rundeck & AD authentication

[Andi Causemaker]

Hello all.

I've been fighting with rundeck trying to get it to talk to AD for the better part of a day now, and it's refusing to cooperate.  I've found the documentation on rundeck's site, as well as numerous other sites, but my config refuses to work.   

Here is my configuration file (important bits have been obfuscated, of course):

/etc/rundeck/jaas-ldap.conf   :

ActiveDirectory {

com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required

debug="true"

contextFactory="com.sun.jndi.ldap.LdapCtxFactory"

providerUrl="ldap://<domaincontroller>:389"

bindDn="us...@domain.com"

bindPassword="password"

authenticationMethod="simple"

forceBindingLogin="true"

userBaseDn="ou=Managed_Objects,dc=domain,dc=com"

userRdnAttribute="sAMAccountName"

userIdAttribute="sAMAccountName"

userPasswordAttribute="unicodePwd"

userObjectClass="user"

roleBaseDn="ou=Managed_Objects,dc=domain,dc=com"

roleNameAttribute="cn"

roleMemberAttribute="member"

roleObjectClass="group"

cacheDurationMillis="300000"

reportStatistics="true";

};

if I do a packet capture on the domain controller, I see the authentication request come in, so it's *trying* to connect.  But I get errors in service.log as follows:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1?]

error 52e means invalid credentials, but I know for a fact that they are good, as I can log in with them on a workstation/server with no errors.  so I have a feeling my syntax is incorrect.  Can somebody help me out?  I've looked at this until my eyes are crossing :)

thanks!

[Fred Ellenberger]

Struggled a bit with this myself but ultimately got it working.

I don't think your bindDn is in the right format.   Here are my working settings for successful AD authentication.  You'll notice I have multiple authentication modes defined.

1. Rundeck File-based authentication (sufficient)
2. AD/LDAP (also supports pulling role membership info from AD) (required)
3. Supplemental Rundeck File-based role membership (required)

multiauth {

    org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule sufficient
      debug="true"
      file="/etc/rundeck/realm.properties";

    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://<server>:389"
    bindDn="CN=<user>,CN=Users,DC=ms,DC=domain,DC=com"

    bindPassword="<password>"
    authenticationMethod="simple"
    forceBindingLogin="true"

    userBaseDn="DC=ms,DC=domain,DC=com"

    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"

    roleBaseDn="DC=ms,DC=domain,DC=com"

    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"

    ignoreRoles="true"
    storePass="true"
    clearPass="true"
    useFirstPass="false"
    tryFirstPass="false"
    supplementalRoles="user";

    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
        debug="true"
        useFirstPass="true"
        file="/etc/rundeck/realm.properties";
};