Rundeck ldap integration


devops tools

Nov 24, 2020, 4:26:06 PM
to rundeck-discuss
Hi all,
I'm trying to test the integration between Rundeck and LDAP

I have installed Rundeck and LDAP,

I created the jaas-ldap.conf file
--------
ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldap://localhost:389"
      bindDn="cn=ldapadm,dc=rundeck,dc=fr"
      bindPassword="ldppassword"
      authenticationMethod="simple"
      forceBindingLogin="false"
      userBaseDn="ou=People,dc=rundeck,dc=fr"
      userRdnAttribute="cn"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="posixAccount"
      userLastNameAttribute="sn"
      userFirstNameAttribute="givenName"
      userEmailAttribute="mail"
      roleBaseDn="ou=Groups,dc=rundeck,dc=fr"
      roleNameAttribute="cn"
      roleUsernameMemberAttribute="memberUid"
      roleMemberAttribute="memberUid"
      roleObjectClass="posixGroup"
      cacheDurationMillis="300000"
      reportStatistics="true"
      timeoutRead="10000"
      timeoutConnect="20000"
      nestedGroups="false";
};
-----

In /var/log/rundeck/services:
[2020-11-24T22:08:06,224] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
[2020-11-24T22:08:06,224] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@6442c2dd


And in the LDAP log /var/log/ldap:
-----
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 fd=11 ACCEPT from IP=127.0.0.1:52942 (IP=0.0.0.0:389)
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=0 BIND dn="cn=ldapadm,dc=rundeck,dc=fr" method=128
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=0 BIND dn="cn=ldapadm,dc=rundeck,dc=fr" mech=SIMPLE ssf=0
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=0 RESULT tag=97 err=0 text=
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=1 SRCH base="ou=People,dc=rundeck,dc=fr" scope=2 deref=3 filter="(&(objectClass=posixAccount)(uid=user2))"
Nov 24 22:08:06 localhost slapd[4555]: <= bdb_equality_candidates: (uid) not indexed
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=2 SRCH base="ou=People,dc=rundeck,dc=fr" scope=2 deref=3 filter="(&(objectClass=posixAccount)(uid=user2))"
Nov 24 22:08:06 localhost slapd[4555]: <= bdb_equality_candidates: (uid) not indexed
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=3 SRCH base="ou=Groups,dc=rundeck,dc=fr" scope=2 deref=3 filter="(&(objectClass=posixGroup)(memberUid=user2))"
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=3 SRCH attr=cn
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=



Is there any extra config to do?

But unfortunately I still find connection errors.

rac...@rundeck.com

Nov 24, 2020, 4:29:53 PM
to rundeck-discuss

Hi,

Can you post the full service.log content at the moment of connection? (Please change any potentially sensitive information.) Also, check this little step-by-step guide.

Regards!

devops tools

Nov 24, 2020, 4:39:38 PM
to rundeck-discuss
[2020-11-24T22:38:33,858] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Request is to process authentication
[2020-11-24T22:38:33,878] INFO  jaas.JettyCachingLdapLoginModule - Login attempts: 2, Hits: 0, Ratio: 0%.
[2020-11-24T22:38:33,886] DEBUG jaas.JettyCachingLdapLoginModule - Found user?: true
[2020-11-24T22:38:33,886] DEBUG jaas.JettyCachingLdapLoginModule - Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=People,dc=rundeck,dc=fr
[2020-11-24T22:38:33,892] DEBUG jaas.JettyCachingLdapLoginModule - Found user?: true
[2020-11-24T22:38:33,894] DEBUG jaas.JettyCachingLdapLoginModule - user cred is present: true
[2020-11-24T22:38:33,906] WARN  jaas.JettyCachingLdapLoginModule - JettyCachingLdapLoginModule: User 'user1' has no role membership; role query configuration may be incorrect
[2020-11-24T22:38:33,908] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException
org.springframework.security.authentication.AuthenticationServiceException: null
        at org.springframework.security.authentication.jaas.DefaultLoginExceptionResolver.resolveException(DefaultLoginExceptionResolver.java:35) ~[spring-security-core-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.authentication.jaas.AbstractJaasAuthenticationProvider.authenticate(AbstractJaasAuthenticationProvider.java:217) ~[spring-security-core-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at grails.plugin.springsecurity.web.authentication.GrailsUsernamePasswordAuthenticationFilter.attemptAuthentication(GrailsUsernamePasswordAuthenticationFilter.groovy:53) ~[spring-security-core-4.0.2.jar!/:?]
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at grails.plugin.springsecurity.web.authentication.logout.MutableLogoutFilter.doFilter(MutableLogoutFilter.groovy:64) ~[spring-security-core-4.0.2.jar!/:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at grails.plugin.springsecurity.web.SecurityRequestHolderFilter.doFilter(SecurityRequestHolderFilter.groovy:58) ~[spring-security-core-4.0.2.jar!/:?]
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) ~[spring-security-web-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.grails.web.servlet.mvc.GrailsWebRequestFilter.doFilterInternal(GrailsWebRequestFilter.java:77) ~[grails-web-mvc-4.0.3.jar!/:4.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.18.RELEASE.jar!/:5.1.18.RELEASE]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.grails.web.filters.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:67) ~[grails-web-mvc-4.0.3.jar!/:4.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.18.RELEASE.jar!/:5.1.18.RELEASE]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.1.18.RELEASE.jar!/:5.1.18.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.18.RELEASE.jar!/:5.1.18.RELEASE]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:114) ~[spring-boot-actuator-2.1.13.RELEASE.jar!/:2.1.13.RELEASE]
        at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:104) ~[spring-boot-actuator-2.1.13.RELEASE.jar!/:2.1.13.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.18.RELEASE.jar!/:5.1.18.RELEASE]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:97) ~[spring-web-5.1.18.RELEASE.jar!/:5.1.18.RELEASE]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.1.18.RELEASE.jar!/:5.1.18.RELEASE]
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590) ~[jetty-security-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485) ~[jetty-servlet-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.Server.handle(Server.java:500) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383) ~[jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547) [jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375) [jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270) [jetty-server-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311) [jetty-io-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117) [jetty-io-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336) [jetty-util-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313) [jetty-util-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171) [jetty-util-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129) [jetty-util-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388) [jetty-util-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806) [jetty-util-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938) [jetty-util-9.4.26.v20200117.jar!/:9.4.26.v20200117]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_272]
Caused by: javax.security.auth.login.FailedLoginException
        at com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule.login(JettyCachingLdapLoginModule.java:667) ~[classes!/:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_272]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_272]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_272]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_272]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_272]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_272]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_272]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_272]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_272]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_272]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_272]
        at org.springframework.security.authentication.jaas.AbstractJaasAuthenticationProvider.authenticate(AbstractJaasAuthenticationProvider.java:180) ~[spring-security-core-5.1.11.RELEASE.jar!/:5.1.11.RELEASE]
        ... 61 more
[2020-11-24T22:38:33,911] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
[2020-11-24T22:38:33,911] DEBUG authentication.GrailsUsernamePasswordAuthenticationFilter - Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@4ce4c097

rac...@rundeck.com

Nov 24, 2020, 7:06:30 PM
to rundeck-discuss

Hi,

Checking this line:

[2020-11-24T22:38:33,906] WARN  jaas.JettyCachingLdapLoginModule - JettyCachingLdapLoginModule: User 'user1' has no role membership; role query configuration may be incorrect

It seems that your LDAP config didn't pick up the groups (roles); make sure that your LDAP configuration (the roleBaseDn, roleNameAttribute, roleUsernameMemberAttribute, roleMemberAttribute and roleObjectClass attributes) matches your AD/LDAP tree.

Maybe this thread helps you as the first contact.

Also, you can test auth following this.

Hope it helps!
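Added example, not part of the thread and not Rundeck's own code: a small Python script that pairs the SRCH/SEARCH RESULT lines from the slapd log in the first post with the role settings from the posted jaas-ldap.conf and explains why the role lookup came back empty. The op=3 search on ou=Groups,dc=rundeck,dc=fr returned err=32, which is LDAP noSuchObject (RFC 4511), i.e. the configured roleBaseDn does not exist in the directory, which is exactly the mismatch the reply above points at; the log excerpt is constructed from the lines posted in the thread.

```python
import re

# Role-lookup settings copied from the jaas-ldap.conf posted in the thread
ROLE_CONFIG = {
    "roleBaseDn": "ou=Groups,dc=rundeck,dc=fr",
    "roleObjectClass": "posixGroup",
    "roleMemberAttribute": "memberUid",
}

# slapd excerpt constructed from the lines posted in the thread
SLAPD_LOG = """\
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=1 SRCH base="ou=People,dc=rundeck,dc=fr" scope=2 deref=3 filter="(&(objectClass=posixAccount)(uid=user2))"
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=3 SRCH base="ou=Groups,dc=rundeck,dc=fr" scope=2 deref=3 filter="(&(objectClass=posixGroup)(memberUid=user2))"
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=3 SRCH attr=cn
Nov 24 22:08:06 localhost slapd[4555]: conn=1017 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .* filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .* err=(\d+) nentries=(\d+)')


def expected_role_filter(cfg, username):
    """Filter the login module issues for the role lookup, as seen in the posted log."""
    return f"(&(objectClass={cfg['roleObjectClass']})({cfg['roleMemberAttribute']}={username}))"


def parse_searches(log_text):
    """Pair each SRCH line with its SEARCH RESULT line, keyed on (conn, op)."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            searches[(m[1], m[2])] = {"base": m[3], "filter": m[4]}
            continue
        m = RESULT_RE.search(line)
        if m and (m[1], m[2]) in searches:
            searches[(m[1], m[2])].update(err=int(m[3]), nentries=int(m[4]))
    return list(searches.values())


def diagnose_role_lookup(cfg, log_text, username):
    """Return a verdict for the role search slapd logged for this user."""
    for s in parse_searches(log_text):
        if s["base"] == cfg["roleBaseDn"] and s["filter"] == expected_role_filter(cfg, username):
            if s.get("err") == 32:  # LDAP noSuchObject: the search base itself is missing
                return f"roleBaseDn '{cfg['roleBaseDn']}' does not exist (err=32 noSuchObject)"
            if s.get("nentries") == 0:
                return f"roleBaseDn exists but no {cfg['roleObjectClass']} has {cfg['roleMemberAttribute']}={username}"
            return f"{s['nentries']} role entries found"
    return "no role search matching the configured role settings was logged"
```

Run it against your own slapd log and jaas-ldap.conf values: an err=32 verdict means fixing roleBaseDn, an "exists but no ... has" verdict means the group objectClass or member attribute is wrong.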
