Rundeck CE 5.16 – LDAP login is very slow + need strict group→project mapping (JAAS/ACL examples?)


Shaik Yasmeen

Oct 21, 2025, 7:33:08 AM
to rundeck-discuss

Hi all,

I’m new to Rundeck and just stood up Rundeck Community 5.16 on Ubuntu 24. LDAP (LDAPS) auth is working, but I’m stuck on two things: login performance and cleanly mapping LDAP groups to specific projects.

Current JAAS Setup
RDpropertyfilelogin {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://qed-ldap.testcompany.com:636"
    bindDn="uid=testid,ou=people,dc=testcompany,dc=com"
    bindPassword="XXXXXXXXXXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=people,dc=testcompany,dc=com"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userObjectClass="inetOrgPerson"
    roleBaseDn="ou=groups,dc=testcompany,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="uniqueMember"
    supplementalRoles="user"
    roleObjectClass="groupOfUniqueNames";
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};

Problems I’m seeing
  1. Login latency: Logins take ~2–3 minutes. It looks like Rundeck/Jetty is enumerating thousands of groups under roleBaseDn. In practice, each user is only a member of ~5–10 groups.
    Ask: Is there a way to limit group lookups/role resolution to a subset of groups or otherwise speed this up? Any recommended JAAS tuning (e.g., narrowing roleBaseDn, timeouts, caching, nested group settings, etc.)?

  2. Project visibility & ACLs: I need strict group→project mapping. However, with supplementalRoles="user" in place, every LDAP user sees all projects. I tried ACL policies to restrict visibility, but they didn’t behave as expected—users could still see projects they shouldn’t.
    Ask: Could you share a working example of JAAS + ACL policies that cleanly limit which projects a group can see and use?

Concrete scenario (what I need to achieve)
  • LDAP Groups: Group1, Group2
  • Rundeck Projects: project1, project2
  • Rules:
    • Members of Group1 → access project1 only
    • Members of Group2 → access project2 only
    • Users who are in both Group1 and Group2 → should see and use both projects
  • Request: Any sample ACL policy files (system + project context) and JAAS configuration that implement the above cleanly would be super helpful.

What I’ve already tried
  • Enabled debug="true"; confirmed LDAP auth succeeds.
  • Created ACL policies to scope projects per group, but users still saw extra projects (likely due to the default user role and/or my policy placement/contexts).
  • I’m happy to test with/without supplementalRoles, but would love guidance on the “right” pattern for CE 5.16.

If you have updated, battle-tested snippets (JAAS + ACL) or best practices for:

  • restricting who can log in (e.g., required roles),
  • speeding up role lookup for large directories, and
  • project scoping so each group only sees its projects,

please share. Example files and notes about where to store ACLs (System vs. Project level) would be great.

Thanks in advance!
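An added example (not from this thread or the Rundeck project) of the two-context ACL pattern the question asks for. It assumes the group names Group1/Group2 and project names project1/project2 exactly as stated above, that the LDAP cn values match those group names byte for byte (Rundeck compares role names case-sensitively), and that the file is saved as a system-level policy under /etc/rundeck with a name of your choosing (here project-scoping.aclpolicy, an assumed name). Rundeck ACLs are default-deny and additive: a project only appears in the list once some policy grants read on it in the application context, and a user in both groups receives the union of both grants, which gives the "both projects" case for free.

```yaml
# /etc/rundeck/project-scoping.aclpolicy  (assumed file name)
# Multiple policy documents in one file are separated by "---".

# --- Application (system) context: controls which projects are LISTED ---
description: Group1 may see project1
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'project1'     # assumed project name from the question
      allow: [read]
by:
  group: Group1              # must equal the LDAP group cn exactly

---

description: Group2 may see project2
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'project2'
      allow: [read]
by:
  group: Group2

---

# --- Project context: controls what a group may DO inside a project ---
description: Group1 may view and run jobs in project1
context:
  project: 'project1'
for:
  resource:
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'node'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  adhoc:
    - allow: [read, run]
  job:
    - allow: [read, run]
  node:
    - allow: [read, run]
by:
  group: Group1

---

description: Group2 may view and run jobs in project2
context:
  project: 'project2'
for:
  resource:
    - equals:
        kind: 'job'
      allow: [read]
    - equals:
        kind: 'node'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  adhoc:
    - allow: [read, run]
  job:
    - allow: [read, run]
  node:
    - allow: [read, run]
by:
  group: Group2
```

Two checks worth doing before blaming the policy above: grep every other *.aclpolicy on the server for grants to `group: user` (the supplemental role) or for `match: name: '.*'` in the application context, since any such grant reveals every project to every LDAP user regardless of this file; and keep `user` itself out of project grants entirely, using it only as the value of Rundeck's `rundeck.security.requiredRole` property in rundeck-config.properties if you want to reject logins that carry no role at all.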



Shaik Yasmeen

Oct 21, 2025, 8:29:56 PM
to rundeck-discuss
Tried the JAAS config below too; no difference in login time.

RDpropertyfilelogin {
  // --- Primary LDAP-backed module ---
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    reportStatistics="true"

    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://qed-ldap.testcompany.com:636"
    bindDn="uid=testid,ou=people,dc=testcompany,dc=com"
    bindPassword="XXXXXXXXXXXXXXXXXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    cacheDurationMillis="900000"
    cacheSize="1000"
    timeoutConnect="5000"
    timeoutRead="7000"
    userBaseDn="ou=people,dc=testcompany,dc=com"
    userRdnAttribute="uid"
    userSearchFilter="(uid={0})"
    userSearchSubtree="false"
    userIdAttribute="uid"
    userObjectClass="inetOrgPerson"
    userMemberOfAttribute="__disabled__"
    nestedGroups="false"
    roleBaseDn="ou=groups,dc=testcompany,dc=com"
    roleObjectClass="groupOfNames"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleMemberFormat="uid={0},ou=people,dc=testcompany,dc=com"
    roleSearchFilter="(&(objectClass=groupOfNames)(|(cn=pdlmsw_core)(cn=elc_esc.help))(member={0}))"
    roleSearchSubtree="false";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};

Thank you for your help

rac...@rundeck.com

Oct 27, 2025, 8:47:22 AM
to rundeck-discuss
Hi,

Here you can check many examples: https://docs.rundeck.com/docs/learning/howto/acls/

Regarding the LDAP slowness, it could be a networking or LDAP service-side problem. Any clue in the service.log file at the moment of login?

Regards.
