Rundeck jaas-ldap and policies

Had a few hits and misses recently with a Rundeck instance, so I thought I might share it:

  • the jaas-ldap.conf should look something like this if you’d like it to work with 389-ds (389 Directory Server):
ldap {
  com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
  // the ACL policies below key on LDAP group names as roles, so check the
  // Combined module docs for what ignoreRoles does before keeping it
  ignoreRoles="True"
  // login-module tracing: switch it off once logins work, it is noisy and logs directory details
  debug="True"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  // ldaps:// so no credential crosses the wire in clear; the JVM truststore must trust the 389-ds certificate
  providerUrl="ldaps://389ds.my.example.com:636"
  // CN=Directory Manager is the 389-ds root account; a dedicated read-only bind
  // account limits the damage if this file leaks. The password sits here in
  // clear, so keep the file readable by the rundeck user only (chmod 600)
  bindDn="CN=Directory Manager"
  bindPassword="passgoeshere"
  authenticationMethod="simple"
  // authenticate by binding to the directory as the user rather than comparing userPassword
  forceBindingLogin="true"
  userBaseDn="OU=People,DC=my,DC=example,DC=com"
  userRdnAttribute="uid"
  userIdAttribute="uid"
  userObjectClass="inetOrgPerson"
  userPasswordAttribute="userPassword"
  userLastNameAttribute="sn"
  userFirstNameAttribute="givenName"
  userEmailAttribute="mail"
  // 389-ds groups: groupOfUniqueNames holding uniqueMember DNs; the cn becomes the Rundeck role name
  roleBaseDn="OU=Groups,DC=my,DC=example,DC=com"
  roleNameAttribute="cn"
  roleMemberAttribute="uniqueMember"
  roleObjectClass="groupOfUniqueNames"
  // cache successful logins for 5 minutes (0 disables the cache). Give each
  // option exactly once: a repeated option is not an error, the last value wins silently
  cacheDurationMillis="300000"
  reportStatistics="true"
  // milliseconds
  timeoutRead="10000"
  timeoutConnect="20000"
  nestedGroups="True";
};
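A small check for this file, added here as an example and not part of Rundeck or of the original post: it reads the option lines of a jaas-ldap.conf into a list rather than a map, so a repeated option is visible instead of silently resolved (the JDK's JAAS config parser keeps the last value and says nothing), and it flags the settings a reviewer would question first: a cleartext ldap:// URL, binding as the 389-ds root DN, and debug left on. The sample config inside it is constructed for the example and deliberately carries those weaknesses; the hostnames are placeholders.

```python
import re

# Constructed sample for this example (not the page's file): an option is
# given twice with different values, the bind is the 389-ds root DN, the
# URL is cleartext ldap:// and debug is left on.
SAMPLE_JAAS = '''
ldap {
  com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
  debug="True"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  providerUrl="ldap://389ds.my.example.com:389"
  bindDn="CN=Directory Manager"
  bindPassword="passgoeshere"
  forceBindingLogin="true"
  cacheDurationMillis="300000"
  reportStatistics="true"
  cacheDurationMillis="0"
  reportStatistics="true"
  nestedGroups="True";
};
'''

# key="value", optional trailing ';' (last option) and optional // comment
OPTION_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;?\s*(?://.*)?$')


def parse_jaas_options(text):
    """Return the module options as an ordered list of (key, value) pairs.

    A list, not a dict: the JDK's ConfigFile parser stores options in a map,
    so a key written twice keeps only the last value and nothing warns you.
    Keeping every occurrence lets the lint point at the repetition."""
    pairs = []
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def effective_options(text):
    """What the login module actually sees: the last value per key wins."""
    return dict(parse_jaas_options(text))


def lint_jaas(text):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    first_seen = {}
    for key, value in parse_jaas_options(text):
        if key in first_seen:
            findings.append(
                f'option {key} is given more than once ({first_seen[key]!r} then {value!r}); '
                f'the JAAS parser keeps the last value silently')
        else:
            first_seen[key] = value
    opts = effective_options(text)
    if opts.get('providerUrl', '').lower().startswith('ldap://'):
        findings.append('providerUrl is cleartext ldap://; with forceBindingLogin every user '
                        'password crosses the network unencrypted, use ldaps://')
    if opts.get('bindDn', '').lower() == 'cn=directory manager':
        findings.append('bindDn is the 389-ds root DN; bind with a dedicated read-only service account')
    if opts.get('debug', '').lower() == 'true':
        findings.append('debug is on; it logs directory lookups and belongs off in production')
    return findings


if __name__ == "__main__":
    for finding in lint_jaas(SAMPLE_JAAS):
        print("-", finding)
```

Run it against the real file with `lint_jaas(open('/etc/rundeck/jaas-ldap.conf').read())`; an empty result only means none of these four checks fired, not that the configuration is right.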
  • the ACL policy files admin.aclpolicy (full access) and user.aclpolicy (minimal access for regular users) can look like the following. Each file holds two policies, one per context (project and application), and Rundeck requires a line containing only --- between policies in the same file:
# admin.aclpolicy, project context
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
    - allow: '*' # allow read/create all kinds
  adhoc:
    - allow: '*' # allow read/running/killing adhoc jobs
  job:
    - allow: '*' # allow read/write/delete/run/kill of all jobs
  node:
    - allow: '*' # allow read/run for all nodes
by:
  group: [RundeckAdmins]

---

# admin.aclpolicy, application context
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: '*' # allow create of projects
  project:
    - allow: '*' # allow view/admin of all projects
  project_acl:
    - allow: '*' # allow admin of all project-level ACL policies
  storage:
    - allow: '*' # allow read/create/update/delete for all /keys/* storage content
by:
  group: [RundeckAdmins]

# user.aclpolicy, project context
description: User, partial access.
context:
  project: '.*'
for:
  resource:
    - allow: 'read'
  adhoc:
    - allow: [read, run] # a list: the string 'read,run' is one action literally named "read,run" and does not match run
  job:
    - allow: [read, run]
  node:
    - allow: '*' # every node action; narrow to [read, run] unless users must manage nodes
by:
  group: [RundeckUsers]

---

# user.aclpolicy, application context; project read is what lets the project-level rules above take effect
description: User, partial access.
context:
  application: 'rundeck'
for:
  resource:
    - allow: 'read'
  project:
    - allow: 'read'
  project_acl:
    - allow: 'read' # lets users read the project ACL definitions; drop it if they have no need to
  storage:
    - allow: 'read' # read access to every key under /keys/*; add a match on the path if secrets are per team
by:
  group: [RundeckUsers]
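Before loading a policy it helps to see exactly what a rule grants. The following is an added example, not Rundeck's own evaluator and not code from the original post: a small Python model of aclpolicy matching (the group in by, the context regex, the rules under for by resource type, allow and deny lists with '*' as wildcard and deny taking precedence) run against two versions of the user policy, one with the string 'read,run' and one with the list [read, run]. The policy dicts are constructed to mirror what yaml.safe_load_all returns for the YAML above, with one assumed extra rule denying run on a job group named prod to show precedence; the project name 'web' and the job names are made up. Only the equals resource condition and by group are modelled.

```python
import re

# Constructed policies for this example, shaped like the user.aclpolicy above
# once loaded with yaml.safe_load_all (one dict per '---' document).
# USER_POLICY_COMMA carries the comma-joined string, USER_POLICY_FIXED the
# list form plus an assumed deny rule to show precedence.
USER_POLICY_COMMA = [{
    "description": "User, partial access.",
    "context": {"project": ".*"},
    "for": {
        "resource": [{"allow": "read"}],
        "adhoc": [{"allow": "read,run"}],   # one action literally named "read,run"
        "job": [{"allow": "read,run"}],
        "node": [{"allow": "*"}],
    },
    "by": {"group": ["RundeckUsers"]},
}]

USER_POLICY_FIXED = [{
    "description": "User, partial access.",
    "context": {"project": ".*"},
    "for": {
        "resource": [{"allow": "read"}],
        "adhoc": [{"allow": ["read", "run"]}],
        "job": [
            {"allow": ["read", "run"]},
            # hypothetical extra rule: this group never runs jobs in the "prod" job group
            {"deny": "run", "equals": {"group": "prod"}},
        ],
        "node": [{"allow": "*"}],
    },
    "by": {"group": ["RundeckUsers"]},
}]


def _as_list(value):
    """allow, deny and group accept a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _context_matches(context, project, application):
    """Project contexts are regexes over the project name (modelled as a full
    match); application contexts compare the literal string."""
    if "application" in context:
        return application == context["application"]
    if "project" in context and project is not None:
        return re.fullmatch(context["project"], project) is not None
    return False


def _rule_applies(rule, resource):
    """Only the 'equals' resource condition is modelled; Rundeck also has
    'match' (regex), 'contains' and 'subset', which this example leaves out."""
    return all(resource.get(k) == v for k, v in rule.get("equals", {}).items())


def _lists_action(rule, key, action):
    """True if the rule's allow/deny list names the action or the '*' wildcard."""
    names = _as_list(rule.get(key))
    return action in names or "*" in names


def decide(policies, *, group, action, resource, project=None, application=None):
    """True if a matching policy allows `action` on `resource` (a dict with a
    'type' key plus its attributes) and no matching policy denies it.
    Deny beats allow whatever the order, as in Rundeck."""
    allowed = False
    for policy in policies:
        if group not in _as_list(policy.get("by", {}).get("group")):
            continue
        if not _context_matches(policy.get("context", {}), project, application):
            continue
        for rule in policy.get("for", {}).get(resource["type"], []):
            if not _rule_applies(rule, resource):
                continue
            if _lists_action(rule, "deny", action):
                return False
            if _lists_action(rule, "allow", action):
                allowed = True
    return allowed


if __name__ == "__main__":
    job = {"type": "job", "name": "deploy", "group": "ops"}
    for label, policy in (("'read,run' string", USER_POLICY_COMMA), ("[read, run] list", USER_POLICY_FIXED)):
        print(f"{label}: run allowed =",
              decide(policy, group="RundeckUsers", action="run", resource=job, project="web"))
```

For a real policy file the rd-acl tool shipped with Rundeck's CLI package is the authoritative test; this model is for reasoning about a rule before committing it.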

More on this can be found in the official documentation.
