With AD server, LDAP: error code 49, data 52e, v1db1


Baron Von J

May 5, 2014, 12:42:55 PM
to rundeck...@googlegroups.com
I'm running RunDeck 2.1.0 and having issues authenticating to AD via LDAP.

The full error is:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1?]

I see this when I have the bind credentials configured and forceBindingLogin set to false. What I can't decipher is whether that means it can't bind, or that it can't authenticate the user logging in after successfully binding. If I take the bind credentials out and set forceBindingLogin to true, the server returns this error:

[LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1];

So I'm fairly certain I'm on the right track with setting up binding credentials and forceBindingLogin set to false. In other services we use which bind to AD over LDAP, I generally only have to set the bind username and password, not an explicit bindDn. I've tried setting the bindDn with no OUs (cn=username,dc=example,dc=com), just the top-level OU (cn=username,ou=MyUnit,dc=example,dc=com), and all the OUs from the root to the user (cn=username,ou=MyUnit,ou=SubUnit1,ou=SubUnit2,dc=example,dc=com) with no impact on the error.

In those same services they have these two fields to configure

Search Base: ou=MyUnit,dc=example,dc=com
Search Filter: (&(sAMAccountName={0})(objectclass=person))

So in my jaas-activedirectory.conf I'm setting

    userBaseDn="ou=MyUnit,dc=example,dc=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="cn"
    userPasswordAttribute="unicodePwd"
    userObjectClass="person"
 
I've tried swapping the userRdnAttribute and userIdAttribute values with no effect. I've tried logging in with and without the domain (username vs domain\username). No effect. 

We've been able to configure Apache, Jenkins, SVN, FishEye, Tomcat, and several other OSS services to authenticate to the AD controllers, so I know the servers themselves are functional for LDAP binding/authentication like this.
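An added decoder for the two diagnostics quoted in this post (example code, not from this thread or from Rundeck): it parses the bracketed text AD appends to the JNDI exception and maps the hex "data" field to the standard AD bind sub-codes, so a rejected bind (AcceptSecurityContext, 52e) can be told apart from an operation attempted before any bind succeeded.

```python
import re

# Standard Active Directory sub-codes carried in the hex "data NNN" field of an
# LDAP error 49 (invalidCredentials) response; 52e is the one seen in this thread.
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password, or the bind DN does not exist)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

# Shape of the diagnostic AD appends to the JNDI exception text:
# "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: <text>, data 52e, v1db1]"
_LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - [0-9A-Fa-f]+: LdapErr: DSID-[0-9A-Fa-f]+, "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v[0-9A-Fa-f]+"
)

def decode_ad_ldap_error(message: str) -> dict:
    """Parse an AD LDAP diagnostic string and report which step failed and why."""
    m = _LDAP_ERR.search(message)
    if m is None:
        raise ValueError("no AD LDAP diagnostic found in message")
    code = int(m.group("code"))
    data = int(m.group("data"), 16)  # the data field is hexadecimal
    comment = m.group("comment")
    if code == 49:
        # "AcceptSecurityContext error" means the bind request itself was rejected, so
        # the DN/password pair sent in that bind (here bindDn/bindPassword) is at fault.
        phase = "bind" if "AcceptSecurityContext" in comment else "other"
        meaning = AD_BIND_SUBCODES.get(data, "unknown sub-code")
    elif code == 1:
        # operationsError: the request (e.g. the user search) went out on a connection
        # that has not completed a bind, which AD refuses for anonymous clients by default.
        phase, meaning = "unbound operation", comment
    else:
        phase, meaning = "other", comment
    return {"code": code, "data": data, "phase": phase, "meaning": meaning}

if __name__ == "__main__":
    # Sample input copied from the first message in this thread.
    print(decode_ad_ldap_error("javax.naming.AuthenticationException: [LDAP: error code 49 - "
                               "80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext "
                               "error, data 52e, v1db1?]"))
```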

Tony Feldmann

May 8, 2014, 10:05:08 AM
to rundeck...@googlegroups.com
This setup works for me.  Also make sure your CA is in the ssl/truststore.

com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://gcdsm.ad.mdp.com"
    bindDn="cn=username,ou=MyUnit,ou=SubUnit1,ou=SubUnit2,dc=example,dc=com"
    bindPassword="<password>"
    referrals="no"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="dc=example,dc=com"
    userRdnAttribute="cn"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userpassword"
    userObjectClass="person"
    roleBaseDn="dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="readonly";


--
You received this message because you are subscribed to the Google Groups "rundeck-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rundeck-discu...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Baron Von J

May 21, 2014, 12:02:44 PM
to rundeck...@googlegroups.com
Thanks for your example config, Tony. I still can't get the bind to work. Using jXplorer I copied/pasted the baseDn of the bind account into my conf file; that changes the error to this:

2014-05-21 09:59:02.051:INFO:cdrjj.JettyCachingLdapLoginModule:Login attempts: 1, Hits: 0, Ratio: 0%.
2014-05-21 09:59:03.546:WARN:oejpj.JAASLoginService:
javax.security.auth.login.LoginException: Login Failure: all modules ignored

Tony Feldmann

May 22, 2014, 5:06:50 PM
to rundeck...@googlegroups.com
Did you modify the user attributes to what I have in the config?  Can you send your whole config that is getting you the new error?

Baron Von J

May 23, 2014, 11:02:41 AM
to rundeck...@googlegroups.com
Current config:

activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://corp.example.com:389"
    bindDn="CN=CMLDAP,OU=Generic,OU=Functionals,OU=Americas - North,OU=HalUsers,dc=corp,dc=example,dc=com"
    bindPassword="secret"
    referrals="no"
    authenticationMethod="simple"
    forceBindingLogin="false"
    userBaseDn="dc=corp,dc=example,dc=com"
    userRdnAttribute="cn"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userpassword"
    userObjectClass="person"
    roleBaseDn="dc=corp,dc=example,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};

Note that I get the same errors whether I have an OU in the {user,role}BaseDN or not. Taking all the OU entries out of the bindDn puts me back to the original 49/52e/v1db1 error.

And RDECK_JVM in my /etc/rundeck/profile:

export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-activedirectory.conf \
        -Dloginmodule.name=activedirectory \
        -Drdeck.config=/etc/rundeck \
        -Drdeck.base=/var/lib/rundeck \
        -Drundeck.server.configDir=/etc/rundeck \
        -Dserver.datastore.path=/var/lib/rundeck/data \
        -Drundeck.server.serverDir=/var/lib/rundeck \
        -Drdeck.projects=/var/rundeck/projects \
        -Drdeck.runlogs=/var/lib/rundeck/logs \
        -Drundeck.config.location=/etc/rundeck/rundeck-config.properties \
        -Djava.io.tmpdir=$RUNDECK_TEMPDIR"
#
# Set min/max heap size
#
export RDECK_JVM="$RDECK_JVM -Xmx1024m -Xms256m -server"

Tony Feldmann

May 27, 2014, 5:26:27 PM
to rundeck...@googlegroups.com
The only difference I see is the forceBindingLogin on my config is set to true (that and I am using ldaps).  I also assume your bind account has the proper read/auth permissions.  What does the webpage show when you get the new error?

Baron Von J

May 28, 2014, 3:56:15 PM
to rundeck...@googlegroups.com
With the original bindDn setting, forceBindingLogin returned an error that I had to bind first. Now with the bindDn copied from jXplorer, setting forceBindingLogin to true seems to be the final piece. I now see in the service.log "Attempting authentication: ..." and it gives the full DN to my account in AD (including all the OUs not listed in the userBaseDn).

Now I am seeing this:


So I'm pretty sure it's binding and authenticating now! So thanks for your help!

I'll mull over these new issues and see if I can figure them out; if not, it will be a new post.

Tony Feldmann

May 29, 2014, 3:26:59 PM
to rundeck...@googlegroups.com
It was pretty simple for me, and another thing I found out is that you can use multiple roles with different groups.  Here is what I am doing in the web.xml:

<security-role>
    <role-name>Group name from AD under the role basedn set in config</role-name>
</security-role>
<security-role>
    <role-name>Group 2 name from AD under the role basedn set in config</role-name>
</security-role>

You can just use the group name; it doesn't need to be the full dn.

Note, you cannot use groups that have nested groups under them. That is another bug/feature request.

Azamat Khalilov

Jun 6, 2014, 2:40:59 PM
to rundeck...@googlegroups.com
You can avoid modifying web.xml if you use the improved version of the LDAP module:

https://groups.google.com/forum/#!topic/rundeck-discuss/CJ7BehbmQq0