jaas authentication for multiple groups in active directory


mezam

Mar 2, 2023, 11:29:56 AM
to rundeck-discuss
Hello,

I have the following jaas-ldap.conf file, which works:

multiauth {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://[redacted]"
    bindDn="CN=[redacted],OU=Service Accounts,OU=Admin Users and Groups,[redacted]"
    bindPassword="[redacted]"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Admin Users,OU=Admin Users and Groups,[redacted]"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Groups,OU=Admin Users and Groups,[redacted]"
    roleUsernameMemberAttribute="memberUid"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    nestedGroups="false"
    userLastNameAttribute="sn"
    userFirstNameAttribute="givenName"
    userEmailAttribute="mail"
    supplementalRoles="[redacted:ADgroupname]";

    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
    debug="true"
    file="E:/rundeck/server/config/realm.properties";
};

This configuration and AD group give access to one project. Now I have a second project, and I would like a second, different AD group to access it, so I have to ensure that their access is set properly. I appended the following new section to the file above:

multiauth_new {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://[redacted]"
    bindDn="CN=[redacted],OU=Service Accounts,OU=Admin Users and Groups,[redacted]"
    bindPassword="[redacted]"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Admin Users,OU=Admin Users and Groups,[redacted]"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Groups,OU=Admin Users and Groups,[redacted]"
    roleUsernameMemberAttribute="memberUid"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    nestedGroups="false"
    userLastNameAttribute="sn"
    userFirstNameAttribute="givenName"
    userEmailAttribute="mail"
    supplementalRoles="[redacted:ADgroupname2]";

};

It is identical to the first section, as the second group resides in exactly the same OU. The only difference is the new AD group name in the supplementalRoles field. Now the users in the second group are able to log in but see no jobs at all. The service log shows:
[2023-03-02T17:21:18,380] INFO  jaas.JettyCachingLdapLoginModule - Login attempts: 6, Hits: 0, Ratio: 0%.
[2023-03-02T17:21:18,380] DEBUG jaas.JettyCachingLdapLoginModule - Cache Miss for userT.
[2023-03-02T17:21:18,380] DEBUG jaas.JettyCachingLdapLoginModule - Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: OU=Admin Users,OU=Admin Users and Groups,[redacted]
[2023-03-02T17:21:18,380] DEBUG jaas.JettyCachingLdapLoginModule - Found user?: true
[2023-03-02T17:21:18,380] INFO  jaas.JettyCachingLdapLoginModule - Attempting authentication: CN=Comuzzi,OU=Admin Users,OU=Admin Users and Groups,[redacted]
[2023-03-02T17:21:18,427] DEBUG jaas.JettyCachingLdapLoginModule - JettyCachingLdapLoginModule: User 'userT' has roles: [redacted:ADgroupname]
[2023-03-02T17:21:18,427] DEBUG jaas.JettyCachingLdapLoginModule - Adding comuzzida set to expire: 1677774078427300000
[2023-03-02T17:21:18,443] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Set SecurityContextHolder to JaasAuthenticationToken [Principal=comuzzida, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=xxxxxxxxx, SessionId=node0ov7tdtmlafff36khxokz44b316], Granted Authorities=[Jaas Authority [[redacted:ADgroupname],[redacted:ADgroupname]]]]

For some reason he's getting mapped to the other AD group, and not the group he belongs to.
RD 4.8 WAR setup on Windows 2019.


rac...@rundeck.com

Mar 2, 2023, 11:44:56 AM
to rundeck-discuss
Hi Mezam,

How did you create the supplemental role? The docs definition says:

Comma-separated list of role names. All of the given role names will be automatically added to authenticated users. You can use this to provide a "default" role or roles for all users.

Greetings.
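The definition quoted above is the whole problem: supplementalRoles is not a group filter, it is a list of roles handed to every user the login module authenticates, so anyone in userBaseDn who logs in through the first context gets the first AD group name whether or not they are a member. The script below is an added example (not from this thread, not Rundeck's or Jetty's code) that parses a jaas-ldap.conf in the same format as the posted one, reports per login context which roles are granted unconditionally, and computes a user's effective role set as documented (real group membership plus supplementalRoles). The sample configuration, DNs, group names and the file path are constructed placeholders, and the parser only handles the double-quoted `key="value"` option syntax seen on the page.

```python
"""Audit a JAAS login-context file for roles granted to every authenticated user.

Added example for the rundeck-discuss thread above; not code from Rundeck or
Jetty. Assumes the option syntax seen in the posted jaas-ldap.conf
(one module class + control flag per stanza, then key="value" lines, ';' at
the end of each stanza, '};' closing the context).
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the same shape as the posted file. Hostnames, DNs,
# group names and paths are placeholders, not values from the thread.
SAMPLE_CONF = '''
multiauth {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule sufficient
    debug="true"
    providerUrl="ldaps://ldap.example.invalid"
    userBaseDn="OU=Admin Users,DC=example,DC=invalid"
    roleBaseDn="OU=Groups,DC=example,DC=invalid"
    roleMemberAttribute="member"
    roleNameAttribute="cn"
    nestedGroups="false"
    supplementalRoles="project_a_admins";

    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
    debug="true"
    file="/etc/rundeck/realm.properties";
};

multiauth_new {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule sufficient
    providerUrl="ldaps://ldap.example.invalid"
    supplementalRoles="project_b_admins,project_b_readers";
};
'''


@dataclass
class LoginModule:
    class_name: str
    flag: str                      # required / requisite / sufficient / optional
    options: dict = field(default_factory=dict)


@dataclass
class LoginContext:
    name: str
    modules: list = field(default_factory=list)


_CONTEXT_RE = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)
_HEADER_RE = re.compile(r'^([\w.$]+)\s+(required|requisite|sufficient|optional)\s*$', re.I)
_OPTION_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*;?\s*$')


def parse_jaas(text):
    """Return the login contexts found in a JAAS config file, in file order."""
    contexts = []
    for name, body in _CONTEXT_RE.findall(text):
        ctx = LoginContext(name)
        current = None
        for raw in body.splitlines():
            line = raw.strip()
            if not line:
                continue
            header = _HEADER_RE.match(line)
            if header:                       # new module stanza starts
                current = LoginModule(header.group(1), header.group(2).lower())
                ctx.modules.append(current)
                continue
            option = _OPTION_RE.match(line)
            if option and current is not None:
                current.options[option.group(1)] = option.group(2)
        contexts.append(ctx)
    return contexts


def unconditional_roles(ctx):
    """Roles every user authenticated by this context receives, regardless of
    LDAP group membership: the union of supplementalRoles over its modules."""
    roles = set()
    for mod in ctx.modules:
        raw = mod.options.get("supplementalRoles", "")
        roles.update(r.strip() for r in raw.split(",") if r.strip())
    return roles


def effective_roles(ctx, group_memberships):
    """A user's final role set per the quoted docs: the groups the directory
    reports for them plus the context's supplementalRoles."""
    return set(group_memberships) | unconditional_roles(ctx)


def audit(contexts):
    """List (context name, sorted roles) for every context that grants roles
    unconditionally; each entry is an authorization over-grant to review."""
    return [(ctx.name, sorted(unconditional_roles(ctx)))
            for ctx in contexts if unconditional_roles(ctx)]


if __name__ == "__main__":
    ctxs = parse_jaas(SAMPLE_CONF)
    for name, roles in audit(ctxs):
        print(f"{name}: every authenticated user also gets {roles}")
    # A member of project B's group logging in via the first context still
    # receives project A's role, which is the symptom described in the thread.
    print(sorted(effective_roles(ctxs[0], ["project_b_admins"])))
```

Running it shows that a user whose only real membership is project_b_admins still ends up with project_a_admins when authenticated through the first context. The practical consequence for a setup like the one above is that project-level separation cannot be enforced through supplementalRoles at all; leave it unset (or use it only for a genuinely universal default role) and let roleBaseDn/roleMemberAttribute resolve the user's real groups, then scope each project's ACL policy to the group that should reach it.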

mezam

Mar 2, 2023, 1:53:53 PM
to rundeck-discuss
OK, thanks, it was much simpler.