LLDAP and Rundeck #1209

klokare · 2025-07-10T14:33:47Z

klokare
Jul 10, 2025

Has anyone been able to use LLDAP as the auth backend for Rundeck (community edition)? I have them both running in a single docker compose and LLDAP itself is behaving beautifully, but Rundeck is apparently not liking the reply:

rundeck-rundeck-1  | [2025-07-10T13:39:52,865] INFO  jaas.JettyCachingLdapLoginModule - Login attempts: 1, Hits: 0, Ratio: 0%.
rundeck-rundeck-1  | [2025-07-10T13:39:52,867] DEBUG jaas.JettyCachingLdapLoginModule - Cache Miss for admin.
rundeck-rundeck-1  | [2025-07-10T13:39:52,868] DEBUG jaas.JettyCachingLdapLoginModule - Searching for users with filter: '(&(objectClass={0})({1}={2}))' from base dn: ou=people,dc=example,dc=com
lldap              | 2025-07-10T13:39:52.871456725+00:00  INFO     LDAP request [ 551µs | 10.76% / 100.00% ] session_id: 880a971c-7de2-48f6-a756-ccd665e26cc0
lldap              | 2025-07-10T13:39:52.871474165+00:00  DEBUG    ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 2, op: SearchRequest(LdapSearchRequest { base: "ou=people,dc=example,dc=com", scope: Subtree, aliases: Always, sizelimit: 1, timelimit: 0, typesonly: false, filter: And([Equality("objectClass", "person"), Equality("cn", "admin")]), attrs: [] }), ctrl: [LdapControl::ManageDsaIT { criticality: false }] }
lldap              | 2025-07-10T13:39:52.871477535+00:00  DEBUG    ┝━ do_search [ 491µs | 0.00% / 89.24% ]
lldap              | 2025-07-10T13:39:52.871839397+00:00  DEBUG    │  ┝━ 🐛 [debug]:  | request.base: "ou=people,dc=example,dc=com" | scope: Users
lldap              | 2025-07-10T13:39:52.871841617+00:00  DEBUG    │  ┕━ get_user_list [ 491µs | 0.00% / 89.24% ]
lldap              | 2025-07-10T13:39:52.871857307+00:00  DEBUG    │     ┝━ 🐛 [debug]:  | filters: And([And([]), Equality(DisplayName, "admin")])
lldap              | 2025-07-10T13:39:52
10000
.871862137+00:00  DEBUG    │     ┕━ list_users [ 491µs | 89.24% ] filters: Some(And([And([]), Equality(DisplayName, "admin")])) | _get_groups: false
lldap              | 2025-07-10T13:39:52.872415441+00:00  DEBUG    │        ┕━ 🐛 [debug]:  | return: []
lldap              | 2025-07-10T13:39:52.872429761+00:00  DEBUG    ┕━ 🐛 [debug]:  | response: SearchResultDone(LdapResult { code: Success, matcheddn: "", message: "", referral: [] })
rundeck-rundeck-1  | [2025-07-10T13:39:52,875] DEBUG jaas.JettyCachingLdapLoginModule - Found user?: false
lldap              | 2025-07-10T13:39:52.876194072+00:00  INFO     LDAP request [ 21.5µs | 100.00% ] session_id: 880a971c-7de2-48f6-a756-ccd665e26cc0
lldap              | 2025-07-10T13:39:52.876210312+00:00  DEBUG    ┝━ 🐛 [debug]:  | msg: LdapMsg { msgid: 3, op: UnbindRequest, ctrl: [LdapControl::ManageDsaIT { criticality: false }] }
lldap              | 2025-07-10T13:39:52.876216482+00:00  DEBUG    ┕━ 🐛 [debug]: Unbind request for admin
lldap              | 2025-07-10T13:39:52.876589874+00:00  INFO     ｉ [info]: LDAP session end: 880a971c-7de2-48f6-a756-ccd665e26cc0
rundeck-rundeck-1  | [2025-07-10T13:39:52,879] DEBUG event.ApplicationEventPublisher - Publishing event: org.springframework.security.authentication.jaas.event.JaasAuthenticationFailedEvent[source=UsernamePasswordAuthenticationToken [Principal=admin, Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails [RemoteIpAddress=172.29.0.1, SessionId=node0i1w91vw03f8r1rayythkadgng0], Granted Authorities=[]]]

