LDAP integration with FreeIPA = nightmare

[Andrea Favero]

LDAP issue with FreeIPA

Hello guys,

I've been banging my head on LDAP integration with FreeIPA.

The problem I'm having is that, no matter what I try, Rundeck never manages to make a successful query that results in a response with roles or groups associated with that account, and this results in the following error:

2018-05-17 18:45:40.978:WARN:cdrjj.JettyCachingLdapLoginModule:qtp1867083167-80: JettyCachingLdapLoginModule: User 'jsmith' has no role membership; role query configuration may be incorrect

This is my configuration:

ldap {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://192.168.42.144:389"
bindDn="uid=admin,cn=users,cn=accounts,dc=xxxx,dc=xxxx"
bindPassword="mypassword"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="cn=users,cn=accounts,dc=xxxx,dc=xxxx"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="posixaccount"
roleBaseDn="cn=groups,cn=accounts,dc=xxxx,dc=xxxx"
roleNameAttribute="cn"
roleUsernameMemberAttribute="member"
roleMemberAttribute="member"
roleObjectClass="groupofnames"
cacheDurationMillis="60000"
reportStatistics="true"
timeoutRead="10000"
timeoutConnect="20000"
nestedGroups="false";
};

And:

export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
 -Dloginmodule.name=activedirectory \
 -Drdeck.config=$RDECK_CONFIG \
 -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
 -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
 -Drundeck.server.serverDir=$RDECK_INSTALL \
 -Drdeck.projects=$RDECK_PROJECTS \
 -Drdeck.runlogs=$RUNDECK_LOGDIR \
 -Drundeck.config.location=$RDECK_CONFIG/rundeck-config.properties \
 -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
 -Drundeck.server.workDir=$RUNDECK_WORKDIR \
 -Dserver.http.port=$RDECK_HTTP_PORT"

Whit this config, I've tried capturing the traffic, and I have realized that the query being sent is the following:

(&(objectClass=groupofnames)(member=jsmith))

The problem is that in my group schema, the field "member" of each group contains the full DN value, like this: "member=uid=jsmith,cn=users,cn=accounts,dc=xxx,dc=xxx"  Infact, if I run ldapsearch with this the filter being something like (&(objectClass=groupofnames)(member=uid=jsmith,cn=users,cn=accounts,dc=xxx,dc=xxx)), it does work.

So, instead of "member" I could use memberUid, but this field is empty on all my groups created with the FreeIPA GUI. If I add "memberUid=jsmith" manually with a ldap browser, then Rundeck is able to work properly, however I don't think that this is what I'm supposed to do.

I've been looking in all forums but to no avail... I hope someone here was able to get Rundeck to talk with FreeIPA and can give me a suggestion on how to solve this problem. Thank you!

[Niall Munnelly]

Heya, Andrea,

Try adding supplementalRoles="user" to your jaas config file, as seen here, and restart.

supplementalRoles

Comma-separated list of role names. All of the given role names will be automatically added to authenticated users. You can use this to provide a "default" role or roles for all users.

It may not be your desired configuration, but it'll definitely address that error.