rundeck / rundeck

Enable Self-Service Operations: Give specific users access to your existing tools, services, and scripts
http://rundeck.org
Apache License 2.0

JettyCachingLdapLoginModule role query doesn't work as expected #6045

Closed lkthomas closed 4 years ago

lkthomas commented 4 years ago

Issue type: Bug report / problem to deploy

My Rundeck detail

Expected Behavior: "IT Users" should be able to log in with the Admin role on rundeck.

How to Reproduce

Logs:

```
[2020-05-12 00:33:11.518] DEBUG JettyCachingLdapLoginModule --- [qtp757791801-27] Cache Miss for jonwish.
[2020-05-12 00:33:11.519] DEBUG JettyCachingLdapLoginModule --- [qtp757791801-27] Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=users,dc=somename,dc=com
[2020-05-12 00:33:11.531] DEBUG JettyCachingLdapLoginModule --- [qtp757791801-27] Found user?: true
[2020-05-12 00:33:11.532] INFO JettyCachingLdapLoginModule --- [qtp757791801-27] Attempting authentication: cn=jonwish,ou=users,dc=somename,dc=com
[2020-05-12 00:33:11.533] DEBUG JettyCachingLdapLoginModule --- [qtp757791801-27] Using _rootContext for role lookup.
[2020-05-12 00:33:11.534] WARN JettyCachingLdapLoginModule --- [qtp757791801-27] JettyCachingLdapLoginModule: User 'jonwish' has no role membership; role query configuration may be incorrect
```


admin.aclpolicy:

```yaml
description: Admin, all access.
context:
  project: '.*' # all projects
for:
  resource:
```

```yaml
description: Admin, all access.
context:
  application: 'rundeck'
for:
  resource:
```


docker-compose.yml:

```yaml
version: '3'

services:
  rundeck:
    hostname: location9rundeck01
    image: ${RUNDECK_IMAGE:-rundeck/rundeck:3.2.6}
    tty: true
    environment:
      RUNDECK_GRAILS_URL: http://location9rundeck01:4440
      RUNDECK_JAAS_MODULES_0: JettyCombinedLdapLoginModule
      RUNDECK_JAAS_LDAP_FLAG: sufficient
      RUNDECK_JAAS_LDAP_PROVIDERURL: ldap://location9ldap.somename.localdomain:389
      RUNDECK_JAAS_LDAP_BINDDN: cn=admin,dc=somename,dc=com
      RUNDECK_JAAS_LDAP_BINDPASSWORD:
      RUNDECK_JAAS_LDAP_USERBASEDN: ou=users,dc=somename,dc=com
      RUNDECK_JAAS_LDAP_ROLEBASEDN: ou=groups,dc=somename,dc=com
      RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE: cn
      RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE: memberUid
      RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS: posixGroup
      RUNDECK_JAAS_MODULES_1: PropertyFileLoginModule
      RUNDECK_JAAS_FILE_FLAG: sufficient
    volumes:
      - /home/user1/rundeck-container/admin.aclpolicy:/home/rundeck/etc/admin.aclpolicy
    ports:
      - 4440:4440
    restart: always

volumes:
  data:
```

LDAP cn=IT Users section:

```ldif
dn: cn=IT Users,ou=groups,dc=somename,dc=com
cn: IT Users
description: IT Users
displayName: IT Users
gidNumber: 123
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-1-1-1
structuralObjectClass: posixGroup
entryUUID: 1-1-1-1
creatorsName: cn=admin,dc=somename,dc=com
createTimestamp: 20161222085806Z
memberUid: jonwish
entryCSN: 2000
modifiersName: cn=admin,dc=somename,dc=com
modifyTimestamp: 20200217081910Z
```


Does it have anything to do with white space for "IT Users"?

0xbentang commented 4 years ago

From the official documentation: https://docs.rundeck.com/docs/administration/security/authentication.html#login-module-configuration

> `roleMemberAttribute`: Attribute name for a role that would contain a user's DN, default "uniqueMember".

> `roleUsernameMemberAttribute`: Attribute name for a role that would contain a user's username. If set, this overrides the `roleMemberAttribute` behavior.

So basically you need to replace `RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE` with `RUNDECK_JAAS_LDAP_ROLEUSERNAMEMEMBERATTRIBUTE`.
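To make the mismatch in this answer concrete, here is an added example (not Rundeck's code and not from the issue): it rebuilds the role-search filter the module issues for `jonwish` under the original `roleMemberAttribute` setting and under the suggested `roleUsernameMemberAttribute` setting, then evaluates both against a constructed copy of the `IT Users` entry. The one-entry LDIF parser and filter evaluator are simplifications of what the directory server does.

```python
# Added example (not Rundeck code): simulates the role lookup that
# JettyCachingLdapLoginModule performs against the posixGroup entry in the report.
from typing import Dict, List

# Constructed, abridged copy of the "cn=IT Users" entry posted in the issue.
GROUP_LDIF = """\
dn: cn=IT Users,ou=groups,dc=somename,dc=com
cn: IT Users
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 123
memberUid: jonwish
"""
USER_DN = "cn=jonwish,ou=users,dc=somename,dc=com"  # DN found by the user search
USERNAME = "jonwish"


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> values; keeps multi-valued attributes."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def role_query(member_attr: str, member_value: str, role_class: str = "posixGroup") -> str:
    """Build the role-search filter the module issues for one user."""
    return f"(&(objectClass={role_class})({member_attr}={member_value}))"


def roles_for(entry: Dict[str, List[str]], member_attr: str, member_value: str,
              role_class: str = "posixGroup", role_name_attr: str = "cn") -> List[str]:
    """Evaluate the equality filter against the entry; attribute names are case-insensitive."""
    is_role = role_class.lower() in (c.lower() for c in entry.get("objectclass", []))
    is_member = member_value in entry.get(member_attr.lower(), [])
    return entry.get(role_name_attr.lower(), []) if is_role and is_member else []


if __name__ == "__main__":
    group = parse_ldif(GROUP_LDIF)
    # roleMemberAttribute=memberUid substitutes the user's DN, which memberUid
    # never holds, so no role is found (the WARN line in the report).
    print(role_query("memberUid", USER_DN), "->", roles_for(group, "memberUid", USER_DN))
    # roleUsernameMemberAttribute=memberUid substitutes the username instead,
    # and the group "IT Users" (space included) comes back as the role name.
    print(role_query("memberUid", USERNAME), "->", roles_for(group, "memberUid", USERNAME))
```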