rundeck / rundeck

Enable Self-Service Operations: Give specific users access to your existing tools, services, and scripts
http://rundeck.org
Apache License 2.0

JettyCombinedLdapLoginModule and JettyRolePropertyFileLoginModule no search role in realm.properties #3324

Status: Closed (rll01 closed this issue 6 years ago)

rll01 commented 6 years ago

Issue type: Bug report

My Rundeck detail

Expected Behavior

When I log in with an LDAP user the login itself works, but the user's roles do not match realm.properties. The message shown in the web UI is "You have no authorized access to projects. Contact your administrator. (User roles: user)"

My config is:

```
multiauth {
  com.dtolabs.rundeck.jetty.jaas.JettyCombinedLdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    providerUrl="ldap://metaeprinsa.eprinsa.org:389"
    bindDn="uid=explo,ou=Usuarios,ou=eprinsa,dc=metaeprinsa,dc=org"
    bindPassword="XXXX"
    authenticationMethod="simple"
    forceBindingLogin="true"
    userBaseDn="ou=Usuarios,ou=eprinsa,dc=metaeprinsa,dc=org"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userPasswordAttribute="userPassword"
    userObjectClass="person"
    roleBaseDn="ou=Grupos,dc=metaeprinsa,dc=org"
    roleNameAttribute="cn"
    roleUsernameMemberAttribute="memberof"
    roleMemberAttribute="uniqueMember"
    roleObjectClass="groupofuniquenames"
    supplementalRoles="user"
    reportStatistics="true"
    ignoreRoles="true"
    storePass="true"
    clearPass="true";

  org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
    debug="true"
    useFirstPass="true"
    caseInsensitive="true"
    refreshInterval="60"
    file="C:\Program Files\eprinsa\rundeck211\server\config\realm.properties";
};
```

realm.properties:

```
explo: -,admin,user
rll01: -,user,operador
user2: -,user,servicedesk
```

How to Reproduce

Log in with a different LDAP user.

gschueler commented 6 years ago

The roles listed in the UI will only be a subset of the roles defined in your ACL policy files.

e.g. if you add an aclpolicy file for the "servicedesk" role, you should see it listed in the UI after that.
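The check gschueler describes can be scripted: compare the roles a user gets from realm.properties with the groups that actually appear in a `by: group:` section of some `.aclpolicy` file, since only the latter are listed in the UI. The following is an added example, not code from this thread or from the Rundeck project; the sample realm.properties and the two policy files are constructed from the ones quoted above (trimmed to the parts that matter), and the YAML handling assumes the simple `by:` / `group:` layout used in the thread rather than a full YAML parser.

```python
import re
from typing import Dict, List, Set

# Constructed sample input, modelled on the realm.properties quoted in this issue.
REALM_PROPERTIES = """\
explo: -,admin,user
rll01: -,user,operador
user2: -,user,servicedesk
"""

# Constructed sample .aclpolicy files (trimmed copies of the ones quoted above).
# Only the "by:" sections matter for this check.
ACL_POLICY_FILES = {
    "operador.aclpolicy": """\
description: operador en proyecto Microinformatica.
context:
  project: 'Microinformatica|Clonezilla_DRBL|GAM'
for:
  job:
    - allow: [read,run,kill]
by:
  group: operador

---

description: operador en rundeck.
context:
  application: 'rundeck'
for:
  project:
    - allow: [read]
by:
  group: operador
""",
    "servicedesk.aclpolicy": """\
description: servicedesk.
context:
  project: 'ServiceDesk|GAM'
for:
  job:
    - allow: [read,run,kill]
by:
  group: servicedesk
""",
}

_ROLE_SPLIT = re.compile(r"[,\s]+")


def parse_realm_properties(text: str) -> Dict[str, List[str]]:
    """Parse Jetty-style realm.properties lines: 'user: password,role1,role2'.
    The first comma-separated field is the password ('-' here, because the
    password was already checked by the LDAP module in the JAAS chain)."""
    users: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        fields = [f.strip() for f in rest.split(",")]
        users[name.strip()] = [r for r in fields[1:] if r]
    return users


def parse_policy_groups(text: str) -> Set[str]:
    """Collect every group named in a 'by:' section across all YAML documents
    of one .aclpolicy file. Handles 'group: name' and 'group: [a, b]' forms.
    Assumption: top-level keys start in column 0, as in the thread's policies."""
    groups: Set[str] = set()
    in_by = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "---":
            continue
        if not line.startswith(" "):
            # A new top-level key: we are inside "by:" only if this is it.
            in_by = line.strip() == "by:"
            continue
        if not in_by:
            continue
        m = re.match(r"\s*group:\s*(.+?)\s*$", line)
        if not m:
            continue
        for g in _ROLE_SPLIT.split(m.group(1).strip("[]")):
            g = g.strip("'\"")
            if g:
                groups.add(g)
    return groups


def roles_with_policy(user: str, realm_text: str, policies: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a user's realm.properties roles into those referenced by at least
    one ACL policy (what the UI will list) and those no policy mentions."""
    user_roles = parse_realm_properties(realm_text).get(user, [])
    policy_groups: Set[str] = set()
    for body in policies.values():
        policy_groups |= parse_policy_groups(body)
    return {
        "listed": [r for r in user_roles if r in policy_groups],
        "unreferenced": [r for r in user_roles if r not in policy_groups],
    }


if __name__ == "__main__":
    for u in ("explo", "rll01", "user2"):
        print(u, roles_with_policy(u, REALM_PROPERTIES, ACL_POLICY_FILES))
```

Run against the thread's data, `explo` ends up with no listed roles at all (neither `admin` nor `user` appears in any `by:` section), which is the same symptom the UI reports: a role that exists in realm.properties but in no policy file is not an authorization problem with the login modules, it is simply a role no policy grants anything to.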

rll01 commented 6 years ago

I have two ACL policy files:

```yaml
description: operador en proyecto Microinformatica.
context:
  project: 'Microinformatica|Clonezilla_DRBL|GAM'
for:
  resource:
    - allow: [read,run,kill]
  job:
    - allow: [read,run,kill]
  node:
    - allow: [read,run,kill] # allow read/run for all nodes
  adhoc:
    - allow: [read,run,kill] # allow read/running/killing adhoc jobs
by:
  group: operador

---

description: operador en rundeck.
context:
  application: 'rundeck'
for:
  resource:
    - allow: [read] # read-only on application-level resources
  project:
    - allow: [read]
      match:
        name: '(Microinformatica|Clonezilla_DRBL|GAM)'
  project_acl:
    - allow: [read] # read-only on project-level ACL policies
  storage:
    - allow: [read] # read-only for /keys/* storage content
by:
  group: operador
```

and

```yaml
description: servicedesk.
context:
  project: 'ServiceDesk|GAM' # only these two projects
for:
  resource:
    - allow: [read,run,kill]
  job:
    - allow: [read,run,kill]
  node:
    - allow: [read,run,kill] # allow read/run for all nodes
  adhoc:
    - allow: [read,run,kill] # allow read/running/killing adhoc jobs
by:
  group: servicedesk

---

description: servicedesk.
context:
  application: 'rundeck'
for:
  resource:
    - allow: [read] # read-only on application-level resources
  project:
    - allow: [read]
      match:
        name: '(ServiceDesk|GAM)'
  project_acl:
    - allow: [read] # read-only on project-level ACL policies
  storage:
    - allow: [read] # read-only for /keys/* storage content
by:
  group: servicedesk
```

I think the problem is the module "JettyRolePropertyFileLoginModule", because it does not assign roles to users from realm.properties.

rll01 commented 6 years ago

Yessss, I have Rundeck running with AD. I think it was the URL path role... Thank you.

craph commented 1 year ago

@rll01 what was the issue?