Help required to configure LDAP/AD authentication in community version


ritesh....@gmail.com

Oct 22, 2020, 1:18:49 AM10/22/20
to rundeck-discuss
Hi All,

I am new to Rundeck and found it's possible to do authentication using AD/LDAP.
I went through the documentation, but it is not very clear to me.

Can someone please help me with the steps I need to perform to configure and test the AD/LDAP authentication?

Thanks a lot.

Regards,
Ritesh Garg 

rac...@rundeck.com

Oct 22, 2020, 8:09:05 AM10/22/20
to rundeck-discuss

Hi Ritesh,

First of all, stop your Rundeck service before adding files and editing the configuration. So, the first step is to create the jaas-ldap.conf file in the /etc/rundeck path with your LDAP configuration information (here you can check a good example). I have this one for testing:

ldap {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
  debug="true"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  providerUrl="ldap://your-ldap-host:389"
  bindDn="cn=admin,dc=example,dc=net"
  bindPassword="admin"
  authenticationMethod="simple"
  forceBindingLogin="false"
  userBaseDn="ou=Users,dc=example,dc=net"
  userRdnAttribute="uid"
  userIdAttribute="uid"
  userPasswordAttribute="userPassword"
  userObjectClass="posixAccount"
  roleBaseDn="cn=Roles,dc=example,dc=net"
  roleNameAttribute="cn"
  roleUsernameMemberAttribute="memberUid"
  roleMemberAttribute="memberUid"
  roleObjectClass="posixGroup"
  cacheDurationMillis="300000"
  supplementalRoles="user"
  reportStatistics="true"
  timeoutRead="10000"
  timeoutConnect="20000"
  nestedGroups="false";
};

Keep in mind that the attributes must match your LDAP server (for example, the providerUrl, bindDn, bindPassword, userBaseDn, userPasswordAttribute, and roleBaseDn attributes). Also, make sure that the file is readable by the rundeck user.

Now, it's important to tell Rundeck about your new LDAP configuration. For that, you need to create or edit the rundeckd file located in the /etc/sysconfig path on RedHat/CentOS based distros or /etc/defaults on Debian/Ubuntu based distros (on some web guides you can see that some users edit the /etc/rundeck/profile file; that's a bad practice because it can generate problems when you upgrade your Rundeck instance in the future, so do not edit the /etc/rundeck/profile file). I have this one:

RDECK_JVM_OPTS="-Drundeck.jaaslogin=true \
       -Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
       -Dloginmodule.name=ldap"

Now you can start the Rundeck service and, if all is well configured, you can log in with users defined at userBaseDn. So, now you need to focus on creating a basic ACL rule for your new users and roles to give access to your projects and jobs; please take a look at this and this ACL example.

If you'd like to test in a safe environment you can use the Osixia docker image and Apache Directory Studio to access and populate it. Anyway, here you can check the same process for Active Directory, and here an amazing docker example to see how it works.

Hope it helps!

Ritesh Garg

Oct 23, 2020, 5:50:27 AM10/23/20
to rundeck...@googlegroups.com
Thanks for your support.

I am getting the below error during authentication. Can you please help further with it?

rails application running at http://localhost:4440 in environment: production
[2020-10-23 09:03:55.514] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [qtp305047772-39] Request is to process authentication
[2020-10-23 09:03:55.641] ERROR JettyCachingLdapLoginModule --- [qtp305047772-39] Naming error

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v4563]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3154)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3100)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2886)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2800)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
        at javax.naming.InitialContext.init(InitialContext.java:244)
        at javax.naming.InitialContext.<init>(InitialContext.java:216)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.initialize(JettyCachingLdapLoginModule.java:913)

[2020-10-23 09:03:55.674] DEBUG GrailsUsernamePasswordAuthenticationFilter --- [qtp305047772-39] Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException

org.springframework.security.authentication.AuthenticationServiceException: null




rac...@rundeck.com

Oct 23, 2020, 8:47:11 AM10/23/20
to rundeck-discuss

Hi Ritesh,

Make sure that you're pointing the bindDn and userBaseDn attributes correctly; probably you have them set reversed (same issue). You can use the Apache Directory Studio tool to browse and check your LDAP server.

Hope it helps!

Ritesh Garg

Oct 26, 2020, 6:01:39 AM10/26/20
to rundeck...@googlegroups.com
Hi Team,

Thanks a lot. I am able to use AD for authentication. There was an issue with the parameters, as you suggested.
My authentication is working now.

Configuration file: jaas-multi-auth.conf
Configuration:

multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://xxxxxxxxxxxx.xxx.xxx.xxxx:389"
    bindDn=" OU=User,DC=xxxx,DC=xxx,DC=xx  "
    bindPassword="xxxxx"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=User,DC=xxxx,DC=xxxx,DC=xxxx"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userPassword"
    userObjectClass="user"
    roleBaseDn="OU=User,DC=xxxx,DC=xxxx,DC=xxxx"
    roleNameAttribute="cn"
    roleUsernameMemberAttribute="memberUid"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    ignoreRoles="true"
    nestedGroups="true";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};

After login, the other part, the roles, is not working.
I think I have not configured it correctly.
Below is the message shown on the Rundeck screen.

You have no authorized access to projects.

Contact your administrator. (User roles: )

I need to get the roles read from the file configured in Rundeck instead of AD-provided roles as well.

Can you please help me get this configured?


Thanks,

Ritesh Garg




rac...@rundeck.com

Oct 26, 2020, 8:26:41 AM10/26/20
to rundeck-discuss
Hi Ritesh,

Now, you need to define the ACL rules for your new users and roles (groups) to grant or deny access to your projects and jobs. Here you can see a good example to play with; you can add it at Gear Icon > Access Control for a global ACL definition, or focus on projects (Project Settings > Access Control).

Another way to learn and build your ACLs is to check the default templates (.aclpolicy files) in the `/etc/rundeck` directory, but focused on your LDAP groups.

Greetings!

Ritesh Garg

Oct 26, 2020, 8:45:09 AM10/26/20
to rundeck...@googlegroups.com
Hi Rac,

I already have ACLs configured, because until now I have been using realm.properties for authentication and for associating the different roles.
How will roles be read after LDAP authentication? I would like to get the same role groups used for the same users.

Please help me.

admin:admin,user,admin,architect,deploy,build
user:user,user
riteshgarg:admin,user,architect,deploy,build,colt
user1:user1,user,myorg,build,deploy
user2: user2,user, myorg ,build,deploy
user3: user3,user, myorg_job_execution

Is it possible to read the roles from here, so that the ACL policy is applied and the role is granted to the specific user accordingly?

Thanks,
Ritesh Garg 


rac...@rundeck.com

Oct 26, 2020, 9:27:17 AM10/26/20
to rundeck-discuss

Hi Ritesh,

About the LDAP configuration, Rundeck takes the roles from the roleBaseDn attribute (make sure that it points correctly to your LDAP tree; in your case, just change the groups in your ACL definition according to your LDAP roleBaseDn). About ACLs, you can define your rules against individual users (username: myusername at the end of the ACL definition) and roles (group: mygroup at the end of the ACL definition). Take a look at this.

Regards!

ritesh....@gmail.com

Oct 27, 2020, 4:23:25 AM10/27/20
to rundeck-discuss
Hi Rac,

I am not able to make it work.

I checked with my infra team and, as per them, we don't have specific groups defined for identification of roles.

I am getting the below issue:
--------------------------------------------------------------------------------------
service.log:[2020-10-27 07:12:33.206]  WARN JettyCachingLdapLoginModule --- [qtp305047772-39] JettyCachingLdapLoginModule: User 'rgarg' has no role membership; role query configuration may be incorrect
----------------------------------------------------------------
I checked further in the access logs, and here are the logs:
[2020-10-27 08:19:28,548] authorization.RuleEvaluator - Evaluating Decision for: res<name:KBA, type:project> subject<Username:rgarg> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false:        No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
[2020-10-27 08:19:28,548] authorization.RuleEvaluator - Evaluating Decision for: res<name:SAPHanaAutomation, type:project> subject<Username:rgarg> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false:   No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
[2020-10-27 08:19:28,548] authorization.RuleEvaluator - Evaluating Decision for: res<name:SAPHanaAutomation, type:project> subject<Username:rgarg> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false:  No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/apitoken.aclpolicy[1][type:resource][rule: 1]>{'API project level access control' context={project='.*'} type='resource' equals , resource={kind=job} for: { group='api_token_group'} allow=[create, delete]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/admin.aclpolicy[1][type:job][rule: 1]>{'Admin, all access.' context={project='.*'} type='job' for: { group='admin'} allow=[*]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/apitoken.aclpolicy[1][type:job][rule: 1]>{'API project level access control' context={project='.*'} type='job' for: { group='api_token_group'} allow=[read, create, update, run, kill, delete]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/apitoken.aclpolicy[1][type:node][rule: 1]>{'API project level access control' context={project='.*'} type='node' for: { group='api_token_group'} allow=[read, run]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/apitoken.aclpolicy[1][type:resource][rule: 3]>{'API project level access control' context={project='.*'} type='resource' equals , resource={kind=event} for: { group='api_token_group'} allow=[read, create]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/admin.aclpolicy[1][type:resource][rule: 1]>{'Admin, all access.' context={project='.*'} type='resource' for: { group='admin'} allow=[*]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/apitoken.aclpolicy[1][type:resource][rule: 2]>{'API project level access control' context={project='.*'} type='resource' equals , resource={kind=node} for: { group='api_token_group'} allow=[read, create, update, refresh]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/admin.aclpolicy[1][type:node][rule: 1]>{'Admin, all access.' context={project='.*'} type='node' for: { group='admin'} allow=[*]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/admin.aclpolicy[1][type:adhoc][rule: 1]>{'Admin, all access.' context={project='.*'} type='adhoc' for: { group='admin'} allow=[*]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - ACLRule</etc/rundeck/apitoken.aclpolicy[1][type:adhoc][rule: 1]>{'API project level access control' context={project='.*'} type='adhoc' for: { group='api_token_group'} allow=[read, run, kill]}: environment not matched: {project='.*'}
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - Evaluating Decision for: res<name:KBA, type:project> subject<Username:rgarg> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false:         No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - Evaluating Decision for: res<name:KBA, type:project> subject<Username:rgarg> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false:        No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - Evaluating Decision for: res<name:SAPHanaAutomation, type:project> subject<Username:rgarg> action<admin> env<rundeck:auth:env:application:rundeck>: authorized: false:  No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
[2020-10-27 08:19:28,551] authorization.RuleEvaluator - Evaluating Decision for: res<name:SAPHanaAutomation, type:project> subject<Username:rgarg> action<read> env<rundeck:auth:env:application:rundeck>: authorized: false:   No context matches subject or environment => REJECTED_NO_SUBJECT_OR_ENV_FOUND (0ms)
-------------------------------------------------------------------------------------------------------------------------------------
ACL policy created:
description: rgarg, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  user: rgarg

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  user: rgarg
------------------------------------------------------------------------------------------------------------------------------------

jaas-multi-auth.conf
multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://xxxxxxx:389"
    bindDn="xxxx"
    bindPassword="xxx"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=xx,DC=xx,DC=xx,DC=xx"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userPassword"
    userObjectClass="user"
    roleBaseDn="OU=xx,DC=xx,DC=xx,DC=xx"
    roleNameAttribute="cn"
    roleUsernameMemberAttribute="memberUid"
    roleMemberAttribute="memberUid"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    ignoreRoles="true"
    nestedGroups="true"
    storePass="true";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";

  org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    debug="true"
    useFirstPass="true"
    file="/etc/rundeck/realm.properties"
    refreshInterval="60"
    caseInsensitive="true";
};


Many thanks in advance for helping me get this achieved.

Thanks,
Ritesh Garg

ritesh....@gmail.com

Oct 27, 2020, 4:42:56 AM10/27/20
to rundeck-discuss
#
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
#  <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed.  The class
# org.mortbay.util.Password should be used to generate obfuscated
# passwords or password checksums
#
# If DIGEST Authentication is used, the password must be in a recoverable
# format, either plain text or OBF:.
#
#jetty: MD5:164c88b302622e17050af52c89945d44,user
#admin: CRYPT:ad1ks..kc.1Ug,server-administrator,content-administrator,admin
#other: OBF:1xmk1w261u9r1w1c1xmq
#plain: plain
#user: password
# This entry is for digest auth.  The credential is a MD5 hash of username:realmname:password
#digest: MD5:6e120743ad67abfbc385bc2bb754e297

#
# This sets the default user accounts for the Rundeck app
#
admin:admin,user,admin,architect,deploy,build
rgarg:-,rgarg,admin

#
# example users matching the example aclpolicy template roles
#
#job-runner:admin,user,job_runner
#job-writer:admin,user,job_writer
#job-reader:admin,user,job_reader
#job-viewer:admin,user,job_viewer
rgarg:admin,user,rgarg

ritesh....@gmail.com

Oct 27, 2020, 7:08:52 AM10/27/20
to rundeck-discuss
Hi All,

Thanks for the support. I was able to fix it with a small change.
I removed the "roleUsernameMemberAttribute" property and it started picking up roles for me. The ACL defined for the role is giving me the needed result.
I still need to check user-based ACL files and see if I can restrict something for a specific user.

Thanks,
Ritesh Garg
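The two failures in this thread (the bind error 49 / data 52e from a misdirected bindDn, and "has no role membership" until roleUsernameMemberAttribute was removed against AD) are both visible in the JAAS file before Rundeck is started. The following Python linter is an added example, not code from the thread or from Rundeck: it parses the JAAS login-config syntax used above and flags those mistakes, plus a cleartext ldap:// bind. It assumes the documented meaning of the attributes (roleUsernameMemberAttribute matches roles by username, roleMemberAttribute by the user's DN, and AD needs forceBindingLogin="true"); the sample config, host and DNs are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the thread's AD config; every value is a placeholder.
SAMPLE_AD_CONF = '''
multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    providerUrl="ldap://ad.example.invalid:389"
    bindDn="OU=User,DC=example,DC=invalid"
    bindPassword="placeholder"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=User,DC=example,DC=invalid"
    userIdAttribute="sAMAccountName"
    userObjectClass="user"
    roleBaseDn="OU=User,DC=example,DC=invalid"
    roleNameAttribute="cn"
    roleUsernameMemberAttribute="memberUid"
    roleMemberAttribute="member"
    roleObjectClass="group";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};
'''

REALM_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
ENTRY_RE = re.compile(r'^\s*(\S+)\s+(required|requisite|sufficient|optional)\b(.*)$', re.I | re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text: str) -> Dict[str, List[dict]]:
    """Parse JAAS login-config syntax into {realm: [{class, flag, options}, ...]}."""
    realms: Dict[str, List[dict]] = {}
    for name, body in REALM_RE.findall(text):
        entries = []
        for chunk in body.split(';'):          # each module entry ends with ';'
            m = ENTRY_RE.match(chunk)
            if m:
                cls, flag, rest = m.groups()
                entries.append({'class': cls, 'flag': flag.lower(),
                                'options': dict(OPTION_RE.findall(rest))})
        realms[name] = entries
    return realms


def role_search_filter(opts: dict, username: str, user_dn: str) -> str:
    """Role lookup filter per the documented attribute meanings (assumption): by username
    when roleUsernameMemberAttribute is set, otherwise by the user's DN."""
    oc = opts.get('roleObjectClass', 'groupOfUniqueNames')
    by_name = opts.get('roleUsernameMemberAttribute')
    if by_name:
        return f'(&(objectClass={oc})({by_name}={username}))'
    return f'(&(objectClass={oc})({opts.get("roleMemberAttribute", "uniqueMember")}={user_dn}))'


def lint_ldap_module(opts: dict) -> List[str]:
    """Flag the misconfigurations seen in this thread; returns human-readable findings."""
    findings = []
    bind_dn = opts.get('bindDn', '').strip()
    # Error 49 / data 52e came from the initial bind: an OU/DC-rooted bindDn is a container, not an account.
    if bind_dn and '@' not in bind_dn and bind_dn.split('=', 1)[0].strip().lower() in {'ou', 'dc', 'o'}:
        findings.append('bindDn names a container, not an account; the initial bind fails with LDAP error 49')
    if opts.get('providerUrl', '').lower().startswith('ldap://') \
            and opts.get('authenticationMethod', 'simple').lower() == 'simple':
        findings.append('simple bind over ldap:// sends bind and user passwords in cleartext; use ldaps://')
    is_ad = opts.get('userObjectClass', '').lower() == 'user' \
        or opts.get('userIdAttribute', '').lower() == 'samaccountname'
    if is_ad and opts.get('forceBindingLogin', 'false').lower() != 'true':
        findings.append('AD does not return userPassword for comparison; set forceBindingLogin="true"')
    # The thread's fix: AD "group" objects hold member DNs in "member", so a username match on memberUid is empty.
    if opts.get('roleObjectClass', '').lower() == 'group' and opts.get('roleUsernameMemberAttribute'):
        findings.append('roleUsernameMemberAttribute makes the role query match by username; '
                        'AD groups store DNs in "member", so remove it and keep roleMemberAttribute="member"')
    return findings
```

Run the findings over your own jaas file before starting the service, and paste the filter from role_search_filter into Apache Directory Studio to confirm it returns the user's groups.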

rac...@rundeck.com

Oct 27, 2020, 7:42:02 AM10/27/20
to rundeck-discuss
Good news then, Ritesh :-) Please check this user-focused example ACL.

Regards!

ritesh....@gmail.com

Oct 27, 2020, 11:18:20 AM10/27/20
to rundeck-discuss
Thanks Rac. This is set up now and working well.
The only issue I am facing is that it is taking approximately 2 minutes to log in. Every user has more than 20-25 groups. I think the fetching is taking a lot of time.
Can you please suggest something to make it faster?

Thanks,
Ritesh Garg

rac...@rundeck.com

Oct 27, 2020, 12:06:48 PM10/27/20
to rundeck-discuss
Hi Ritesh,

A good way is to follow this guide to "tune" Rundeck to gain more performance.

Greetings!