Rundeck active directory integration steps
While evaluating release management and runbook automation DevOps tools we found Rundeck quite handy. It has an open-source as well as a Pro version. Installing Rundeck was easy, but integrating Rundeck with Active Directory was not that straightforward. After trying a few things we were able to integrate Rundeck with our AD (Active Directory) and allow users to log in to the Rundeck GUI console using their domain credentials. All that said, we still had one hurdle: by default Rundeck expects authorization to come from the LDAP Active Directory as well, in the form of groups and roles. Adding such roles and groups was not allowed in our corporate AD due to security restrictions, so we had to find a way to authenticate users against Active Directory while managing authorization locally, where it is much easier to change roles and update responsibilities, groups and so on.
So in this article we discuss how to set up and configure Rundeck to handle authentication through Active Directory and authorization through a local property file. Rundeck uses container authentication to determine the logged-in user name and the user's authorized roles. For the default installation (Rundeck Launcher, RPM, Deb) the servlet container is Jetty and the underlying security mechanism is JAAS, so you are free to use whatever JAAS provider suits your environment.
Here we have used LDAP (Active Directory) for authentication and the realm.properties file to manage roles and responsibilities locally. To achieve this, follow the steps below.
Assumptions:
1. Rundeck is installed in the /opt/rundeck directory using the Rundeck launcher 2.5.1 (current latest) from here, with Oracle JDK version 1.7.0_55.
2. The Rundeck launcher was installed successfully with the command below, which extracts the jar files once.
nohup /opt/rundeck/jdk1.7.0_55/bin/java -XX:MaxPermSize=256m -Xmx1024m -jar /opt/rundeck/rundeck-launcher-2.5.1.jar &
3. You are able to log in to Rundeck with the admin/admin username and password at http://rundeck_hostname:4440/
Steps to follow:
1. Before integrating AD with Rundeck we need to create the roles and assign privileges to them, so that when a user logs in they have access to certain parts of the Rundeck projects.
2. Follow the steps below to create the roles:
a. Here we create the following roles for our day-to-day maintenance.
– user/upload : Role for a QA person or whoever uploads the release files to the system. This user has the minimum privileges, for example read-only access.
– opsrm : A QA person or team member with privileges to run the jobs and complete the installation and release.
– opsadmin : POC of a project. Has higher privileges to modify and update workflows to suit the release.
– superadmin : A few selected admin team members with complete privileges over Rundeck: update, add, modify and delete in all projects, flows, jobs, schedules, etc.
b. Please create the groups and access control policies first, before proceeding with the Active Directory integration.
3. Once you are done with the above steps, cd to the /opt/rundeck/server/config folder, create a file called “jaas-activedirectory.conf” and put the following inside it.
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://ldap_hostname:389"
    bindDn="CN=binduser,OU=OU_India,DC=mydomain,DC=com"
    bindPassword="welcome*12"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="dc=mydomain,dc=com"
    userRdnAttribute="sAMAccountName"
    userIdAttribute="sAMAccountName"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="dc=mydomain,dc=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true"
    ignoreRoles="true"
    storePass="true"
    clearPass="true"
    useFirstPass="false"
    tryFirstPass="false"
    supplementalRoles="upload,user";

    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    debug="true"
    useFirstPass="true"
    file="/opt/rundeck/server/config/realm.properties";
};
Notes:
– In the above configuration ignoreRoles="true" makes Rundeck ignore the roles coming from LDAP; it takes the roles from realm.properties and the admin.aclpolicy file instead.
– supplementalRoles="upload,user" are the two default roles assigned to every user who successfully authenticates with LDAP.
4. Once the above properties are set correctly, update realm.properties if you want to give a specific user special privileges beyond the default supplementalRoles that are assigned on every successful login. Example entry:
ramakanta.sahoo:-,admin,opsadmin,opsrm,user,upload
I have made the user ramakanta.sahoo the admin-privileged user here.
Note: The password field is kept as '-' because authentication is done by Active Directory.
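To check a configuration like the one above before restarting Rundeck, here is an added Python script (not part of this article or of Rundeck itself) that parses the JAAS realm and realm.properties, reports the settings this setup depends on, and computes the roles an AD-authenticated user ends up with. The embedded JAAS block and realm lines are constructed samples based on the article's values; the stale.account line is invented to show a flagged entry, and the JAAS parser is a simplified one that handles only the quoted option="value" syntax used on this page.

```python
import re

# Constructed sample: the article's two-module JAAS realm, trimmed to the
# options the checks below look at (not a file read from a real server).
JAAS_CONF = '''
activedirectory {
    com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
    debug="true"
    providerUrl="ldap://ldap_hostname:389"
    bindDn="CN=binduser,OU=OU_India,DC=mydomain,DC=com"
    bindPassword="welcome*12"
    forceBindingLogin="true"
    userBaseDn="dc=mydomain,dc=com"
    userIdAttribute="sAMAccountName"
    ignoreRoles="true"
    storePass="true"
    supplementalRoles="upload,user";
    org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    useFirstPass="true"
    file="/opt/rundeck/server/config/realm.properties";
};
'''

# Constructed sample realm.properties: the article's admin entry plus two
# made-up lines, one of them deliberately carrying password material.
REALM_PROPERTIES = '''
ramakanta.sahoo:-,admin,opsadmin,opsrm,user,upload
release.qa:-,opsrm
stale.account:MD5:0123456789abcdef0123456789abcdef,admin
'''

REALM_RE = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)
MODULE_RE = re.compile(r'([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);', re.S)
OPTION_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_jaas(text):
    """Return {realm: [(module_class, control_flag, {option: value}), ...]}."""
    realms = {}
    for realm in REALM_RE.finditer(text):
        modules = []
        for mod in MODULE_RE.finditer(realm.group(2)):
            modules.append((mod.group(1), mod.group(2), dict(OPTION_RE.findall(mod.group(3)))))
        realms[realm.group(1)] = modules
    return realms


def parse_realm_properties(text):
    """Return {user: (password_field, [roles])} from 'user:password,role,...' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, _, rest = line.partition(':')
        fields = [f.strip() for f in rest.split(',')]
        users[user] = (fields[0], fields[1:])
    return users


def audit(jaas_text, realm_text, realm_name='activedirectory'):
    """List the settings that would break the 'AD authenticates, local file authorizes' split."""
    findings = []
    modules = parse_jaas(jaas_text).get(realm_name, [])
    by_class = {cls.rsplit('.', 1)[-1]: opts for cls, _, opts in modules}
    ldap = by_class.get('JettyCombinedLdapLoginModule', {})
    roles_file = by_class.get('JettyRolePropertyFileLoginModule', {})
    if ldap.get('ignoreRoles') != 'true':
        findings.append('ignoreRoles is not true: roles would be read from AD groups, not realm.properties')
    if ldap.get('forceBindingLogin') != 'true':
        findings.append('forceBindingLogin is not true: module would read the password attribute instead of binding as the user')
    if ldap.get('storePass') != 'true' or roles_file.get('useFirstPass') != 'true':
        findings.append('storePass/useFirstPass mismatch: the role module will not see the name authenticated by LDAP')
    if 'bindPassword' in ldap:
        findings.append('bindPassword is stored in clear text: restrict the file to the rundeck service account')
    for user, (password, _) in parse_realm_properties(realm_text).items():
        if password != '-':
            findings.append(f'{user}: password field is {password!r}, expected "-" (authentication belongs to AD)')
    return findings


def effective_roles(jaas_text, realm_text, user, realm_name='activedirectory'):
    """Roles an AD-authenticated user gets: supplementalRoles plus any realm.properties entry."""
    supplemental = set()
    for cls, _, opts in parse_jaas(jaas_text).get(realm_name, []):
        if cls.endswith('JettyCombinedLdapLoginModule') and opts.get('supplementalRoles'):
            supplemental.update(r.strip() for r in opts['supplementalRoles'].split(','))
    _, extra = parse_realm_properties(realm_text).get(user, ('-', []))
    return sorted(supplemental | set(extra))


if __name__ == '__main__':
    for finding in audit(JAAS_CONF, REALM_PROPERTIES):
        print('WARN', finding)
    for name in ('ramakanta.sahoo', 'release.qa', 'someone.else'):
        print(name, effective_roles(JAAS_CONF, REALM_PROPERTIES, name))
```

Run it against the real files by replacing the two embedded strings with the contents of the file you pass via -Djava.security.auth.login.config and the file named in its file="..." option. A user absent from realm.properties still gets the supplemental roles, which is why the audit also reports every entry whose password field is not '-'.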
5. cd to the /opt/rundeck/etc folder and open the profile file in any text editor.
Search for the property “RDECK_JVM”, append the following to the existing entries and save the file.
-Djava.security.auth.login.config=/opt/rundeck/etc/jaas-activedirectory.conf -Dloginmodule.name=activedirectory
6. Start Rundeck using the command below.
nohup /opt/rundeck/jdk1.7.0_55/bin/java -XX:MaxPermSize=256m -Xmx1024m -Dloginmodule.conf.name=jaas-activedirectory.conf -Djava.security.auth.login.config=jaas-activedirectory.conf -Dloginmodule.name=activedirectory -jar /opt/rundeck/rundeck-launcher-2.5.1.jar --skipinstall &
7. Once the instance is up you can log in to Rundeck with your Active Directory username and domain credentials.
Great article, very helpful, but is there also a way to allow for “backdoor” local IDs that can be set up by the system admin in case the backend Active Directory service is down, so that you can still log in to Rundeck and not be fully dependent?
Yes, you can have a look at the link below for the same.
http://rundeck.org/docs/administration/authenticating-users.html#multiple-authentication-modules
Thanks for the help on this.