Setup Active Directory Authentication for Rundeck

Rundeck is a simple, easy-to-set-up workflow and automation tool. By default it ships with local user accounts (the RDpropertyfilelogin module you will see in the profile below). Rundeck also supports LDAP, Active Directory, PAM and pre-authenticated login methods, but the downside is that Rundeck’s documentation for configuring LDAP/AD based authentication is not that great.

After multiple attempts and a whole day of searching the internet, I was able to configure AD authentication. Here are the steps for Rundeck AD auth configuration.

1. Create the AD auth configuration file “jaas-activedirectory.conf” in /etc/rundeck {the Rundeck configuration directory}

activedirectory {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://s01.test.com:389"
    bindDn="username@s01.test.com"
    bindPassword="yourpassword"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=s01,DC=test,DC=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="DC=s01,DC=test,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};

Replace providerUrl, bindDn, bindPassword, userBaseDn and roleBaseDn with the values for your domain. A few things worth knowing before you copy this as-is:

  • ldap://…:389 with authenticationMethod="simple" sends the bind password, and every user’s password at login, across the network in cleartext. Outside a lab, use ldaps://your-dc:636 and import the domain CA certificate into the truststore the Rundeck JVM uses (the JVM’s default cacerts, or the one given with -Djavax.net.ssl.trustStore).
  • forceBindingLogin="true" is what makes AD work: AD never returns unicodePwd, so the module cannot compare a stored password; instead it authenticates by binding to AD as the logging-in user, and userPasswordAttribute is effectively unused.
  • bindDn should be a dedicated, low-privilege, read-only service account. Its password sits in this file in cleartext, so keep the file owned by rundeck with mode 0600.
  • roleNameAttribute="cn" means the role names Rundeck sees are the AD groups’ cn values; the names you put in web.xml and in the .aclpolicy files below must match them exactly.
  • debug="true" is handy while testing (bind attempts and group lookups show up in service.log) but noisy; set it to "false" once logins work.

2. Update “/etc/rundeck/profile” to point at the new AD auth configuration

BEFORE

RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}"
RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}"
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"
RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}"
RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}"
RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}"
RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}"
RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}"
RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}"
RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"
RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}"
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}"
RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}"
RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440}
RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443}




# If no JAVA_CMD, try to find it in $JAVA_HOME
if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ; then
 JAVA_CMD=$JAVA_HOME/bin/java
 PATH=$PATH:$JAVA_HOME/bin
 export JAVA_HOME
elif [ -z "$JAVA_CMD" ] ; then
 JAVA_CMD=java
fi

# build classpath without lone : that includes .
for jar in $(find $RDECK_INSTALL/cli -name '*.jar') ; do
 CLI_CP=${CLI_CP:+$CLI_CP:}$jar
done
for jar in $(find $RDECK_INSTALL/bootstrap -name '*.jar') ; do
 BOOTSTRAP_CP=${BOOTSTRAP_CP:+$BOOTSTRAP_CP:}$jar
done

RDECK_JVM="-Djava.security.auth.login.config=$JAAS_CONF \
 -Dloginmodule.name=$LOGIN_MODULE \
 -Drdeck.config=$RDECK_CONFIG \
 -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
 -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
 -Drundeck.server.serverDir=$RDECK_INSTALL \
 -Drdeck.projects=$RDECK_PROJECTS \
 -Drdeck.runlogs=$RUNDECK_LOGDIR \
 -Drundeck.config.location=$RDECK_CONFIG_FILE \
 -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
 -Drundeck.server.workDir=$RUNDECK_WORKDIR \
 -Dserver.http.port=$RDECK_HTTP_PORT"
#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
 RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
 RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi

unset JRE_HOME

umask 002

rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -cp $BOOTSTRAP_CP com.dtolabs.rundeck.RunServer $RDECK_BASE"

AFTER

RDECK_INSTALL="${RDECK_INSTALL:-/var/lib/rundeck}"
RDECK_BASE="${RDECK_BASE:-/var/lib/rundeck}"
RDECK_CONFIG="${RDECK_CONFIG:-/etc/rundeck}"
RDECK_CONFIG_FILE="${RDECK_CONFIG_FILE:-$RDECK_CONFIG/rundeck-config.properties}"
RDECK_SERVER_BASE="${RDECK_SERVER_BASE:-$RDECK_BASE}"
RDECK_SERVER_CONFIG="${RDECK_SERVER_CONFIG:-$RDECK_CONFIG}"
RDECK_SERVER_DATA="${RDECK_SERVER_DATA:-$RDECK_BASE/data}"
RDECK_PROJECTS="${RDECK_PROJECTS:-$RDECK_BASE/projects}"
RUNDECK_TEMPDIR="${RUNDECK_TEMPDIR:-/tmp/rundeck}"
RUNDECK_WORKDIR="${RUNDECK_TEMPDIR:-$RDECK_BASE/work}"
RUNDECK_LOGDIR="${RUNDECK_LOGDIR:-$RDECK_BASE/logs}"
RDECK_JVM_SETTINGS="${RDECK_JVM_SETTINGS:- -Xmx1024m -Xms256m -XX:MaxMetaspaceSize=256m -server}"
RDECK_TRUSTSTORE_FILE="${RDECK_TRUSTSTORE_FILE:-$RDECK_CONFIG/ssl/truststore}"
RDECK_TRUSTSTORE_TYPE="${RDECK_TRUSTSTORE_TYPE:-jks}"
JAAS_CONF="${JAAS_CONF:-$RDECK_CONFIG/jaas-loginmodule.conf}"
LOGIN_MODULE="${LOGIN_MODULE:-RDpropertyfilelogin}"
RDECK_HTTP_PORT=${RDECK_HTTP_PORT:-4440}
RDECK_HTTPS_PORT=${RDECK_HTTPS_PORT:-4443}




# If no JAVA_CMD, try to find it in $JAVA_HOME
if [ -z "$JAVA_CMD" ] && [ -n "$JAVA_HOME" ] && [ -x "$JAVA_HOME/bin/java" ] ; then
 JAVA_CMD=$JAVA_HOME/bin/java
 PATH=$PATH:$JAVA_HOME/bin
 export JAVA_HOME
elif [ -z "$JAVA_CMD" ] ; then
 JAVA_CMD=java
fi

# build classpath without lone : that includes .
for jar in $(find $RDECK_INSTALL/cli -name '*.jar') ; do
 CLI_CP=${CLI_CP:+$CLI_CP:}$jar
done
for jar in $(find $RDECK_INSTALL/bootstrap -name '*.jar') ; do
 BOOTSTRAP_CP=${BOOTSTRAP_CP:+$BOOTSTRAP_CP:}$jar
done

RDECK_JVM="-Djava.security.auth.login.config=/etc/rundeck/jaas-activedirectory.conf \
 -Dloginmodule.name=activedirectory \
 -Drdeck.config=$RDECK_CONFIG \
 -Drundeck.server.configDir=$RDECK_SERVER_CONFIG \
 -Dserver.datastore.path=$RDECK_SERVER_DATA/rundeck \
 -Drundeck.server.serverDir=$RDECK_INSTALL \
 -Drdeck.projects=$RDECK_PROJECTS \
 -Drdeck.runlogs=$RUNDECK_LOGDIR \
 -Drundeck.config.location=$RDECK_CONFIG_FILE \
 -Djava.io.tmpdir=$RUNDECK_TEMPDIR \
 -Drundeck.server.workDir=$RUNDECK_WORKDIR \
 -Dserver.http.port=$RDECK_HTTP_PORT"
#
# Set min/max heap size
#
RDECK_JVM="$RDECK_JVM $RDECK_JVM_SETTINGS"
#
# SSL Configuration - Uncomment the following to enable. Check SSL.properties for details.
#
if [ -n "$RUNDECK_WITH_SSL" ] ; then
 RDECK_SSL_OPTS="${RDECK_SSL_OPTS:- -Djavax.net.ssl.trustStore=$RDECK_TRUSTSTORE_FILE -Djavax.net.ssl.trustStoreType=$RDECK_TRUSTSTORE_TYPE -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol}"
 RDECK_JVM="$RDECK_JVM -Drundeck.ssl.config=$RDECK_SERVER_CONFIG/ssl/ssl.properties -Dserver.https.port=${RDECK_HTTPS_PORT} ${RDECK_SSL_OPTS}"
fi

unset JRE_HOME

umask 002

rundeckd="$JAVA_CMD $RDECK_JVM $RDECK_JVM_OPTS -cp $BOOTSTRAP_CP com.dtolabs.rundeck.RunServer $RDECK_BASE"

Here, the local login configuration (jaas-loginmodule.conf with the RDpropertyfilelogin module) was replaced with the newly created AD auth configuration file. Two things to note. First, the local realm.properties accounts, including the default admin account, no longer work after this change, so make sure an AD account is already a member of the admin group before you restart. Second, /etc/rundeck/profile is installed by the rundeck package and an upgrade can overwrite this edit; the profile only sets JAAS_CONF and LOGIN_MODULE as defaults (the ${VAR:-default} form above), so the more durable approach is to export those two variables from /etc/sysconfig/rundeckd (RPM) or /etc/default/rundeckd (DEB), which the service reads before the profile’s defaults apply, and leave the profile alone (see Reiner’s comment below).

3. Update “/var/lib/rundeck/exp/webapp/WEB-INF/web.xml”

IMPORTANT: Most blogs and sites add only one security-role entry, for a single domain user group. In this case the requirement was two groups:

  • Admin group with full access @ Rundeck – create, modify & kill jobs
  • User group with limited access (run but not edit), specific to projects @ Rundeck – view & run jobs of that particular project

Search for

<security-role>
  <role-name>user</role-name>
</security-role>

Replace with

<security-role>
  <role-name>rundeck_admins</role-name>
</security-role>
<security-role>
  <role-name>rundeck_users</role-name>
</security-role>


rundeck_admins {users added to this group get admin-level access in Rundeck} and rundeck_users {users added to this group get limited, run-but-not-edit access in Rundeck} are two domain groups created in s01.test.com. The role-name values must match the groups’ cn attribute exactly, because that is what roleNameAttribute="cn" in the JAAS file turns into a Rundeck role.

4. Create ACL policy files for the above groups and place them in /etc/rundeck 

  • rundeck_admins.aclpolicy

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: admin

---

description: Full access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: rundeck_admins

---

description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
by:
  group: rundeck_admins

The file is three YAML documents and each must be separated by a --- line (without it the first two collide and the file fails to parse). The first document is the stock Rundeck admin policy for a group literally named admin; it only matters if such a group exists in AD. The two rundeck_admins documents are the ones that grant your AD admins full project-level and application-level access.
  • rundeck_users.aclpolicy

---
description: "Ops Engineers can launch jobs but not edit them"
context:
  project: '.*' # all projects
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read,update,refresh]
    - equals:
        kind: 'job'
      allow: [read,run,kill]
    - equals:
        kind: 'adhoc'
      allow: [read,run,kill]
    - equals:
        kind: 'event'
      allow: [read,create]
  job:
    - match:
        name: '.*'
      allow: [read,run,kill]
  adhoc:
    - match:
        name: '.*'
      allow: [read,run,kill]
  node:
    - match:
        nodename: '.*'
      allow: [read,run,refresh]
by:
  group:
    - rundeck_users

---
context:
  application: rundeck
description: "Ops Engineers can launch jobs but not edit them"
for:
  project:
    - match:
        name: '.*'
      allow: [read]
  system:
    - match:
        name: '.*'
      allow: [read]
by:
  group:
    - rundeck_users

Two fixes compared with the version of this policy that usually gets pasted around: a bare project: * is not valid YAML (an unquoted * starts an alias), and match/context patterns are regular expressions, so '*' must be written '.*'. Indentation matters in YAML, so keep the nesting exactly as shown.

Rundeck loads every *.aclpolicy file in /etc/rundeck and applies the rules whose by: group: matches one of the groups the JAAS module returned for the user. The rundeck_users policy above covers all projects (context: project: '.*'); to limit that group to a single project, replace '.*' with that project’s name.

5. Restart Rundeck service

/etc/init.d/rundeckd restart 
{OR} 
service rundeckd restart 
{OR} 
systemctl restart rundeckd.service

Troubleshooting:

Check the Rundeck service log for configuration-related error messages. With debug="true" in the JAAS file, the login module’s LDAP activity for each login attempt lands here as well, which is the quickest way to see whether a failed login died at the bind, the user search or the group lookup.

tail -200 /var/log/rundeck/service.log
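Before restarting, it is worth linting the three artifacts the steps above edit. The script below is an added example for this post, not Rundeck’s own code. It parses the JAAS options and flags the settings discussed in step 1 (cleartext ldap:// with a simple bind, debug left on, the cleartext bind password, a missing forceBindingLogin), reads the security-role names out of web.xml, extracts the by: group: names from the .aclpolicy text and reports any ACL group that has no matching security-role, and rejects match patterns that are not valid regular expressions, such as the '*' found in many pasted copies of the users policy. The embedded JAAS, web.xml and policy snippets are constructed, trimmed copies of the ones in this post; on the Rundeck host, feed the functions the real files with open(path).read().

```python
"""Pre-flight lint for what the steps above edit: JAAS file, web.xml roles and
.aclpolicy files.  Added example for this post, not Rundeck code.  The inputs
below are constructed, trimmed copies of the snippets in the post."""
import re
import xml.etree.ElementTree as ET

JAAS_CONF = '''activedirectory {
  com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required
    debug="true"
    providerUrl="ldap://s01.test.com:389"
    bindPassword="yourpassword"
    authenticationMethod="simple"
    forceBindingLogin="true"
    roleNameAttribute="cn";
};'''

WEB_XML = '''<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role><role-name>rundeck_admins</role-name></security-role>
  <security-role><role-name>rundeck_users</role-name></security-role>
</web-app>'''

ADMINS_ACL = '''description: Admin, all access.
context:
  application: 'rundeck'
by:
  group: admin
---
description: Full access.
context:
  project: '.*'
by:
  group: rundeck_admins
'''

USERS_ACL_AS_POSTED = '''context:
  application: rundeck
for:
  project:
    - match:
        name: '*'
      allow: [read]
by:
  group:
    - rundeck_users
'''


def parse_jaas_options(text):
    """{option: value} for every option="value" pair in the JAAS block."""
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', text))


def jaas_findings(opts):
    """JAAS settings a reviewer would flag, in the order the checks run."""
    findings = []
    if (opts.get("providerUrl", "").startswith("ldap://")
            and opts.get("authenticationMethod", "simple") == "simple"):
        findings.append("cleartext-ldap")           # bind and user passwords unencrypted on :389
    if opts.get("debug", "false").lower() == "true":
        findings.append("debug-enabled")            # chatty LDAP logging in service.log
    if opts.get("bindPassword"):
        findings.append("cleartext-bind-password")  # file must be rundeck-owned, mode 0600
    if opts.get("forceBindingLogin", "false").lower() != "true":
        findings.append("no-binding-login")         # AD never returns unicodePwd for comparison
    return findings


def web_xml_roles(xml_text):
    """Role names declared in <security-role>, ignoring the web-app XML namespace."""
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit('}', 1)[-1] == 'role-name' and el.text}


def aclpolicy_groups(yaml_text):
    """Group names from every 'by:' block; accepts `group: x` and a `group:` list."""
    groups, lines, i = set(), yaml_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r'^\s*group:\s*(.*?)\s*$', lines[i])
        i += 1
        if m and m.group(1):                         # inline form: group: rundeck_admins
            groups.add(m.group(1).strip('\'"'))
        elif m:                                      # list form: group: followed by - items
            while i < len(lines) and re.match(r'^\s*-\s*\S', lines[i]):
                groups.add(re.sub(r'^\s*-\s*', '', lines[i]).strip().strip('\'"'))
                i += 1
    return groups


def unmapped_groups(acl_text, xml_text):
    """ACL groups with no web.xml security-role (step 3 requires each to be declared)."""
    return sorted(aclpolicy_groups(acl_text) - web_xml_roles(xml_text))


def invalid_match_patterns(yaml_text):
    """name:/nodename:/project: values that are not valid regexes ('*' instead of '.*')."""
    bad = []
    for m in re.finditer(r'^\s*(?:name|nodename|project):\s*([^#\n]+?)\s*$', yaml_text, re.M):
        value = m.group(1).strip('\'"')
        try:
            re.compile(value)
        except re.error:
            bad.append(value)
    return bad


if __name__ == "__main__":
    print(jaas_findings(parse_jaas_options(JAAS_CONF)), unmapped_groups(ADMINS_ACL, WEB_XML),
          invalid_match_patterns(USERS_ACL_AS_POSTED))
```

Run against the files as posted, it reports three JAAS findings, lists admin as an ACL group with no security-role (the stock first stanza of rundeck_admins.aclpolicy, harmless unless an AD group is literally named admin), and rejects '*' as a pattern; after the fixes from steps 1 and 4 the last two lists come back empty.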

NOTE:

This configuration was tested on Rundeck 2.8.4-1 (“cafe cubano purple gift”, 2017-07-12). I do not guarantee that it works on newer versions of Rundeck 🙂

BELLISIMO!!!  You’ve configured AD auth for Rundeck and should be able to log in with your domain account.

Thanks for stopping by… Please leave your comments/suggestions below.


4 thoughts on “Setup Active Directory Authentication for Rundeck”

  1. First off, thanks for these informative instructions for integrating AD with Rundeck. For whatever reason, I’m stuck on 2 items.
    1. I’m unable to login with an AD user. Although I add this user to the “rundeck_admin” group (in AD), I still cannot login and am not sure what the issue is. The log in /var/log/rundeck/service/log is:

    2018-12-14 09:17:00.319 DEBUG — [tp1465511423-27] ailsUsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
    2018-12-14 09:17:00.319 DEBUG — [tp1465511423-27] ailsUsernamePasswordAuthenticationFilter : Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@51aaa9d4

    2. The other issue is the yaml syntax for the “rundeck_users.aclpolicy” file. Is there a way you can post the syntax in a way that doesn’t distort the yaml file?

    Thanks in advance

    1. Hi Ruffin,
      As per the latest version, we don’t have to update /etc/rundeck/profile. Please see the comments from Reiner for now, till I update the blog.
      Best,
      Vinay

  2. Hi!

    Please update this awesome guide; right now it is not necessary (and not recommended) to edit the /etc/rundeck/profile file. Instead, you can create/edit the /etc/sysconfig/rundeckd file with these params:

    export LOGIN_MODULE="activedirectory"
    export JAAS_CONF="/etc/rundeck/jaas-activedirectory.conf"

    or

    LOGIN_MODULE=activedirectory
    JAAS_CONF=/etc/rundeck/jaas-activedirectory.conf

    Thanks a lot.

    Best Regards!
