rundeck with LDAP using groups authentication doesn't work


M Sch

Aug 23, 2018, 12:31:52 PM
to rundeck-discuss
Hi Guys,

I really need help. I haven't used rundeck before, so I had to google a lot of stuff.
I've set up rundeck (3.0.2) with LDAP authentication.
The authentication against LDAP is working, so I'm able to log in with my user, which is in the group rundeck_admins.
I also have a group rundeck_users, but at the moment there is no user assigned to this group.
The user which has the rundeck_admins group assigned can't see anything on the dashboard (You have no authorized access to projects. Contact your administrator. (User roles: ROLE_username, ROLE_user)).

service.log says
DEBUG --- [tp1823752147-24] ailsUsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.jaas.JaasAuthenticationToken@e34f0ec4: Principal: username; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 10.8.0.242; SessionId: null; Granted Authorities: Jaas Authority [ROLE_user,user], Jaas Authority [ROLE_username,username]

my jaas-ldap.conf
ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://x.y.z.de:389"
    bindDn="us...@y.z.de"
    bindPassword="passwd"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=x,dc=y,dc=z,dc=de"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="ou=Groups,dc=y,dc=z,dc=de"
    roleNameAttribute="cn"
    roleUsernameMemberAttribute="member"
    roleMemberAttribute="uniqueMember"
    roleObjectClass="groupOfUniqueMember"
    cacheDurationMillis="300000"
    supplementalRoles="user"
    reportStatistics="true"
    timeoutRead="10000"
    timeoutConnect="20000"
    nestedGroups="true";
};

I have two aclpolicies named rundeck_admins and rundeck_users with the correct groups:

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: admin

description: Full access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeck_admins

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: rundeck_admins

My web.xml (I'm not sure if rundeck uses it in this version; I saw nothing about it in the documentation):
        <security-role>
                <role-name>rundeck_admins</role-name>
        </security-role>
        <security-role>
                <role-name>rundeck_users</role-name>
        </security-role> 

I hope this information helps to find the problem.
If you need any further information, don't hesitate to ask me.
Thanks in advance

za...@rundeck.com

Aug 23, 2018, 1:24:14 PM
to rundeck-discuss
Hello,

It appears that the user's group is not being picked up from ldap.

To break this down:
 (User roles: ROLE_username, ROLE_user)
  • ROLE_username is an automatically assigned group that matches the username, this has been patched out for the next release
  • ROLE_user is most likely being assigned from the supplementalRoles="user" in the jaas config
If username has been assigned additional roles in ldap, I would double-check that the role* settings in the jaas config match the ldap attributes.

Also, currently a role prefix of "ROLE_" is being applied to everything. I'm not sure ATM if there is a way to blank that out, however that has been removed for the next release as well.

-Greg
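To follow Greg's advice of checking the role* settings against what the directory actually contains, here is an added example (not Rundeck's code and not from this thread) that parses the key="value" options of a jaas-ldap.conf, shows the group search the login module would run, and flags role* settings that do not fit an Active Directory schema. The sample config is constructed to mirror the attribute names in the thread; the filter shape `(&(objectClass=<roleObjectClass>)(<roleMemberAttribute>=<userDn>))` is an assumption about how the module searches for groups, so verify it against the module's debug output before relying on it.

```python
"""Added example: sanity-check the role* settings of a jaas-ldap.conf.

Not Rundeck's code.  The search filter shape below is an assumption used
for illustration; the sample config is constructed for this example.
"""
import re

# Constructed sample stanza, using the attribute names seen in the thread.
SAMPLE_JAAS = '''
ldap {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
  userIdAttribute="sAMAccountName"
  roleBaseDn="ou=Groups,dc=y,dc=z,dc=de"
  roleNameAttribute="cn"
  roleUsernameMemberAttribute="member"
  roleMemberAttribute="uniqueMember"
  roleObjectClass="groupOfUniqueMember"
  nestedGroups="true";
};
'''

# One option per line: key="value", optionally followed by ';'
KV = re.compile(r'^\s*(\w+)="([^"]*)"', re.M)


def parse_jaas(text):
    """Return the key="value" options of the login module stanza as a dict."""
    return dict(KV.findall(text))


def role_search(opts, user_dn):
    """Base DN and filter for the group lookup of one user.

    Assumed shape: (&(objectClass=<roleObjectClass>)(<roleMemberAttribute>=<userDn>))
    """
    base = opts.get("roleBaseDn", "")
    flt = "(&(objectClass=%s)(%s=%s))" % (
        opts.get("roleObjectClass", "groupOfUniqueNames"),
        opts.get("roleMemberAttribute", "uniqueMember"),
        user_dn,
    )
    return base, flt


def check_role_settings(opts):
    """Return findings where role* settings don't match the directory type.

    Only Active Directory conventions are checked: AD groups have
    objectClass 'group' and store members in the 'member' attribute.
    """
    findings = []
    is_ad = opts.get("userIdAttribute", "").lower() == "samaccountname"
    if is_ad and opts.get("roleObjectClass") != "group":
        findings.append("AD groups have objectClass 'group', config has %r"
                        % opts.get("roleObjectClass"))
    if is_ad and opts.get("roleMemberAttribute") != "member":
        findings.append("AD group membership lives in 'member', config has %r"
                        % opts.get("roleMemberAttribute"))
    return findings


if __name__ == "__main__":
    opts = parse_jaas(SAMPLE_JAAS)
    base, flt = role_search(opts, "CN=tom,OU=x,DC=y,DC=z,DC=de")
    print("group search base:", base)
    print("group search filter:", flt)
    for f in check_role_settings(opts):
        print("finding:", f)
```

Run it against your real jaas-ldap.conf (read the file instead of SAMPLE_JAAS) and paste the printed base and filter into an ldapsearch with the bind account; if that search returns no groups, the login module cannot return them either, which is exactly what the "Granted Authorities" log line shows.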

M Sch

Aug 24, 2018, 3:29:03 AM
to rundeck-discuss
But that is not the fix for my problem. The user, for example Tom, who logs into rundeck has the rundeck_admins group assigned with full admin rights.
But he doesn't see anything on the dashboard, as you can see in my first post.
So I think that the ldap group and the aclpolicy are not "connected", because rundeck doesn't find the correct group with the correct rights.
That is the reason why I see this line in the log:

DEBUG --- [tp1823752147-24] ailsUsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.jaas.JaasAuthenticationToken@e34f0ec4: Principal: tom; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@3bcc: RemoteIpAddress: 10.8.0.242; SessionId: null; Granted Authorities: Jaas Authority [ROLE_user,user], Jaas Authority [ROLE_tom,tom]

Can anyone help me with this?
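Whether the LDAP group and the aclpolicy are "connected" can be checked mechanically: the roles in the "Granted Authorities" part of the log line have to intersect the groups named in the policies' `by: group:` clauses, otherwise no policy applies and the dashboard stays empty. The following is an added example (not Rundeck's code, not posted in this thread) that extracts both sets and reports the overlap; the log line and the policy text are constructed to match what the thread shows, and the policy parser is a minimal line scanner that only understands a single `group:` value under `by:`, not the full aclpolicy YAML.

```python
"""Added example: compare roles granted at login with aclpolicy groups.

Not Rundeck's code.  Log line and policy text are constructed samples that
mirror the thread; the policy parser is deliberately minimal (no PyYAML).
"""
import re

# Constructed service.log excerpt, shaped like the one in the thread.
LOG_LINE = ("DEBUG --- [tp1823752147-24] ailsUsernamePasswordAuthenticationFilter : "
            "Authentication success. Principal: tom; Authenticated: true; "
            "Granted Authorities: Jaas Authority [ROLE_user,user], "
            "Jaas Authority [ROLE_tom,tom]")

# Constructed aclpolicy file with two policy documents.
ACL_POLICY = '''
description: Full access.
context:
  project: '.*'
for:
  job:
    - allow: '*'
by:
  group: rundeck_admins

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  project:
    - allow: '*'
by:
  group: rundeck_admins
'''

AUTHORITY = re.compile(r"Jaas Authority \[([^\]]*)\]")


def granted_roles(log_line):
    """All names inside the 'Jaas Authority [a,b]' brackets of a log line."""
    roles = set()
    for inner in AUTHORITY.findall(log_line):
        roles.update(p.strip() for p in inner.split(",") if p.strip())
    return roles


def policy_groups(policy_text):
    """Group names from each 'by:' / 'group:' pair (single scalar values only)."""
    groups = set()
    in_by = False
    for line in policy_text.splitlines():
        stripped = line.strip()
        if stripped == "by:":
            in_by = True
        elif in_by and stripped.startswith("group:"):
            groups.add(stripped.split(":", 1)[1].strip().strip("'\""))
            in_by = False
        elif stripped and not line.startswith((" ", "\t")):
            in_by = False          # a new top-level key ends the by: block
    return groups


def matching_groups(log_line, policy_text):
    """Roles the user actually holds that some policy grants access to."""
    return granted_roles(log_line) & policy_groups(policy_text)


if __name__ == "__main__":
    print("granted:", sorted(granted_roles(LOG_LINE)))
    print("policy groups:", sorted(policy_groups(ACL_POLICY)))
    print("overlap:", sorted(matching_groups(LOG_LINE, ACL_POLICY)))
```

With the constructed input the overlap is empty: the login carries only `user` and the username itself, and nothing in the policies grants access to those, so the behaviour the post describes follows directly from the log line rather than from the policies being wrong.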

edu...@rundeck.com

Aug 24, 2018, 4:55:19 PM
to rundeck-discuss
Hi!


Would you mind testing this version and verifying the fix for your issue?


Hope it helps!

Eduardo.

M Sch

Aug 27, 2018, 3:53:53 AM
to rundeck-discuss
Hi!

I have updated to the latest version, but I think there is some other error in my configuration.
The error message has changed in some ways:


DEBUG --- [qtp689393150-27] ailsUsernamePasswordAuthenticationFilter : Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.jaas.JaasAuthenticationToken@9146b69: Principal: MYUSERNAME; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 10.8.0.242; SessionId: node0152vbocbns5jn12iheddqaio9b0; Granted Authorities: Jaas Authority [user,user]

Some other ideas?

M Sch

Aug 27, 2018, 5:13:13 AM
to rundeck-discuss
I found out that the web.xml is no longer supported.
So is there any other way to hand over the two aclpolicies which I created for my two groups (rundeck_admins and rundeck_users)?