If I am reading that correctly, the credentials that Rundeck uses to search LLDAP work. LLDAP showing success ("response: SearchResultDone(LdapResult { code: Success"), but Rundeck immediately states, "Found user?: false"

Answered by nitnelave

Jul 10, 2025

You should use "uid" rather than "cn", both when logging in and when looking up users. Logging in works right now, but when looking for a user with cn "admin", it fails to find.

Having a quick look at the config from the website, it seems that you're looking for the userRdnAttribute or userIdAttribute, which should both be "uid"

View full answer

klokare · 2025-07-10T14:37:31Z

klokare
Jul 10, 2025
Author

Here is the docker-compose.yaml

services:
  lldap:
    image: lldap/lldap:stable
    container_name: lldap
    ports:
      # For LDAP, not recommended to expose, see Usage section.
      #- "3890:3890"
      # For LDAPS (LDAP Over SSL), enable port if LLDAP_LDAPS_OPTIONS__ENABLED set true, look env below
      #- "6360:6360"
      # For the web front-end
      - "8084:17170"
    volumes:
      #- "lldap_data:/data"
      # Alternatively, you can mount a local folder
      - "/volume2/docker/rundeck/lldap_data:/data"
    environment:
      - UID=1026
      - GID=100
      - TZ=Europe/Berlin
      - LLDAP_JWT_SECRET=REPLACE_WITH_RANDOM
      - LLDAP_KEY_SEED=REPLACE_WITH_RANDOM
      - LLDAP_LDAP_BASE_DN=dc=example,dc=com
      - LLDAP_LDAP_USER_PASS=adminpass

  rundeck:
      hostname: rundeck
      image: rundeck/rundeck:5.13.0
      links:
        - lldap
      tty: true
      environment:
          RUNDECK_JAAS_MODULES_0: JettyCombinedLdapLoginModule
          RUNDECK_JAAS_LDAP_PROVIDERURL: ldap://lldap:3890
          RUNDECK_JAAS_LDAP_BINDDN: cn=admin,ou=people,dc=example,dc=com
          RUNDECK_JAAS_LDAP_BINDPASSWORD: adminpass
          RUNDECK_JAAS_LDAP_USERBASEDN: ou=people,dc=example,dc=com
          RUNDECK_JAAS_LDAP_ROLEBASEDN: ou=groups,dc=example,dc=com
          RUNDECK_GRAILS_URL: http://127.0.0.1:4440
          RUNDECK_LOGGING_LOGLEVEL_DEFAULT: debug
          RUNDECK_LOGGING_LOGLEVEL_ROOT: debug
          #RUNDECK_LOGGING_LOGLEVEL_HIBERNATE: debug
          #RUNDECK_LOGGING_LOGLEVEL_SPRING: debug
          #RUNDECK_LOGGING_LOGLEVEL_SPRINGBEAN: debug
          #RUNDECK_LOGGING_LOGLEVEL_INTERNALS: debug
          #RUNDECK_LOGGING_LOGLEVEL_GRAILS: debug
          RUNDECK_LOGGING_LOGLEVEL_JETTY: debug
          RUNDECK_JAAS_LDAP_FORCEBINDINGLOGIN: true
      volumes:
        #- /u01/app/rundeck/.ssh:/home/rundeck/.ssh
        - /volume2/docker/rundeck/rundeck_data:/home/rundeck/server/data
  #      - ${RUNDECK_LICENSE_FILE:-/dev/null}:/home/rundeck/etc/rundeckpro-license.key
      ports:
        - 8083:4440

NOTE: this is just a first attempt to get these running together so it is just a "throw example". no need to chide me for posting a password. :)

4 replies

nitnelave Jul 10, 2025
Maintainer

You should use "uid" rather than "cn", both when logging in and when looking up users. Logging in works right now, but when looking for a user with cn "admin", it fails to find.

