Ping a Specific Port

Question

spuder

Asked: 2016-02-26 15:11:25 +0800 CST2016-02-26 15:11:25 +0800 CST 2016-02-26 15:11:25 +0800 CST

rundeck unable to auth against Active Directory

772

I'm trying to setup rundeck so that it authenticates against Active Directory

I keep getting this error

The wiki contains information about the 403. Reason: !role error https://github.com/rundeck/rundeck/wiki/FAQ#i-get-an-error-logging-in-http-error-403--reason-role

Rundeck 2.6.2-1 (installed from .deb)
Ubuntu 14.04

jaas-ldap.conf

ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://DC01.example.com:389"
    bindDn="cn=rundeck,OU=MyOU,DC=example,DC=com"
    bindPassword="correct-horse-battery-staple"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=example,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="DC=example,DC=com"
    roleNameAttribute="sAMAccountName"
    roleUsernameMemberAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    supplementalRoles="user"
    reportStatistics="true"
    timeoutRead="10000"
    timeoutConnect="20000"
    nestedGroups="true";
};

/var/lib/rundeck/exp/webapp/WEB-INF/web.xml

    ...
    <security-role>
            <role-name>Enterprise Admins</role-name>
    </security-role>
    ...

profile

...
export RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-ldap.conf \
    -Dloginmodule.name=ldap \
...

I'm aware this is goes against best practices for the following reasons:

Uses "simple" authentication and port 389. All passwords sent in plain text!!!
baseDN are way too broad, should be narrowed down to speed up ldap search
Don't need a bindDN if using forceBindingLogin

Additional resources:

https://github.com/rundeck/rundeck/issues/590
https://github.com/rundeck/rundeck/issues/620
http://www.bitester.com/2015/12/ldap-authentication-with-rundeck.html

1 Answers

Voted

spuder · Answer 1 · 2016-02-26T15:11:25+08:00

Figured out that at least in my use case I had to remove roleUsernameMemberAttribute

It is also important to have supplementalRoles defined

The final working example (unoptimized)

ldap {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://DC01.example.com:389"
    bindDn="cn=rundeck,OU=MyOU,DC=example,DC=com"
    bindPassword="correct-horse-battery-staple"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=example,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="DC=example,DC=com"
    roleNameAttribute="sAMAccountName"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    supplementalRoles="user"
    reportStatistics="true"
    timeoutRead="10000"
    timeoutConnect="20000"
    nestedGroups="true";
};

Note: This only does ldap authentication. You can also have a hybrid of local accounts and ldap accounts.

Update

Additional documentation & information in this github issue

rundeck unable to auth against Active Directory

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?