Rundeck AD & Local Accounts Simultaneously?

Sean Patrick Kerrigan

Jan 30, 2021, 4:40:09 PM
to rundeck-discuss
I am running Rundeck 2.8.2-1 with AD authentication working successfully. I want to try the use of local accounts as well, but am having issues doing so. I tried following the guidelines at [1] but I am not sure where I went wrong. I first followed the instructions in the PropertyFileLoginModule section to create a hashed password for the local account I tried to create, and added that info to the realm.properties file. I also tried in plaintext in case that was the issue but no change there. 

I then followed the instructions in the Multiple Authentication Modules section, and changed the contents of the jaas-activedirectory.conf to read 'multiauth {' instead of 'activedirectory {' and added the snippet at the end regarding the realm.properties file.

I then restarted the rundeck service but no luck. Below are redacted versions of the relevant config files. I am still able to log in through my AD account without issue. Can anyone see what I might be missing? Any help would be appreciated. Thank you.

jaas-activedirectory.conf:

multiauth {

    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule sufficient
    debug="true"
    file="/etc/rundeck/realm.properties";

    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldaps://REDACTED:636"
    bindDn="CN=LDAP User,CN=Users,DC=bobst,DC=lib"
    bindPassword="REDACTED"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="OU=Departments,OU=Departmental Computing,OU=Bobst Library,OU=Division of Libraries,DC=bobst,DC=lib"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="userPassword"
    userObjectClass="user"
    roleBaseDn="OU=Rundeck,OU=Security Groups,OU=Departmental Computing,OU=Bobst Library,OU=Division of Libraries,DC=bobst,DC=lib"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    supplementalRoles="user"
    nestedGroups="true"
    cacheDurationMillis="300000"
    reportStatistics="true";

  org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/etc/rundeck/realm.properties";
};

jaas-loginmodule.conf:

RDpropertyfilelogin {
org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
debug="true"
file="/etc/rundeck/realm.properties";
};

realm-properties:

#
# This file defines users passwords and roles for a HashUserRealm
#
# The format is
#  <username>: <password>[,<rolename> ...]
#
# Passwords may be clear text, obfuscated or checksummed.  The class 
# org.mortbay.util.Password should be used to generate obfuscated
# passwords or password checksums
#
# If DIGEST Authentication is used, the password must be in a recoverable
# format, either plain text or OBF:.
#
#jetty: MD5:REDACTED,user

#other: OBF:REDACTED
#plain: plain
#user: password
# This entry is for digest auth.  The credential is a MD5 hash of username:realmname:password
#digest: MD5:REDACTED
seantest: MD5:REDACTED,admin
#
# This sets the default user accounts for the Rundeck app
#
#admin:admin,user,admin,architect,deploy,build
admin:MD5:REDACTED,Rundeck Users,Rundeck Administrators
wsops:MD5:REDACTED,user,Local Web Administrators
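
The control flags (sufficient, required) in the multiauth stack posted above decide which modules are consulted and whether the overall login succeeds. As an added example (not part of the original post and not Rundeck code), this Python model applies the flag rules documented for javax.security.auth.login.Configuration to the posted stack and to a constructed two-module alternative; the shortened module names, the sample users and the alternative ordering are assumptions.

```python
# Added example: models JAAS control-flag evaluation as documented for
# javax.security.auth.login.Configuration. Not Rundeck or Jetty code.
# "PropertyFile" and "Ldap" are shortened, hypothetical labels for the two
# login modules in the post; the users below are constructed sample data.

def jaas_login(stack, outcomes):
    """stack: list of (module, flag); outcomes: module -> True if its login succeeds.
    Returns (authenticated, modules_consulted)."""
    consulted, required_failed, any_ok = [], False, False
    for module, flag in stack:
        ok = outcomes[module]
        consulted.append(module)
        if ok:
            # A successful 'sufficient' module ends the walk immediately,
            # provided no earlier required module has failed.
            if flag == "sufficient" and not required_failed:
                return True, consulted
            any_ok = True
        elif flag == "requisite":
            return False, consulted      # failure returns control at once
        elif flag == "required":
            required_failed = True       # failure is remembered, walk continues
        # a failed 'sufficient' or 'optional' module is simply ignored
    return (any_ok and not required_failed), consulted

# Module order and flags exactly as in the posted multiauth entry.
POSTED = [("PropertyFile", "sufficient"),
          ("Ldap", "required"),
          ("PropertyFile", "required")]

# Constructed alternative ordering (an assumption, not taken from the page).
ALTERNATIVE = [("Ldap", "sufficient"),
               ("PropertyFile", "required")]

# Constructed users: which backend would accept their credentials.
USERS = {
    "local-only":     {"PropertyFile": True,  "Ldap": False},
    "directory-only": {"PropertyFile": False, "Ldap": True},
    "unknown":        {"PropertyFile": False, "Ldap": False},
}

def evaluate(stack):
    """Map each sample user to the overall authentication result."""
    return {user: jaas_login(stack, out)[0] for user, out in USERS.items()}

if __name__ == "__main__":
    for name, stack in (("posted", POSTED), ("alternative", ALTERNATIVE)):
        print(name, evaluate(stack))
```

Under these rules the posted ordering accepts a realm.properties-only user at the first module and rejects a directory-only user at the trailing required PropertyFileLoginModule. The model covers flag evaluation only, not which JAAS entry the running service actually loads.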

rac...@rundeck.com

Feb 1, 2021, 7:42:10 AM
to rundeck-discuss

Hi Sean,

Can you see any clue in the service.log? Anyway, the best advice is to move to the latest Rundeck version; it’s easier to set up this kind of environment (for example, the web.xml file is no longer relevant).

Regards!
