LDAP problems


Bruce Mitchener

May 31, 2011, 11:54:41 AM5/31/11
to rundeck...@googlegroups.com
Hello,

I was trying to get LDAP working today with RunDeck 1.2 on an Ubuntu 10.04 system. We use OpenLDAP, but that isn't related to the problems that I was having.

First, I started by following the directions found here: http://rundeck.org/docs/RunDeck-Guide.html#active-directory

Problems there:
  • It would be nice if the section were called "LDAP / Active Directory" or something.
  • It says: "Update /etc/rundeck/profile Update the RDECK_JVM in /etc/rundeck/profile by changing the following two JVM arguments:" but it should note that in the Launcher mode, that will be $RDECK_BASE/etc/profile
  • It says that the line will look like """export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf -Dloginmodule.name=RDpropertyfilelogin"""", but it does not. Those properties are not there now, just some memory configuration.
  • Being picky but "Attempt to logon" should probably be "Attempt to login"

So, at any rate, I create a jaas-openldap.conf file and put a block in it with the correct LDAP configuration and call the login module in that file "openldap". I modify the RDECK_JVM line to add in those -D things, but modified correctly for /var/lib/rundeck/server/config/jaas-openldap.conf and openldap as the loginmodule.name.

I restart the server, and attempt to log in and in the logs, this is present: 

    WARN:  javax.security.auth.login.LoginException: No LoginModules configured for openldap

I'm unable to find any way to make this work, except for replacing the contents of the jaas-loginmodule.conf with my openldap config ... and then calling that config RDpropertyfilelogin so that the configuration doesn't change to point at different files or anything.

At that point, I was able to login via LDAP (I still have to set up some groups to get admin privs).

I'm completely baffled as to why this isn't working correctly.  What can I do to help figure this out?

Thoughts?

 - Bruce

cforce

Jun 3, 2011, 3:03:54 AM6/3/11
to rundeck-discuss
I agree, the standard LDAP (e.g. openldap) documentation is too vague. I would also like to see a non-AD example and a step-by-step configuration doc.
Tx in advance!

On 31 May, 17:54, Bruce Mitchener <bruce.mitche...@gmail.com> wrote:
> Hello,
>
> I was trying to get LDAP working today with RunDeck 1.2 on an Ubuntu 10.04
> system. We use OpenLDAP, but that isn't related to the problems that I was
> having.
>
> First, I started by following the directions found here:http://rundeck.org/docs/RunDeck-Guide.html#active-directory
>
> Problems there:
>
>    - It would be nice if the section were called "LDAP / Active Directory"
>    or something.
>    - It says: "Update /etc/rundeck/profile Update
>    the RDECK_JVM in /etc/rundeck/profile by changing the following two JVM
>    arguments:" but it should note that in the Launcher mode, that will
>    be $RDECK_BASE/etc/profile
>    - It says that the line will look like """export
>    RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-loginmodule.conf
>    - -Dloginmodule.name=RDpropertyfilelogin"""", but it does not. Those
>    properties are not there now, just some memory configuration.
>    - Being picky but "Attempt to logon" should probably be "Attempt to

Bruce Mitchener

Jun 3, 2011, 3:26:02 AM6/3/11
to rundeck...@googlegroups.com
Are you using the RPM or the Launcher?

My problem ended up being that with the Launcher, you can't change the value for java.security.auth.login.config ... so I put my OpenLDAP config in $RDECK_BASE/server/config/jaas-loginmodule.conf. I added a flag to the JVM command line args to pass -Dloginmodule.name=openldap. That flag went into $RDECK_BASE/etc/profile

As for the OpenLDAP configuration ... what you want there will depend on your schema and other details of your LDAP installation.

Mine looks roughly like:

    // JAAS application name; must match the value passed in -Dloginmodule.name
    openldap {
        com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
        debug="true"
        contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
        providerUrl="ldap://ldap.example.com:389"
        // service account used to search the directory; redacted password
        bindDn="cn=admin,dc=example,dc=com"
        bindPassword="XXXXXXXX"
        authenticationMethod="simple"
        forceBindingLogin="true"
        // where users live and how they are looked up
        userBaseDn="dc=example,dc=com"
        userRdnAttribute="cn"
        userIdAttribute="cn"
        userPasswordAttribute="userPassword"
        userObjectClass="inetOrgPerson"
        // where groups live; group membership becomes the RunDeck role
        roleBaseDn="ou=Groups,dc=example,dc=com"
        roleNameAttribute="cn"
        roleMemberAttribute="uniqueMember"
        roleObjectClass="groupOfUniqueNames"
        cacheDurationMillis="300000"
        reportStatistics="true";
    };

Once that was done, I added 2 new groups to my LDAP server: admin and user.  The people who need access to RunDeck were added to those groups.  I assume that you can change the names of the groups and such ... but I didn't want to dig into things that deeply yet.

Restart RunDeck at this point and give logging in a try.   If you can't login with your LDAP credentials, look in $RDECK_BASE/var/log/service.log.

Hope that you find that helpful,

 - Bruce

Greg Schueler

Jun 3, 2011, 12:29:59 PM6/3/11
to rundeck...@googlegroups.com
A few pointers on launcher config:


On Fri, Jun 3, 2011 at 12:26 AM, Bruce Mitchener <bruce.m...@gmail.com> wrote:
Are you using the RPM or the Launcher?

My problem ended up being that with the Launcher, you can't change the value for java.security.auth.login.config ... so I put my OpenLDAP config in $RDECK_BASE/server/config/jaas-loginmodule.conf. I added a flag to the JVM command line args to pass -Dloginmodule.name=openldap. That flag went into $RDECK_BASE/etc/profile

You can specify the java.security.auth.config value by passing -Dloginmodule.conf.name=filename.conf to the launcher. It will look for server/conf/filename.conf for the file.

You can also override the loginmodule with -Dloginmodule.name=openldap (as you said); the default loginmodule name is "rundecklogin".
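The failure in this thread ("No LoginModules configured for openldap") is a mismatch between the name passed in -Dloginmodule.name and the block names actually present in the JAAS config file the launcher loads. The following pre-restart check is an added example, not code from the thread or from RunDeck; the config contents and JVM argument strings in it are constructed, and the functions take whatever paths you point them at.

```shell
#!/bin/sh
# Added example: verify that the JAAS application name selected with
# -Dloginmodule.name exists as a block in the JAAS config file, before
# restarting RunDeck and discovering the mismatch in service.log.
# Assumes POSIX sh with sed, grep and mktemp; all paths are illustrative.

# Print the application (block) names defined in a JAAS config file:
# lines of the form "name {" are block openers.
jaas_block_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_.-]*\)[[:space:]]*{[[:space:]]*$/\1/p' "$1"
}

# Succeed (exit 0) if "$2" is a block name in JAAS config file "$1".
jaas_has_module() {
    jaas_block_names "$1" | grep -qxF -- "$2"
}

# Pull the value of -Dloginmodule.name=... out of an RDECK_JVM-style string.
loginmodule_name_from_jvm_args() {
    printf '%s\n' "$1" | sed -n 's/.*-Dloginmodule\.name=\([^[:space:]"]*\).*/\1/p' | head -n 1
}

# Demo with a constructed config and JVM argument string.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/jaas-loginmodule.conf" <<'EOF'
openldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    providerUrl="ldap://ldap.example.com:389";
};
EOF
    jvm='-Xmx256m -Dloginmodule.name=openldap'
    name=$(loginmodule_name_from_jvm_args "$jvm")
    if jaas_has_module "$tmp/jaas-loginmodule.conf" "$name"; then
        echo "ok: block '$name' is defined in the JAAS config"
    else
        echo "mismatch: no block '$name' in the JAAS config (expect LoginException)"
    fi
    rm -rf "$tmp"
}
```

Run the check against the file the launcher actually loads (server/config/jaas-loginmodule.conf, or the file named by -Dloginmodule.conf.name) and the RDECK_JVM line from $RDECK_BASE/etc/profile.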

Bruce Mitchener

Jun 3, 2011, 10:38:15 PM6/3/11
to rundeck...@googlegroups.com
Greg,

Thanks for these pointers ... unfortunately, this is pretty different from what the docs say.

I'd file a bug, but have to head out for a road trip for a few days.

 - Bruce

Greg Schueler

Jun 9, 2011, 12:40:03 PM6/9/11
to rundeck...@googlegroups.com
Bruce,

I have added a bug about documenting the launcher options and referencing via the LDAP doc section

Bruce Mitchener

Jun 9, 2011, 12:42:37 PM6/9/11
to rundeck...@googlegroups.com
Thanks! I forgot to do this when I returned home...

 - Bruce