StartTLS support


JMAO

Jul 23, 2022, 9:24:37 PM7/23/22
to rundeck-discuss
Does anyone have a working configuration to let Rundeck authenticate an OpenLdap service enforcing startTLS?

I don't really see a direct or indirect way to configure. Thanks!

rac...@rundeck.com

Jul 25, 2022, 10:38:19 AM7/25/22
to rundeck-discuss

Hi!

Following this (and this) I tested using this example Docker image against Rundeck 4.4.0 and it works with a regular config:

To run the test LDAP STARTTLS container:

docker run --rm -p 10389:10389 -p 10636:10636 rroemhild/test-openldap

The Rundeck jaas-ldaps.conf file content:

ldaps {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
      # Connection section
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      # just for testing: I added the planetexpress.com name to /etc/hosts local file.
      providerUrl="ldaps://planetexpress.com:10636"
      bindDn="cn=admin,dc=planetexpress,dc=com"
      bindPassword="GoodNewsEveryone"
      authenticationMethod="simple"
      forceBindingLogin="true"

      # Users section
      userBaseDn="ou=people,dc=planetexpress,dc=com"
      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="inetOrgPerson"
      userLastNameAttribute="sn"
      userFirstNameAttribute="givenName"
      userEmailAttribute="mail"

      # Roles section
      # I added a "rdeck_roles" posixGroup on LDAP server using Apache Directory Studio
      # and then I added some users on that group :-)
      roleBaseDn="cn=rdeck_roles,dc=planetexpress,dc=com"
      roleNameAttribute="cn"
      roleUsernameMemberAttribute="memberUid"
      roleMemberAttribute="memberUid"
      roleObjectClass="posixGroup"
      cacheDurationMillis="300000"
      supplementalRoles="user"
      reportStatistics="true"
      timeoutRead="10000"
      timeoutConnect="20000"
      nestedGroups="false";
};

A war launcher (my test environment is under Rundeck SSL, take a look):

#!/bin/bash

# rundeck version
version=rundeck-4.4.0-20220714.war
path="/path/to/my/rundeck/war/server/config"
min=1024m
max=2048m

# rundeck ssl + ldaps starttls test docker container
java -server -Xms$min -Xmx$max -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-ldaps.conf -Dloginmodule.name=ldaps -Drundeck.ssl.config=$path/ssl.properties -jar $version

Regards!

JMAO

Jul 25, 2022, 11:01:56 AM7/25/22
to rundeck-discuss
First of all, thanks for looking into this. 

This sample looks like a demo showing that Rundeck supports LDAPS. If I understand correctly, to use LDAP with starttls, the client starts the initial conversation over the unencrypted port at ldap://LDAP_SERVER:389. Then the LDAP server and client will negotiate and start an encrypted channel using port 389.

My configuration looks like this. It does not work with LDAP but works with basic authentication with realm.properties.
multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      debug="true"
      providerUrl="ldap://LDAP_SERVER"
      useLdaps="false"
      useStartTLS="true"
      credentialConfig="{trustCertificates=file:/etc/ssl/certs/root_ca.pem}"
      bindDn="cn=ldap_binding_user,dc=company,dc=com"
      bindPassword="secret"
      authenticationMethod="simple"
      forceBindingLogin="true"
      userBaseDn="ou=people,dc=company,dc=com"
      userRdnAttribute="cn"
      userIdAttribute="cn"
      userPasswordAttribute="userPassword"
      userObjectClass="inetOrgPerson"
      userLastNameAttribute="sn"
      userFirstNameAttribute="givenName"
      userEmailAttribute="mail"
      roleBaseDn="dc=company,dc=com"
      roleNameAttribute="cn"
      roleMemberAttribute="uniqueMember"
      roleObjectClass="groupOfUniqueNames"
      supplementalRoles="admin, user";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      debug="true"
      file="/etc/rundeck/realm.properties";
};

The error is:
[2021-12-25T23:01:31,077] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Request is to process authentication
[2021-12-25T23:01:31,228] ERROR jaas.JettyCachingLdapLoginModule - Naming error
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 13 - TLS confidentiality required]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3250) ~[?:?]
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205) ~[?:?]

The same LDAP server with starttls works with openldap client running on the same Ubuntu server and other servers. It also supports other open source software we used in-house.

Not sure if this is helpful.

Thank you.
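As an added example (not from this thread and not Rundeck code), a stdlib-only Python probe for the StartTLS flow JMAO describes: it connects to the plaintext port, confirms that a bind in the clear is refused with LDAP result code 13 (the "TLS confidentiality required" seen in the log above), then issues the StartTLS extended operation and binds again over the upgraded channel. Host, port and cafile are placeholders, and it assumes the server applies its TLS requirement to anonymous binds too, so no credential ever has to be sent in the clear.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation
CONFIDENTIALITY_REQUIRED = 13              # resultCode behind "TLS confidentiality required"

def ber(tag, payload):
    """Encode one BER TLV with minimal length encoding."""
    n = len(payload)
    ln = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")      # big-endian length bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + payload

def starttls_request(msg_id=1):
    # LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x77, ber(0x80, STARTTLS_OID)))

def anonymous_bind_request(msg_id=2):
    # BindRequest [APPLICATION 0] { version 3, name "", simple [0] "" }: no secret on the wire
    auth = ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x60, auth))

def read_tlv(buf, pos=0):
    # Decode one BER TLV at pos; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_result(msg):
    """Return (protocolOp tag, resultCode, diagnosticMessage) from an LDAP response."""
    _, body, _ = read_tlv(msg)            # outer LDAPMessage SEQUENCE
    _, _, p = read_tlv(body)              # messageID
    op_tag, op, _ = read_tlv(body, p)     # BindResponse (0x61) or ExtendedResponse (0x78)
    _, code, p = read_tlv(op)             # resultCode ENUMERATED
    _, _, p = read_tlv(op, p)             # matchedDN
    _, diag, _ = read_tlv(op, p)          # diagnosticMessage
    return op_tag, int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def check_starttls_enforced(host, port=389, cafile=None, timeout=5.0):
    """True only if a plaintext bind is refused with code 13 and StartTLS then succeeds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(anonymous_bind_request())
        if parse_result(sock.recv(4096))[1] != CONFIDENTIALITY_REQUIRED:
            return False                  # server still accepts binds in the clear
        sock.sendall(starttls_request())
        if parse_result(sock.recv(4096))[1] != 0:
            return False                  # StartTLS not offered
        ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(anonymous_bind_request(3))
            return parse_result(tls.recv(4096))[1] == 0
```

Call `check_starttls_enforced("LDAP_SERVER", 389, "/etc/ssl/certs/root_ca.pem")` against the directory in question; a `False` result means either plaintext binds are still accepted or StartTLS cannot be negotiated, and the parse helpers can be pointed at a packet capture to read the exact result code.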

rac...@rundeck.com

Jul 25, 2022, 11:22:17 AM7/25/22
to rundeck-discuss
You're right, I tested using both (LDAP 389 and LDAPS 636, defined as 10389 and 10636) but I didn't use the useLdaps/useStartTLS/credentialConfig attributes.

Let me give a second look at the whole config.

Regards.

rac...@rundeck.com

Jul 25, 2022, 3:17:20 PM7/25/22
to rundeck-discuss
Hi!

After researching the config and the login module explanation, I think that my config only connects to the LDAP server using LDAP/LDAPS (not via StartTLS -_-), it seems that the module requires to be implemented explicitly in Rundeck.

The issue was opened here, sounds good for an enhancement.

Anyway, I'll keep researching this.

Greetings.

Jin Mao

Jul 25, 2022, 3:27:07 PM7/25/22
to rundeck...@googlegroups.com
Great, it will be nice to see this feature in a near-future release. It is kind of the commonly used way to configure an LDAP server now.

Thanks!
