Rundeck is a simple & easy product to setup workflow and automation tool. By default, it comes with the default local user accounts. Rundeck supports LDAP, AD, PAM and Pre-Auth methods. But the downside is Rundeck’s documentation which is not that great to configure LDAP/AD based authentication.
After multiple attempts and spending a whole day searching on the internet; able to configure AD authentication… Here are the simple steps for Rundeck AD auth configuration.
1. Create AD auth configuration file “jaas-activedirectory.conf” in /etc/rundeck {Rundeck configuration directory path}
activedirectory {
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://s01.test.com:389"
bindDn="username@s01.test.com"
bindPassword="yourpassword"
authenticationMethod="simple"
forceBindingLogin="true"
userBaseDn="DC=s01,DC=test,DC=com"
userRdnAttribute="sAMAccountName"
userIdAttribute="sAMAccountName"
userPasswordAttribute="unicodePwd"
userObjectClass="user"
roleBaseDn="DC=s01,DC=test,DC=com"
roleNameAttribute="cn"
roleMemberAttribute="member"
roleObjectClass="group"
cacheDurationMillis="300000"
reportStatistics="true";
};
Change the above highlighted text according to your environment
2. Update “/etc/rundeck/profile” to refer new AD auth conf
BEFORE
RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}"
RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}"
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"
RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}"
RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}"
RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}"
RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}"
RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}"
RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}"
RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"
RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}"
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}"
RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}"
RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440}
RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443}
# If no JAVA_CMD, try to find it in $JAVA_HOME
if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ; then
JAVA_CMD=$JAVA_HOME/bin/java
PATH=$PATH:$JAVA_HOME/bin
export JAVA_HOME
elif [ -z "$JAVA_CMD" ] ; then
JAVA_CMD=java
fi
# build classpath without lone : that includes .
for jar in $(find $RDECK_INSTALL/cli -name '*.jar') ; do
CLI_CP=${CLI_CP:+$CLI_CP:}$jar
done
for jar in $(find $RDECK_INSTALL/bootstrap -name '*.jar') ; do
BOOTSTRAP_CP=${BOOTSTRAP_CP:+$BOOTSTRAP_CP:}$jar
done
RDECK_JVM="-Djava.security.auth.login.config=$JAAS_CONF \
-Dloginmodule.name=$LOGIN_MODULE \
-Drdeck.config=$RDECK_CONFIG \
-Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
-Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
-Drundeck.server.serverDir=$RDECK_INSTALL \
-Drdeck.projects=$RDECK_PROJECTS \
-Drdeck.runlogs=$RUNDECK_LOGDIR \
-Drundeck.config.location=$RDECK_CONFIG_FILE \
-Djava.io.tmpdir=$RUNDECK_TEMPDIR \
-Drundeck.server.workDir=$RUNDECK_WORKDIR \
-Dserver.http.port=$RDECK_HTTP_PORT"
#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi
unset JRE_HOME
umask 002
rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -cp $BOOTSTRAP_CP com.dtolabs.rundeck.RunServer $RDECK_BASE"
AFTER
RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}"
RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}"
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"
RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}"
RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}"
RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}"
RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}"
RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}"
RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}"
RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"
RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}"
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}"
RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}"
RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440}
RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443}
# If no JAVA_CMD, try to find it in $JAVA_HOME
if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ; then
JAVA_CMD=$JAVA_HOME/bin/java
PATH=$PATH:$JAVA_HOME/bin
export JAVA_HOME
elif [ -z "$JAVA_CMD" ] ; then
JAVA_CMD=java
fi
# build classpath without lone : that includes .
for jar in $(find $RDECK_INSTALL/cli -name '*.jar') ; do
CLI_CP=${CLI_CP:+$CLI_CP:}$jar
done
for jar in $(find $RDECK_INSTALL/bootstrap -name '*.jar') ; do
BOOTSTRAP_CP=${BOOTSTRAP_CP:+$BOOTSTRAP_CP:}$jar
done
RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-activedirectory.conf \
-Dloginmodule.name=activedirectory \
-Drdeck.config=$RDECK_CONFIG \
-Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
-Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
-Drundeck.server.serverDir=$RDECK_INSTALL \
-Drdeck.projects=$RDECK_PROJECTS \
-Drdeck.runlogs=$RUNDECK_LOGDIR \
-Drundeck.config.location=$RDECK_CONFIG_FILE \
-Djava.io.tmpdir=$RUNDECK_TEMPDIR \
-Drundeck.server.workDir=$RUNDECK_WORKDIR \
-Dserver.http.port=$RDECK_HTTP_PORT"
#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi
unset JRE_HOME
umask 002
rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -cp $BOOTSTRAP_CP com.dtolabs.rundeck.RunServer $RDECK_BASE"
Here, local login configuration was replaced with the newly created AD Auth configuration file
3. Update “/var/lib/rundeck/exp/webapp/WEB-INF/web.xml”
IMPORTANT: In most of the blogs or sites, only one entry made to add domain user group. In this case, requirement was to add 2 groups,
- Admin group with full access @ Rundeck – Create, Modify & Kill jobs
- User group with limited/read-only access, specific to projects @ Rundeck – View & Run jobs of that particular project
Search for
<security-role> <role-name>user</role-name> </security-role>
Replace with
<security-role> <role-name>rundeck_admins</role-name> </security-role> <security-role> <role-name>rundeck_users</role-name> </security-role>
rundeck_admins {users added to this group would have admin level access in Rundeck} and rundeck_users {users added to this group would have limited/read-only level access in Rundeck} are two domain groups created in s01.test.com.
