LDAP group / role mapping help
1,257 views
Skip to first unread message
Gunnar Kramm
Oct 26, 2011, 1:09:11 PM10/26/11
to rundeck-discuss
I am having difficulty following the documentation to get LDAP groups
mapped in rundeck-config.properties
my jaas-activedirectory.conf is
activedirectory {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule
required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://uslcldap07.regence.com:389"
bindDn="uid=wasadm,ou=Special Users,dc=regence,dc=org"
bindPassword="XXXXX"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="ou=Employees,ou=Internal,ou=People,dc=regence,dc=org"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="unicodePwd"
userObjectClass="inetOrgPerson"
roleBaseDn="ou=groups,dc=regence,dc=org"
roleNameAttribute="cn"
roleMemberAttribute="member"
roleObjectClass="group"
cacheDurationMillis="300000"
reportStatistics="true";
};
when I query LDAP i get the following for my ID:
ldapsearch -h uslcldap07.regence.com -p 389 -b "dc=regence,dc=org" -s
sub "uid=r620268" -x
# extended LDIF
#
# LDAPv3
# base <dc=regence,dc=org> with scope subtree
# filter: uid=r620268
# requesting: ALL
#
# r620268, Employees, Internal, People, regence.org
dn: uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org
twikiuser: yes
objectClass: top
objectClass: trgperson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
givenName: GUNNAR
cn: GUNNAR KRAMM
sn: KRAMM
mail: r62...@regence.com
uid: r620268
I think that is telling me that one of my LDAP groups is Employees, so
in
rundeck-config.properties
I've got
mappedRoles.admin=admin,api_token_group,Employees
mappedRoles.user_admin=admin,api_token_group,Employees
mappedRoles.workflow_read=user,api_token_group,Employees
mappedRoles.workflow_create=admin,api_token_group,Employees
mappedRoles.workflow_update=admin,api_token_group,Employees
mappedRoles.workflow_delete=admin,api_token_group,Employees
mappedRoles.workflow_kill=user,api_token_group,Employees
mappedRoles.workflow_run=user,api_token_group,Employees
mappedRoles.events_read=user,api_token_group,Employees
mappedRoles.events_create=user,api_token_group,Employees
mappedRoles.events_update=user,api_token_group,Employees
mappedRoles.events_delete=user,api_token_group,Employees
mappedRoles.resources_read=user,api_token_group,Employees
mappedRoles.resources_create=admin,api_token_group,Employees
mappedRoles.resources_update=admin,api_token_group,Employees
mappedRoles.resources_delete=admin,api_token_group,Employees
but when I try to loging I get the following error
2011-10-26 11:04:44.669::INFO: Attempting authentication:
uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org
2011-10-26 11:04:44,848 WARN RoleService - User r620268 has no
membership of any mapped roles.
2011-10-26 11:04:44,944 WARN FrameworkService - rdeck.base is: /usr/
pservices/rundeck
2011-10-26 11:04:45,359 WARN RoleService - User r620268 has no
membership of any mapped roles.
2011-10-26 11:04:45,406 ERROR AuthorizationFilters - r620268
UNAUTHORIZED for framework/nodes
2011-10-26 11:04:45.555:/:INFO: Initializing Spring FrameworkServlet
'gsp'
2011-10-26 11:04:45.555:/:INFO: GSP servlet initialized
how do I properly map the roles?
I can login as my user (r620268)
mapped in rundeck-config.properties
my jaas-activedirectory.conf is
activedirectory {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule
required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://uslcldap07.regence.com:389"
bindDn="uid=wasadm,ou=Special Users,dc=regence,dc=org"
bindPassword="XXXXX"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="ou=Employees,ou=Internal,ou=People,dc=regence,dc=org"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="unicodePwd"
userObjectClass="inetOrgPerson"
roleBaseDn="ou=groups,dc=regence,dc=org"
roleNameAttribute="cn"
roleMemberAttribute="member"
roleObjectClass="group"
cacheDurationMillis="300000"
reportStatistics="true";
};
when I query LDAP i get the following for my ID:
ldapsearch -h uslcldap07.regence.com -p 389 -b "dc=regence,dc=org" -s
sub "uid=r620268" -x
# extended LDIF
#
# LDAPv3
# base <dc=regence,dc=org> with scope subtree
# filter: uid=r620268
# requesting: ALL
#
# r620268, Employees, Internal, People, regence.org
dn: uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org
twikiuser: yes
objectClass: top
objectClass: trgperson
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
givenName: GUNNAR
cn: GUNNAR KRAMM
sn: KRAMM
mail: r62...@regence.com
uid: r620268
I think that is telling me that one of my LDAP groups is Employees, so
in
rundeck-config.properties
I've got
mappedRoles.admin=admin,api_token_group,Employees
mappedRoles.user_admin=admin,api_token_group,Employees
mappedRoles.workflow_read=user,api_token_group,Employees
mappedRoles.workflow_create=admin,api_token_group,Employees
mappedRoles.workflow_update=admin,api_token_group,Employees
mappedRoles.workflow_delete=admin,api_token_group,Employees
mappedRoles.workflow_kill=user,api_token_group,Employees
mappedRoles.workflow_run=user,api_token_group,Employees
mappedRoles.events_read=user,api_token_group,Employees
mappedRoles.events_create=user,api_token_group,Employees
mappedRoles.events_update=user,api_token_group,Employees
mappedRoles.events_delete=user,api_token_group,Employees
mappedRoles.resources_read=user,api_token_group,Employees
mappedRoles.resources_create=admin,api_token_group,Employees
mappedRoles.resources_update=admin,api_token_group,Employees
mappedRoles.resources_delete=admin,api_token_group,Employees
but when I try to loging I get the following error
2011-10-26 11:04:44.669::INFO: Attempting authentication:
uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org
2011-10-26 11:04:44,848 WARN RoleService - User r620268 has no
membership of any mapped roles.
