Configuring rundeck with ldap for AD authentication


Question

Trying here to see if anyone has worked out LDAP auth against AD with rundeck. I am using the JRE running method for rundeck. Here is what I have done so far:

Once a certificate has been obtained, there are two options for adding the certificate. The first involves updating the truststore for the JRE. If that is not possible or not desirable, then one can set the truststore to be used by the JVM, using any arbitrary truststore that contains the appropriate certificate.

Both options require importing a certificate. The following would import a certificate called AD.cert into /etc/rundeck/ssl/truststore.

keytool -import -alias CompanyAD -file AD.cert -keystore /etc/rundeck/ssl/truststore -storepass adminadmin

To add the certificate to the JRE, locate the file $JAVA_HOME/lib/security/cacerts and run

keytool -import -alias CompanyAD -file AD.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

To verify your CA has been added, run keytool -list and look for CompanyAD in the output.

keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

This is where I am running into an issue. I have imported my certificate into the Java truststore under $JAVA_HOME/lib/security/cacerts. The ssl.properties file also asks for keystore, keystore.password and key.password parameters. Now, am I supposed to create a new keystore, or omit these and just use the truststore variables?

I also tried creating a new keystore (.jks) and imported the same ssl certificate into it, setting keypass and storepass. This did not help. I am getting an error saying java.io.IOException: Keystore was tampered with, or password was incorrect

I am deploying the jar using: java -Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap -Drundeck.ssl.config=ssl.properties -jar rundeck-launcher-2.6.4.jar

I'd appreciate help getting through this.

Answer

There is no need to ask your admin for the ssl certificate. If your organization uses ldaps and the certificate installed on the ldap server is a self-signed cert which is not in your keystore, then you need to add the cert to your JVM keystore. Now, to get that certificate, run the query below:

openssl s_client -connect <ldapserver>:636

This will give some output with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Copy the text between these strings to a file ldap.cert.

keytool -import -alias CompanyAD -file ldap.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

If your keystore is tampered with, you may have to reinstall Java on the system.
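The steps in the question (import into a truststore, then verify with keytool -list) and the openssl s_client step in the answer, put together as one script. This is an added example, not code from the question, the answer or the Rundeck project. The host name dc01.example.corp, the alias CompanyAD, the truststore path and password, and the sample s_client output are placeholders and constructed input. One caveat the script encodes: keytool recognises a PEM file by its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so the file handed to -importcert must keep those markers, not only the base64 body between them. A second: openssl s_client without -showcerts prints only the leaf certificate; with -showcerts you get the whole chain the server sends, and trusting the issuing CA (the last block) survives the server's leaf certificate being renewed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Fetches the certificate chain an LDAPS server presents, pulls one PEM
# block out of the `openssl s_client` output, imports it into a JKS
# truststore and checks the alias landed. Host names, aliases, paths and
# the sample s_client output below are placeholders / constructed input.

# Print the Nth (1-based, default 1 = leaf) certificate block from stdin,
# including the BEGIN/END lines: keytool recognises PEM by those markers,
# so the base64 body alone is not enough.
extract_pem() {
    awk -v want="${1:-1}" '
        /-----BEGIN CERTIFICATE-----/ { idx++ }
        idx == want                   { print }
        idx == want && /-----END CERTIFICATE-----/ { exit }
    '
}

# Number of certificate blocks in the s_client output on stdin.
count_pem() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Dump the full chain the server sends (leaf first). -showcerts prints
# every certificate, not just the leaf; </dev/null ends the session
# right after the handshake instead of waiting for input.
fetch_ldaps_chain() {
    openssl s_client -connect "$1:${2:-636}" -showcerts </dev/null 2>/dev/null
}

# Import a PEM file under ALIAS into the JKS truststore STORE, then prove
# it is there: `keytool -list -alias` exits non-zero when the alias is absent.
import_and_verify() {
    alias_="$1" pem="$2" store="$3" pass="$4"
    keytool -importcert -noprompt -trustcacerts -alias "$alias_" \
        -file "$pem" -keystore "$store" -storepass "$pass" >/dev/null || return 1
    keytool -list -alias "$alias_" -keystore "$store" -storepass "$pass" >/dev/null
}

# Constructed stand-in for `openssl s_client -showcerts` output: two
# certificate blocks (leaf, then the issuing CA). The base64 bodies are
# dummies, enough to exercise the extraction offline.
sample_sclient_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN=dc01.example.corp
   i:CN=Example Corp Root CA
-----BEGIN CERTIFICATE-----
MIIBleafleafleafleafleaf
-----END CERTIFICATE-----
 1 s:CN=Example Corp Root CA
   i:CN=Example Corp Root CA
-----BEGIN CERTIFICATE-----
MIIBrootrootrootrootroot
-----END CERTIFICATE-----
---
Server certificate
subject=CN=dc01.example.corp
issuer=CN=Example Corp Root CA
EOF
}

# Offline demo: the chain has two entries; block 2 is the CA, which is
# the one worth trusting (leaf certs rotate, the CA does not).
echo "blocks in sample: $(sample_sclient_output | count_pem)"
sample_sclient_output | extract_pem 2

# Live run, only when LDAPS_HOST is set:
#   LDAPS_HOST=dc01.example.corp sh ldaps-trust.sh
if [ -n "${LDAPS_HOST:-}" ]; then
    fetch_ldaps_chain "$LDAPS_HOST" > /tmp/chain.txt
    n=$(count_pem < /tmp/chain.txt)
    extract_pem "$n" < /tmp/chain.txt > /tmp/ldap-ca.pem   # top of the chain
    import_and_verify CompanyAD /tmp/ldap-ca.pem /etc/rundeck/ssl/truststore adminadmin \
        && echo "CompanyAD present in /etc/rundeck/ssl/truststore"
fi
```

For the second option the question describes (a truststore other than the JRE's cacerts), the JVM is pointed at it with the standard system properties -Djavax.net.ssl.trustStore=/etc/rundeck/ssl/truststore -Djavax.net.ssl.trustStorePassword=adminadmin on the java command line (property names are standard JSSE; the path and password are the placeholders above). Note also that in Java's terms a keystore holds the server's own private key and certificate while a truststore holds the CAs it accepts; the certificate fetched here belongs in the truststore, and "Keystore was tampered with, or password was incorrect" is what the JKS loader raises when the store password handed to it does not match the file (or the file is not a JKS at all), so the first thing to check is the storepass used when the file was created against the one in ssl.properties.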
