
Rundeck Combined JAAS Module


Sean McGurk

Dec 19, 2024, 5:03:07 AM12/19/24
to rundeck-discuss
Hi there!

I'm trying to migrate our existing Rundeck instance from a Red Hat-based yum install to a containerised instance.

My current configuration for the login module is as follows:

Authentication is performed using JAAS. The configuration file is defined using a System property:
java.security.auth.login.config: /etc/rundeck/jaas-ldap.conf
The currently used login module:
ldap

The currently configured jaas-ldap.conf looks like:

ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule optional
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldaps://ldapserveraddress:636"
      bindDn="usernamer@domain"
      bindPassword="LDAP_PASSWORD"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="OU=Branch Offices,DC=nh,DC=corp"
      userRdnAttribute="cn"
      userIdAttribute="sAMAccountName"
      userPasswordAttribute="unicodePwd"
      userObjectClass="user"
      roleBaseDn="OU=Branch Offices,DC=nh,DC=corp"
      roleNameAttribute="cn"
      roleMemberAttribute="member"
      roleObjectClass="group"
      cacheDurationMillis="300000"
      supplementalRoles="user"
      reportStatistics="true"
      storePass="true";

    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule sufficient
      debug="true"
      useFirstPass="true"
      file="/etc/rundeck/realm.properties";

    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
      debug="true"
      file="/etc/rundeck/realm.properties";
};

This works fine: I am able to log in via LDAP and then my username is checked against the realm.properties file, I am assigned the 'admin' role and have access to all of the projects in Rundeck.

This is the message from the logs:

[2024-12-18 19:05:57,435] authorization.RuleEvaluator - Evaluating Decision for: res<name:Releng, type:project> subject<Username:smcgurk Group:admin Group:user Group:NH-GLB-AzurePasswordReset> action<read> env<rundeck:auth:env:application:rundeck>: authorized: true: GRANTED, reason: GRANTED, evaluations:    ACLRule</etc/rundeck/admin.aclpolicy[2][type:project][rule: 1]>{'Admin, all access.' context={application='rundeck'} type='project' for: { group='admin'} allow=[*]} GRANTED for action read => GRANTED (0ms)

I am trying to implement this in my docker container and have written the following Dockerfile:

FROM rundeck/rundeck:5.6.0

ENV RDECK_BASE=/home/rundeck

# The container renders RUNDECK_JAAS_* variables into its JAAS config at
# start-up; the names below use the upper-case form the Rundeck Docker
# documentation writes them in. All variables sit in one ENV instruction with
# no blank line inside the backslash continuation: an empty continuation line
# is deprecated by Docker, produces a build warning today and is slated to
# become an error.
# Do not ship the LDAP bind password in an image layer; override
# RUNDECK_JAAS_LDAP_BINDPASSWORD at run time (docker run -e, or a secret).
ENV RUNDECK_LOGGING_STRATEGY=FILE \
    RUNDECK_JAAS_MODULES_0=JettyCombinedLdapLoginModule \
    RUNDECK_JAAS_LDAP_FLAG=optional \
    RUNDECK_JAAS_LDAP_DEBUG=true \
    RUNDECK_JAAS_LDAP_CONTEXTFACTORY=com.sun.jndi.ldap.LdapCtxFactory \
    RUNDECK_JAAS_LDAP_PROVIDERURL=ldaps://ldapserver_address:636 \
    RUNDECK_JAAS_LDAP_BINDDN=username@domain.com \
    RUNDECK_JAAS_LDAP_BINDPASSWORD=password \
    RUNDECK_JAAS_LDAP_AUTHENTICATIONMETHOD=simple \
    RUNDECK_JAAS_LDAP_FORCEBINDINGLOGIN=true \
    RUNDECK_JAAS_LDAP_USERBASEDN="OU=Branch Offices,DC=nh,DC=corp" \
    RUNDECK_JAAS_LDAP_USERRDNATTRIBUTE=cn \
    RUNDECK_JAAS_LDAP_USERIDATTRIBUTE=sAMAccountName \
    RUNDECK_JAAS_LDAP_USERPASSWORDATTRIBUTE=unicodePwd \
    RUNDECK_JAAS_LDAP_USEROBJECTCLASS=user \
    RUNDECK_JAAS_LDAP_ROLEBASEDN="OU=Branch Offices,DC=nh,DC=corp" \
    RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE=cn \
    RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE=member \
    RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS=group \
    RUNDECK_JAAS_LDAP_CACHEDURATIONMILLIS=300000 \
    RUNDECK_JAAS_LDAP_SUPPLEMENTALROLES=user \
    RUNDECK_JAAS_LDAP_REPORTSTATISTICS=true \
    RUNDECK_JAAS_LDAP_STOREPASS=true \
    RUNDECK_JAAS_MODULES_1=PropertyFileLoginModule \
    RUNDECK_JAAS_FILE_FLAG=sufficient

However, when I run the container, I am unable to log in with this configuration.

Removing the property file fall-back environment variables allows me to log in via LDAP, but I do not have access to any of the projects in the instance.

This is the message I receive when logging in:

[2024-12-18T19:16:43,501] WARN  authorization.LoggingAuthorization - Evaluating Decision for: res<name:Releng, type:project> subject<Username:smcgurk Group:user Group:NH-GLB-AzurePasswordReset> action<app_admin> env<rundeck:auth:env:application:rundeck>: authorized: false:     No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)

Can anyone tell me where I am going wrong with my Dockerfile?

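An added example, my own code and not from the post, from Rundeck or from Jetty, that does the translation above mechanically and shows what changed between the two log lines. `parse_jaas` reads a JAAS realm block like the jaas-ldap.conf in the post and `to_env` emits one `KEY=VALUE` line per option, following the naming pattern the Dockerfile in the post uses (`RUNDECK_JAAS_MODULES_<n>`, `RUNDECK_JAAS_<PREFIX>_FLAG`, `RUNDECK_JAAS_<PREFIX>_<OPTION>`); the `ROLEFILE` prefix for `JettyRolePropertyFileLoginModule`, the upper-casing of option names and the `<set-at-runtime>` placeholder for the bind password are my assumptions, not documented Rundeck behaviour. `groups_lost` parses the `subject<...>` field of the two authorization log lines quoted in the post and reports which groups disappeared; the sample JAAS text and the two log lines are constructed from the values in the post.

```python
"""Added example (not from the post, Rundeck or Jetty): JAAS file -> RUNDECK_JAAS_*
env lines, plus a diff of the Group:<name> entries in two authorization log lines.
Assumptions: ROLEFILE prefix, upper-cased option names, <set-at-runtime> placeholder."""
import re
import shlex

# Constructed sample: the poster's jaas-ldap.conf trimmed to a few options.
SAMPLE_JAAS = """ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule optional
      debug="true"
      providerUrl="ldaps://ldapserveraddress:636"
      bindPassword="LDAP_PASSWORD"
      userBaseDn="OU=Branch Offices,DC=nh,DC=corp"
      storePass="true";
    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule sufficient
      useFirstPass="true"
      file="/etc/rundeck/realm.properties";
    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
      file="/etc/rundeck/realm.properties";
};
"""

# Module class -> env prefix. LDAP and FILE are the prefixes the poster used;
# ROLEFILE is a hypothetical prefix for the role-only property-file module.
MODULE_PREFIX = {
    "JettyCombinedLdapLoginModule": "LDAP",
    "PropertyFileLoginModule": "FILE",
    "JettyRolePropertyFileLoginModule": "ROLEFILE",
}
SECRET_OPTIONS = {"bindPassword"}   # never bake these into an image layer


def parse_jaas(text):
    """Return (realm_name, [(module_class, control_flag, {option: value}), ...])."""
    m = re.search(r"^\s*(\w+)\s*\{(.*)\};", text, re.S | re.M)
    if not m:
        raise ValueError("not a JAAS realm block")
    realm, body = m.group(1), m.group(2)
    modules = []
    for entry in body.split(";"):          # each login module ends with ';'
        tokens = shlex.split(entry)        # shlex strips the "..." quoting
        if not tokens:
            continue
        if len(tokens) < 2:
            raise ValueError(f"module entry without control flag: {entry!r}")
        cls, flag = tokens[0], tokens[1]
        opts = dict(tok.split("=", 1) for tok in tokens[2:])
        modules.append((cls, flag, opts))
    return realm, modules


def to_env(modules):
    """Render the modules as KEY=VALUE lines for a Dockerfile ENV or an env file.
    Secret options get a placeholder so the real value is injected at run time."""
    lines = []
    for i, (cls, flag, opts) in enumerate(modules):
        short = cls.rsplit(".", 1)[-1]
        prefix = MODULE_PREFIX[short]
        lines.append(f"RUNDECK_JAAS_MODULES_{i}={short}")
        lines.append(f"RUNDECK_JAAS_{prefix}_FLAG={flag}")
        for key, value in opts.items():
            name = f"RUNDECK_JAAS_{prefix}_{key.upper()}"
            if key in SECRET_OPTIONS:
                lines.append(f"{name}=<set-at-runtime>")
            elif re.search(r"\s", value):  # e.g. "OU=Branch Offices,..."
                lines.append(f'{name}="{value}"')
            else:
                lines.append(f"{name}={value}")
    return lines


# Log lines copied from the post (the first is truncated after the env<...> field).
LOG_BEFORE = ("[2024-12-18 19:05:57,435] authorization.RuleEvaluator - Evaluating "
              "Decision for: res<name:Releng, type:project> subject<Username:smcgurk "
              "Group:admin Group:user Group:NH-GLB-AzurePasswordReset> action<read> "
              "env<rundeck:auth:env:application:rundeck>: authorized: true: GRANTED")
LOG_AFTER = ("[2024-12-18T19:16:43,501] WARN  authorization.LoggingAuthorization - "
             "Evaluating Decision for: res<name:Releng, type:project> "
             "subject<Username:smcgurk Group:user Group:NH-GLB-AzurePasswordReset> "
             "action<app_admin> env<rundeck:auth:env:application:rundeck>: "
             "authorized: false:     No context matches subject or environment "
             "=> REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)")


def subject_groups(log_line):
    """Set of Group:<name> entries in the subject<...> field of a Rundeck log line."""
    m = re.search(r"subject<([^>]*)>", log_line)
    if not m:
        raise ValueError("log line has no subject<...> field")
    return {tok.split(":", 1)[1] for tok in m.group(1).split() if tok.startswith("Group:")}


def groups_lost(before_line, after_line):
    """Groups the first subject carried that the second subject no longer has."""
    return subject_groups(before_line) - subject_groups(after_line)


if __name__ == "__main__":
    _, mods = parse_jaas(SAMPLE_JAAS)
    print("\n".join(to_env(mods)))
    print("groups lost:", groups_lost(LOG_BEFORE, LOG_AFTER))
```

Run stand-alone it prints the env lines for all three modules of the sample and `groups lost: {'admin'}`. That group is the only one the ACL rule quoted in the first log line matches (`for: { group='admin'} allow=[*]`), and the post says it is assigned from realm.properties, so listing every module from the JAAS file makes it visible when a translation leaves out the module that supplied it. The bind password placeholder is deliberate: pass `RUNDECK_JAAS_LDAP_BINDPASSWORD` at run time rather than writing it into an image layer.
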
Sean McGurk

Dec 19, 2024, 5:43:28 AM12/19/24
to rundeck-discuss