{"id":45,"date":"2019-10-28T20:42:02","date_gmt":"2019-10-28T20:42:02","guid":{"rendered":"https:\/\/blog.simulakrum.diskstation.eu\/?p=45"},"modified":"2019-10-28T20:42:04","modified_gmt":"2019-10-28T20:42:04","slug":"rundeck-jaas-ldap-and-policies","status":"publish","type":"post","link":"https:\/\/blog.simulakrum.vpndns.org\/?p=45","title":{"rendered":"Rundeck jaas-ldap and policies"},"content":{"rendered":"\n<p>Had a few hit&amp;miss recently with a Rundeck instance, so I thought I might share it:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>the jaas-ldap should look something like this if you&#8217;d like it to work with 389-ds. Two things worth knowing before copying it: with <code>forceBindingLogin<\/code> the user is authenticated by binding to the directory as that user, so the <code>bindDn<\/code> account is only used to look up the user entry and its groups and a read-only service account is enough for that (the Directory Manager password is stored here in clear text, so if you do use it keep the file readable by the rundeck user only); and <code>debug<\/code> prints every lookup to the log, handy while sorting out the attribute names, so switch it off once login works.<br><\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">ldap {<br>  com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required<br>  ignoreRoles=\"True\"<br>  debug=\"True\"<br>  contextFactory=\"com.sun.jndi.ldap.LdapCtxFactory\"<br>  providerUrl=\"ldaps:\/\/389ds.my.example.com:636\"<br>  bindDn=\"CN=Directory Manager\"<br>  bindPassword=\"passgoeshere\"<br>  authenticationMethod=\"simple\"<br>  forceBindingLogin=\"true\"<br>  userBaseDn=\"OU=People,DC=my,DC=example,DC=com\"<br>  userRdnAttribute=\"uid\"<br>  userIdAttribute=\"uid\"<br>  userObjectClass=\"inetOrgPerson\"<br>  userPasswordAttribute=\"userPassword\"<br>  userLastNameAttribute=\"sn\"<br>  userFirstNameAttribute=\"givenName\"<br>  userEmailAttribute=\"mail\"<br>  roleBaseDn=\"OU=Groups,DC=my,DC=example,DC=com\"<br>  roleNameAttribute=\"cn\"<br>  roleMemberAttribute=\"uniqueMember\"<br>  roleObjectClass=\"groupOfUniqueNames\"<br>  cacheDurationMillis=\"300000\"<br>  reportStatistics=\"true\"<br>  timeoutRead=\"10000\"<br>  timeoutConnect=\"20000\"<br>  nestedGroups=\"True\";<br>};<\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>the aclpolicy files admin.aclpolicy and user.aclpolicy, giving the RundeckAdmins group full access and the RundeckUsers group a minimal read-and-run access, can look like the following. Each file holds two policy documents separated by <code>---<\/code>, one for the project context and one for the application context; the group names are expected to match the <code>cn<\/code> of the groupOfUniqueNames entries under roleBaseDn in the jaas-ldap block above.<br><\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">description: Admin, all access.\ncontext:\n  project: '.*' # all projects\nfor:\n  resource:\n    - allow: '*' # allow read\/create all kinds\n  adhoc:\n    - allow: '*' # allow read\/running\/killing adhoc jobs\n  job:\n    - allow: '*' # allow read\/write\/delete\/run\/kill of all jobs\n  node:\n    - allow: '*' # allow read\/run for all nodes\nby:\n  group: [RundeckAdmins]<\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<pre class=\"wp-block-preformatted\">description: Admin, all access.\ncontext:\n  application: 'rundeck'\nfor:\n  resource:\n    - allow: '*' # allow create of projects\n  project:\n    - allow: '*' # allow view\/admin of all projects\n  project_acl:\n    - allow: '*' # allow admin of all project-level ACL policies\n  storage:\n    - allow: '*' # allow read\/create\/update\/delete for all \/keys\/* storage content\nby:\n  group: [RundeckAdmins]\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">description: User, partial access.\ncontext:\n  project: '.*'\nfor:\n  resource:\n    - allow: 'read'\n  adhoc:\n    - allow: 'read,run'\n  job:\n    - allow: 'read,run'\n  node:\n    - allow: '*'\nby:\n  group: [RundeckUsers]<\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<pre class=\"wp-block-preformatted\">description: User, partial access.\ncontext:\n  application: 'rundeck'\nfor:\n  resource:\n    - allow: 'read'\n  project:\n    - allow: 'read'\n  project_acl:\n    - allow: 'read'\n  storage:\n    - allow: 'read'\nby:\n  group: [RundeckUsers]<\/pre>\n\n\n\n<p>More on this can be found in the official <a href=\"https:\/\/docs.rundeck.com\/docs\/administration\/security\/authentication.html#propertyfileloginmodule\">documentation<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Had a few hit&amp;miss recently with a Rundeck instance, so I thought I might share it: the jaas-ldap should look something like this if you&#8217;d like it to work with 389-ds. Two things worth knowing before copying it: with forceBindingLogin the user is authenticated by binding to the directory as that user, so the bindDn &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-45","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=\/wp\/v2\/posts\/45","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=45"}],"version-history":[{"count":1,"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=\/wp\/v2\/posts\/45\/revisions"}],"predecessor-version":[{"id":46,"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=\/wp\/v2\/posts\/45\/revisions\/46"}],"wp:attachment":[{"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=45"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=45"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.simulakrum.vpndns.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=45"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
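As an added example (not part of the original post, and not a Rundeck tool): a small Python lint for a jaas-ldap block like the one above. It parses the JAAS syntax shown there, reports option keys that appear more than once (Java's JAAS ConfigFile keeps the options of a module in a HashMap, so the last value silently wins), and flags the settings a reviewer would want a second look at: a providerUrl that is not ldaps://, a bindDn that is the 389-ds root account, a clear-text bindPassword, and debug left on. The configuration embedded in it is a constructed copy of the post's block with one pair of options pasted twice; the severities and messages are this example's own.

```python
"""Lint a Rundeck jaas-ldap block for the things that bite in practice.

Added example, not Rundeck's own tooling: parses the JAAS config syntax
(name { Module flag key="value" ...; };), reports duplicated option keys
(Java's JAAS ConfigFile stores options in a HashMap, so the last value
silently wins) and flags a few settings worth reviewing before production.
"""
import re

# Constructed sample: the post's block with cacheDurationMillis/reportStatistics
# pasted twice, a slip that only shows up as a wrong effective value.
SAMPLE = '''
ldap {
  com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
  ignoreRoles="True"
  debug="True"
  contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
  providerUrl="ldaps://389ds.my.example.com:636"
  bindDn="CN=Directory Manager"
  bindPassword="passgoeshere"
  authenticationMethod="simple"
  forceBindingLogin="true"
  userBaseDn="OU=People,DC=my,DC=example,DC=com"
  userIdAttribute="uid"
  userObjectClass="inetOrgPerson"
  roleBaseDn="OU=Groups,DC=my,DC=example,DC=com"
  roleNameAttribute="cn"
  roleMemberAttribute="uniqueMember"
  roleObjectClass="groupOfUniqueNames"
  cacheDurationMillis="300000"
  reportStatistics="true"
  cacheDurationMillis="0"
  reportStatistics="true"
  timeoutRead="10000"
  timeoutConnect="20000"
  nestedGroups="True";
};
'''

BLOCK_RE = re.compile(r'(\w+)\s*\{(.*?)\};', re.S)
MODULE_RE = re.compile(r'^\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b', re.I | re.M)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|([^\s;"]+))')
ROOT_DNS = {"cn=directory manager"}  # 389-ds root DN; extend for your directory


def parse_jaas(text):
    """Return {app: {"module", "flag", "options"}}; options stay an ordered
    list of (key, value) pairs so that repeated keys survive parsing."""
    apps = {}
    for block in BLOCK_RE.finditer(text):
        name, body = block.group(1), block.group(2)
        mod = MODULE_RE.search(body)
        if mod is None:
            raise ValueError(f"no login module declared in block {name!r}")
        options = [(k, quoted or bare) for k, quoted, bare in OPTION_RE.findall(body)]
        apps[name] = {"module": mod.group(1), "flag": mod.group(2).lower(), "options": options}
    return apps


def duplicate_options(options):
    """Keys that appear more than once, each mapped to all its values in file order."""
    values = {}
    for key, value in options:
        values.setdefault(key, []).append(value)
    return {k: v for k, v in values.items() if len(v) > 1}


def effective_options(options):
    """What the JVM ends up with: dict() over the pairs keeps the last value per key."""
    return dict(options)


def review(block):
    """Return (severity, message) findings for one login-module block."""
    opts = effective_options(block["options"])
    findings = []
    for key, vals in duplicate_options(block["options"]).items():
        findings.append(("error", f"{key} is set {len(vals)} times ({', '.join(vals)}); the JVM uses {vals[-1]!r}"))
    url = opts.get("providerUrl", "")
    if not url.lower().startswith("ldaps://"):
        findings.append(("error", f"providerUrl {url!r} is not ldaps://; user passwords would cross the network in clear"))
    if opts.get("bindDn", "").strip().lower() in ROOT_DNS:
        findings.append(("warn", "bindDn is the directory root account; with forceBindingLogin a read-only search account is enough"))
    if opts.get("forceBindingLogin", "").lower() != "true":
        findings.append(("warn", "forceBindingLogin is not true; the module compares the fetched userPassword attribute instead of binding as the user"))
    if opts.get("bindPassword"):
        findings.append(("info", "bindPassword is stored in clear text; keep the file readable by the rundeck user only"))
    if opts.get("debug", "").lower() == "true":
        findings.append(("info", "debug is on; it prints every lookup to the log, switch it off once login works"))
    return findings


if __name__ == "__main__":
    for name, block in parse_jaas(SAMPLE).items():
        print(f"{name}: {block['module']} {block['flag']}")
        for severity, message in review(block):
            print(f"  [{severity}] {message}")
```

Run it against your own jaas-ldap file by reading the file into `parse_jaas` instead of `SAMPLE`; the duplicate check is the one to keep in a pre-deploy hook, since a repeated key never errors out, it just changes the value Rundeck runs with.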