LDAP integration with FreeIPA = nightmare


Andrea Favero

May 18, 2018, 12:38:35 PM5/18/18
to rundeck-discuss
LDAP issue with FreeIPA

Hello guys,
I've been banging my head on LDAP integration with FreeIPA.
The problem I'm having is that, no matter what I try, Rundeck never manages to make a successful query that results in a response with roles or groups associated with that account, and this results in the following error:
2018-05-17 18:45:40.978:WARN:cdrjj.JettyCachingLdapLoginModule:qtp1867083167-80: JettyCachingLdapLoginModule: User 'jsmith' has no role membership; role query configuration may be incorrect

This is my configuration:

ldap {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://192.168.42.144:389"
    bindDn="uid=admin,cn=users,cn=accounts,dc=xxxx,dc=xxxx"
    bindPassword="mypassword"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="cn=users,cn=accounts,dc=xxxx,dc=xxxx"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="posixaccount"
    roleBaseDn="cn=groups,cn=accounts,dc=xxxx,dc=xxxx"
    roleNameAttribute="cn"
    roleUsernameMemberAttribute="member"
    roleMemberAttribute="member"
    roleObjectClass="groupofnames"
    cacheDurationMillis="60000"
    reportStatistics="true"
    timeoutRead="10000"
    timeoutConnect="20000"
    nestedGroups="false";
};



And:

export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
 -Dloginmodule.name=activedirectory \
 -Drdeck.config=$RDECK_CONFIG \
 -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
 -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
 -Drundeck.server.serverDir=$RDECK_INSTALL \
 -Drdeck.projects=$RDECK_PROJECTS \
 -Drdeck.runlogs=$RUNDECK_LOGDIR \
 -Drundeck.config.location=$RDECK_CONFIG/rundeck-config.properties \
 -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
 -Drundeck.server.workDir=$RUNDECK_WORKDIR \
 -Dserver.http.port=$RDECK_HTTP_PORT"




With this config, I've tried capturing the traffic, and I have realized that the query being sent is the following:
(&(objectClass=groupofnames)(member=jsmith))

The problem is that in my group schema, the field "member" of each group contains the full DN value, like this: "member=uid=jsmith,cn=users,cn=accounts,dc=xxx,dc=xxx". In fact, if I run ldapsearch with the filter being something like (&(objectClass=groupofnames)(member=uid=jsmith,cn=users,cn=accounts,dc=xxx,dc=xxx)), it does work.

So, instead of "member" I could use memberUid, but this field is empty on all my groups created with the FreeIPA GUI. If I add "memberUid=jsmith" manually with an LDAP browser, then Rundeck is able to work properly; however, I don't think that this is what I'm supposed to do.

I've been looking in all forums but to no avail... I hope someone here was able to get Rundeck to talk with FreeIPA and can give me a suggestion on how to solve this problem. Thank you!
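The mismatch described above, reproduced offline as an added example (not code from the thread or from Rundeck): a constructed in-memory set of FreeIPA-style groups whose `member` attribute holds full user DNs, a builder for the filter shape seen in the capture, and a small evaluator showing that `member=jsmith` and `memberUid=jsmith` match nothing while `member=<full user DN>` returns the roles. The `GROUPS` entries, the user DN and the helper names are assumptions for the demonstration; the filter builder also applies RFC 4515 escaping so that a username cannot alter the filter's structure.

```python
"""Reproduce the Rundeck/FreeIPA role-lookup mismatch from the post
against a constructed in-memory directory (no live server needed)."""
import re

# Constructed entries: FreeIPA groups hold full user DNs in `member`,
# and `memberUid` is absent, as described in the post.
USER_DN = "uid=jsmith,cn=users,cn=accounts,dc=example,dc=test"
GROUPS = [
    {"objectClass": ["groupofnames", "posixgroup"], "cn": ["admins"],
     "member": [USER_DN]},
    {"objectClass": ["groupofnames", "posixgroup"], "cn": ["ops"],
     "member": [USER_DN, "uid=adoe,cn=users,cn=accounts,dc=example,dc=test"]},
    {"objectClass": ["groupofnames", "posixgroup"], "cn": ["dev"],
     "member": ["uid=adoe,cn=users,cn=accounts,dc=example,dc=test"]},
]

# RFC 4515: characters that must be escaped inside a filter value so that
# user-supplied input cannot change the structure of the query.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def role_filter(member_attr, member_value, role_object_class="groupofnames"):
    """Build the filter shape seen in the capture, e.g.
    (&(objectClass=groupofnames)(member=jsmith))."""
    return "(&(objectClass=%s)(%s=%s))" % (
        role_object_class, member_attr, escape_filter_value(member_value))

_FILTER_RE = re.compile(
    r"^\(&\(objectClass=([^)]+)\)\(([^=]+)=((?:[^)\\]|\\[0-9a-fA-F]{2})*)\)\)$")

def matching_roles(groups, filt, role_name_attr="cn"):
    """Evaluate the filter as the directory would: exact, case-insensitive
    equality of the unescaped value against each group's attribute values."""
    m = _FILTER_RE.match(filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    object_class, attr, raw = m.groups()
    wanted = unescape_filter_value(raw).lower()
    roles = []
    for g in groups:
        if object_class.lower() not in [c.lower() for c in g.get("objectClass", [])]:
            continue
        if wanted in [v.lower() for v in g.get(attr, [])]:
            roles.append(g[role_name_attr][0])
    return roles
```

Calling `matching_roles(GROUPS, role_filter("member", "jsmith"))` returns an empty list, which is the condition behind the "has no role membership" warning, whereas `role_filter("member", USER_DN)` yields `["admins", "ops"]`.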

Niall Munnelly

Jun 20, 2018, 10:33:15 AM6/20/18
to rundeck-discuss
Heya, Andrea,

Try adding supplementalRoles="user" to your jaas config file, as seen here, and restart.

supplementalRoles

Comma-separated list of role names. All of the given role names will be automatically added to authenticated users. You can use this to provide a "default" role or roles for all users.


It may not be your desired configuration, but it'll definitely address that error.