
Rundeck Enterprise Support Center

Migrate JAAS.conf to Tomcat JNDI Realm

Last Updated: Aug 12, 2015 12:03PM PDT

1.0 Scenario

You are a Rundeck OSS user with a Jetty/JAAS-based configuration and are migrating to a Tomcat deployment.

The example below shows a JAAS configuration that authenticates a user by first checking a flat file (realm.properties) and then falling through to an LDAP directory.


Example jaas-login.conf from Jetty/JAAS

multiauth {
    org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/home/rundeck/server/config/realm.properties";


    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://activedirectory.acme.com:389"
    bindDn="CN=rundeckauth,OU=Services,OU=People,OU=Admins,DC=global,DC=acme,DC=com"
    bindPassword="bindpassword"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=global,DC=acme,DC=com"
    userRdnAttribute="samaccountname"
    userIdAttribute="samaccountname"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="DC=global,DC=acme,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};



The JAAS configuration above includes two login modules:

  1. PropertyFileLoginModule: reads users from a flat file (realm.properties).
  2. JettyCachingLdapLoginModule: reads users from an LDAP server (here, Active Directory).


Tomcat contains similar functionality but is configured differently.

  1. Flat file: Tomcat uses a flat file called $CATALINA_BASE/server/conf/tomcat-users.xml (rather than realm.properties)
  2. LDAP: Tomcat uses a JNDI Realm declared in $CATALINA_BASE/server/conf/server.xml



1.1 Installer Flags


Rundeck PRO is tested with OpenLDAP and Active Directory. The installer requires the following options.
The equivalent JAAS config property is given in parentheses after each flag (e.g., bindDn).
  • --jndi-connection-name (bindDn): the distinguished name used to log in to the directory (e.g., 'cn=Manager,dc=acme,dc=com')
  • --jndi-connection-password (bindPassword): the connection user's password (e.g., 'bindpassword')
  • --jndi-connection-url (providerUrl): the URL of the LDAP server (e.g., 'ldap://activedirectory.acme.com:389')
  • --jndi-user-pattern (userBaseDn): the query pattern for finding users (e.g., 'cn={0},ou=users,dc=acme,dc=com')
  • --jndi-role-base (roleBaseDn): the query pattern for finding roles (e.g., 'ou=roles,dc=acme,dc=com')
  • --serverxml-template: the Tomcat server.xml template to use (e.g., 'activedirectory')
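The flag list above is a mapping from JAAS login-module options to installer flags. The following script, added here as an example and not code from the Rundeck article or the rdpro-installer, parses the article's jaas-login.conf (embedded inline as constructed input), picks out the LDAP login module, and renders the matching --jndi-* flags. The option-to-flag table is the article's list; the construction of --jndi-user-pattern as userRdnAttribute={0} under userBaseDn is an assumption that must be checked against the directory's real user DN layout, and the bind password is masked in the rendered command unless explicitly requested.

```python
"""Translate a Jetty/JAAS jaas-login.conf into rdpro-installer --jndi-* flags.

Added example; not code from the Rundeck article or the installer. The JAAS
text below is the article's own example, embedded so the script runs offline,
and the option-to-flag table follows the article's flag list.
"""
import re
import shlex

# Constructed input: the jaas-login.conf shown in the article.
JAAS_CONF = '''
multiauth {
    org.eclipse.jetty.plus.jaas.spi.PropertyFileLoginModule required
    debug="true"
    file="/home/rundeck/server/config/realm.properties";

    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://activedirectory.acme.com:389"
    bindDn="CN=rundeckauth,OU=Services,OU=People,OU=Admins,DC=global,DC=acme,DC=com"
    bindPassword="bindpassword"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="DC=global,DC=acme,DC=com"
    userRdnAttribute="samaccountname"
    userIdAttribute="samaccountname"
    userPasswordAttribute="unicodePwd"
    userObjectClass="user"
    roleBaseDn="DC=global,DC=acme,DC=com"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="group"
    cacheDurationMillis="300000"
    reportStatistics="true";
};
'''

# JAAS login-module option -> installer flag (from the article's list).
FLAG_MAP = {
    "bindDn": "--jndi-connection-name",
    "bindPassword": "--jndi-connection-password",
    "providerUrl": "--jndi-connection-url",
    "roleBaseDn": "--jndi-role-base",
}


def parse_jaas(text):
    """Return {app_name: [(module_class, control_flag, {option: value}), ...]}.

    Each login-module entry ends with ';' and its options are key="value"
    pairs, which is all a Jetty-style jaas-login.conf needs.
    """
    apps = {}
    for app_name, body in re.findall(r'(\w+)\s*\{(.*?)\};', text, re.S):
        modules = []
        for entry in body.split(';'):
            tokens = entry.split()
            if len(tokens) < 2:
                continue  # blank tail after the last ';'
            options = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', entry))
            modules.append((tokens[0], tokens[1], options))
        apps[app_name] = modules
    return apps


def ldap_modules(apps):
    """Pick out the LDAP login modules; only those map onto a JNDIRealm."""
    return [m for mods in apps.values() for m in mods if "Ldap" in m[0]]


def installer_flags(options):
    """Map one LDAP module's options onto the installer's --jndi-* flags.

    userBaseDn is only a search base, whereas --jndi-user-pattern wants a DN
    pattern containing {0}. Assumption: userRdnAttribute={0} under userBaseDn;
    verify this against the real user DN layout before using it.
    """
    flags = {flag: options[opt] for opt, flag in FLAG_MAP.items() if opt in options}
    if "userBaseDn" in options:
        rdn = options.get("userRdnAttribute", "cn")
        flags["--jndi-user-pattern"] = f"{rdn}={{0}},{options['userBaseDn']}"
    return flags


def render_command(flags, show_password=False):
    """Render the --jndi-* part of the install-all command, one flag per line.

    The bind password is a secret, so it is masked unless explicitly shown.
    """
    lines = ["rdpro-installer install-all \\"]
    for flag, value in sorted(flags.items()):
        if flag == "--jndi-connection-password" and not show_password:
            value = "********"
        lines.append(f"        {flag} {shlex.quote(value)} \\")
    lines[-1] = lines[-1].rstrip(" \\")  # no dangling continuation
    return "\n".join(lines)


if __name__ == "__main__":
    for module_class, control_flag, options in ldap_modules(parse_jaas(JAAS_CONF)):
        print(f"# from {module_class} ({control_flag})")
        print(render_command(installer_flags(options)))
```

The PropertyFileLoginModule entry is parsed but deliberately not mapped: its realm.properties users have to be re-entered in tomcat-users.xml, since the installer only takes --jndi-* flags for the LDAP side.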



1.2 Example Install Command


As the "rundeck" user, execute the installer command, install-all. The example shows the --jndi-* flags that specify the parameters for the JNDI Realm.


rdpro-installer install-all \
        --rdeck-base $RDECK_BASE \
        --datasource-driver 'com.mysql.jdbc.Driver' \
        --datasource-url 'jdbc:mysql://192.168.50.10/rundeck?autoReconnect=true' \
        --datasource-username rundeckuser \
        --datasource-password rundeckpassword \
        --jndi-connection-name 'cn=Manager,dc=acme,dc=com' \
        --jndi-connection-password bindpassword \
        --jndi-connection-url 'ldap://activedirectory.acme.com:389' \
        --jndi-user-pattern 'cn={0},ou=users,dc=acme,dc=com' \
        --jndi-role-base 'ou=roles,dc=acme,dc=com' \
        --serverxml-template 'activedirectory' \
        --server-hostname '191.168.50.15'

After the installation is complete you can check the Tomcat server.xml configuration file. The file should contain two stanzas, one for each authentication source (flat file and LDAP):

  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  ...
   <Realm className="org.apache.catalina.realm.JNDIRealm"
          connectionName="cn=Manager,dc=acme,dc=com"
          connectionPassword="bindpassword"
          connectionURL="ldap://activedirectory.acme.com:389"
          referrals="follow"
          userBase="cn={0},ou=users,dc=acme,dc=com"
          userSearch="(sAMAccountName={0})"
          userSubtree="true"
          roleBase="ou=roles,dc=acme,dc=com"
          roleName="cn"
          roleSearch="(member={0})"
          roleSubtree="true"
          roleNested="true"
          commonRole="user"
      />


The installer will also generate a tomcat-users.xml file similar to below:

<tomcat-users>
  <role rolename="user"/>
  <role rolename="admin"/>
  <user username="user" password="user" roles="user"/>
  <user username="admin" password="admin" roles="user,admin"/>
</tomcat-users>


1.3 Required Role in web.xml


The RUNDECK PRO webapp requires that users belong to a common group in order to access the application.

By default, it requires users to belong to the group named "user". This should be changed to the user group your site requires:


        <security-role>
                <role-name>user</role-name>
        </security-role>


Also, change tomcat-users.xml to replace the rolename "user" with the one you choose.
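The role named in web.xml's security-role has to be granted by both realms, and the generated tomcat-users.xml ships with placeholder accounts whose password equals the username. The script below, added here as an example and not code from the Rundeck article or the installer, checks that alignment: it reads the required role from web.xml, the roles tomcat-users.xml declares or grants, and the commonRole of any JNDIRealm in server.xml, and it reports accounts still carrying the installer's placeholder passwords. The three XML fragments are constructed from the article's snippets so the script runs offline; in practice the files would be read from $CATALINA_BASE/conf and the webapp's WEB-INF/web.xml.

```python
"""Check that the role Rundeck's web.xml requires is granted by every Tomcat realm.

Added example; not code from the Rundeck article or the installer. The XML
fragments are constructed from the article's snippets.
"""
import xml.etree.ElementTree as ET

# Constructed inputs, taken from the article's snippets.
WEB_XML = '''<web-app>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>'''

TOMCAT_USERS_XML = '''<tomcat-users>
  <role rolename="user"/>
  <role rolename="admin"/>
  <user username="user" password="user" roles="user"/>
  <user username="admin" password="admin" roles="user,admin"/>
</tomcat-users>'''

SERVER_XML = '''<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.JNDIRealm"
             connectionName="cn=Manager,dc=acme,dc=com"
             connectionPassword="bindpassword"
             connectionURL="ldap://activedirectory.acme.com:389"
             roleBase="ou=roles,dc=acme,dc=com"
             roleName="cn"
             roleSearch="(member={0})"
             commonRole="user" />
    </Engine>
  </Service>
</Server>'''


def _local(tag):
    """Strip an XML namespace so a namespaced web.xml is handled the same way."""
    return tag.rsplit('}', 1)[-1]


def required_roles(web_xml):
    """Roles the webapp demands via <security-role><role-name>."""
    root = ET.fromstring(web_xml)
    return {el.text.strip() for el in root.iter() if _local(el.tag) == 'role-name'}


def file_realm_roles(tomcat_users_xml):
    """Roles tomcat-users.xml either declares or grants to some user."""
    root = ET.fromstring(tomcat_users_xml)
    roles = {el.get('rolename') for el in root.iter() if _local(el.tag) == 'role'}
    for user in root.iter():
        if _local(user.tag) == 'user':
            roles.update(r.strip() for r in user.get('roles', '').split(',') if r.strip())
    return roles


def jndi_common_roles(server_xml):
    """commonRole values of every JNDIRealm in server.xml."""
    root = ET.fromstring(server_xml)
    return {r.get('commonRole') for r in root.iter()
            if _local(r.tag) == 'Realm'
            and r.get('className', '').endswith('JNDIRealm') and r.get('commonRole')}


def default_password_users(tomcat_users_xml):
    """Accounts whose password still equals the username (installer placeholders)."""
    root = ET.fromstring(tomcat_users_xml)
    return sorted(u.get('username') for u in root.iter()
                  if _local(u.tag) == 'user' and u.get('password') == u.get('username'))


def audit(web_xml, tomcat_users_xml, server_xml):
    """Return a list of findings; an empty list means the three files agree."""
    problems = []
    for role in required_roles(web_xml):
        if role not in file_realm_roles(tomcat_users_xml):
            problems.append(f"tomcat-users.xml never grants required role '{role}'")
        if role not in jndi_common_roles(server_xml):
            problems.append(f"no JNDIRealm has commonRole='{role}': LDAP users only get it "
                            f"if the roleSearch returns a group with that name")
    for user in default_password_users(tomcat_users_xml):
        problems.append(f"tomcat-users.xml user '{user}' has a password equal to its username")
    return problems


if __name__ == "__main__":
    for finding in audit(WEB_XML, TOMCAT_USERS_XML, SERVER_XML) or ["no findings"]:
        print(finding)
```

Run against the article's own snippets the only findings are the two placeholder accounts; renaming the role in web.xml without touching the other two files adds a finding for each realm, which is exactly the mismatch the paragraph above warns about.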
