LDAP Authorization

Lauren McDonald

Jan 20, 2016, 2:38:36 PM
to rundeck-discuss
Hello,

I've been working through this for the past week or so, and I think I've hit every blog article and exhausted the topics mentioned on here. I'm able to authenticate using our corporate LDAP, but I am not able to use roles from our LDAP, or even have an external file with roles.

Here is our configuration example (obviously with some data masked): 

ldap {
      com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
          debug="true"
          contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
          providerUrl="LDAP://XXX"
          bindDn="XXX"
          bindPassword="XXX"
          authenticationMethod="simple"
          forceBindingLogin="true"
          forceBindingLoginUseRootContextForRoles="true"
          userBaseDn="ou=people,o=COMPANY"
          userRdnAttribute="cn"
          userIdAttribute="cn"
          userPasswordAttribute="unicodePwd"
          userObjectClass="user"
          roleBaseDn="ou=people,o=COMPANY"
          roleNameAttribute="cn"
          roleUsernameMemberAttribute="memberOf"
          roleMemberAttribute="memberOf"
          roleObjectClass="group"
          roleSearchSubtree="true"
          cacheDurationMillis="300000"
          supplementalRoles="user"
          reportStatistics="true"
          timeoutRead="10000"
          timeoutConnect="20000";
};

I am able to authenticate using my ldap credentials, but I only have the supplemental role "user". In ldap, my roles look similar to this:

cn=GROUPNAME1,ou=People,o=COMPANY
cn=GROUPNAME2,ou=People,o=COMPANY
cn=GROUPNAME3,ou=People,o=COMPANY

I am not changing the WEB-INF/web.xml file, though I have tried. That is still user:
        <security-role>
                <role-name>user</role-name>
        </security-role>

The LDAP group I would like to use (let's say, GROUPNAME1) does not have nested groups / members. 

I have also tried reading roles from a file, adding in (for example)

ignoreRoles="true"
storePass="true"
clearPass="true"
useFirstPass="false"
tryFirstPass="false"
supplementalRoles="upload,user";

org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
debug="true"
useFirstPass="true"
file="/opt/rundeck/server/config/realm.properties";

to the configuration file, but this does not work either.

Here is a sample from the server.log:
2016-01-20 14:29:54.018:INFO:cdrjj.JettyCachingLdapLoginModule:Login attempts: 1, Hits: 0, Ratio: 0%.
2016-01-20 14:29:54.020:DBUG:cdrjj.JettyCachingLdapLoginModule:Cache Miss for USER1.
2016-01-20 14:29:54.020:DBUG:cdrjj.JettyCachingLdapLoginModule:Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=people,o=COMPANY
2016-01-20 14:29:54.029:DBUG:cdrjj.JettyCachingLdapLoginModule:Found user?: true
2016-01-20 14:29:54.029:INFO:cdrjj.JettyCachingLdapLoginModule:Attempting authentication: cn=USER1,ou=People,o=COMPANY
2016-01-20 14:29:54.043:DBUG:cdrjj.JettyCachingLdapLoginModule:Using _rootContext for role lookup.
2016-01-20 14:29:54.047:DBUG:cdrjj.JettyCachingLdapLoginModule:JettyCachingLdapLoginModule: User 'USER1' has roles: [user]
2016-01-20 14:29:54.047:DBUG:cdrjj.JettyCachingLdapLoginModule:Adding USER1 set to expire: 1453318194047300000

Here is the output from rundeck.audit.log:
2016-01-20 14:29:55,852 - Evaluating Decision for: res<type:resource, kind:project> subject<Username:USER1Group:user> action<create> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: false:        No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)

2016-01-20 14:29:56,082 - Evaluating Decision for: res<type:resource, kind:system> subject<Username:USER1 Group:user> action<read> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: false:   No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)

Example admin.aclepolicy:
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: GROUPNAME1

---
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [GROUPNAME2]

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: admin



Any idea of what I could be missing? Questions to ask our corporate LDAP team? Other areas to troubleshoot? 

Thanks for your help!
Lauren



Lauren McDonald

Jan 20, 2016, 2:55:24 PM
to rundeck-discuss
Quick addition - I saw the post about JettyCombinedLdapLoginModule and now it works for file-based authorization, which at least allows us to start using rundeck in our organization. But I would still love some input on how to have it work with LDAP groups. Thanks!

Greg Schueler

Jan 20, 2016, 3:03:38 PM
to rundeck...@googlegroups.com
What kind of attributes do the group entries have?

The two properties `roleMemberAttribute` and `roleUsernameMemberAttribute` are mutually exclusive, with `roleUsernameMemberAttribute` taking precedence.

If a group entry has attributes like:

    memberOf: username

then use roleUsernameMemberAttribute.  

If it is using a DN:

    memberOf: CN=username,ou=people,o=COMPANY

then you should use roleMemberAttribute.


Lauren Ward

Jan 20, 2016, 4:17:05 PM
to rundeck...@googlegroups.com
Thanks for the quick response! I tried removing roleUserNameMemberAttribute from the config, since the group entries use the full DN, but it still is not recognizing any roles from LDAP. 




Kris Musard

Jan 21, 2016, 3:46:12 PM
to rundeck-discuss
Have you tried

roleMemberAttribute="member"

instead of

roleMemberAttribute="member"

It is my understanding that "memberOf" is implementation specific and may or may not exist depending on which LDAP server you are using.  The "member" attribute is defined in RFC 4519: https://tools.ietf.org/html/rfc4519#section-2.17
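
An added example (not part of any post here and not Rundeck's code) illustrating the points made by Greg and Kris: it models the group search as `(&(objectClass=<roleObjectClass>)(<attr>=<value>))`, with `roleUsernameMemberAttribute` taking precedence as described above. The filter shape for roles is assumed to match the user filter in the server.log excerpt, and the directory entries (`USER2`, `GROUPNAME4`, the `ou=Groups` branch) are constructed.

```python
# Added illustration, not Rundeck source. Directory entries are constructed,
# modelled on the masked DNs quoted in this thread.
USER_DN = "cn=USER1,ou=People,o=COMPANY"
DIRECTORY = [
    {"dn": USER_DN, "objectClass": ["user"], "cn": ["USER1"],
     "memberOf": ["cn=GROUPNAME1,ou=People,o=COMPANY"]},  # memberOf is on the USER
    {"dn": "cn=GROUPNAME1,ou=People,o=COMPANY", "objectClass": ["group"],
     "cn": ["GROUPNAME1"], "member": [USER_DN]},
    {"dn": "cn=GROUPNAME2,ou=People,o=COMPANY", "objectClass": ["group"],
     "cn": ["GROUPNAME2"], "member": ["cn=USER2,ou=People,o=COMPANY"]},
    {"dn": "cn=GROUPNAME3,ou=Groups,o=COMPANY",
     "objectClass": ["groupOfUniqueNames"], "cn": ["GROUPNAME3"],
     "uniqueMember": [USER_DN]},
    {"dn": "cn=GROUPNAME4,ou=Groups,o=COMPANY", "objectClass": ["posixGroup"],
     "cn": ["GROUPNAME4"], "memberUid": ["USER1"]},
]

# Role-related settings only; ORIGINAL mirrors the first post's configuration.
ORIGINAL = {"roleBaseDn": "ou=people,o=COMPANY", "roleNameAttribute": "cn",
            "roleObjectClass": "group", "roleMemberAttribute": "memberOf",
            "roleUsernameMemberAttribute": "memberOf"}
DN_ONLY = dict(ORIGINAL, roleUsernameMemberAttribute=None)
MEMBER = dict(DN_ONLY, roleMemberAttribute="member")
UNIQUE = dict(DN_ONLY, roleBaseDn="ou=Groups,o=COMPANY",
              roleObjectClass="groupOfUniqueNames",
              roleMemberAttribute="uniqueMember")
BY_NAME = dict(UNIQUE, roleObjectClass="posixGroup",
               roleUsernameMemberAttribute="memberUid")


def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def effective_role_filter(cfg, username, user_dn):
    """Return (attribute, value, filter) that the role search would use."""
    attr = cfg.get("roleUsernameMemberAttribute")
    value = username                      # username-valued membership wins
    if not attr:
        attr, value = cfg["roleMemberAttribute"], user_dn
    flt = "(&(objectClass=%s)(%s=%s))" % (
        cfg["roleObjectClass"], attr, escape_filter_value(value))
    return attr, value, flt


def search_roles(directory, cfg, username, user_dn):
    """Evaluate the role filter against the in-memory directory (subtree scope)."""
    attr, value, _ = effective_role_filter(cfg, username, user_dn)
    base = cfg["roleBaseDn"].lower()
    roles = []
    for entry in directory:
        dn = entry["dn"].lower()
        if dn != base and not dn.endswith("," + base):
            continue                      # outside roleBaseDn
        attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if cfg["roleObjectClass"].lower() not in classes:
            continue                      # wrong roleObjectClass
        members = [m.lower() for m in attrs.get(attr.lower(), [])]
        if value.lower() in members:
            roles.extend(attrs.get(cfg["roleNameAttribute"].lower(), []))
    return sorted(roles)


if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL), ("dn-only", DN_ONLY),
                      ("member", MEMBER), ("uniqueMember", UNIQUE),
                      ("memberUid", BY_NAME)]:
        flt = effective_role_filter(cfg, "USER1", USER_DN)[2]
        print(name, flt, search_roles(DIRECTORY, cfg, "USER1", USER_DN))
```

The printed filter is the string to hand to the directory team or to run by hand against the real server with the bind account, to see which group entries it actually returns.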

Sachin Jadhav

Jun 9, 2016, 11:23:25 AM
to rundeck-discuss

Hi Lauren,

I am getting a similar kind of issue. Can you please share how you fixed it?
 

Thanks & Regards,
Sachin Jadhav

Lauren McDonald

Jun 9, 2016, 11:25:27 AM
to rundeck-discuss
We were never able to fix it. I tried every variable I could think of and it never worked. We just use LDAP for authentication for the moment, and build local groups in the acl file for authorization. :-( Sorry!

Darren K

Jun 18, 2016, 12:49:54 PM
to rundeck-discuss
How are the members mapped to your LDAP groups? Are the groups part of the user definition or part of the group definition?

In the LDAP directory I use, we have groups defined and users are added as part of the LDAP group config.  Our groups are defined as "cn=GROUPNAME1,ou=Groups,dc=domain,dc=domain".  The group object class is a "groupofuniquenames" and each name is listed as "uniquemember"

Here are the lines from my ldap config:

  roleBaseDn="ou=Groups,dc=domain,dc=domain"
  roleNameAttribute="cn"
  roleMemberAttribute="uniquemember"
  roleObjectClass="groupofuniquenames"
  supplementalRoles="user"

When people log in they are in the pseudo group "user" and also in all the other LDAP groups they are in. Then I have the acl config grant permissions based on the ldap group name.

I have not figured out how to do nested groups with my ldap setup though I suspect it might be the LDAP schema that I am using.

Hope this helps,

-Darren

Michael Jenulis

Jun 23, 2016, 7:58:14 PM
to rundeck-discuss
I have AD groups provisioning restricted access to Rundeck.  I have one admin.aclpolicy file for admins which is working fine.  I don't touch that one.  For an AD group to get execute (read, run and kill) to all jobs in a single project I have a separate policy file that looks like:

description: Operator Access to Single Project
context:
  application: rundeck
for:
  project:
    - allow: read 
      equals:
        name: MainProject
  storage:
    - allow: [read] 
by:
  group: CorpGroup # Case sensitive
  
---

description: execute access to single project
context:
  project: MainProject
for:
  job:
  - allow: [read, run, kill]
  resource:
    - allow: [read] 
  node:
    - allow: [read,run] 
by:
  group: CorpGroup  # Case sensitive

---

For each group, I need to set permissions at the application and project context.  

Mike

Dwayne Kuan

Jun 24, 2016, 1:27:32 PM
to rundeck-discuss
Lauren, I have been looking for a solution to the same problem. As far as I can tell, I haven't seen anyone posting a solution to this, and I mean true role differentiation. What most people seem to post is the usage of the supplementalRoles parameter, which isn't a solution because it assigns an all-purpose role to every ID rather than matching up IDs with specific roles and permissions. How did you manage to use file-based authorization with LDAP? I never managed to get that to work. Very frustrated with this whole thing.

MaayanA

Jun 28, 2016, 5:16:32 AM
to rundeck-discuss
Hi all,

I hope I understood your problem correctly.
I've managed to authenticate with LDAP (in my case Active Directory) and set permissions per groups in my AD.
Attached a procedure of how to authenticate with AD and set permissions.
Please note keys like "userRdnAttribute" might require different values if you're authenticating with different LDAP than AD.
Also - you might need to restart rundeck service to apply configuration.

Please let me know if it worked for you.
Integrate Rundeck with AD - Copy.docx

Willem D'Haese

Jun 28, 2016, 11:22:50 AM
to rundeck-discuss
MaayanA,

I have tried your procedure, but I'm stuck now. I created the group L_APPL_RunDeck_Admins. When my user logs in, I get:

2016-06-28 17:17:37.976:WARN:cdrjj.JettyCachingLdapLoginModule:JettyCachingLdapLoginModule: User 'myuser' has no role membership; role query configuration may be incorrect

I have tried to add

        <security-role>
                <role-name>L_APPL_RunDeck_Admins</role-name>
        </security-role>

after

        <security-role>
                <role-name>user</role-name>
        </security-role>

And also tried replacing it but I keep getting that error.

My admin.aclpolicy looks like this:

description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: admin

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: admin

---

context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*'
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: L_APPL_RunDeck_Admins

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: L_APPL_RunDeck_Admins


Thanks for any advice you can give me.


Willem

Maayan Apelboim

Jun 28, 2016, 11:40:16 AM
to rundeck...@googlegroups.com
No need to replace it.
My web.xml looks like this:
        <security-role>
                <role-name>user</role-name>
        </security-role>
        <security-role>
                <role-name>Group1</role-name>
        </security-role>
        <security-role>
                <role-name>Group2</role-name>
        </security-role>

Make sure "myuser" is in your group "L_APPL_RunDeck_Admins" (you said you created the user, but you didn't mention if you added it to the group or not...)

I assume rundeck can support multiple permission sets in one file, but I used different files per different permission sets, so I don't know if the problem is you're using 2 sets of permissions in one file or not...
You can try deleting the permissions sections of "L_APPL_RunDeck_Admins" from your admin aclpolicy and use this convention instead (note the bold line), although I removed admin completely:
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: [read] # allow create of projects
  project:
    - allow: [read] # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: [L_APPL_RunDeck_Admins,admin]

or replace group:admin with group: L_APPL_RunDeck_Admins

You will need to restart rundeck service as well...





Willem D'Haese

Jun 28, 2016, 11:41:29 AM
to rundeck-discuss
Ok, seems I got it working for one AD group! :) My group dn in /etc/rundeck/jaas-AD.conf was a bit wrong. :)
Now on to the next group. Cheerz all!

Lauren Ward

Feb 23, 2017, 2:29:17 PM
to rundeck-discuss
Hi all,

Back over a year later working on this again. We had some success this morning of retrieving the roles from ldap, FINALLY. The key difference was confirming with the enterprise ldap architect on our query parameters, and setting forceBindingLoginUseRootContextForRoles = true. We actually did NOT have to update web.xml for it to recognize the groups either. We tested this in a non-prod LDAP instance with just 3 users and 2 groups. Rundeck recognized both groups regardless if they were set up in web.xml or in an acl policy. 

Here is where I'm running into an issue now. When connecting to production LDAP, I believe this component is getting overwhelmed. It takes probably 5+ seconds for the login to process, and in the logs for debug mode for the jetty component, I can see it is taking a long time waiting for the return of the roles. In production, looking up my username, I have over 100 role memberships for applications across the enterprise. It only ends up returning 2-3 roles, always the same ones, and sometimes 2 and sometimes 3. Example (I changed the actual  names of the roles it returned):

2017-02-23 11:00:22.502:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-13: Using _rootContext for role lookup.
2017-02-23 11:00:43.474:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-13: JettyCachingLdapLoginModule: User 'kon9654' has roles: [role1, role2]

2017-02-23 10:57:42.282:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-15: Using _rootContext for role lookup.
2017-02-23 10:58:00.506:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-15: JettyCachingLdapLoginModule: User 'kon9654' has roles: [role3, role1, role2]

I obviously don't need rundeck to return everything just for the few roles that may be relevant to the application anyways. I could see if the ldap team would entertain setting up a specific OU for rundeck. However, why is rundeck not returning all the ldap roles? Why is it taking so long to return and process? (see time stamps). 

Again, I did NOT need to modify web.xml for it to recognize the groups it does acknowledge from ldap. Once I set up an acl policy with the group name, it worked just fine. It shows all the groups I belong to when I view my profile (another reason why I don't need rundeck retrieving 100+ roles...)

Thoughts?
Thanks!
Lauren
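
An added example (not part of the post above and not Rundeck code) that measures what the post describes: it pairs each "Using _rootContext for role lookup." line with the following "has roles" line on the same Jetty thread, reports the elapsed time, and lists roles that appear in only some logins of the same user. The log lines are copied from this thread; the `qtp…` thread-name pattern and the 5-second threshold are assumptions.

```python
import re
from datetime import datetime

# Log lines copied from the posts in this thread (names already masked there).
SAMPLE_LOG = """\
2016-01-20 14:29:54.043:DBUG:cdrjj.JettyCachingLdapLoginModule:Using _rootContext for role lookup.
2016-01-20 14:29:54.047:DBUG:cdrjj.JettyCachingLdapLoginModule:JettyCachingLdapLoginModule: User 'USER1' has roles: [user]
2017-02-23 11:00:22.502:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-13: Using _rootContext for role lookup.
2017-02-23 11:00:43.474:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-13: JettyCachingLdapLoginModule: User 'kon9654' has roles: [role1, role2]
2017-02-23 10:57:42.282:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-15: Using _rootContext for role lookup.
2017-02-23 10:58:00.506:DBUG:cdrjj.JettyCachingLdapLoginModule:qtp809466180-15: JettyCachingLdapLoginModule: User 'kon9654' has roles: [role3, role1, role2]
"""

# Timestamp, level, logger, optional Jetty thread name (assumed "qtp..."), message.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}):[A-Z]+:"
    r"cdrjj\.JettyCachingLdapLoginModule:(?:(?P<thread>qtp[\w-]+): )?(?P<msg>.*)$")
ROLES = re.compile(r"User '([^']*)' has roles: \[(.*)\]")


def role_lookups(log_text):
    """Return one record per completed role lookup: user, seconds, roles."""
    started = {}   # thread name -> time the lookup began
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        # Older log format has no thread name; concurrent logins would then
        # share the "-" key and could be paired incorrectly.
        thread = m.group("thread") or "-"
        if "Using _rootContext for role lookup" in m.group("msg"):
            started[thread] = ts
            continue
        found = ROLES.search(m.group("msg"))
        if found and thread in started:
            begin = started.pop(thread)
            roles = frozenset(
                r.strip() for r in found.group(2).split(",") if r.strip())
            results.append({
                "user": found.group(1),
                "seconds": round((ts - begin).total_seconds(), 3),
                "roles": roles,
            })
    return results


def slow_lookups(results, threshold=5.0):
    """Lookups slower than the threshold (seconds)."""
    return [r for r in results if r["seconds"] > threshold]


def unstable_roles(results):
    """Per user, roles returned in some logins but not in all of them."""
    by_user = {}
    for r in results:
        by_user.setdefault(r["user"], []).append(r["roles"])
    out = {}
    for user, sets in by_user.items():
        flapping = frozenset.union(*sets) - frozenset.intersection(*sets)
        if flapping:
            out[user] = sorted(flapping)
    return out


if __name__ == "__main__":
    found = role_lookups(SAMPLE_LOG)
    for r in found:
        print(r["user"], r["seconds"], sorted(r["roles"]))
    print("slow:", len(slow_lookups(found)), "unstable:", unstable_roles(found))
```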

vivek....@gmail.com

Nov 8, 2017, 11:10:17 AM
to rundeck-discuss

Finally, after a long time, I found the solution and what actually was causing the issue.

While creating groups in LDAP, OU=groups cn=rundeck-roles,
create the "cn" entry as groupOfUniqueNames, not as group.

After creating the cn entry with the groupOfUniqueNames object class, change the Jaas-ldap.conf configuration to

roleBaseDn="ou=Groups,dc=dev,dc=san,dc=com" -
roleNameAttribute="cn"-this is correct
roleMemberAttribute="memberUid" -change to "uniqueMember"
roleObjectClass="posixGroup"- change to "groupOfUniqueMember"

changing the object class and entry to groupOfUniqueMember adds "dn" to roleMemberAttribute in to add groups to user in LDAP

Hope this helps others to resolve the issue

daas...@gmail.com

Jan 9, 2019, 3:23:35 PM
to rundeck-discuss
Please can someone help to determine what's going wrong here?

I want to provide rundeck project access using AD (ldap) groups. This setup was done by reading various posts on this topic.

So far ldap users are able to log in to rundeck but do not get any roles associated with it, i.e. they get "You have no authorized access to projects.
Contact your administrator. (User roles: )"

Audit log 

Evaluating Decision for: res<name:Project_test, type:project> subject<Username:myldapaduser> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
20

service log 
ailsUsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.jaas.JaasAuthenticationToken@20cc4f58: Principal: myldapaduser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 192.168.1.6; SessionId: node09rri74jnzisjsyswsnha887x8; Not granted any authorities


I am using rundeck --> 3.0.11.20181221-1.201

config files 

jaas-ad.conf 

ad {

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
    debug="true"
    file="/etc/rundeck/realm.properties"
    refreshInterval="60"
    caseInsensitive="true";

  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://{ldaphost}:389"
    bindDn="cn={authuserforsvc},ou={},dc={},dc={}"
    bindPassword="{bindit}"
    authenticationMethod="simple"
    forceBindingLogin="true"
    forceBindingLoginUseRootContextForRoles="true"
    userBaseDn="dc={},dc={}"
    userRdnAttribute="cn"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="dc={},dc={}"
    roleNameAttribute="cn"
    roleMemberAttribute="uniqueMember"
    roleUsernameMemberAttribute="uniqueMember"
    roleObjectClass="group"
    cacheDurationMillis="30000"
    reportStatistics="true"
    timeoutRead="10000"
    timeoutConnect="20000"
    nestedGroups="true"
    storePass="true";
};


snippet from profile 

RDECK_JVM="-Drundeck.jaaslogin=$JAAS_LOGIN \
           -Djava.security.auth.login.config=/etc/rundeck/jaas-ad.conf \
           -Dloginmodule.name=ad \
           -Drdeck.config=$RDECK_CONFIG \
           -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
           -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
           -Drundeck.server.serverDir=$RDECK_INSTALL \
           -Drdeck.projects=$RDECK_PROJECTS \
           -Drdeck.runlogs=$RUNDECK_LOGDIR \
           -Drundeck.config.location=$RDECK_CONFIG_FILE \
           -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
           -Drundeck.server.workDir=$RUNDECK_WORKDIR \
           -Dserver.http.port=$RDECK_HTTP_PORT \
           -Drdeck.base=$RDECK_BASE"


Admin acl for ldap; rundeck-users-group-in-ad is the group I want to use for user authentication.


description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [rundeck-users-group-in-ad]


---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: [rundeck-users-group-in-ad]



How can I map the AD group with the projects? If I use supplementalRoles="user" then the ldap user only gets the user role and nothing else.

I did try the settings recommended by Vivek but got the same results.
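
An added example (not part of any post here and not Rundeck code): a parser for the `Evaluating Decision` audit-log lines quoted in this thread that separates the two failure modes discussed, a subject carrying no directory groups at all (only a supplemental role such as `user`, or none) versus a subject that has directory groups but no policy matching in that context. The first three lines are copied from the thread; the fourth, the repeated `Group:` layout for several groups, and the finding labels are constructed assumptions.

```python
import re

SAMPLE_LINES = [
    # Copied from the posts above (runs of spaces trimmed).
    "2016-01-20 14:29:55,852 - Evaluating Decision for: res<type:resource, kind:project> subject<Username:USER1Group:user> action<create> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)",
    "2016-01-20 14:29:56,082 - Evaluating Decision for: res<type:resource, kind:system> subject<Username:USER1 Group:user> action<read> env<http://dtolabs.com/rundeck/env/application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)",
    "Evaluating Decision for: res<name:Project_test, type:project> subject<Username:myldapaduser> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)",
    # Constructed line: a user whose directory group did resolve.
    "Evaluating Decision for: res<type:job> subject<Username:USER2 Group:user Group:CorpGroup> action<run> env<rundeck:auth:env:project:MainProject>: authorized: false: No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)",
]

DECISION = re.compile(
    r"Evaluating Decision for: res<(?P<res>[^>]*)> subject<(?P<subject>[^>]*)> "
    r"action<(?P<action>[^>]*)> env<(?P<env>[^>]*)>: "
    r"authorized: (?P<ok>true|false)(?P<detail>.*)$")


def parse_subject(subject):
    """Split 'Username:X Group:a Group:b' (with or without spaces)."""
    parts = subject.split("Group:")
    name = parts[0].replace("Username:", "", 1).strip()
    groups = [p.strip() for p in parts[1:] if p.strip()]
    return name, groups


def diagnose(lines, supplemental=("user",)):
    """Summarise denied decisions per user and classify the likely cause."""
    users = {}
    for line in lines:
        m = DECISION.search(line)
        if not m or m.group("ok") == "true":
            continue
        name, groups = parse_subject(m.group("subject"))
        code = re.search(r"=> ([A-Z_]+)", m.group("detail"))
        ctx = re.search(r"(application|project):([^:/]+)$", m.group("env"))
        entry = users.setdefault(name, {"groups": set(), "denied": []})
        entry["groups"].update(groups)
        entry["denied"].append((ctx.group(1) if ctx else "?",
                                m.group("action"),
                                code.group(1) if code else "?"))
    for entry in users.values():
        # Groups left after removing supplementalRoles came from the directory.
        if entry["groups"] - set(supplemental):
            # Roles resolved: look for a missing 'by: group' policy in the
            # denied context (application and project are separate contexts).
            entry["finding"] = "NO_MATCHING_POLICY"
        else:
            # Nothing from LDAP: fix the JAAS role search before editing ACLs.
            entry["finding"] = "NO_DIRECTORY_ROLES"
    return users


if __name__ == "__main__":
    for user, info in diagnose(SAMPLE_LINES).items():
        print(user, sorted(info["groups"]), info["finding"], info["denied"])
```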

rac...@rundeck.com

Jan 10, 2019, 4:21:45 PM
to rundeck-discuss
Hi Kaushal,

Right now some tips about configuring Rundeck may look old. For example, to avoid upgrade problems it is better to create or edit the /etc/sysconfig/rundeckd file (/etc/default/rundeckd on Debian-based distros) instead of editing /etc/rundeck/profile directly.

To configure Rundeck with AD you can see this:


Maybe this is useful for your issue:


Hope it helps!

Kaushal

Jan 15, 2019, 10:55:13 AM
to rundeck-discuss
Hi Racuna, 

Thanks for the links. Where can I find more information on what should go in the /etc/sysconfig/rundeckd file?

Update on the LDAP configuration.

I was able to get ldap working with the following settings:

multipleauth {

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
    file="/etc/rundeck/realm.properties"
    refreshInterval="60"
    caseInsensitive="true";

  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://{}:389"
    bindDn="cn={},ou={},ou={},dc={}"
    bindPassword="{}"
    authenticationMethod="simple"
    forceBindingLogin="true"
    forceBindingLoginUseRootContextForRoles="true"
    userBaseDn="dc={},dc={}"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="dc={},dc={}"
    roleNameAttribute="sAMAccountName"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="30000"
    reportStatistics="true"
    timeoutRead="10000"
    timeoutConnect="20000"
    nestedGroups="true"
    supplementalRoles="user"
    storePass="true";
};



Thanks,
Kaushal. 

rac...@rundeck.com

Jan 15, 2019, 12:22:18 PM
to rundeck-discuss
Hi Kaushal,

In the Multiauth/LDAP configuration link you have an explanation about how to set up rundeckd file:

http://timothyfitz.com/2009/02/09/what-webhooks-are-and-why-you-should-care/ (see the line "Declare RDECK_JVM_OPTS in /etc/sysconfig/rundeckd (rpm) or /etc/default/rundeckd (deb):").

Basically, the idea is to pass JVM parameters to this file instead of using the /etc/rundeck/profile file, to avoid problems in case you want to upgrade Rundeck.

Hope it helps!

rac...@rundeck.com

Jan 15, 2019, 2:02:55 PM
to rundeck-discuss
Hi Kaushal,


Regards!

MaayanA

Jan 16, 2019, 4:27:11 AM
to rundeck-discuss
After upgrade from 2.X to 3.X I needed to do the following changes:
1. replace my old profile file with the new profile from 3.X
2. created file /etc/sysconfig/rundeckd with the following lines:
export JAAS_CONF=/path/to/jaas-AD.conf
export LOGIN_MODULE=AD 

web.xml file is not relevant anymore.

Kaushal

Jan 16, 2019, 9:52:57 AM
to rundeck...@googlegroups.com
Thanks Maayana, I will make these changes to my configuration.
