Rundeck is a simple, easy-to-set-up workflow and automation tool. By default it ships with local user accounts, and it also supports LDAP, AD, PAM and pre-auth methods. The downside is that Rundeck's documentation is not great when it comes to configuring LDAP/AD-based authentication.
After multiple attempts and a whole day spent searching the internet, I was able to configure AD authentication. Here are the simple steps for Rundeck AD auth configuration.
1. Create the AD auth configuration file "jaas-activedirectory.conf" in /etc/rundeck {Rundeck configuration directory path}

```
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://s01.test.com:389"
    bindDn="username@s01.test.com"
    bindPassword="yourpassword"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=s01,DC=test,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="DC=s01,DC=test,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};
```

Change the server URL, bind account, bind password and base DNs above according to your environment.
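Before restarting Rundeck it is worth checking the JAAS file for the settings that matter most from a security standpoint: a plain `ldap://` URL with a simple bind sends the bind password and every user's password across the network in clear, `debug="true"` writes LDAP traffic to service.log, and the file holds a clear-text service-account password. The small audit below is an added example, not part of the original guide or of Rundeck; it parses the one-module JAAS layout shown above and reports those findings. Host, bind DN and base DNs in the sample are constructed placeholders.

```python
import re

# Constructed sample laid out like the guide's jaas-activedirectory.conf
# (dc01.example.test, svc-rundeck and the DNs are placeholders, not real values).
SAMPLE_CONF = '''
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://dc01.example.test:389"
    bindDn="svc-rundeck@example.test"
    bindPassword="placeholder-password"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=example,DC=test"
    roleBaseDn="DC=example,DC=test"
    cacheDurationMillis="300000";
};
'''

def parse_jaas(text):
    """Return (app_name, module_class, flag, options) for a single-module JAAS block."""
    m = re.search(r'(\w+)\s*\{(.*?)\};', text, re.S)
    if not m:
        raise ValueError("no JAAS application block found")
    app, body = m.group(1), m.group(2).strip()
    tokens = body.rstrip(';').split()          # first two tokens: class and control flag
    module_class, flag = tokens[0], tokens[1]
    opts = dict(re.findall(r'(\w+)="([^"]*)"', body))
    return app, module_class, flag, opts

def audit_jaas(text):
    """Return the findings a reviewer would raise before deploying this config."""
    app, module_class, flag, opts = parse_jaas(text)
    findings = []
    url = opts.get("providerUrl", "")
    if url.startswith("ldap://") and opts.get("authenticationMethod", "simple") == "simple":
        findings.append("simple bind over ldaps-less ldap://: passwords cross the network in clear, use ldaps:// (636)")
    if opts.get("debug", "false").lower() == "true":
        findings.append("debug=true writes LDAP exchanges to service.log; turn it off after testing")
    if opts.get("bindPassword"):
        findings.append("bindPassword is stored in clear text: restrict the file to the rundeck user (chmod 600)")
    if flag != "required":
        findings.append(f"login module control flag is '{flag}', expected 'required'")
    if opts.get("forceBindingLogin", "false").lower() != "true":
        findings.append("forceBindingLogin is not true: AD will not return unicodePwd, so the module must bind as the user")
    return findings

if __name__ == "__main__":
    for finding in audit_jaas(SAMPLE_CONF):
        print("-", finding)
```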
2. Update "/etc/rundeck/profile" to refer to the new AD auth conf
BEFORE
```sh
RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}"
RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}"
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"
RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}"
RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}"
RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}"
RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}"
RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}"
RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}"
RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"
RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}"
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}"
RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}"
RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440}
RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443}

# If no JAVA_CMD, try to find it in $JAVA_HOME
if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ; then
    JAVA_CMD=$JAVA_HOME/bin/java
    PATH=$PATH:$JAVA_HOME/bin
    export JAVA_HOME
elif [ -z "$JAVA_CMD" ] ; then
    JAVA_CMD=java
fi

# build classpath without lone : that includes .
for jar in $(find $RDECK_INSTALL/cli -name '*.jar') ; do
    CLI_CP=${CLI_CP:+$CLI_CP:}$jar
done
for jar in $(find $RDECK_INSTALL/bootstrap -name '*.jar') ; do
    BOOTSTRAP_CP=${BOOTSTRAP_CP:+$BOOTSTRAP_CP:}$jar
done

RDECK_JVM="-Djava.security.auth.login.config=$JAAS_CONF \
        -Dloginmodule.name=$LOGIN_MODULE \
        -Drdeck.config=$RDECK_CONFIG \
        -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
        -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
        -Drundeck.server.serverDir=$RDECK_INSTALL \
        -Drdeck.projects=$RDECK_PROJECTS \
        -Drdeck.runlogs=$RUNDECK_LOGDIR \
        -Drundeck.config.location=$RDECK_CONFIG_FILE \
        -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
        -Drundeck.server.workDir=$RUNDECK_WORKDIR \
        -Dserver.http.port=$RDECK_HTTP_PORT"

#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"

#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
    RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
    RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi

unset JRE_HOME
umask 002

rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -cp $BOOTSTRAP_CP com.dtolabs.rundeck.RunServer $RDECK_BASE"
```
AFTER
```sh
RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}"
RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}"
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"
RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}"
RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}"
RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}"
RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}"
RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}"
RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}"
RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"
RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}"
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}"
RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}"
RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440}
RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443}

# If no JAVA_CMD, try to find it in $JAVA_HOME
if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ; then
    JAVA_CMD=$JAVA_HOME/bin/java
    PATH=$PATH:$JAVA_HOME/bin
    export JAVA_HOME
elif [ -z "$JAVA_CMD" ] ; then
    JAVA_CMD=java
fi

# build classpath without lone : that includes .
for jar in $(find $RDECK_INSTALL/cli -name '*.jar') ; do
    CLI_CP=${CLI_CP:+$CLI_CP:}$jar
done
for jar in $(find $RDECK_INSTALL/bootstrap -name '*.jar') ; do
    BOOTSTRAP_CP=${BOOTSTRAP_CP:+$BOOTSTRAP_CP:}$jar
done

# Point JAAS at the AD login configuration instead of the local property-file login
RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-activedirectory.conf \
        -Dloginmodule.name=activedirectory \
        -Drdeck.config=$RDECK_CONFIG \
        -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
        -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
        -Drundeck.server.serverDir=$RDECK_INSTALL \
        -Drdeck.projects=$RDECK_PROJECTS \
        -Drdeck.runlogs=$RUNDECK_LOGDIR \
        -Drundeck.config.location=$RDECK_CONFIG_FILE \
        -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
        -Drundeck.server.workDir=$RUNDECK_WORKDIR \
        -Dserver.http.port=$RDECK_HTTP_PORT"

#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"

#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
    RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
    RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi

unset JRE_HOME
umask 002

rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -cp $BOOTSTRAP_CP com.dtolabs.rundeck.RunServer $RDECK_BASE"
```

Here, the local login configuration was replaced with the newly created AD auth configuration file.
3. Update “/var/lib/rundeck/exp/webapp/WEB-INF/web.xml”
IMPORTANT: Most blogs and sites add only one entry for a domain user group. In this case the requirement was to add two groups:
- Admin group with full access @ Rundeck: create, modify and kill jobs
- User group with limited/read-only access, specific to projects @ Rundeck: view and run the jobs of that particular project
Search for

```xml
<security-role>
    <role-name>user</role-name>
</security-role>
```

Replace with

```xml
<security-role>
    <role-name>rundeck_admins</role-name>
</security-role>
<security-role>
    <role-name>rundeck_users</role-name>
</security-role>
```

rundeck_admins {users added to this group get admin-level access in Rundeck} and rundeck_users {users added to this group get limited/read-only access in Rundeck} are two domain groups created in s01.test.com.
4. Create ACL policy files for the above groups and place them in /etc/rundeck
- rundeck_admins.aclpolicy
```yaml
# First document: application-level grants for the local 'admin' group
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: admin

---

# Project-level grants for the AD group rundeck_admins
description: Full access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeck_admins

---

# Application-level grants for the AD group rundeck_admins
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: rundeck_admins
```

Each policy document must be separated by a `---` line; without it the YAML documents run together and the file fails to load.
- rundeck_users.aclpolicy
```yaml
---
description: "Ops Engineers can launch jobs but not edit them"
context:
  project: '.*' # regex: all projects; use a project name pattern to restrict the group to specific projects
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,update,refresh]
    - equals:
        kind: 'job'
      allow: [read,run,kill]
    - equals:
        kind: 'adhoc'
      allow: [read,run,kill]
    - equals:
        kind: 'event'
      allow: [read,create]
  job:
    - match:
        name: '.*'
      allow: [read,run,kill]
  adhoc:
    - match:
        name: '.*'
      allow: [read,run,kill]
  node:
    - match:
        nodename: '.*'
      allow: [read,run,refresh]
by:
  group:
    - rundeck_users

---
context:
  application: rundeck
description: "Ops Engineers can launch jobs but not edit them"
for:
  project:
    - match:
        name: '.*' # regex: visible projects
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group:
    - rundeck_users
```

Note that `project: '.*'` must be quoted: a bare `*` is a YAML alias indicator and makes the file unparseable, and `match` values are regular expressions, so `'.*'` (not `'*'`) is the pattern for "all".

Rundeck reads the above policy files and applies the ACL according to the user's group membership.
5. Restart the Rundeck service

```sh
/etc/init.d/rundeckd restart
# or
service rundeckd restart
# or
systemctl restart rundeckd.service
```
Troubleshooting:
Check the Rundeck service log for any configuration-related error messages.

```sh
tail -200 /var/log/rundeck/service.log
```
NOTE:
This configuration was tested on version "Rundeck 2.8.4-1 cafe cubano purple gift 2017-07-12". I do not guarantee that this configuration works on newer versions of Rundeck 🙂
BELLISSIMO!!! You've configured AD auth for Rundeck and should be able to access it with your domain account.
Thanks for stopping by… Please leave your comments/suggestions below.
First off, thanks for these informative instructions for integrating AD with Rundeck. For whatever reason, I'm stuck on 2 items.
1. I'm unable to login with an AD user. Although I add this user to the "rundeck_admin" group (in AD), I still cannot login and I'm not sure what the issue is. The log in /var/log/rundeck/service/log is:
```
2018-12-14 09:17:00.319 DEBUG — [tp1465511423-27] ailsUsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
2018-12-14 09:17:00.319 DEBUG — [tp1465511423-27] ailsUsernamePasswordAuthenticationFilter : Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@51aaa9d4
```
2. The other issue is the YAML syntax for the "rundeck_users.aclpolicy" file. Is there a way you can post the syntax in a way that doesn't distort the YAML file?
Thanks in advance
Hi Ruffin,
As per the latest version, we don't have to update /etc/rundeck/profile. Please see the comments from Reiner for now, till I update the blog.
Best,
Vinay
Hi!
Please update this awesome guide; right now it is not necessary (and not recommended) to edit the /etc/rundeck/profile file. Instead, you can create/edit the /etc/sysconfig/rundeckd file with these params:

```sh
export LOGIN_MODULE="activedirectory"
export JAAS_CONF="/etc/rundeck/jaas-activedirectory.conf"
```

or

```sh
LOGIN_MODULE=activedirectory
JAAS_CONF=/etc/rundeck/jaas-activedirectory.conf
```
Thanks a lot.
Best Regards!
Hi Reiner,
Thanks much. I’ll update the blog as per above.
Best,
Vinay