2011-10-26 11:04:44,944 WARN FrameworkService - rdeck.base is: /usr/
pservices/rundeck
2011-10-26 11:04:45,359 WARN RoleService - User r620268 has no
membership of any mapped roles.
2011-10-26 11:04:45,406 ERROR AuthorizationFilters - r620268
UNAUTHORIZED for framework/nodes
2011-10-26 11:04:45.555:/:INFO: Initializing Spring FrameworkServlet
'gsp'
2011-10-26 11:04:45.555:/:INFO: GSP servlet initialized
how do I properly map the roles?
I can login as my user (r620268)
Greg Schueler
Oct 26, 2011, 1:50:40 PM10/26/11
to rundeck...@googlegroups.com
The "roles" that rundeck sees will be listed in your user profile page after you log in.
I believe you need to have something like this for your groups:
dn: cn=Employees,ou=groups,dc=regence,dc=org
cn=Employees
objectClass: group
member: uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org
QuatBoatMan
Oct 26, 2011, 3:05:19 PM10/26/11
to rundeck-discuss
Is there a limit to the number of "roles' that will be displayed on
the profile page? I currently have 6 listed of which I know should to
be a larger number.
> > mail: r620...@regence.com
> > I can login as my user (r620268)- Hide quoted text -
>
> - Show quoted text -
the profile page? I currently have 6 listed of which I know should to
be a larger number.
>
> - Show quoted text -
Gunnar Kramm
Oct 26, 2011, 6:05:36 PM10/26/11
to rundeck-discuss
when I look at my user profile I see
User Profile: r620268
First Name:
Last Name:
Email:
Username: r620268
Groups:
(there is nothing in groups) that seems wrong.
are you saying I should see
if not what do you mean by:
"I believe you need to have something like this for your groups:
dn: cn=Employees,ou=groups,dc=regence,dc=org
cn=Employees
objectClass: group
member:
uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org "
*where* should that be?
> > mail: r620...@regence.com
User Profile: r620268
First Name:
Last Name:
Email:
Username: r620268
Groups:
(there is nothing in groups) that seems wrong.
are you saying I should see
"dn: cn=Employees,ou=groups,dc=regence,dc=org
cn=Employees
objectClass: group
member:
uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org "
in my groups?
cn=Employees
objectClass: group
member:
uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org "
if not what do you mean by:
"I believe you need to have something like this for your groups:
dn: cn=Employees,ou=groups,dc=regence,dc=org
cn=Employees
objectClass: group
member:
uid=r620268,ou=Employees,ou=Internal,ou=People,dc=regence,dc=org "
Greg Schueler
Oct 26, 2011, 6:08:30 PM10/26/11
to rundeck...@googlegroups.com
Hi Gunnar,
I meant that your LDAP directory should have something like that LDIF to define your groups.
if your LDAP group definitions are different you would have to change these configuration values:
>>>
>>> roleBaseDn="ou=groups,dc=regence,dc=org"
>>> roleNameAttribute="cn"
>>> roleMemberAttribute="member"
>>> roleObjectClass="group"
Gunnar Kramm
Oct 26, 2011, 6:46:51 PM10/26/11
to rundeck-discuss
OH!!!
I think I get it. the "Groups" value in the profiles is pulled from
LDAP. and to populate the value I need to configure the 4 role
setting in jaas-activedirectory.conf.
I think I get it. the "Groups" value in the profiles is pulled from
LDAP. and to populate the value I need to configure the 4 role
setting in jaas-activedirectory.conf.
Reply all
Reply to author
Forward
0 new messages