No LoginModules configured for activedirectory

Krishna Chaitanya

Feb 4, 2020, 7:16:31 AM
to rundeck-discuss
Hi,

I am trying LDAP integration; below is my config. Not sure what is wrong.

/etc/rundeck/jaas-activedirectory.conf


activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://LDAP_SERVER:636"
    bindDn="CN=user_id,CN=myorg,DC=myorg,DC=myorg,DC=myorg,DC=myorg"
    bindPassword="pSpE8kCv<8$~*fNL"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="CN=myorg,DC=myorg,DC=myorg,DC=myorg,DC=myorg"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="CN=myorg,DC=myorg,DC=myorg,DC=myorg,DC=myorg"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};



/etc/rundeck/profile


RDECK_JVM="-Drundeck.jaaslogin=/etc/rundeck/jaas-activedirectory.conf \
           -Djava.security.auth.login.config=$JAAS_CONF \
           -Dloginmodule.name=activedirectory \
           -Drdeck.config=$RDECK_CONFIG \
           -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
           -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
           -Drundeck.server.serverDir=$RDECK_INSTALL \
           -Drdeck.projects=$RDECK_PROJECTS \
           -Drdeck.runlogs=$RUNDECK_LOGDIR \
           -Drundeck.config.location=$RDECK_CONFIG_FILE \
           -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
           -Drundeck.server.workDir=$RUNDECK_WORKDIR \
           -Dserver.http.port=$RDECK_HTTP_PORT \
           -Drdeck.base=$RDECK_BASE"


Created manually /var/lib/rundeck/exp/webapp/WEB-INF/web.xml

<security-role>
    <role-name>admin_group</role-name>
</security-role>
<security-role>
    <role-name>user_group</role-name>
</security-role>



Error:


[2020-02-04 12:05:03.679] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1289350700-39] Request is to process authentication

[2020-02-04 12:05:03.686] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1289350700-39] Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: No LoginModules configured for activedirectory


org.springframework.security.authentication.AuthenticationServiceException: No LoginModules configured for activedirectory

at org.springframework.security.authentication.jaas.DefaultLoginExceptionResolver.resolveException(DefaultLoginExceptionResolver.java:35)

at org.springframework.security.authentication.jaas.AbstractJaasAuthenticationProvider.authenticate(AbstractJaasAuthenticationProvider.java:217)

at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)

at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)

at grails.plugin.springsecurity.web.authentication.GrailsUsernamePasswordAuthenticationFilter.attemptAuthentication(GrailsUsernamePasswordAuthenticationFilter.groovy:53)

at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.groovy:64)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.groovy:58)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)

at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)

at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1591)

at org.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:77)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1591)

at org.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:67)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1591)

at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1591)

at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:96)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1591)

at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:103)

at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1591)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:542)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:536)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1581)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1307)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:482)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1549)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1204)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.server.Server.handle(Server.java:494)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:374)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:268)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)

at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)

at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:367)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:782)

at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:918)

at java.lang.Thread.run(Thread.java:748)

Caused by: javax.security.auth.login.LoginException: No LoginModules configured for activedirectory

at javax.security.auth.login.LoginContext.init(LoginContext.java:264)

at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512)

at org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider.createLoginContext(DefaultJaasAuthenticationProvider.java:110)

at org.springframework.security.authentication.jaas.AbstractJaasAuthenticationProvider.authenticate(AbstractJaasAuthenticationProvider.java:175)

... 58 common frames omitted


[2020-02-04 12:05:03.686] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1289350700-39] Updated SecurityContextHolder to contain null Authentication

[2020-02-04 12:05:03.686] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1289350700-39] Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@68b3de47

Reiner Acuña

Feb 4, 2020, 7:38:41 AM
to rundeck-discuss
Hi Krishna,

To complement the last thread message (https://groups.google.com/d/msg/rundeck-discuss/Wnj0MHsgV1U/JCSJgxm6AAAJ): as advice, don't edit the /etc/rundeck/profile file. You can edit/create the /etc/defaults/rundeckd file (DEB-based installation for Ubuntu/Debian) and /etc/sysconfig/rundeckd (RPM-based installation for CentOS/RedHat) to override the launch parameters. Please take a look at this:


I leave my AD configuration with my rundeckd file:

jaas-activedirectory.conf:

activedirectory {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
  debug="true"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"

  providerUrl="ldap://dc1.xxx.xxx.xxx:389"
  bindDn="cn=xxxx,ou=xxxxxxx,dc=xxx,dc=xxx,dc=xxx"
  bindPassword="password"
  authenticationMethod="simple"
  forceBindingLogin="true"
  userBaseDn="ou=people,dc=xxx,dc=xxx,dc=xxx"

  userRdnAttribute="sAMAccountName"
  userIdAttribute="sAMAccountName"
  userPasswordAttribute="unicodePwd"
  userObjectClass="user"

  roleBaseDn="ou=groups,dc=xxx,dc=xxx,dc=xxx"

  roleNameAttribute="cn"
  roleMemberAttribute="member"
  roleObjectClass="group"
  cacheDurationMillis="300000"
  reportStatistics="true"

  ignoreRoles="true"
  storePass="true"
  clearPass="true"
  useFirstPass="false"
  tryFirstPass="false";
};

rundeckd file:

RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
       -Djava.security.auth.login.config=/etc/rundeck/jaas-activedirectory.conf \
       -Dloginmodule.name=activedirectory"

Make sure that you're using -Drundeck.jaaslogin=true

You can learn more by checking the following link:


Hope it helps!

Krishna Chaitanya

Feb 5, 2020, 4:34:39 AM
to rundeck-discuss
Hi Reiner,

I followed the document and the video. Seems I was able to fix LDAP communication, but I am not able to log in with LDAP (default account works fine).

Below are the configs

/etc/rundeck/jaas-multi-auth.conf


multiauth {

  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://LDAP_SERVER:636"
    bindDn="CN=user,CN=myorg,DC=myorg,DC=myorg,DC=myorg,DC=myorg"
    bindPassword="secret"
    authenticationMethod="simple"
    forceBindingLogin="false"
    userBaseDn="CN=myorg,DC=myorg,DC=myorg,DC=myorg,DC=myorg"
    userRdnAttribute="uid"
    userIdAttribute="sAMAccountName={0}"
    userPasswordAttribute="userPassword"
    userObjectClass="userClass"
    roleBaseDn="CN=myorg,DC=myorg,DC=myorg,DC=myorg,DC=myorg"
    roleNameAttribute="cn"
    roleUsernameMemberAttribute="memberUid"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};



/etc/rundeck/profile


RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
           -Djava.security.auth.login.config=/etc/rundeck/jaas-multi-auth.conf \
           -Dloginmodule.name=multiauth \



Error:

[2020-02-05 09:26:47.211] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1139659498-73] Request is to process authentication

[2020-02-05 09:26:47.301]  INFO JettyCachingLdapLoginModule --- [tp1139659498-73] Login attempts: 2, Hits: 0, Ratio: 0%.

[2020-02-05 09:26:47.302] DEBUG JettyCachingLdapLoginModule --- [tp1139659498-73] Found user?: false

[2020-02-05 09:26:47.309] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1139659498-73] Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException


org.springframework.security.authentication.AuthenticationServiceException: null

Caused by: javax.security.auth.login.FailedLoginException: null

at org.eclipse.jetty.jaas.spi.AbstractLoginModule.login(AbstractLoginModule.java:258)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

at org.springframework.security.authentication.jaas.AbstractJaasAuthenticationProvider.authenticate(AbstractJaasAuthenticationProvider.java:180)

... 58 common frames omitted


[2020-02-05 09:26:47.310] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1139659498-73] Updated SecurityContextHolder to contain null Authentication

[2020-02-05 09:26:47.310] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [tp1139659498-73] Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@169d5567


Thanks

Krishna

Reiner Acuña

Feb 5, 2020, 8:18:28 AM
to rundeck-discuss
Hi Krishna,

Seems that the config file can't get the user (check the message: "Found user?: false").

Make sure that your config is pointing to the right user attribute in your AD tree (check your "userIdAttribute"). I leave my jaas-activedirectory.conf to compare (and adapt to your AD tree structure).

multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"

    providerUrl="ldap://dc1.xxx.xxx.xxx:389"
    bindDn="cn=xxxx,ou=xxxxxxx,dc=xxx,dc=xxx,dc=xxx"
    bindPassword="password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=people,dc=xxx,dc=xxx,dc=xxx"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="ou=groups,dc=xxx,dc=xxx,dc=xxx"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    ignoreRoles="true"
    storePass="true"
    clearPass="true"
    useFirstPass="false"
    tryFirstPass="false";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};

Hope it helps!

Krishna Chaitanya

Feb 5, 2020, 12:11:43 PM
to rundeck-discuss
Hi Reiner,

It worked. I made a mistake where I mentioned forceBindingLogin="false" in my config. After changing this to true, it's working as expected.

Thanks
Krishna

Reiner Acuña

Feb 5, 2020, 12:18:23 PM
to rundeck-discuss
Awesome Krishna!

Cheers!
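
The settings this thread turned on (-Drundeck.jaaslogin=true, a -Dloginmodule.name that matches a section in the JAAS file, and forceBindingLogin="true") can be checked before restarting Rundeck. The following is an added example, not part of any post above and not Rundeck code; parse_jaas, check and the sample inputs are constructed for illustration, and the forceBindingLogin check assumes an Active Directory backend as in this thread.

```python
import re

# Constructed inputs modelled on this thread (placeholder values, options trimmed).
JAAS_CONF = '''
multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    forceBindingLogin="false"
    userIdAttribute="sAMAccountName={0}";
  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    file="/etc/rundeck/realm.properties";
};
'''
JVM_OPTS = ('-Drundeck.jaaslogin=/etc/rundeck/jaas-multi-auth.conf '
            '-Dloginmodule.name=activedirectory')

def parse_jaas(text):
    """Parse JAAS text into {section: [(class, flag, {option: value})]}; quoted values are one token."""
    toks = re.findall(r'"[^"]*"|[{};=]|[^\s{};="]+', text)
    sections, i = {}, 0
    while i < len(toks):
        name, modules = toks[i], []
        i += 2                                   # skip section name and '{'
        while toks[i] != '}':
            cls, flag, opts = toks[i], toks[i + 1], {}
            i += 2
            while toks[i] != ';':                # key, '=', "value" triples
                opts[toks[i]] = toks[i + 2].strip('"')
                i += 3
            modules.append((cls, flag, opts))
            i += 1                               # skip ';' ending this module
        sections[name] = modules
        i += 2 if toks[i + 1:i + 2] == [';'] else 1  # skip '}' and its ';'
    return sections

def check(conf_text, jvm_opts):
    """Return findings for the misconfigurations discussed in this thread."""
    sections, findings = parse_jaas(conf_text), []
    props = dict(re.findall(r'-D([\w.]+)=(\S+)', jvm_opts))
    if props.get('rundeck.jaaslogin') != 'true':
        findings.append('rundeck.jaaslogin must be "true", not a path')
    name = props.get('loginmodule.name')
    if name not in sections:
        findings.append(f'no section named {name}; file defines {sorted(sections)}')
    for section, modules in sections.items():
        for cls, _flag, opts in modules:
            # Assumption: the directory is Active Directory, as in this thread.
            if cls.endswith('LdapLoginModule') and opts.get('forceBindingLogin') != 'true':
                findings.append(f'{section}: forceBindingLogin is not "true"')
    return findings
```

Calling check(JAAS_CONF, JVM_OPTS) on the constructed inputs returns three findings; with jaaslogin=true, loginmodule.name=multiauth and forceBindingLogin="true" it returns an empty list.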