AD login help needed


Ed

Apr 5, 2011, 11:38:10 AM
to rundeck-discuss
Hello,

I am trying to set up AD auth for rundeck and I am running into some
issues.

My /etc/rundeck/jaas-activedirectory.conf

activedirectory {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule
required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://xxxxxxxxxxxxxxxxxx:389"
port="389"
bindDn="xxxxxxxxxxxxxxxxx"
bindPassword="xxxxxxx"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="xxxxxxxxxxxxxxxxxxxxxxxxx"
userRdnAttribute="cn"
userIdAttribute="cn"
userPasswordAttribute="unicodePwd"
userObjectClass="user"
roleBaseDn="xxxxxxxxxxxxxxxxxxxxxxxxxx"
roleNameAttribute="cn"
roleMemberAttribute="member"
roleObjectClass="group";
cacheDurationMillis="300000"
reportStatistics="true";
};

The error message I get after trying to log in to the rundeck UI:

2011-04-05 11:29:25.878:/:INFO: Initializing Spring FrameworkServlet
'grails'
2011-04-05 11:29:25.889::INFO: Started SocketC...@0.0.0.0:4440
2011-04-05 11:30:44.176::WARN: java.lang.SecurityException:
Configuration Error:
Line 19: expected [controlFlag]
2011-04-05 11:30:44.180::WARN: AUTH FAILURE: user ebailey

Any idea what "Line 19: expected [controlFlag]" means?

Thanks

Ed
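As an added example (not from the thread, and not Rundeck or Jetty code), here is a small Python checker for the JAAS login-configuration grammar that reproduces the "expected [controlFlag]" diagnostic. It assumes the standard JAAS grammar, `Name { ModuleClass controlFlag key="value" ...; ... };` with controlFlag one of required/requisite/sufficient/optional, and uses a constructed, trimmed form of the config posted above as its sample.

```python
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}
# Tokens: braces, ';', '=', double-quoted strings and bare words; whitespace is skipped.
TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};="]+')

def tokenize(text):
    """Tokens paired with their 1-based line number (quoted values may not span lines)."""
    return [(tok, n) for n, ln in enumerate(text.splitlines(), 1)
            for tok in TOKEN.findall(ln)]

def check_jaas(text):
    """Parse 'Name { Module flag key="v" ...; ... };' entries; None if OK, else a message."""
    toks = list(tokenize(text))
    i = 0
    peek = lambda: toks[i] if i < len(toks) else (None, None)
    while i < len(toks):
        name, line = toks[i]
        i += 1
        if peek()[0] != "{":
            return f"Line {line}: expected [{{] after {name}"
        i += 1
        while peek()[0] not in ("}", None):
            i += 1  # skip the module class name
            flag, fline = peek()
            if flag is None or flag.lower() not in FLAGS:
                # A stray ';' ends an entry early: the next option name is then read as a
                # module class and its neighbour as the control flag, which fails here.
                return f"Line {fline}: expected [controlFlag]"
            i += 1
            while peek()[0] not in (";", None):  # key="value" options
                if i + 1 >= len(toks) or toks[i + 1][0] != "=":
                    return f"Line {toks[i][1]}: expected [=]"
                i += 3
            i += 1  # consume the ';' that ends this module entry
        if peek()[0] != "}" or i + 1 >= len(toks) or toks[i + 1][0] != ";":
            return f"Line {line}: expected [}};] to close {name}"
        i += 2
    return None

# Constructed sample trimmed from the posted config: the ';' after roleObjectClass="group"
# closes the module entry before its last two options, exactly as in the thread.
BROKEN = '''activedirectory {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
debug="true"
roleObjectClass="group";
cacheDurationMillis="300000"
reportStatistics="true";
};
'''
FIXED = BROKEN.replace('roleObjectClass="group";', 'roleObjectClass="group"')
```

Running `check_jaas(BROKEN)` points at the line after the stray semicolon, while `check_jaas(FIXED)` returns None.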

Ed

Apr 5, 2011, 12:11:24 PM
to rundeck-discuss
I made some changes based on some other posts to the list and I now
have a new and hopefully better error message.

new /etc/rundeck/jaas-activedirectory.conf

activedirectory {

org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule sufficient
debug="true"
file="/etc/rundeck/realm.properties";

com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule
required

contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://xxxxxxxxxxxxxxxxx"
port="389"
bindDn="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
bindPassword="xxxxxxxxxxxxxxxxx"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="xxxxxxxxxxxxxxxxxxxx"
userRdnAttribute="cn"
userIdAttribute="cn"
userPasswordAttribute="unicodePwd"
userObjectClass="user"
roleBaseDn="xxxxxxxxxxxxxxxxxxxxxxxxx"
roleNameAttribute="cn"
roleMemberAttribute="uniqueMember"
roleObjectClass="groupOfUniqueNames"
cacheDurationMillis="300000"
reportStatistics="true";
};

New error message:

2011-04-05 11:51:05.189::INFO: Login attempts: 1, Hits: 0, Ratio: 0%.
2011-04-05 11:51:05.219::WARN:
javax.security.auth.login.LoginException: Error obtaining user info.
2011-04-05 11:51:05.219::WARN: AUTH FAILURE: user ebailey

I assume this means rundeck is hitting the AD server, but the query is
failing? Any ideas?

Thanks

Ed

Ed

Apr 5, 2011, 12:04:52 PM
to rundeck-discuss
I made some changes based on what I found in the mailing list.

new /etc/rundeck/jaas-activedirectory.conf

activedirectory {

org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule sufficient
debug="true"
file="/etc/rundeck/realm.properties";

com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule
required

contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="xxxxxxxxxxxxxxxxx"
port="389"
bindDn="xxxxxxxxxxxxxxxxx"
bindPassword="xxxxxxxxxxxxxxx"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="xxxxxxxxxxxx"
userRdnAttribute="cn"
userIdAttribute="cn"
userPasswordAttribute="unicodePwd"
userObjectClass="user"
roleBaseDn="xxxxxxxxxxxxxx"
roleNameAttribute="cn"
roleMemberAttribute="uniqueMember"
roleObjectClass="groupOfUniqueNames"
cacheDurationMillis="300000"
reportStatistics="true";
};

Now I am getting a new error message:

2011-04-05 11:51:05.189::INFO: Login attempts: 1, Hits: 0, Ratio: 0%.
2011-04-05 11:51:05.219::WARN:
javax.security.auth.login.LoginException: Error obtaining user info.
2011-04-05 11:51:05.219::WARN: AUTH FAILURE: user ebailey

I assume this means I am hitting the AD server but rundeck is not able
to find properly?

I will play with the various attributes and see if I can figure
something out.

Thanks

Ed

On Apr 5, 11:38 am, Ed <eds.mailing.list.acco...@gmail.com> wrote:
> 2011-04-05 11:29:25.889::INFO:  Started SocketConnec...@0.0.0.0:4440

Noah Campbell

Apr 5, 2011, 12:20:57 PM
to rundeck...@googlegroups.com
Are you intending to use PropertyFileLoginModule? This was a specific use case where the user password is stored on the local filesystem.

Are you on a linux box? Try running the following:

ldapsearch -H ldap://host -D "BINDDN" -x -w 'PASSWORD' -b ROLEBASEDN -a always objectClass=group

You can substitute your BINDDN and PASSWORD with the bind user or the user that's trying to log in, ebailey for example. If you can get that to return results, then you've diagnosed what values should be configured in the jaas-activedirectory.conf.

-Noah

Ed

Apr 5, 2011, 12:36:32 PM
to rundeck-discuss
Actually, I want to be able to use the default admin account to
access rundeck. I can use LDAP unless I have a way to get into the
application if ldap is down. I have a working config now. I can log in
as myself. I am using the following jaas config if anyone is
interested.

activedirectory {

org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule sufficient
debug="true"
file="/etc/rundeck/realm.properties";

com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule
required

contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://xxxxxxxxxxxxxxxxx"
port="389"
bindDn="xxxxxxxxxxxxxxxxxxxxx"
bindPassword="xxxxxxxxxxxx"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="xxxxxxxxxxxxxxxxxxxxxxxx"
userRdnAttribute="cn"
userIdAttribute="sAMAccountName"
userPasswordAttribute="unicodePwd"
userObjectClass="user"
roleBaseDn="xxxxxxxxxxxxxxxxxxxx"
roleNameAttribute="cn"
roleMemberAttribute="sAMAccountName"
roleObjectClass="groupOfUniqueNames"
cacheDurationMillis="300000"
reportStatistics="true";
};

I get a not authorized error when I log in as myself, with the following
error message:

WARN AuthorizationFilters: User ebailey has no role membership in
mapped roles
[Fatal Error] admin.aclpolicy:1:1: Content is not allowed in prolog.
WARN AuthorizationFilters: User ebailey has no role membership in
mapped roles
ERROR AuthorizationFilters: User ebailey UNAUTHORIZED for framework/
nodes
2011-04-05 12:25:37.867:/:INFO: Initializing Spring FrameworkServlet
'gsp'
2011-04-05 12:25:37.867:/:INFO: GSP servlet initialized
[Fatal Error] admin.aclpolicy:1:1: Content is not allowed in prolog.
[Fatal Error] admin.aclpolicy:1:1: Content is not allowed in prolog.

I am going to take a look at the manual for answers. I assume I need
to do some mapping in one of the config files to authorize my login, or
do I need to change my jaas config?

Thanks

Ed

Noah Campbell

Apr 5, 2011, 12:42:17 PM
to rundeck...@googlegroups.com
You can safely ignore these:

[Fatal Error] admin.aclpolicy:1:1: Content is not allowed in prolog.

To address the mapped roles issue, look at /etc/rundeck/rundeck-config.properties and be sure to add your role to all the mappings.

-Noah
