Rundeck job execution error


Rahul Saxena

Apr 10, 2018, 1:52:05 PM
to rundeck-discuss

Hi,
I have set up Rundeck 2.10.8 on a Linux machine and configured WinRM to execute a job on a Windows machine. If I run a basic command like hostname via a Rundeck job it works.
I need to run the job via a domain user. I configured krb5.ini and resources.xml for the domain user, but when I execute the job I get the error below:


[overthere-winrm:servername.domain] failed: WinRM Error: Unexpected HTTP response on http://servername.domain:5985/wsman: (401)
Failed: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://servername.domain:5985/wsman: (401)
Execution failed: 105 in project tesing_windows: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [servername.domain: WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://servername.domain:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {servername.domain=[WinRMProtocolError: WinRM Error: Unexpected HTTP response on http://servername.domain:5985/wsman: (401) + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]


Any directions on this will be helpful.

Thanks,
Rahul

Alex Honor

Apr 10, 2018, 2:29:30 PM
to rundeck-discuss
Hi Rahul,

Take a look at this doc that addresses possible solutions for the 401: https://github.com/xebialabs/overthere#winrm-command-fails-with-a-401-response-code

Also, you might consider this plugin as an alternative: https://github.com/rundeck-plugins/py-winrm-plugin

Thanks!

Rahul Saxena

Apr 11, 2018, 12:15:44 AM
to rundeck-discuss
Hi Alex,

Thanks for your swift response. Let me give it a try and update you.

Regards,
Rahul

Rahul Saxena

Apr 11, 2018, 11:31:05 AM
to rundeck-discuss
Hi Alex,

So far no luck with Rundeck. Can you help me with any doc that has the instructions to execute a Rundeck job via a domain user? I followed a couple of online forums and configured krb5.conf, but still no luck. I need to make sure that any job that I create uses the admin login. Please help me with the steps.

Thanks,
Rahul

Rahul Saxena

Apr 11, 2018, 11:38:56 AM
to rundeck-discuss
Resources.xml:

<project>
<node name="servername" connectionType="WINRM_INTERNAL" node-executor="overthere-winrm" winrm-password-option="winrmPassword" winrm-protocol="http" winrm-auth-type="kerberos" username="us...@domain.local" password="XXXXX"  winrmPassword="XXXXX" description="Windows node" tags="" hostname="servername:5985" osArch="x86_64" osFamily="windows" osName="Microsoft Windows Server 2012 R2 Standard" osVersion="Microsoft Windows Server 2012 R2 Standard" />

<node name="or1saltmaster01" description="salt server node" tags="" hostname="10.54.28.10" osArch="amd64" osFamily="unix" osName="Linux" osVersion="3.10.0-693.21.1.el7.x86_64" username="root"/>

</project>

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = domain.local
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  kdc = domain.local
  admin_server = servername.domain.local
 }

[domain_realm]
 .domain.local = DOMAIN.LOCAL
 domain.local = DOMAIN.LOCAL

Alex Honor

Apr 11, 2018, 12:01:48 PM
to rundeck-discuss
Hi Rahul,

Please try the py-winrm plugin suggested earlier. Setting up kerberos with the overthere library is difficult.

Luis Toledo

Apr 11, 2018, 12:06:56 PM
to rundeck-discuss
Hi Rahul,

Can you share your winrm settings on the remote node?

Thanks
Luis

Rahul Saxena

Apr 11, 2018, 12:59:12 PM
to rundeck...@googlegroups.com
************winrm************
Config
    MaxEnvelopeSizekb = 4294967295
    MaxTimeoutms = 4294967295
    MaxBatchItems = 4294967295
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 4294967295
        URLPrefix = wsman
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Digest = true
            Kerberos = true
            Negotiate = true
            Certificate = true
            CredSSP = false
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = * [Source="GPO"]
    Service
        RootSDDL = O:NSG:BAD:P(A;;GA;;;BA)(A;;GR;;;IU)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)
        MaxConcurrentOperations = 4294967295
        MaxConcurrentOperationsPerUser = 4294967295
        EnumerationTimeoutms = 4294967295
        MaxConnections = 50
        MaxPacketRetrievalTimeSeconds = 4294967295
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = true
            CbtHardeningLevel = Relaxed
        DefaultPorts
            HTTP = 5985
            HTTPS = 5986
        IPv4Filter = * [Source="GPO"]
        IPv6Filter [Source="GPO"]
        EnableCompatibilityHttpListener = true [Source="GPO"]
        EnableCompatibilityHttpsListener = false
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
    Winrs
        AllowRemoteShellAccess = true
        IdleTimeout = 2147483647
        MaxConcurrentUsers = 100
        MaxShellRunTime = 2147483647
        MaxProcessesPerShell = 5000
        MaxMemoryPerShellMB = 2048
        MaxShellsPerUser = 5000

***********winrmlistener************
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.x.x.x, 127.0.0.1

Listener [Source="Compatibility"]
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.x.x.x, 127.0.0.1

Thanks,
Rahul

--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discuss+unsubscribe@googlegroups.com.
To post to this group, send email to rundeck-discuss@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rundeck-discuss/a75be46a-2af2-4805-80da-702362ef3d1c%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Luis Toledo

Apr 11, 2018, 3:21:30 PM
to rundeck-discuss
The WINRM settings look OK.

According to the library's docs (overthere) the options for 401 error could be:

1) a problem with the SPN name
2) a problem with the user permissions.

Have you tried the python plugin? It could be easy to use and it works with domain users.

Luis
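
Added example, not part of any post in this thread: a Python check that flattens `winrm get winrm/config` output in the layout posted above and flags the settings that let credentials travel unprotected (Basic together with AllowUnencrypted, and TrustedHosts = *). The sample text is a constructed excerpt and the function names are illustrative.

```python
import re

# Constructed excerpt in the layout of the `winrm get winrm/config` dump
# posted in this thread; only the settings the checks read are included.
SAMPLE_WINRM = """\
Config
    MaxEnvelopeSizekb = 4294967295
    Client
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
        TrustedHosts = * [Source="GPO"]
    Service
        AllowUnencrypted = true [Source="GPO"]
        Auth
            Basic = true [Source="GPO"]
            Kerberos = true
            CbtHardeningLevel = Relaxed
        CertificateThumbprint
        AllowRemoteAccess = true [Source="GPO"]
"""

SOURCE_RE = re.compile(r'\s*\[Source="([^"]*)"\]\s*$')


def parse_winrm_config(text):
    """Flatten the indented dump into {"Config/Service/Auth/Basic": (value, source)}."""
    settings, stack = {}, []          # stack holds (indent, section name)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        match = SOURCE_RE.search(raw)
        source = match.group(1) if match else "local"   # no tag: set locally or default
        line = SOURCE_RE.sub("", raw).strip()
        # Leave every section that is not a parent of the current line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if " = " in line:
            key, value = line.split(" = ", 1)
            settings["/".join([name for _, name in stack] + [key])] = (value, source)
        else:
            # Section header, or an empty-valued key such as CertificateThumbprint;
            # the latter is popped again by the next line at the same indent.
            stack.append((indent, line))
    return settings


def audit(settings):
    """Return (side, finding, source) tuples for settings that expose credentials."""
    def enabled(path):
        return settings.get(path, ("false", ""))[0].lower() == "true"

    findings = []
    for side in ("Client", "Service"):
        unencrypted = f"Config/{side}/AllowUnencrypted"
        if enabled(unencrypted) and enabled(f"Config/{side}/Auth/Basic"):
            findings.append((side,
                             "Basic auth with AllowUnencrypted: credentials readable on the wire over HTTP",
                             settings[unencrypted][1]))
    trusted = settings.get("Config/Client/TrustedHosts")
    if trusted and trusted[0] == "*":
        findings.append(("Client",
                         "TrustedHosts = *: credentials may be sent to any host without mutual authentication",
                         trusted[1]))
    return findings


if __name__ == "__main__":
    for side, finding, source in audit(parse_winrm_config(SAMPLE_WINRM)):
        # A GPO source means the fix belongs in the policy, not in a local `winrm set`.
        print(f"[{side}] {finding} (source: {source})")
```
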

Luis Toledo

Apr 12, 2018, 2:20:20 PM
to rundeck-discuss
Hi Rahul,

I have been doing some tests with the python plugin and it worked OK for domain users.

The python plugin has two authentication methods for domain users: ntlm and credssp.
It doesn't include Kerberos authentication because a Kerberos ticket needs to be initialised outside of pywinrm using the kinit command.
Please check: 

Rahul Saxena

Apr 16, 2018, 4:23:52 AM
to rundeck-discuss
Hi Guys,

I set up Rundeck 2.10.8 on a Windows machine and it worked as expected. I executed the jobs successfully. I am not sure whether it is possible or not but want to check with you guys.

I have 2 Jobs in Rundeck.  I want output of Job1 to be used as Input of Job2.

To explain this:
My first job executes a Python script that logs output of two variables: var1 var2

I now need to pass var1 and var2 as an input to Job1.  

I read somewhere that in version 2.9 this is supported but I couldn't figure out how.  Can you guys help me with this?

Thanks,
Rahul

Luis Toledo

Apr 16, 2018, 9:55:01 AM
to rundeck-discuss
Hi Rahul,

Since 2.9.0 we have a log output filter that can help. However, that feature works inside the same workflow (not for different jobs). Please take a look at this demo:

The other option is using the Uplift plugin, which allows you to capture data between jobs that are called using job reference (for example an overall job that calls other jobs using job reference). This was added in 2.10.1 and it works along with data passing.


Are your jobs running locally or are they dispatching to an X number of remote nodes?

Rahul Saxena

Apr 16, 2018, 11:09:43 AM
to rundeck...@googlegroups.com
Hi Luis,

My jobs are running locally and not on different nodes. My job is running on a utility server that can query all the servers in the domain. I set up my Rundeck on that utility server only, so all the jobs are local to the server.

Thanks,
Rahul



edu...@rundeck.com

Apr 16, 2018, 12:59:22 PM
to rundeck-discuss
Hi Rahul,

Thank you so much for the clarification. 

As Luis explained before, since you are only running the jobs locally (they can also be dispatched to a single node) you can use the "Global Variable" step plugin, also called "Uplift plugin":

Global Variable step plugin: “Allows copying captured data values into a global context in any variable group. E.g. data from a node step to use it in a non-node-step.”
“Within a job, copy data to the export.* group, to have it available in later steps if the job is included as a Job Reference.”

Which works alongside data passing to achieve the behavior you may require, please check the example below:

1. You create a “Parent Job” that runs the workflow steps: JobA and JobB

Parent Job workflow:

*Notice the argument used by JobB:

2. JobA captures "data" in a global variable, by using the “Key Value Data” Log Filter, and then using the “Global Variable” Workflow step to export the variable to the Parent job (variables in the ‘export’ group are exported to the parent Job):

JobA workflow (notice that we are running this example in 'localhost'):

3. Which can now be used by JobB as an option:

JobB Option and Workflow:

4. When running "Parent Job", the resulting output will display:

Notice the value for 'variable1', that is then used by JobB.


Hope it helps.

Eduardo Carrasco.

Rahul Saxena

Apr 20, 2018, 7:24:50 AM
to rundeck-discuss
Hi Team,

I was going through the following doc to set up AD with my Rundeck but I am getting errors:


2018-04-20 08:04:08.964:WARN:oejj.JAASLoginService:qtp1199823423-76: 
javax.security.auth.login.FailedLoginException
at org.eclipse.jetty.jaas.spi.AbstractLoginModule.login(AbstractLoginModule.java:251)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at org.eclipse.jetty.jaas.JAASLoginService.login(JAASLoginService.java:241)
at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:52)
at org.eclipse.jetty.security.authentication.FormAuthenticator.login(FormAuthenticator.java:192)
at org.eclipse.jetty.security.authentication.FormAuthenticator.validateRequest(FormAuthenticator.java:229)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:499)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:213)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1097)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:448)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:175)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1031)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:136)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:446)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:271)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:246)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.run(AbstractConnection.java:358)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:601)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:532)
at java.lang.Thread.run(Unknown Source)

My Rundeck is set up on a Windows machine. Version is 2.10.8.1

My “jaas-activedirectory.conf” looks like below:

activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://example.com:389"
    bindDn="CN=con-svc,OU=WAU,OU=US,DC=lab,DC=net"
    bindPassword="XXXXXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Users,OU=xyz,DC=dma,DC=abc,DC=net"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Groups,OU=xyz,DC=dma,DC=abc,DC=net"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="user";
};


I added the following in my profile file:

export RDECK_JVM="-Djava.security.auth.login.config=%base_runndeck/etc/jaas-activedirectory.conf \ -Dloginmodule.name=activedirectory"

I set up web.xml and aclpolicy as per the document but I still couldn't make it work with an AD user.

Any help will be highly appreciated.

Thanks,
Rahul

Rahul Saxena

Apr 20, 2018, 2:54:43 PM
to rundeck...@googlegroups.com
I tried almost all possible things and also went through all possible posts that talked about this error, but I still can't make LDAP authentication work with my Rundeck 2.10.

I don't even think that Rundeck is attempting to search for the user in AD. Can you guys point me in the right direction? I couldn't figure out the issue, but it looks like something is missing and the logs are not giving any clear insight.

Thanks,
Rahul

Alex Honor

Apr 20, 2018, 3:39:54 PM
to rundeck...@googlegroups.com
Hi Rahul,

I noticed you had a backslash in the RDECK_JVM value. Remove that and restart.

export RDECK_JVM="-Djava.security.auth.login.config=%base_runndeck/etc/jaas-activedirectory.conf \ -Dloginmodule.name=activedirectory"







--

Alex Honor

[Rundeck | a...@rundeck.com ]

edu...@rundeck.com

Apr 20, 2018, 4:38:25 PM
to rundeck-discuss
Hi Rahul,

The configuration that you followed appears to apply correctly for a Linux install, but since you installed this instance on Windows, the configuration can differ.

If your configuration remains as you posted previously, you can try this to get things working:


1st. You may remove any lines that you added to your 'profile' file. In a Windows environment, you will be working with profile.bat to set the variables.

2nd. Move your "jaas-activedirectory.conf" file from "%base_runndeck/etc/" to %RDECK_BASE%\server\config

3rd. Modify the following line of your 'profile.bat' file (keep in mind the -Xms and -Xmx values of this example, as they may not apply to your server available resources ):

set RDECK_CLI_OPTS=-Xms512m -Xmx1024m



to this:

set RDECK_CLI_OPTS=-Xms512m -Xmx1024m -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory



4th. Now, as outlined in the documentation (http://rundeck.org/docs/administration/installation.html), you can create a .bat file that will launch Rundeck. Create the file "start_rundeck.bat" in %RDECK_BASE% with the following code:

set CURDIR=%~dp0
call %CURDIR%etc\profile.bat
java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -jar rundeck-launcher-2.10.8.jar --skipinstall -d



Finally, you can start rundeck by running start_rundeck.bat (either CLI or GUI). The .bat file will load the "RDECK_CLI_OPTS=" that you set in your profile.bat.

Optionally, you can follow the guide to set rundeck to start as a service: http://rundeck.org/docs/administration/installation.html#install-the-launcher-as-a-service

Hope it helps.

Eduardo Carrasco

Rahul Saxena

Apr 23, 2018, 4:12:46 AM
to rundeck...@googlegroups.com, al...@rundeck.com, edu...@rundeck.com
Hi Eduardo,

Need your help again as for some reason I still can't make my LDAP work with Rundeck.  I am again sharing the configs below:

1: jaas-ldap.conf file located under %RDECK_BASE%\server\config\jaas-ldap.conf with the below configuration:

ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://domain:389"
    bindDn="CN=user,OU=Service,OU=SA,DC=dma,DC=local,DC=net"
    bindPassword="XXXXXXXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Users,OU=adbe,DC=dma,DC=local,DC=net"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Groups,OU=adbe,DC=dma,DC=local,DC=net"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="user"
    nestedGroups="true"
    ignoreRoles="true"
    storePass="true"
    clearPass="true"
    useFirstPass="false"
    tryFirstPass="false"
    supplementalRoles="user";
};


************************************************************************************************
2: start_rundeck.bat file located under %RDECK_BASE% with the below contents:

set CURDIR=%RDECK_BASE%
call %CURDIR%etc\profile.bat
java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -jar rundeck-launcher-2.10.8.jar --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1

************************************************************************************************

3: My profile.bat file looks like below. Even though I enabled -Dloginmodule.name=ldap -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG, I still can't see a detailed service.log

set RDECK_BASE=C:\rundeck

set JAVA_HOME=c:\Program Files\Java\jre1.8.0_71

:: Unsetting JRE_HOME to ensure there is no conflict with JAVA_HOME
(set JRE_HOME=)

set Path=%JAVA_HOME%\bin;%RDECK_BASE%\tools\bin;%Path%

set RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=%RDECK_BASE%\etc\truststore -Djavax.net.ssl.trustStoreType=jks -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
set RDECK_CLI_OPTS=-Xms64m -Xmx128m -Dloginmodule.conf.name=%RDECK_BASE%\server\config\jaas-ldap.conf  -Dloginmodule.name=ldap -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG
set RD_LIBDIR=%RDECK_BASE%\tools\lib 

************************************************************************************************
4: In the web.xml file I updated the role-name to something that is there in AD:

<security-role>
<role-name>connect_SRE</role-name>
</security-role>


************************************************************************************************ 

I tried to log in with my user but still get the same error:

2018-04-23 07:51:09.637:INFO:oejs.ServerConnector:main: Started ServerConnector@220d7eb7{HTTP/1.1}{0.0.0.0:4440}
2018-04-23 08:02:06.989:WARN:oejj.JAASLoginService:qtp1199823423-85: 
*******************************************************************************************************

At this point I have no idea what I am missing. I connected to AD successfully using an LDAP browser with the login details mentioned in jaas-ldap.conf, so ideally the configuration should work. Since the logs are not detailed I find it hard to figure out the problem.

As you can see from the screenshot below, AD connectivity works without an issue, but I still feel that something is not correct in my configuration.




Any other thing that you find wrong please let me know.

Thanks,
Rahul





Rahul Saxena

Apr 23, 2018, 10:38:07 PM
to rundeck...@googlegroups.com, Alex Honor, edu...@rundeck.com
Hi Team,

Any suggestions?

Thanks,
Rahul


Rahul Saxena

Apr 24, 2018, 1:22:27 PM
to rundeck-discuss
I am attaching the files as requested.
admin.aclpolicy
jaas-ldap.conf
web.xml

Rahul Saxena

Apr 24, 2018, 1:23:37 PM
to rundeck-discuss
Since it couldn't attach the profile.bat file I am sharing the details of that file.

set RDECK_BASE=C:\rundeck

set JAVA_HOME=c:\Program Files\Java\jre1.8.0_71

:: Unsetting JRE_HOME to ensure there is no conflict with JAVA_HOME
(set JRE_HOME=)

set Path=%JAVA_HOME%\bin;%RDECK_BASE%\tools\bin;%Path%

set RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=%RDECK_BASE%\etc\truststore -Djavax.net.ssl.trustStoreType=jks -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
set RDECK_CLI_OPTS=-Xms64m -Xmx128m -Dloginmodule.conf.name=%RDECK_BASE%\server\config\jaas-ldap.conf  -Dloginmodule.name=ldap -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG
set RD_LIBDIR=%RDECK_BASE%\tools\lib

Thanks,
Rahul

edu...@rundeck.com

Apr 24, 2018, 1:29:30 PM
to rundeck-discuss
Hi Rahul,

Got them, Thank you! I'll test locally your settings as agreed and let you know the results!

Eduardo Carrasco

edu...@rundeck.com

Apr 24, 2018, 10:11:43 PM
to rundeck-discuss
Hi Rahul,

After checking the configuration files, it may be best for you to follow this route:

If you continue to use the start_rundeck.bat file to launch rundeck, please modify your profile.bat  line:

set RDECK_CLI_OPTS=-Xms64m -Xmx128m -Dloginmodule.conf.name=%RDECK_BASE%\server\config\jaas-ldap.conf  -Dloginmodule.name=ldap -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG

to

set RDECK_CLI_OPTS=-Xms64m -Xmx128m -Dloginmodule.conf.name=jaas-ldap.conf  -Dloginmodule.name=ldap -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG

that will load the jaas-ldap.conf you set in %RDECK_BASE%\server\config\ when you run start_rundeck.bat located in %RDECK_BASE% (C:\rundeck). 

Alternatively, you can use the following command to launch Rundeck directly, when located in $RDECK_BASE :

java -Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG -jar rundeck-launcher-2.10.8.jar --skipinstall -d var\logs\service.log  2>&1

Once Rundeck starts (you can check service.log in %RDECK_BASE%\var\logs\service.log for the output), please test with your current jaas-ldap.conf configuration; debug logs from the authentication module will be available in the service.log file. Furthermore, while reviewing that configuration I noticed a duplicated property:

supplementalRoles="user"

Albeit harmless, and due to the fact that I’m not completely certain what the current attributes set in your AD are, I would advise you to create a fresh AD login module configuration file in %RDECK_BASE%\server\config\, e.g. jaas-activedirectory.conf.

Please copy the default configuration from the AD template. Edit those properties to reflect your AD, verify that the credentials for the user set in “bindDn=” are sufficient, add supplementalRoles="user"  in order to avoid modifying your current web.xml file. 

You can then launch rundeck directly with  

java -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG -jar rundeck-launcher-2.10.8.jar --skipinstall -d var\logs\service.log  2>&1


Or by modifying your profile.bat file accordingly:

set RDECK_CLI_OPTS=-Xms64m -Xmx128m -Dloginmodule.conf.name=jaas-activedirectory.conf  -Dloginmodule.name=activedirectory -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG


Please keep in mind to remove -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG once your troubleshooting is completed, to avoid unnecessary logging.
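
Added example, not part of the post above or of Rundeck itself: a Python lint that parses a JAAS login file and the JVM option string and reports the problems raised in this thread (duplicated option, full path in loginmodule.conf.name, entry name mismatch, stray backslash, DEBUG left on), plus simple bind over ldap://, which sends passwords in cleartext. The sample config and option strings are constructed, and the function names are illustrative.

```python
import re

# Constructed sample modelled on the jaas-ldap.conf posted in this thread;
# host, DNs and password are placeholders.
SAMPLE_JAAS = """
ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://dc.example.net:389"
    bindDn="CN=svc,OU=Service,DC=example,DC=net"
    bindPassword="XXXXXXXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    supplementalRoles="user"
    nestedGroups="true"
    supplementalRoles="user";
};
"""

# Constructed JVM option strings. OPTS_BEFORE combines the problems raised in
# the thread; OPTS_AFTER is the corrected form once troubleshooting is over.
OPTS_BEFORE = (r"-Dloginmodule.conf.name=C:\rundeck\server\config\jaas-ldap.conf"
               r" \ -Dloginmodule.name=activedirectory"
               r" -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG")
OPTS_AFTER = "-Xms64m -Xmx128m -Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap"

ENTRY_RE = re.compile(r"([\w.-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Return {entry name: [(option, value), ...]}, keeping duplicates in order."""
    return {name: OPTION_RE.findall(body) for name, body in ENTRY_RE.findall(text)}


def lint_entry(name, options):
    """Check one login entry for duplicated options and unsafe settings."""
    findings, seen = [], {}
    for key, value in options:
        if key in seen:
            kind = "duplicate" if seen[key] == value else "conflicting"
            findings.append(f"{name}: {kind} option {key}")
        seen[key] = value
    url = seen.get("providerUrl", "")
    if url.lower().startswith("ldap://") and seen.get("authenticationMethod") == "simple":
        findings.append(f"{name}: simple bind over {url} is cleartext; use ldaps://")
    if seen.get("debug") == "true":
        findings.append(f"{name}: debug=true left enabled")
    return findings


def lint_jvm_opts(opts, entries):
    """Check the -D options against the parsed JAAS entries."""
    findings = []
    props = dict(re.findall(r"-D([\w.]+)=(\S+)", opts))
    conf = props.get("loginmodule.conf.name", "")
    # The thread's fix: give a bare file name, resolved under server\config.
    if "/" in conf or "\\" in conf or "%" in conf:
        findings.append(f"loginmodule.conf.name should be a bare file name, got {conf}")
    module = props.get("loginmodule.name")
    if module not in entries:
        findings.append(f"loginmodule.name={module} has no matching entry in the JAAS file")
    if re.search(r"\s\\\s", opts):
        findings.append("stray backslash between options")
    if props.get("com.dtolabs.rundeck.jetty.jaas.LEVEL") == "DEBUG":
        findings.append("JAAS DEBUG logging still enabled")
    return findings


if __name__ == "__main__":
    parsed = parse_jaas(SAMPLE_JAAS)
    for entry, opts in parsed.items():
        for finding in lint_entry(entry, opts):
            print(finding)
    for finding in lint_jvm_opts(OPTS_BEFORE, parsed):
        print(finding)
```
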

edu...@rundeck.com

Apr 24, 2018, 10:14:50 PM
to rundeck-discuss
Rahul,

Noticed I missed the link for the AD login module template : http://rundeck.org/docs/administration/authenticating-users.html#active-directory

Looking forward to your feedback!

Eduardo Carrasco

Rahul Saxena

Apr 25, 2018, 12:39:28 AM
to rundeck...@googlegroups.com
I configured my conf file after going through this link. I shared the file with you as well. Is there anything wrong in the configuration?

Thanks,
Rahul


Rahul Saxena

Apr 25, 2018, 1:07:41 AM
to rundeck-discuss
Sorry, I missed your earlier email. I will make the necessary changes you suggested and update you with the outcome.

Thanks,
Rahul



Rahul Saxena

Apr 25, 2018, 2:23:35 AM
to rundeck-discuss
Hi Eduardo,

After going through all the steps you shared, I managed to make LDAP work with Rundeck.  Thanks for all the help and support.

I have an issue though. If I start Rundeck as a Windows service I can't make LDAP authentication work, but if I execute the command below I can log in via my LDAP user:

java -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG -jar rundeck-launcher-2.10.8.jar --skipinstall -d var\logs\service.log  2>&1

Do you know what could have caused this?  I am still trying to figure this out, but in the meanwhile I am responding to your email.

Thanks,
Rahul

Rahul Saxena

Apr 25, 2018, 3:37:42 AM
to rundeck...@googlegroups.com
Hi Eduardo,

I figured out why I couldn't log in with LDAP when Rundeck was started as a Windows service. I was using a service account as the logon to start the Rundeck service and later realized that the service account was not there in AD. I changed the logon for the service to my user and now I can log in with my LDAP even when Rundeck was started as a Windows service.

Looks like i am good for now.

Once again many thanks for all your diligence and help. You are really awesome to work with.

Regards,
Rahul

edu...@rundeck.com

Apr 25, 2018, 1:43:48 PM
to rundeck-discuss
Hi Rahul,

Great News!

I'm glad you managed to work out the account issue in the end. Great working with you as well! 

Warmest regards and feel free to create a new topic if you have any other questions.

Eduardo Carrasco
 