4. Create ACL policy files for the above groups and place them in /etc/rundeck
- rundeck_admins.aclpolicy
description: Admin, all access. context: application: 'rundeck' for: resource: - allow: '*' # allow create of projects project: - allow: '*' # allow view/admin of all projects by: group: admin description: Full access. context: project: '.*' # all projects for: resource: - allow: '*' # allow read/create all kinds adhoc: - allow: '*' # allow read/running/killing adhoc jobs job: - allow: '*' # allow read/write/delete/run/kill of all jobs node: - allow: '*' # allow read/run for all nodes by: group: rundeck_admins --- description: Admin, all access. context: application: 'rundeck' for: resource: - allow: '*' # allow create of projects project: - allow: '*' # allow view/admin of all projects by: group: rundeck_admins
- rundeck_users.aclpolicy
--- description: "Ops Engineers can launch jobs but not edit them" context: project: * for: resource: - equals: kind: 'node' allow: [read,update,refresh] - equals: kind: 'job' allow: [read,run,kill] - equals: kind: 'adhoc' allow: [read,run,kill] - equals: kind: 'event' allow: [read,create] job: - match: name: '.*' allow: [read,run,kill] adhoc: - match: name: '.*' allow: [read,run,kill] node: - match: nodename: '.*' allow: [read,run,refresh] by: group: - rundeck_users --- context: application: rundeck description: "Ops Engineers can launch jobs but not edit them" for: project: - match: name: '*' allow: [read] system: - match: name: '.*' allow: [read] by: group: - rundeck_users
Rundeck accesses the above configuration files and applies ACL policy accordingly based on the user’s group.
5. Restart Rundeck service
/etc/init.d/rundeckd restart
{OR}
service rundeckd restart
{OR}
systemctl restart rundeckd.service
Troubleshooting:
Check Rundeck service logs for any configuration related errors messages.
tail -200 /var/log/rundeck/service.log
NOTE:
This configuration tested on the version “Rundeck 2.8.4-1 cafe cubano purple gift 2017-07-12″. I do not guarantee that whether this configuration works on the newer versions of Rundeck 🙂
BELLISIMO!!! You’ve configured AD auth for Rundeck and should be able to access it from your domain account.
Thanks for stopping by… Please leave your comments/suggestions below.
First off, thanks for this informative instructions for integrating AD with Rundeck. For whatever reason, Im stuck on 2 items.
1. I’m unable to login with an AD user. Although I add this user to the “rundeck_admin” group (in AD), I still cannot login and not sure what the issue is. The log in /var/log/rundeck/service/log is:
2018-12-14 09:17:00.319 DEBUG — [tp1465511423-27] ailsUsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
2018-12-14 09:17:00.319 DEBUG — [tp1465511423-27] ailsUsernamePasswordAuthenticationFilter : Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@51aaa9d4
2. The other issue is the yaml syntax for the “rundeck_users.aclpolicy” file. Is there a way you can post the syntax in a way it doesnt distort the yaml file?
Thanks in advance
Hi Ruffin,
As per the latest version we don’t have to update /etc/rundeck/profile please see the comments from Reiner for now till I update the blog.
Best,
Vinay
Hi!
Please update this awesome guide, right now is not necessary (and not recommended) edit the /etc/rundeck/profile file. Instead, you can create/edit /etc/sysconfig/rundeckd file with this params:
export LOGIN_MODULE=”activedirectory”
export JAAS_CONF=”/etc/rundeck/jaas-activedirectory.conf”
or
LOGIN_MODULE=activedirectory
AAS_CONF=/etc/rundeck/jaas-activedirectory.conf
Thanks a lot.
Best Regards!
Hi Reiner,
Thanks much. I’ll update the blog as per above.
Best,
Vinay
Hi,
I tried to follow this on Debian 9.7. But there’s no file /var/lib/rundeck/exp/webapp/WEB-INF/web.xml
How may do this work please ?
Regards,