
Rundeck Yaml file formatting issue and issue with logging into Rundeck with AD user

I'm trying to allow domain users to log into my rundeck instance by following the guide https://vinusumi.wordpress.com/2017/12/28/setup-active-directory-authentication-for-rundeck/ . However, I'm running into 2 issues.

  1. For some reason, I'm unable to log into rundeck with a user that's added to the "rundeck_admins" group. I confirmed that the credentials are correct and I believe that the info I added to the "jaas-activedirectory.conf" is syntactically correct and accurate based on my AD settings. According to "/var/log/rundeck/service.log", it says the following:

     2018-12-13 20:13:29.689 DEBUG --- [tp1465511423-25] ailsUsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
     2018-12-13 20:13:29.689 DEBUG --- [tp1465511423-25] ailsUsernamePasswordAuthenticationFilter : Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@51aaa9d4
  2. I'm having trouble figuring out the proper syntax regarding the yaml file used for my "rundeck_users" group:

     # context.project is matched as a regex and must be quoted: a bare * is read by YAML as an alias and does not parse
     description: "Ops Engineers can launch jobs but not edit them"
     context:
       project: '.*'
     for:
       resource:
         - equals:
             kind: 'node'
           allow: [read,update,refresh]
         - equals:
             kind: 'job'
           allow: [read,run,kill]
         - equals:
             kind: 'adhoc'
           allow: [read,run,kill]
         - equals:
             kind: 'event'
           allow: [read,create]
       job:
         - match:
             name: '.*'
           allow: [read,run,kill]
       adhoc:
         - match:
             name: '.*'
           allow: [read,run,kill]
       node:
         - match:
             nodename: '.*'
           allow: [read,run,refresh]
     by:
       group:
         - rundeck_users
     ---
     context:
       application: rundeck
     description: "Ops Engineers can launch jobs but not edit them"
     for:
       project:
         - match:
             name: '.*'   # match values are regexes, so '.*' rather than '*'
           allow: [read]
       system:
         - match:
             name: '.*'
           allow: [read]
     by:
       group:
         - rundeck_users

1.- Make sure the authentication is being read. When Rundeck is starting:

<..>
2018-12-14 01:52:57.186 INFO --- [ main] rundeckapp.BootStrap : RSS feeds disabled
2018-12-14 01:52:57.187 INFO --- [ main] rundeckapp.BootStrap : Using jaas authentication <<<<<<<<<
<..>

2.- Verify the yaml content is correct, for example using http://www.yamllint.com/

3.- Use an existing/working aclpolicy with your group for testing purposes and check if the acl policy is causing the issue.

Hope it helps
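A YAML linter, as in step 2 above, only tells you whether the file parses; it will not tell you whether each document has the shape Rundeck expects from an aclpolicy. The following validator is an added example (not from this answer, and not Rundeck's own ACL parser): it checks every `---`-separated document for the required `description`/`context`/`for`/`by` keys, for a `context` with exactly one of `project` or `application`, for rules that carry exactly one matcher (`match`, `equals`, `contains`, `subset`) plus `allow` and/or `deny`, and it compiles `match:` patterns and the `context: project:` value as regexes, which is the check the question's bare `*` fails. PyYAML is assumed for reading files; the sample policies are constructed from the policy posted in the question.

```python
import re

try:
    import yaml  # only needed by validate_policy_text(); the checks work on plain dicts
except ImportError:
    yaml = None

MATCHERS = ("match", "equals", "contains", "subset")  # exactly one per rule
DECISIONS = ("allow", "deny")                         # at least one per rule


def _is_regex(value):
    # Rundeck compiles 'match' values and 'context: project:' as Java regexes;
    # Python's re rejects the same common mistakes, such as a bare '*'.
    try:
        re.compile(value)
        return True
    except (re.error, TypeError):
        return False


def _check_rule(where, rule):
    if not isinstance(rule, dict):
        return ["%s: rule is not a mapping" % where]
    errors = []
    matchers = [m for m in MATCHERS if m in rule]
    if len(matchers) != 1:
        errors.append("%s: rule needs exactly one of %s" % (where, ", ".join(MATCHERS)))
    for m in matchers:
        if not isinstance(rule[m], dict):
            errors.append("%s: %s must map attribute names to values" % (where, m))
        elif m == "match":  # only 'match' values are regexes; equals/contains/subset are literals
            for attr, pattern in rule[m].items():
                if not _is_regex(pattern):
                    errors.append("%s: match.%s is not a valid regex: %r" % (where, attr, pattern))
    if not any(d in rule for d in DECISIONS):
        errors.append("%s: rule needs 'allow' and/or 'deny'" % where)
    return errors


def validate_document(doc):
    """Return the problems found in one aclpolicy document; [] means it is well-formed."""
    if not isinstance(doc, dict):
        return ["document is not a mapping"]
    errors = ["missing required key %r" % k for k in ("description", "context", "for", "by") if k not in doc]
    ctx = doc.get("context", {})
    if not isinstance(ctx, dict) or set(ctx) not in ({"project"}, {"application"}):
        errors.append("context must contain exactly one of 'project' or 'application'")
    elif "project" in ctx and not _is_regex(ctx["project"]):
        errors.append("context.project must be a quoted regex such as '.*', got %r" % (ctx["project"],))
    elif "application" in ctx and ctx["application"] != "rundeck":
        errors.append("context.application must be 'rundeck'")
    rules = doc.get("for", {})
    if not isinstance(rules, dict):
        errors.append("'for' must map resource types to lists of rules")
        rules = {}
    for rtype, rule_list in rules.items():
        if not isinstance(rule_list, list):
            errors.append("for.%s must be a list of rules" % rtype)
            continue
        for i, rule in enumerate(rule_list):
            errors += _check_rule("for.%s[%d]" % (rtype, i), rule)
    by = doc.get("by", {})
    if not isinstance(by, dict) or not {"group", "username"} & set(by):
        errors.append("'by' needs a 'group' or 'username' entry")
    return errors


def validate_policy_text(text):
    """Validate every '---'-separated document of an aclpolicy file; returns {index: problems}."""
    if yaml is None:
        raise RuntimeError("PyYAML is needed to parse YAML text (pip install pyyaml)")
    try:
        docs = list(yaml.safe_load_all(text))
    except yaml.YAMLError as exc:  # the question's bare '*' ends up here: YAML reads '*' as an alias
        return {"parse": [str(exc)]}
    return {i: errs for i, errs in enumerate(map(validate_document, docs)) if errs}


# Constructed sample: the project-context policy posted in the question, with the
# bare '*' replaced by the quoted regex '.*' that Rundeck expects.
SAMPLE_PROJECT_POLICY = {
    "description": "Ops Engineers can launch jobs but not edit them",
    "context": {"project": ".*"},
    "for": {
        "resource": [{"equals": {"kind": kind}, "allow": allow} for kind, allow in (
            ("node", ["read", "update", "refresh"]), ("job", ["read", "run", "kill"]),
            ("adhoc", ["read", "run", "kill"]), ("event", ["read", "create"]))],
        "job": [{"match": {"name": ".*"}, "allow": ["read", "run", "kill"]}],
        "adhoc": [{"match": {"name": ".*"}, "allow": ["read", "run", "kill"]}],
        "node": [{"match": {"nodename": ".*"}, "allow": ["read", "run", "refresh"]}],
    },
    "by": {"group": ["rundeck_users"]},
}
# Constructed sample: quoting the question's '*' makes it parse, but '*' is not a valid regex.
BROKEN_CONTEXT_POLICY = dict(SAMPLE_PROJECT_POLICY, context={"project": "*"})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. python validate_acl.py /etc/rundeck/rundeck_users.aclpolicy
        print(path, validate_policy_text(open(path).read()) or "ok")
```

Run it against each file in /etc/rundeck before restarting rundeckd; an empty result means the documents are structurally sound, while a `parse` entry means the file never got as far as Rundeck's own checks. The validator does not know which action names are valid for each resource type, so a misspelled action still has to be caught by testing the policy in Rundeck, as step 3 suggests.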

  1. AD authentication - These steps are relevant for Rundeck version 3 and up on CentOS 7. For older Rundeck versions, see the procedure I posted here: https://groups.google.com/forum/#!msg/rundeck-discuss/P2qQHNpDct4/aP0ot7V2BAAJ

Create AD config file with the following content:

AD {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://<ip>:389 ldap://<ip>:389"
bindDn="CN=authUser,CN=Users,DC=your,DC=domain,DC=com"
bindPassword="<authUserPassword>"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="CN=Users,DC=your,DC=domain,DC=com"
userRdnAttribute="sAMAccountName"
userIdAttribute="sAMAccountName"
userPasswordAttribute="unicodePwd"
userObjectClass="person"
roleBaseDn="CN=Users,DC=your,DC=domain,DC=com"
roleNameAttribute="sAMAccountName"
roleMemberAttribute="member"
roleObjectClass="group"
cacheDurationMillis="300000"
reportStatistics="true";
};

Create file /etc/sysconfig/rundeckd with the following lines.

Note that the LOGIN_MODULE value should be the same as what you set in your file.

export JAAS_CONF=/path/to/file/jaas-AD.conf
export LOGIN_MODULE=AD

  2. I recommend creating a full-control yaml at first so you can test AD authentication, and then remove permissions as necessary. Note that groups in the yaml should be the same as in your AD.
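When the configuration above is in place and logins still fail, as in the question, it helps to run the same sequence outside Rundeck so the failing step is visible. With forceBindingLogin="true" the login module binds as bindDn, searches userBaseDn for the sAMAccountName, binds again as the user's own DN with the submitted password, and then looks for groups under roleBaseDn whose member attribute contains that DN. The script below repeats those four steps; it is an added example, not part of this answer or of Rundeck, it assumes the ldap3 package, and it uses the same placeholder values as the jaas-AD.conf above (replace them with your own). The username is escaped before it goes into the search filter, which matters because a login name such as `x)(cn=*` would otherwise rewrite the filter.

```python
import os
import sys
from getpass import getpass

# Placeholders mirroring the conf above; the service-account password is read
# from the environment (AD_BIND_PASSWORD, an assumed variable name) rather than stored here.
PROVIDER_URL = "ldap://<ip>:389"
BIND_DN = "CN=authUser,CN=Users,DC=your,DC=domain,DC=com"
BIND_PASSWORD = os.environ.get("AD_BIND_PASSWORD", "<authUserPassword>")
USER_BASE_DN = "CN=Users,DC=your,DC=domain,DC=com"
ROLE_BASE_DN = "CN=Users,DC=your,DC=domain,DC=com"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter: the
    characters with filter meaning become \\xx hex escapes, so user input
    cannot change the filter's structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def user_filter(username):
    # userObjectClass="person" and userIdAttribute="sAMAccountName" from the conf
    return "(&(objectClass=person)(sAMAccountName=%s))" % escape_filter_value(username)


def role_filter(user_dn):
    # roleObjectClass="group" and roleMemberAttribute="member" from the conf
    return "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


def check_login(username, password):
    """Return the sAMAccountName of every group the user is a direct member of,
    or raise RuntimeError naming the step that failed."""
    from ldap3 import Server, Connection, SIMPLE  # imported here so the helpers above work without ldap3

    server = Server(PROVIDER_URL)
    # 1. bind as the service account (bindDn / bindPassword)
    svc = Connection(server, user=BIND_DN, password=BIND_PASSWORD, authentication=SIMPLE)
    if not svc.bind():
        raise RuntimeError("step 1: service bind as %s failed: %s" % (BIND_DN, svc.result))
    # 2. locate the user under userBaseDn
    svc.search(USER_BASE_DN, user_filter(username), attributes=["sAMAccountName"])
    if len(svc.entries) != 1:
        raise RuntimeError("step 2: expected one entry for %r under %s, got %d"
                           % (username, USER_BASE_DN, len(svc.entries)))
    user_dn = svc.entries[0].entry_dn
    # 3. forceBindingLogin="true": bind again as the user's own DN with the submitted password.
    #    AD never returns unicodePwd on a read, so comparing the password attribute cannot work.
    user = Connection(server, user=user_dn, password=password, authentication=SIMPLE)
    if not user.bind():
        raise RuntimeError("step 3: bind as %s failed: %s" % (user_dn, user.result))
    user.unbind()
    # 4. groups under roleBaseDn whose member attribute contains the user's DN
    svc.search(ROLE_BASE_DN, role_filter(user_dn), attributes=["sAMAccountName"])
    groups = [entry.sAMAccountName.value for entry in svc.entries]
    svc.unbind()
    return groups


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else input("username: ")
    try:
        print("groups:", check_login(name, getpass("password: ")))
    except RuntimeError as exc:
        sys.exit("FAILED at %s" % exc)
```

Run it as `AD_BIND_PASSWORD=... python check_ad_login.py someuser` from the Rundeck host, so the same network path and LDAP URL are exercised. A failure at step 1 points at bindDn/bindPassword, at step 2 at userBaseDn or the user attributes, at step 3 at the user's password, and an empty list from step 4 at roleBaseDn or the group attributes; the names that step 4 returns are the ones the aclpolicy's `by: group:` must list. Only direct membership is returned, since the filter looks at the group's member attribute.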
