From c89bb8340cd19903c3c65bce8ec74f23e47e386b Mon Sep 17 00:00:00 2001
From: Greg Schueler
Date: Mon, 2 Dec 2024 15:39:17 -0800
Subject: [PATCH 1/4] Example using ldap + local roles
---
 ldap-combined-localroles/README.md | 16 ++++
 ldap-combined-localroles/docker-compose.yml | 39 ++++++++
 .../ldif/50-bootstrap.ldif | 93 +++++++++++++++++++
 ldap-combined-localroles/realm.properties | 2 +
 4 files changed, 150 insertions(+)
 create mode 100644 ldap-combined-localroles/README.md
 create mode 100644 ldap-combined-localroles/docker-compose.yml
 create mode 100644 ldap-combined-localroles/ldif/50-bootstrap.ldif
 create mode 100644 ldap-combined-localroles/realm.properties
diff --git a/ldap-combined-localroles/README.md b/ldap-combined-localroles/README.md
new file mode 100644
index 0000000..ecde379
--- /dev/null
+++ b/ldap-combined-localroles/README.md
@@ -0,0 +1,16 @@
+Using LDAP for authentication and local realm file for roles
+=====================
+
+This configuration uses LDAP for authentication, and uses a realm property file for user roles.
+
+The user authentication is defined in LDAP, and the groups are defined in the realm.properties file.
+
+**LDAP Users:**
+
+* `username: build`
+
+ `password: build`
+
+* `username: admin`
+
+ `password: admin`
diff --git a/ldap-combined-localroles/docker-compose.yml b/ldap-combined-localroles/docker-compose.yml
new file mode 100644
index 0000000..35b0f56
--- /dev/null
+++ b/ldap-combined-localroles/docker-compose.yml
@@ -0,0 +1,39 @@
+version: '3'
+
+services:
+ rundeck1:
+ hostname: rundeck1
+ image: ${RUNDECK_IMAGE:-rundeck/rundeck:SNAPSHOT}
+ links:
+ - ldap
+ tty: true
+ environment:
+ RUNDECK_JAAS_MODULES_0: JettyCombinedLdapLoginModule
+ RUNDECK_JAAS_LDAP_FLAG: requisite
+ RUNDECK_JAAS_LDAP_PROVIDERURL: ldap://ldap:389
+ RUNDECK_JAAS_LDAP_BINDDN: cn=admin,dc=rdtest,dc=com
+ RUNDECK_JAAS_LDAP_BINDPASSWORD: AdminPass123
+ RUNDECK_JAAS_LDAP_USERBASEDN: ou=users,dc=rdtest,dc=com
+ RUNDECK_JAAS_LDAP_ROLEBASEDN: ""
+ RUNDECK_JAAS_LDAP_STOREPASS: 'true'
+ RUNDECK_JAAS_MODULES_1: JettyRolePropertyFileLoginModule
+ RUNDECK_JAAS_FILE_FLAG: required
+ RUNDECK_JAAS_USEFIRSTPASS: 'true'
+ RUNDECK_JAAS_DEBUG: 'true'
+ volumes:
+ - ${RUNDECK_LICENSE_FILE:-/dev/null}:/home/rundeck/etc/rundeckpro-license.key
+ - ./realm.properties:/home/rundeck/server/config/realm.properties
+ ports:
+ - 4440:4440
+ ldap:
+ hostname: ldap
+ image: osixia/openldap:1.2.1
+ environment:
+ - LDAP_ORGANISATION=RD Test
+ - LDAP_DOMAIN=rdtest.com
+ - LDAP_ADMIN_PASSWORD=AdminPass123
+ volumes:
+ - ./ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom:rw
+ ports:
+ - "389:389"
+ command: --copy-service
\ No newline at end of file
diff --git a/ldap-combined-localroles/ldif/50-bootstrap.ldif b/ldap-combined-localroles/ldif/50-bootstrap.ldif
new file mode 100644
index 0000000..dc4d4e7
--- /dev/null
+++ b/ldap-combined-localroles/ldif/50-bootstrap.ldif
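Review bot: The `ldap` service publishes port 389 on every host interface (`- "389:389"`) while the directory administrator password `AdminPass123` sits in the same file, so anyone who can reach the host gets an authenticated plaintext LDAP session as the directory admin; for an example meant to be copied, bind the mapping to loopback, `- "127.0.0.1:389:389"`, or drop the `ports:` entry, since Rundeck already reaches the directory over the compose network via `ldap://ldap:389`. Rundeck also binds as `RUNDECK_JAAS_LDAP_BINDDN: cn=admin,dc=rdtest,dc=com`, the directory's root account, although the login module only needs to search `ou=users`; a dedicated read-only service entry in the bootstrap LDIF would keep the example at least privilege. Both password values could be read from the environment instead of being hardcoded, following the pattern the file already uses for the image, `- LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD:-AdminPass123}`. For consistency, quote `4440:4440` the way `"389:389"` is quoted.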
@@ -0,0 +1,93 @@
+# Define top-level entry:
+#dn: {{ LDAP_BASE_DN }}
+#objectClass: dcObject
+#objectClass: organization
+#o: Example, Inc.
+#dc: example
+
+# Define an entry to contain users:
+dn: ou=users,{{ LDAP_BASE_DN }}
+objectClass: organizationalUnit
+ou: users
+
+# Define some users:
+
+dn: cn=admin, ou=users,{{ LDAP_BASE_DN }}
+uid: admin
+userPassword: admin
+#####
+# MD5 creds, Base64 encoded
+#userPassword: admin
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+sn: The admin account
+cn: admin
+
+dn: cn=build, ou=users,{{ LDAP_BASE_DN }}
+uid: build
+userPassword: {MD5}sNonVSCRjiPdYV4qdHUo8Q==
+#####
+# MD5 creds, Base64 encoded
+#userPassword: build
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+sn: The account to use to demonstrate managing builds only
+cn: build
+
+dn: cn=deploy, ou=users,{{ LDAP_BASE_DN }}
+uid: deploy
+userPassword: {CRYPT}de01JmlU8XXTQ
+#####
+# CRYPT creds
+#userPassword: deploy
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+sn: The account to use to demonstrate managing deployment only
+cn: deploy
+
+dn: cn=test, ou=users,{{ LDAP_BASE_DN }}
+uid: test
+userPassword: test
+objectClass: person
+objectClass: top
+objectClass: inetOrgPerson
+sn: Has no role access
+cn: test
+
+# Define an entry to contain roles:
+dn: ou=roles, {{ LDAP_BASE_DN }}
+objectClass: organizationalUnit
+ou: roles
+
+# Define some roles and their membership:
+dn: cn=architect, ou=roles,{{ LDAP_BASE_DN }}
+objectClass: groupOfUniqueNames
+uniqueMember: cn=admin,ou=users,{{ LDAP_BASE_DN }}
+cn: architect
+
+dn: cn=admin, ou=roles,{{ LDAP_BASE_DN }}
+objectClass: groupOfUniqueNames
+uniqueMember: cn=admin,ou=users,{{ LDAP_BASE_DN }}
+cn: admin
+
+dn: cn=user, ou=roles,{{ LDAP_BASE_DN }}
+objectClass: groupOfUniqueNames
+uniqueMember: cn=admin,ou=users,{{ LDAP_BASE_DN }}
+uniqueMember: cn=deploy,ou=users,{{ LDAP_BASE_DN }}
+uniqueMember: cn=build,ou=users,{{ LDAP_BASE_DN }}
+cn: user
+
+dn: cn=build, 
ou=roles,{{ LDAP_BASE_DN }}
+objectClass: groupOfUniqueNames
+uniqueMember: cn=admin,ou=users,{{ LDAP_BASE_DN }}
+uniqueMember: cn=build,ou=users,{{ LDAP_BASE_DN }}
+cn: build
+
+dn: cn=deploy, ou=roles,{{ LDAP_BASE_DN }}
+objectClass: groupOfUniqueNames
+uniqueMember: cn=admin,ou=users,{{ LDAP_BASE_DN }}
+uniqueMember: cn=deploy,ou=users,{{ LDAP_BASE_DN }}
+cn: deploy
\ No newline at end of file
diff --git a/ldap-combined-localroles/realm.properties b/ldap-combined-localroles/realm.properties
new file mode 100644
index 0000000..ca5153e
--- /dev/null
+++ b/ldap-combined-localroles/realm.properties
@@ -0,0 +1,2 @@
+admin:-,user,admin
+build:-,user
From a8ccfd7bcf2968087f8723a0e0dfd761dcb742b6 Mon Sep 17 00:00:00 2001
From: Greg Schueler
Date: Thu, 19 Dec 2024 16:39:16 -0800
Subject: [PATCH 2/4] fix env var name
---
 ldap-combined-localroles/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap-combined-localroles/docker-compose.yml b/ldap-combined-localroles/docker-compose.yml
index 35b0f56..84bc13b 100644
--- a/ldap-combined-localroles/docker-compose.yml
+++ b/ldap-combined-localroles/docker-compose.yml
@@ -18,7 +18,7 @@ services:
 RUNDECK_JAAS_LDAP_STOREPASS: 'true'
 RUNDECK_JAAS_MODULES_1: JettyRolePropertyFileLoginModule
 RUNDECK_JAAS_FILE_FLAG: required
- RUNDECK_JAAS_USEFIRSTPASS: 'true'
+ RUNDECK_JAAS_FILE_USEFIRSTPASS: 'true'
 RUNDECK_JAAS_DEBUG: 'true'
 volumes:
 - ${RUNDECK_LICENSE_FILE:-/dev/null}:/home/rundeck/etc/rundeckpro-license.key
From f33fb081a04bd950f32356331fe86aae41888f99 Mon Sep 17 00:00:00 2001
From: Greg Schueler
Date: Thu, 19 Dec 2024 16:39:37 -0800
Subject: [PATCH 3/4] use ignoreroles
---
 ldap-combined-localroles/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap-combined-localroles/docker-compose.yml b/ldap-combined-localroles/docker-compose.yml
index 84bc13b..3be64f0 100644
--- a/ldap-combined-localroles/docker-compose.yml
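Review bot: Every account in this bootstrap LDIF has a password equal to its username, stored either in the clear (`userPassword: admin`, `userPassword: test`) or as a legacy `{MD5}`/`{CRYPT}` hash; given that the compose file in this same commit publishes the directory on host port 389, an example meant to be copied should demonstrate slapd's default `{SSHA}` scheme, and the existing `#####` comment blocks already record the clear-text value for readers. The README lists only `build` and `admin`, but the LDIF also creates `deploy` and `test`, which can authenticate against LDAP yet have no entry in `realm.properties`; what happens to such a login is not stated anywhere, so either document them or drop them from the example. The `ou=roles` groups duplicate role data that this example deliberately takes from `realm.properties`; a header comment such as `# NOTE: the groups under ou=roles are not consulted by Rundeck in this example; roles come from realm.properties` would keep the two sources from drifting. The `dn: cn=build,` entry is one LDIF line that this listing shows split across two lines.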
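Review bot: realm.properties gives no hint of what the `-` in `admin:-,user,admin` stands for, and this file is the only place roles are defined in the example; a `#` comment line (the properties format allows them) would make the contract explicit for anyone copying it, `# password column is '-': authentication is delegated to LDAP, only the role list is used here`. Users that exist in the bootstrap LDIF but not here (`deploy`, `test`) presumably get no roles, which is worth stating in the README next to the user list.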
+++ b/ldap-combined-localroles/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 RUNDECK_JAAS_LDAP_BINDDN: cn=admin,dc=rdtest,dc=com
 RUNDECK_JAAS_LDAP_BINDPASSWORD: AdminPass123
 RUNDECK_JAAS_LDAP_USERBASEDN: ou=users,dc=rdtest,dc=com
- RUNDECK_JAAS_LDAP_ROLEBASEDN: ""
+ RUNDECK_JAAS_LDAP_IGNOREROLES: 'true'
 RUNDECK_JAAS_LDAP_STOREPASS: 'true'
 RUNDECK_JAAS_MODULES_1: JettyRolePropertyFileLoginModule
 RUNDECK_JAAS_FILE_FLAG: required
From 9017484530ea5b15f75da6641973ef3f7b2f5fef Mon Sep 17 00:00:00 2001
From: Greg Schueler
Date: Thu, 19 Dec 2024 16:40:01 -0800
Subject: [PATCH 4/4] missing url env var
---
 ldap-combined-localroles/docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ldap-combined-localroles/docker-compose.yml b/ldap-combined-localroles/docker-compose.yml
index 3be64f0..5be9493 100644
--- a/ldap-combined-localroles/docker-compose.yml
+++ b/ldap-combined-localroles/docker-compose.yml
@@ -8,6 +8,7 @@ services:
 - ldap
 tty: true
 environment:
+ RUNDECK_GRAILS_URL: http://localhost:4440
 RUNDECK_JAAS_MODULES_0: JettyCombinedLdapLoginModule
 RUNDECK_JAAS_LDAP_FLAG: requisite
 RUNDECK_JAAS_LDAP_PROVIDERURL: ldap://ldap:389
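Review bot: `RUNDECK_JAAS_LDAP_IGNOREROLES: 'true'` changes where authorization data comes from, and nothing in the file says why it is set; if, as its name and the commit title suggest, it stops the LDAP module from reading group membership, a comment above it would spare the next reader a search, `# do not derive roles from LDAP groups; JettyRolePropertyFileLoginModule below supplies them from realm.properties`. That comment would also explain why the `ou=roles` entries in ldif/50-bootstrap.ldif have no visible effect in this example. The hunk starts after the `environment:` key, so the enclosing mapping begins outside it.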