Having a quick look at the config from the website, it seems that you're looking for the userRdnAttribute or userIdAttribute, which should both be "uid"

Answer selected by klokare

klokare Jul 10, 2025
Author

This is what was needed. I added these to my docker-compose.yaml as environment variables for rundeck:

          RUNDECK_JAAS_LDAP_USERRDNATTRIBUTE: uid
          RUNDECK_JAAS_LDAP_USERIDATTRIBUTE: uid

and now I can use uid=<username>,ou=people,dc=example,dc=com for all users.

nitnelave Jul 10, 2025
Maintainer

Thanks! Do you think you can contribute a configuration guide?

klokare Jul 10, 2025
Author

Yes. Maybe not tonight, but I will do one. We have been trying to use Rundeck in my organisation to make it easier for our users to be more self sufficient with technical tasks, but the authentication set up for the community edition is limited to options that do not allow the user to change their own password or the administrator to create new users easily. LLDAP is a great solution to this problem. I would be happy to help others connect the two applications.

klokare · 2025-07-10T16:26:25Z

klokare
Jul 10, 2025
Author

So I may have figured this out. I noticed in an ldapsearch result that my admin user was:

# admin, people, example.com
dn: uid=admin,ou=people,dc=example,dc=com
cn: Administrator
createtimestamp: 2025-07-10T12:49:45.710865912+00:00
entryuuid: 4e1340d3-d91c-38cc-abbb-6b90780ea4a1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: mailAccount
objectclass: person
uid: admin

but I had used

RUNDECK_JAAS_LDAP_BINDDN: cn=admin,ou=people,dc=example,dc=com

my dn is uid=admin and not cn=admin. so I changed it to

RUNDECK_JAAS_LDAP_BINDDN: uid=admin,ou=people,dc=example,dc=com

no luck. Rundeck apparently wants a cn not a uid. So I changed it back to

RUNDECK_JAAS_LDAP_BINDDN: cn=admin,ou=people,dc=example,dc=com

and went into the LLDAP front end and change the display name from Administrator to admin (making it the cn). Authentication now works.

I then added an "admin" group and put my admin user in it. Rundeck now lets me login as an administrator.

2 replies

nitnelave Jul 10, 2025
Maintainer

Right, but other users won't be found unless their display game will be the same as their uid

klokare Jul 10, 2025
Author

yep. just ran into that. looking into your previous comment about definining the attributes. thanks for the help.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

LLDAP and Rundeck #1209

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 6 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

LLDAP and Rundeck #1209

Uh oh!

klokare Jul 10, 2025

Replies: 2 comments · 6 replies

Uh oh!

klokare Jul 10, 2025 Author

Uh oh!

nitnelave Jul 10, 2025 Maintainer

Uh oh!

klokare Jul 10, 2025 Author

Uh oh!

nitnelave Jul 10, 2025 Maintainer

Uh oh!

Uh oh!

klokare Jul 10, 2025 Author

Uh oh!

klokare Jul 10, 2025 Author

Uh oh!

nitnelave Jul 10, 2025 Maintainer

Uh oh!

klokare Jul 10, 2025 Author

klokare
Jul 10, 2025

Replies: 2 comments 6 replies

klokare
Jul 10, 2025
Author

nitnelave Jul 10, 2025
Maintainer

klokare Jul 10, 2025
Author

nitnelave Jul 10, 2025
Maintainer

klokare Jul 10, 2025
Author

klokare
Jul 10, 2025
Author

nitnelave Jul 10, 2025
Maintainer

klokare Jul 10, 2025
Author