2
votes

Trying here to see if anyone has worked out LDAP auth against AD with Rundeck. I am using the JRE running method for Rundeck. Here is what I have done so far:

  • I have set up the jaas-ldap.conf as shown on the Rundeck authentication users page
  • I have requested an SSL certificate from my admin. To use LDAPS, Rundeck requires an SSL cert, or so it's written on their site. After getting the cert, they mention the following two steps:

Once a certificate has been obtained, there are two options for adding the certificate. The first involves updating the truststore for the JRE. If that is not possible or not desirable, then one can set the truststore to be used by the JVM, using any arbitrary truststore that contains the appropriate certificate.

Both options require importing a certificate. The following would import a certificate called AD.cert into /etc/rundeck/ssl/truststore.

keytool -import -alias CompanyAD -file AD.cert -keystore /etc/rundeck/ssl/truststore -storepass adminadmin

To add the certificate to the JRE, locate the file $JAVA_HOME/lib/security/cacerts and run

keytool -import -alias CompanyAD -file AD.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

To verify your CA has been added, run keytool -list and look for CompanyAD in the output.

keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

This is where I am running into an issue. I have imported my certificate into the Java truststore under $JAVA_HOME/lib/security/cacerts. The ssl.properties file also asks for keystore, keystore.password and key.password parameters. Now, am I supposed to create a new keystore, or omit these and just use the truststore variables?

I also tried creating a new keystore (.jks) and imported the same SSL certificate into it, setting keypass and storepass. This did not help. I am getting an error saying "java.io.IOException: Keystore was tampered with, or password was incorrect".

I am deploying the jar using: java -Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap -Drundeck.ssl.config=ssl.properties -jar rundeck-launcher-2.6.4.jar

I'd appreciate help getting past this.

1 Answer

0
votes

There is no need to ask your admin for the SSL certificate. If your organization uses LDAPS and the certificate installed on the LDAP server is a self-signed cert which is not in your keystore, then you need to add the cert to your JVM keystore. Now, to get that certificate, run the command below: openssl s_client -connect <ldapserver>:636

This will give some output containing -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Copy the text between these strings to a file ldap.cert.

keytool -import -alias CompanyAD -file ldap.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

If your keystore has been tampered with, you may have to reinstall Java on the system.
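The procedure described in the question and the answer (fetch the certificate the LDAPS server presents, import it into the JVM truststore, verify the alias with keytool -list), collected into one script. This is an added example, not code from the question, the answer or the Rundeck project; the hostname ldap.example.test, the alias CompanyAD, the truststore path and the storepass are placeholders or assumptions, and the base64 inside the embedded sample is constructed text, not a real certificate. It goes one step beyond the answer: it can pick the issuer certificate out of the chain (useful when the server cert is signed by an internal CA rather than self-signed) and prints the SHA-256 fingerprint so the value can be checked with the LDAP admin before it is trusted.

```shell
#!/bin/sh
# Added example (not from the question, the answer or Rundeck): fetch the
# certificate an LDAPS server presents, import it into a Java truststore
# and confirm the alias is there. Hostname, alias, truststore path and
# password are assumptions/placeholders, not values from the page.
set -eu

# Keep only the N-th PEM block of `openssl s_client -showcerts` output
# (1 = server/leaf cert, 2.. = issuer certs) and drop everything else.
extract_cert_pem() {
    awk -v want="${1:-1}" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    '
}

# Connect to host:port (636 = LDAPS) and print the N-th certificate of the
# chain. -servername sends SNI; </dev/null closes the session at once.
fetch_ldaps_cert() {
    host=$1; port=${2:-636}; index=${3:-1}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | extract_cert_pem "$index"
}

# SHA-256 fingerprint of a PEM file: compare it with the value the LDAP
# admin gives you out of band before trusting what came over the wire.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Import a PEM cert as a trusted entry. -noprompt skips the interactive
# "Trust this certificate?" question. -storepass must match the existing
# store; otherwise keytool reports "Keystore was tampered with, or password
# was incorrect" (the same message appears for a truly corrupted file).
import_trusted_cert() {
    certfile=$1; alias=$2; truststore=$3; storepass=$4
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$certfile" -keystore "$truststore" -storepass "$storepass"
}

# Exit 0 if the alias exists in the truststore (the "run keytool -list and
# look for the alias" check from the docs, made scriptable).
verify_alias() {
    truststore=$1; alias=$2; storepass=$3
    keytool -list -keystore "$truststore" -storepass "$storepass" -alias "$alias" >/dev/null
}

# Constructed sample of s_client -showcerts output (the base64 is NOT a real
# certificate) so extract_cert_pem can be exercised offline.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
depth=0 CN = ldap.example.test
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
TEVBRi1DT05TVFJVQ1RFRC1OT1QtQS1SRUFMLUNFUlQ=
-----END CERTIFICATE-----
 1 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
Uk9PVC1DT05TVFJVQ1RFRC1OT1QtQS1SRUFMLUNFUlQ=
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test'

# Return the N-th certificate block of the constructed sample.
demo_extract() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | extract_cert_pem "${1:-1}"
}

# Usage: ./ldaps-trust.sh ldap.example.test [636] [alias] [truststore] [storepass]
main() {
    host=$1; port=${2:-636}; alias=${3:-CompanyAD}
    truststore=${4:-"$JAVA_HOME/lib/security/cacerts"}; storepass=${5:-changeit}
    fetch_ldaps_cert "$host" "$port" 1 > ldap.cert
    echo "Fetched leaf certificate; confirm this fingerprint with your LDAP admin:"
    cert_fingerprint ldap.cert
    import_trusted_cert ldap.cert "$alias" "$truststore" "$storepass"
    verify_alias "$truststore" "$alias" "$storepass" && echo "alias $alias present in $truststore"
}

if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it with the LDAP host as the first argument; with no arguments it only defines the functions. Pass 2 as the third argument to fetch_ldaps_cert when the server cert is issued by an internal CA, so the CA cert rather than the short-lived leaf ends up in the truststore.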