RD 4.8 CE and Active Directory integration not working


mezam

Dec 22, 2022, 3:13:03 PM
to rundeck-discuss
Hello, I have installed RD 4.8 CE on a Windows 2019 server + MariaDB. The application is up and I can log in with the admin account. The service is Windows integrated.

I'm now trying to allow AD users to log in and perform activities. I haven't found much documentation on how to configure RD on Windows, so I'm grabbing from here and there. So far I have done the following:

Created a file called jass-multi-auth.conf in server/config/ folder as listed below:

<pre>multi-auth {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://xxxxxxxxxxx:636"
    bindDn="CN=xxxxxx,OU=Admin Users,OU=Admin Users and Groups,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    bindPassword="x$xx<x>xx"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Admin Users,OU=Admin Users and Groups,OU=xxx,DC=xxx,DC=xxx,DC=xxx"
    userRdnAttribute="cn"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userPassword"
    userObjectClass="userClass"
    roleBaseDn="OU=Groups,OU=Admin Users and Groups,OU=xxxx,DC=xxx,DC=xxx,DC=xxx"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    timeoutRead="10000"
    reportStatistics="true"
    supplementalRoles="user";

    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="E:/rundeck/server/config/realm.properties";
};</pre>

When I restart the rundeck service, the AD users are not recognized and no error at all is displayed in the log. I can however log in with the admin account. So to troubleshoot this I added:

java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-multi-auth.conf -Djava.security.auth.login.config=E:\rundeck\server\config\jaas-multi-auth.conf -Dloginmodule.name=multiauth -jar rundeck.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1

to the start-rundeck.bat file and in fact I see an error which is quite weird:

[2022-12-22T18:58:09,409] ERROR config.GrailsApplicationPostProcessor - Error loading spring/resources.groovy file: java.io.IOException: E:\rundeck\server\config\jaas-multi-auth.conf (No such file or directory)
java.lang.SecurityException: java.io.IOException: E:\rundeck\server\config\jaas-multi-auth.conf (No such file or directory)

The file is there 100%, the path is correct and permissions are set as on any other file in the same directory.
Also, I understand that I should not edit the profile file. But if in my case the rundeck service is Windows integrated, where shall I enter the line:

java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-multi-auth.conf -Djava.security.auth.login.config=E:\rundeck\server\config\jaas-multi-auth.conf -Dloginmodule.name=multiauth -jar rundeck.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1

to refer to the jass-multi-auth.conf file?

mezam

Dec 22, 2022, 4:58:40 PM
to rundeck-discuss
The tag <pre></pre> was just a try to format the code; it is not in the conf file.

mezam

Dec 22, 2022, 6:54:05 PM
to rundeck-discuss
I've tried all possible options viewed at https://docs.rundeck.com/docs/administration/security/authentication.html#multiple-authentication-modules. I've also tried --testauth but the error remains the same. Obviously the file is there, so for some reason it is not readable? Properly formatted? I can't find the reason.

rac...@rundeck.com

Dec 23, 2022, 7:42:31 AM
to rundeck-discuss
Hi!

Could you post the full profile.bat file so I can take a look? (Please omit any sensitive data.)

Regards!

rac...@rundeck.com

Dec 23, 2022, 8:18:52 AM
to rundeck-discuss

Alternatively, try with this launcher (bat):

java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-multiauth.conf -Dloginmodule.name=multiauth -jar rundeck-4.8.0-20221110.war

rac...@rundeck.com

Dec 23, 2022, 9:01:21 AM
to rundeck-discuss
Also, check my last comment in your StackOverflow question: your AD conf file is saved as "jass-multiauth.conf" but the launcher is looking for the "jaas-multiuath.conf" file (jass vs jaas). Check this carefully.

Hope it helps!
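
A preflight check for the mismatch found above, as an added example that is not part of the original thread or of Rundeck: it compares the launcher's -D flags with the files in the config directory and with the entry names inside the JAAS file. The function names, the directory listing and the abbreviated config body are constructed for illustration.

```python
import difflib
import re
from pathlib import PureWindowsPath

def jvm_props(launcher_line):
    """Collect -Dkey=value system properties from a java launcher line."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", launcher_line))

def jaas_entries(conf_text):
    """Names of the top-level 'name {' entries in a JAAS configuration."""
    return re.findall(r"^\s*([\w.-]+)\s*\{", conf_text, flags=re.MULTILINE)

def preflight(launcher_line, config_dir):
    """config_dir maps file name -> contents. Returns a list of findings."""
    props = jvm_props(launcher_line)
    wanted = props.get("loginmodule.conf.name")
    full = props.get("java.security.auth.login.config")
    # An explicit login.config path wins; otherwise fall back to conf.name.
    target = PureWindowsPath(full).name if full else wanted
    if not target:
        return ["launcher names no JAAS configuration file"]
    findings = []
    if wanted and target != wanted:
        findings.append(f"login.config names {target} but conf.name is {wanted}")
    if target not in config_dir:
        # Look for a near-miss on disk (e.g. jass vs jaas) to name in the finding.
        near = difflib.get_close_matches(target, list(config_dir), n=1, cutoff=0.8)
        findings.append(f"{target} not found" + (f"; closest on disk: {near[0]}" if near else ""))
        target = near[0] if near else None
    entry = props.get("loginmodule.name")
    if target and entry not in jaas_entries(config_dir[target]):
        findings.append(f"no JAAS entry '{entry}'; file defines {jaas_entries(config_dir[target])}")
    return findings

# Constructed sample data modelled on the thread: launcher flags as posted,
# a directory holding the misnamed file, and an abbreviated config body.
LAUNCHER = (r"java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-multi-auth.conf "
            r"-Djava.security.auth.login.config=E:\rundeck\server\config\jaas-multi-auth.conf "
            r"-Dloginmodule.name=multiauth -jar rundeck.war")
CONFIG_DIR = {
    "jass-multi-auth.conf": 'multi-auth {\n  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required\n  debug="true";\n};\n',
    "realm.properties": "",
}

if __name__ == "__main__":
    for finding in preflight(LAUNCHER, CONFIG_DIR):
        print("FINDING:", finding)
```

On the sample data it reports two findings: the file name the launcher asks for is not on disk, and the entry name passed as loginmodule.name is not defined in the file that is.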

mezam

Dec 23, 2022, 10:04:54 AM
to rundeck-discuss
Yes, I can't believe I missed such a typo... As I said on SO, I believe I need rest. Thanks anyway! By any chance would you have an answer to my second question?


where shall I enter the line:

java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-multi-auth.conf -Djava.security.auth.login.config=E:\rundeck\server\config\jaas-multi-auth.conf -Dloginmodule.name=multiauth -jar rundeck.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1

to refer to the jaas-multi-auth.conf file? Considering that on this Windows server I made the rundeck service Windows integrated, I would prefer to keep it that way rather than using a batch file to start/stop the service.

rac...@rundeck.com

Dec 23, 2022, 10:37:51 AM
to rundeck-discuss
Hi, you can use your launching script and install rundeck as a service using the nssm app.

Basically put the launching script on the "path" textbox.

Take a look at this.

Hope it helps!

mezam

Dec 23, 2022, 11:21:02 AM
to rundeck-discuss
many thanks again!