Rundeck - Open Source - LDAP - How to pass bindUser and bindPassword as encrypted values

naveen krishna vadakoppula

Oct 13, 2020, 4:40:19 AM
to rundeck-discuss
Hi Team,

I have successfully configured our Active Directory integrated login into Rundeck.

However, due to security reasons, I need to insert encrypted values for the bindUser and bindPassword parameters in the jaas-activedirectory.conf file.

Below is for your ref:
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://X.X.X.X:389"
    bindDn="ab...@xyz.com"
    bindPassword="password@123"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=xyz,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="OU=Service Accounts,DC=xyz,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};

Please have a look and help me

Thank you
Naveen Krishna

rac...@rundeck.com

Oct 13, 2020, 8:02:04 AM
to rundeck-discuss
Hi Naveen,

That's possible on Rundeck Enterprise, take a look at this thread and this documentation link

Regards!

naveen krishna vadakoppula

Oct 13, 2020, 8:25:07 AM
to rundeck...@googlegroups.com
Hi Team 

Can’t we use MD5 or Crypt values generated by password utility?

Thank you 
Naveen Krishna 

naveen krishna vadakoppula

Oct 14, 2020, 12:23:34 AM
to rundeck...@googlegroups.com
Team,

This is the only blocker to proceed for implementation in our organization.

We have been able to cross all the obstacles to using Rundeck. For more than 3 months we have been fighting with the IT-Security TSR review process, and now we are finally at this blocker, the only blocker.
And we are trying hard to push Rundeck into our environment and have plans for enterprise version subscriptions as well.

But for that we need to prove its worth with this open source version.

Can you please reply with some alternatives with which we can eliminate entering a raw text password in bindPassword for jaas-activedirectory.conf?

And not sure if we can use MD5 and CRYPT values generated by Rundeck-Password Utility Tool

Thank you in advance

Naveen Krishna

rac...@rundeck.com

Oct 14, 2020, 8:52:49 AM
to rundeck-discuss

Hi Naveen,

It is not possible to crypt the password using MD5 for the bindPassword parameter. The bindPassword is used to directly authenticate to LDAP, so it must be cleartext. To avoid that, on Enterprise you can use the rundeck.security.ldap.bindPassword parameter in the rundeck-config.properties file after using the Jasypt encryption tool, following this. On Community, you can use the encryption tool to encrypt the realm.properties user passwords, take a look at this.

Alternatively, you can “secure” the jaas-ldap.conf file by making it readable only by the rundeck user on your operating system.

Regards!
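
The file-permission alternative from the reply above, as an added example that is not part of the original thread or Rundeck's own tooling: a shell check that the JAAS file holding the cleartext bindPassword is a regular file owned by the service account, with no group or other access. The function names and the path in the usage comment are hypothetical; `rundeck` as the owning account follows the reply.

```bash
#!/usr/bin/env bash
# Added example: audit and tighten permissions on the JAAS LDAP file that
# holds a cleartext bindPassword. Function names here are hypothetical.

# Print "<octal mode> <owner>" for a file (GNU stat first, then BSD stat).
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# audit_jaas_conf FILE OWNER
# Returns 0 only when FILE is a regular, non-symlink file owned by OWNER
# with no group/other permission bits; 1 on a finding, 2 if FILE is unusable.
audit_jaas_conf() {
    local file="$1" want_owner="$2" mode owner rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file"
        return 2
    fi
    read -r mode owner <<EOF
$(file_mode_owner "$file")
EOF
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"; rc=1
    fi
    # Any bit set in the group/other octal digits exposes the password.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: mode $mode grants group/other access"; rc=1
    fi
    if grep -Eq '^[[:space:]]*bindPassword=' "$file"; then
        echo "NOTE: cleartext bindPassword present in $file"
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: mode $mode, owner $owner"; fi
    return "$rc"
}

# harden_jaas_conf FILE OWNER
# Sets mode 600 and re-audits; chown is attempted only when running as root.
harden_jaas_conf() {
    if [ "$(id -u)" -eq 0 ]; then chown "$2" "$1" || return 1; fi
    chmod 600 "$1" && audit_jaas_conf "$1" "$2"
}

# Usage: bash script.sh /path/to/jaas-activedirectory.conf rundeck
if [ "$#" -eq 2 ]; then audit_jaas_conf "$1" "$2"; fi
```

The audit rejects symlinks so that the permission check applies to the file the service actually reads, not to a link pointing elsewhere.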
