Configure LDAP with Rundeck Version 3.4.9 on Windows Server-2019


Rahul Saxena

May 17, 2022, 9:57:23 AM
to rundeck...@googlegroups.com
Hi Team,

I am facing an issue while configuring LDAP with my Rundeck server. I also have an old version of Rundeck 2.11 where LDAP configuration is working but with 3.4 it is not. I tried all possible configurations mentioned on Google but no luck so far.  Below is my configuration:

In profile.bat I added the below:
set RDECK_JVM_OPTS=-Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -Dcom.dtolabs.rundeck.jetty.jaas.LEVEL=DEBUG -Drundeck.jaaslogin=true

I also tried with below configuration but that didn't help:
set RDECK_JVM_OPTS=-Drundeck.jaaslogin=true -Djava.security.auth.login.config=C:\rundeck\server\config\jaas-activedirectory.conf -Dloginmodule.name=activedirectory

Here is my Profile.bat file:

set RDECK_BASE=C:\rundeck

set JAVA_HOME=C:\Program Files\Java\jre1.8.0_202

:: Unsetting JRE_HOME to ensure there is no conflict with JAVA_HOME
(set JRE_HOME=)

set Path=%JAVA_HOME%\bin;%RDECK_BASE%\tools\bin;%Path%

set RDECK_SSL_OPTS="-Djavax.net.ssl.trustStore=%RDECK_BASE%\etc\truststore -Djavax.net.ssl.trustStoreType=jks -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol"
set RDECK_CLI_OPTS=-Xms256m -Xmx4096m
set RD_LIBDIR=%RDECK_BASE%\tools\lib
set KUBECONFIG=C:\Users\rsaxena\.kube\config
set AWS_CONFIG_FILE=C:\Users\rsaxena\.aws\config
set AWS_SHARED_CREDENTIALS_FILE=C:\Users\rsaxena\.aws\credentials

set RDECK_JVM_OPTS=-Drundeck.jaaslogin=true -Djava.security.auth.login.config=C:\rundeck\server\config\jaas-activedirectory.conf -Dloginmodule.name=activedirectory

Below is my jaas-activedirectory.conf file under C:\rundeck\server\config:


activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://ADURL1:389 ldap://ADURL2:389 ldap://ADURL3:389"
    bindDn="CN=Connect Service,OU=Service,OU=SA,DC=dma,DC=net"
    bindPassword="XXXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Users,OU=adbe,DC=dma,DC=net"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Groups,OU=adbe,DC=dma,DC=net"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    supplementalRoles="user";
};

It seems like Rundeck is not even trying to authenticate via LDAP and keeps giving me a "Bad Credentials" error. It is only working with the default admin/admin login.

ERROR Log:

[2022-05-17T13:44:43,795] INFO  rundeckapp.BootStrap - Rundeck is ACTIVE: executions can be run.
[2022-05-17T13:44:43,803] WARN  rundeckapp.BootStrap - The JVM default encoding is not UTF-8: windows-1252, you may not see output as expected for multibyte locales. Specify -Dfile.encoding=UTF-8 in the JVM options.
[2022-05-17T13:44:43,999] WARN  rundeckapp.BootStrap - [Development Mode] Usage of H2 database is recommended only for development and testing
[2022-05-17T13:44:44,222] INFO  rundeckapp.BootStrap - Rundeck startup finished in 740ms
[2022-05-17T13:44:44,350] INFO  rundeckapp.Application - Started Application in 38.4736417 seconds (JVM running for 41.799)
Grails application running at http://0.0.0.0:4440 in environment: production
[2022-05-17T13:44:57,973] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Request is to process authentication
[2022-05-17T13:44:58,024] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151) ~[spring-security-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.2.0.RELEASE.jar!/:5.2.0.RELEASE]

Can someone please help?


rac...@rundeck.com

May 17, 2022, 12:39:46 PM
to rundeck-discuss
Hi Rahul, could you test using these Active Directory parameters directly in the launch script like this? (or launch rundeck manually using those params).

Regards!

Rahul Saxena

May 17, 2022, 12:54:56 PM
to rundeck...@googlegroups.com
I added below to my profile.bat file:

set RDECK_JVM_="-Drundeck.jaaslogin=true -Dloginmodule.name=ldap -Dloginmodule.conf.name=C:\rundeck\server\config\jaas-activedirectory.conf"

Is it what you were suggesting?

I tried this but it didn't help and I am still getting the same error message.


rac...@rundeck.com

May 17, 2022, 2:17:59 PM
to rundeck-discuss

Hi Rahul,

I mean, passing those AD params directly launching Rundeck manually, that’s a good way to discard any conf issue in your environment, something like:

java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-4.2.1-20220511.war

and see the behavior.

And then do the same in the startup script, the “start_rundeck.bat” file in this guide.

Greetings.

Rahul Saxena

May 18, 2022, 9:30:45 AM
to rundeck...@googlegroups.com

I used the below parameters from the command prompt to start the Rundeck service and I could log in with LDAP successfully:

c:\rundeck>java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-3.4.9-20211221.war

Do you want me to add the same command in start_rundeck.bat file like below:

set CURDIR=%~dp0
call %CURDIR%etc\profile.bat
java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -jar rundeck-3.4.9-20211221.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1
java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-3.4.9-20211221.war

Please confirm.

Thanks,
Rahul

rac...@rundeck.com

May 18, 2022, 9:57:07 AM
to rundeck-discuss

Hi Rahul,

Right, this is a good way to avoid upgrading problems, take a look.

But in your script, you have two java calls, this example looks more accurate:

set CURDIR=%~dp0
call %CURDIR%etc\profile.bat
java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-4.2.0-20220509.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1

You can see this on the documentation.

Greetings.

Rahul Saxena

May 18, 2022, 9:59:55 AM
to rundeck...@googlegroups.com
Thanks for the swift response. I had already made the required changes and successfully authenticated via LDAP. I figured out when the log file wasn't created so I had commented out the last java call.

set CURDIR=%~dp0
call %CURDIR%etc\profile.bat
java -Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar rundeck-3.4.9-20211221.war >> %CURDIR%\var\logs\service.log  2>&1
::java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -jar rundeck-3.4.9-20211221.war --skipinstall -d  >> %CURDIR%\var\logs\service.log  2>&1
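
Added example, not part of the original thread and not Rundeck project code: in the scripts quoted above, profile.bat sets RDECK_JVM_OPTS while the original java line in start_rundeck.bat expands only %RDECK_CLI_OPTS% and %RDECK_SSL_OPTS%. This Python check expands the `set` variables onto each uncommented java line and reports JAAS options that never reach the JVM, or a `loginmodule.name` with no matching stanza in the JAAS file; the sample contents are constructed from the snippets in the thread, the function names are hypothetical, and matching `loginmodule.name` to the stanza name is assumed.

```python
import re

# Constructed samples modelled on the profile.bat, start_rundeck.bat and JAAS file quoted in the thread.
PROFILE_BAT = r"""
set RDECK_CLI_OPTS=-Xms256m -Xmx4096m
set RDECK_JVM_OPTS=-Drundeck.jaaslogin=true -Dloginmodule.conf.name=jaas-activedirectory.conf -Dloginmodule.name=activedirectory
"""
START_BAT = r"""
call %CURDIR%etc\profile.bat
java %RDECK_CLI_OPTS% %RDECK_SSL_OPTS% -jar rundeck-3.4.9-20211221.war --skipinstall -d
::java -Drundeck.jaaslogin=true -jar rundeck-3.4.9-20211221.war
"""
JAAS_CONF = """
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true";
};
"""

def parse_sets(bat):
    """Map VAR -> value for each uncommented `set VAR=value` line (cmd variable names are case-insensitive)."""
    pairs = re.findall(r"^[ \t]*set[ \t]+(\w+)=(.*)$", bat, re.M | re.I)
    return {name.upper(): value.strip() for name, value in pairs}

def expand(line, env):
    """Expand %VAR% references from env; unknown variables are left untouched."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), line)

def diagnose(profile_bat, start_bat, jaas_conf):
    """List reasons the JVM started by start_bat would not use the intended JAAS login module."""
    env, findings = parse_sets(profile_bat), []
    stanzas = set(re.findall(r"^\s*([\w.-]+)\s*\{", jaas_conf, re.M))
    for raw in re.findall(r"^[ \t]*(java(?:\.exe)?[ \t].*)$", start_bat, re.M | re.I):
        props = dict(re.findall(r'-D([\w.]+)=([^\s"]+)', expand(raw, env)))
        if props.get("rundeck.jaaslogin") != "true":
            findings.append("java line lacks -Drundeck.jaaslogin=true")
            for var, val in env.items():
                if "-Dloginmodule" in val and f"%{var}%" not in raw.upper():
                    findings.append(f"{var} is set in profile.bat but never expanded on the java line")
        name = props.get("loginmodule.name")
        if name and name not in stanzas:
            findings.append(f"loginmodule.name={name} matches no stanza in the JAAS file")
    return findings

if __name__ == "__main__":
    for finding in diagnose(PROFILE_BAT, START_BAT, JAAS_CONF):
        print(finding)
```
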


rac...@rundeck.com

May 18, 2022, 10:13:05 AM
to rundeck-discuss
Great news Rahul! :-)

Rahul Saxena

May 18, 2022, 10:14:39 AM
to rundeck...@googlegroups.com
Thanks for all your help in getting this sorted out.  Much appreciated.
