions it now works!

JettyCombinedLdapLoginModule -> optional
storePass true

PropertyFileLoginModule -> sufficient
storePass true

JettyRolePropertyFileLoginModule -> required
useFirstPass true

Chris Cerda

Sep 19, 2016, 2:49:43 PM
to rundeck-discuss
To wrap this up, I was able to get it working with the below config:

multiauth {
   org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule sufficient
      debug="true"
      file="/path/to/realm.properties";

   com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldap://ldap.mysite.com:389/"
      bindDn="cn=admin,ou=datacenter,o=auth"
      bindPassword="*********"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="ou=users,ou=users,o=auth"

      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="inetOrgPerson"

      roleBaseDn="ou=UNIX,ou=DATACENTER,o=AUTH"

      roleNameAttribute="cn"
      roleMemberAttribute="objectClass"
      roleUsernameMemberAttribute="cn"
      roleObjectClass="groupOfNames"
      roleSearchSubtree="true"

      supplementalRoles="user"
      reportStatistics="true"
      timeoutRead="10000"
      timeoutConnect="20000"
      ignoreRoles="true"
      storePass="true";

   org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
      debug="true"
      useFirstPass="true"
      file="/path/to/realm.properties";

};

Using that config with the following jvm parameters:

-Dloginmodule.conf.name=jaas-loginmodule.conf -Dloginmodule.name=multiauth
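As an added example (not code from this thread or from Rundeck/Jetty), the following Python model walks a stacked JAAS configuration with the flag semantics from the Configuration javadoc Darren linked, and replays the three stacks discussed here: Chris's original (both modules required), the LDAP module switched to sufficient, and the final working config. The realm.properties entries and the directory are constructed stand-ins, and the module functions mimic only the options the thread discusses (storePass, useFirstPass, ignoreRoles, supplementalRoles), not the real modules' LDAP or file handling.

```python
# Constructed realm.properties: "user:password,role,..." as in the thread.
REALM = {"admin": ("admin", {"user", "admin"}), "ldapuserid": ("-", {"user", "admin"})}
LDAP_USERS = {"ldapuserid": "s3cret"}          # constructed directory; no "admin" uid
NAME, PASS = "javax.security.auth.login.name", "javax.security.auth.login.password"

def ldap_module(user, password, shared):
    """Stand-in for JettyCombinedLdapLoginModule: ignoreRoles=true, supplementalRoles=user, storePass=true."""
    if LDAP_USERS.get(user) != password:
        return False, set()                     # unknown uid -> "User not found"
    shared[NAME], shared[PASS] = user, password # storePass: shared state for later modules
    return True, {"user"}

def property_file_module(user, password, shared):
    """Stand-in for Jetty's PropertyFileLoginModule: authenticates against realm.properties."""
    entry = REALM.get(user)
    if entry is None or entry[0] != password:
        return False, set()
    shared[NAME], shared[PASS] = user, password
    return True, set(entry[1])

def role_property_module(user, password, shared):
    """Stand-in for JettyRolePropertyFileLoginModule (useFirstPass=true): roles only, no auth."""
    name = shared.get(NAME)                     # needs a previous module with storePass=true
    if name is None or name not in REALM:
        return False, set()
    return True, set(REALM[name][1])

def login(stack, user, password):
    """Walk (flag, module) pairs as a JAAS LoginContext does; returns (authenticated, roles)."""
    shared, roles, required_failed, any_ok = {}, set(), False, False
    has_required = any(flag in ("required", "requisite") for flag, _ in stack)
    for flag, module in stack:
        ok, got = module(user, password, shared)
        if ok:
            roles, any_ok = roles | got, True
        if flag in ("required", "requisite") and not ok:
            required_failed = True
            if flag == "requisite":
                break                           # requisite failure stops the walk
        elif flag == "sufficient" and ok and not required_failed:
            return True, roles                  # stops here: later modules never run
    if has_required:
        return (False, set()) if required_failed else (True, roles)
    return any_ok, roles                        # only sufficient/optional: one success is enough

# The three stacks discussed in the thread (module options as described there).
ORIGINAL = [("required", ldap_module), ("required", role_property_module)]
LDAP_SUFFICIENT = [("sufficient", ldap_module), ("required", role_property_module)]
FINAL = [("sufficient", property_file_module), ("required", ldap_module),
         ("required", role_property_module)]
```

`login(LDAP_SUFFICIENT, "ldapuserid", "s3cret")` returns only the role `user`, matching the "User roles: user" message Chris saw, because a sufficient LDAP success returns before the role module runs; `login(ORIGINAL, "admin", "admin")` fails because the required LDAP module cannot find a local-only user.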

