Rundeck + OpenLDAP + PostgreSQL (pgAdmin + Apache Directory Studio + VNC server)
For this article we will use AWS Cloud9 on an EC2 instance (t3.medium), a workspace that you can share with others (e.g. to get support).
We will access our solution through a "desktop gateway": a VNC Docker container running inside the virtual network, so none of the services have to be published to the internet.
A video version of this tutorial is available at the bottom.
Preparation
1. Create network
docker network create --driver bridge pink --subnet 172.30.0.0/16
2. Resize the system partition from 10GB to 20GB.
2.1. Change the size of the EC2 EBS volume via the console or the AWS CLI.
2.2. Extend the Linux file system after resizing the volume with the following steps (if it doesn't work, the details are at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/recognize-expanded-volume-linux.html). Check the device and partition names with lsblk first, and note that resize2fs is for ext4: if the root file system is XFS, run sudo xfs_growfs -d / instead of resize2fs.
sudo growpart /dev/nvme0n1 1
sudo resize2fs /dev/nvme0n1p1
VNC
Run the Docker container and open the URL (Preview > Preview Running Application). For a better experience use your preferred resolution and open the VNC URL outside the Cloud9 editor (in a new browser window or tab). The password is optional: with the default security group of a Cloud9 EC2 instance nobody but you can reach the published port. Keep one set anyway, because port 8080 is bound on the host and becomes reachable the moment the security group is opened.
docker run \
  -it \
  --name vnc \
  -p 8080:80 \
  -v /dev/shm:/dev/shm \
  --net pink \
  -e RESOLUTION=800x600 \
  -e VNC_PASSWORD=Upd4t34lm4n4ch \
  --ip 172.30.0.13 \
  -d dorowu/ubuntu-desktop-lxde-vnc
Download Apache Directory Studio (https://directory.apache.org/studio/downloads.html) if you want to use a GUI for the OpenLDAP configuration. It runs inside the VNC container's desktop (the image is Ubuntu based, hence apt-get below), so open a terminal there to install the JRE it needs:
sudo apt-get update && sudo apt-get install default-jre -y
OpenLDAP
Run OpenLDAP container
docker run \
  -it \
  --name ldap \
  --hostname ldap \
  --net pink \
  --ip 172.30.0.14 \
  --restart unless-stopped \
  -e 'LDAP_ORGANISATION=ACME' \
  -e 'LDAP_DOMAIN=acme.it' \
  -e 'LDAP_ADMIN_PASSWORD=123' \
  -d osixia/openldap:1.2.1
Sign in using the credentials
login: cn=admin,dc=acme,dc=it
password: 123
Create the OUs ou=users, ou=roles and ou=rundeck (under ou=roles) first; the entries below live under them. Then create the "superadmin" role using the posixGroup object class
cn=superadmin,ou=rundeck,ou=roles,dc=acme,dc=it
Create a new user "John Doe" using the posixAccount and inetOrgPerson object classes and set the password to "123"
cn=John Doe,ou=users,dc=acme,dc=it
Add the attribute "memberUid" to the "superadmin" role, with the user's full DN as its value
cn=John Doe,ou=users,dc=acme,dc=it
memberUid normally holds a plain uid, not a DN. The full DN is used here because Rundeck's LDAP login module resolves roles with a search of the form (&(objectClass=<roleObjectClass>)(<roleMemberAttribute>=<user DN>)), so the value must equal the authenticated user's DN exactly (the module's roleUsernameMemberAttribute setting is the alternative if you prefer to store plain usernames).
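The same directory tree, created with LDIF from the Cloud9 shell instead of by hand in Apache Directory Studio. This is an added example, not code from the article or from the osixia image: it assumes the container is named ldap and contains ldapadd, ldapsearch and slappasswd (the osixia/openldap image ships ldap-utils), that the admin DN and password are the ones set above, and the uid jdoe, the numeric IDs 10001 and the home directory are invented sample values. The last function runs the role lookup Rundeck will perform for John Doe, so you can confirm the memberUid value matches before touching Rundeck at all.

```shell
#!/bin/sh
# Added example (not part of the original article): bootstrap the OpenLDAP
# tree with LDIF instead of clicking through Apache Directory Studio.
# Assumptions: container "ldap", admin DN/password from the docker run above;
# "jdoe", 10001 and /home/jdoe are invented sample values.
set -eu

BASE_DN="dc=acme,dc=it"
ADMIN_DN="cn=admin,${BASE_DN}"
ADMIN_PW="123"

# Emit the LDIF for the OUs, one user and the superadmin role.
# $1 is the user's password hash (see hash_password). The posixGroup's
# memberUid deliberately holds the user's full DN, because Rundeck's LDAP
# module matches roleMemberAttribute against the DN of the logged-in user.
gen_ldif() {
    cat <<EOF
dn: ou=users,${BASE_DN}
objectClass: organizationalUnit
ou: users

dn: ou=roles,${BASE_DN}
objectClass: organizationalUnit
ou: roles

dn: ou=rundeck,ou=roles,${BASE_DN}
objectClass: organizationalUnit
ou: rundeck

dn: cn=John Doe,ou=users,${BASE_DN}
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Doe
sn: Doe
givenName: John
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
userPassword: $1

dn: cn=superadmin,ou=rundeck,ou=roles,${BASE_DN}
objectClass: posixGroup
cn: superadmin
gidNumber: 10001
memberUid: cn=John Doe,ou=users,${BASE_DN}
EOF
}

# Hash the password inside the container so no plaintext secret lands in LDAP.
hash_password() {
    docker exec ldap slappasswd -s "$1"
}

# Load the tree; -i keeps stdin open so the LDIF can be piped into ldapadd.
load_tree() {
    gen_ldif "$(hash_password "$1")" |
        docker exec -i ldap ldapadd -x -H ldap://localhost \
            -D "${ADMIN_DN}" -w "${ADMIN_PW}"
}

# The exact filter Rundeck builds when resolving a user's roles, given the
# roleObjectClass=posixGroup and roleMemberAttribute=memberUid settings.
role_filter() {
    printf '(&(objectClass=posixGroup)(memberUid=%s))' "$1"
}

# Run that lookup with the same bind DN and role base DN Rundeck will use;
# the answer must list cn: superadmin, otherwise Rundeck will see no roles.
check_roles() {
    docker exec ldap ldapsearch -x -H ldap://localhost -LLL \
        -D "${ADMIN_DN}" -w "${ADMIN_PW}" \
        -b "ou=rundeck,ou=roles,${BASE_DN}" \
        "$(role_filter "cn=John Doe,ou=users,${BASE_DN}")" cn
}

if [ "${1:-}" = "run" ]; then
    load_tree "123"
    check_roles
fi
```

Run it as sh bootstrap-ldap.sh run. The password is stored as an {SSHA} hash rather than in clear. Rundeck's LDAP module can either bind as the user (forceBindingLogin=true; the rundeck/rundeck image maps it to RUNDECK_JAAS_LDAP_FORCEBINDINGLOGIN) or read userPassword through the bind DN and compare it itself; if the hashed value is not accepted in the second mode, switch to the first. Which attribute Rundeck treats as the login name (cn or uid) is set by the module's userIdAttribute, so log in with the value that setting selects.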
PostgreSQL
Create volume for database files
docker volume create var_lib_postgresql_data_pgdata
Run the PostgreSQL Docker container
docker run \
  --hostname postgres \
  --name postgres \
  -it \
  --ip 172.30.0.11 \
  --restart unless-stopped \
  --net pink \
  -e POSTGRES_PASSWORD=123 \
  -e PGDATA=/var/lib/postgresql/data/pgdata \
  --mount source=var_lib_postgresql_data_pgdata,target=/var/lib/postgresql/data/pgdata \
  -d postgres:12.3
Create the user "rundeck" with password "123" and the database "rundeck" owned by that user. You can also do this later using pgAdmin.
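The same role and database created from the Cloud9 shell, followed by a connection test from the pink network. This is an added example, not code from the article or from the postgres image: it assumes the container is named postgres, that psql inside it connects over the local socket without a password (the official image trusts local connections), and it generates a random password instead of "123"; the value it prints is the one to put into RUNDECK_DATABASE_PASSWORD.

```shell
#!/bin/sh
# Added example (not part of the original article): create the "rundeck" role
# and database with psql instead of pgAdmin, then prove the connection works
# from the "pink" network, which is where the Rundeck container will sit.
# Assumptions: container "postgres" from the docker run command above.
set -eu

# SQL for the application role and its database. Single quotes inside the
# password are doubled so the string literal stays valid; PUBLIC loses its
# default CONNECT privilege so only the owner can reach the database.
gen_sql() {
    pw=$(printf '%s' "$1" | sed "s/'/''/g")
    cat <<EOF
CREATE ROLE rundeck LOGIN PASSWORD '${pw}';
CREATE DATABASE rundeck OWNER rundeck;
REVOKE ALL ON DATABASE rundeck FROM PUBLIC;
EOF
}

# A random password instead of the "123" used throughout the article.
new_password() {
    openssl rand -base64 24
}

# Run the SQL as the superuser over the container-local socket.
create_db() {
    gen_sql "$1" | docker exec -i postgres psql -v ON_ERROR_STOP=1 -U postgres
}

# Connect as "rundeck" over TCP from another container on the same network,
# which is exactly what jdbc:postgresql://postgres/rundeck will do later.
check_connection() {
    docker run --rm --net pink -e PGPASSWORD="$1" postgres:12.3 \
        psql -h postgres -U rundeck -d rundeck -tAc 'SELECT current_user'
}

if [ "${1:-}" = "run" ]; then
    PW=$(new_password)
    create_db "${PW}"
    [ "$(check_connection "${PW}")" = "rundeck" ] || exit 1
    echo "ok, use RUNDECK_DATABASE_PASSWORD=${PW}"
fi
```

Run it as sh bootstrap-db.sh run. If check_connection fails while create_db succeeded, the problem is network or pg_hba related rather than the credentials, which is the distinction you want before debugging Rundeck's startup log.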
pgAdmin
Create volume for data
docker volume create var_lib_pgadmin
Run the pgAdmin Docker container and access it from the VNC container's browser at http://pgadmin
docker run \
  -it \
  --hostname pgadmin \
  --name pgadmin \
  --mount source=var_lib_pgadmin,target=/var/lib/pgadmin \
  --ip 172.30.0.12 \
  --restart unless-stopped \
  --net pink \
  -e 'PGADMIN_DEFAULT_EMAIL=my@e-mail.it' \
  -e 'PGADMIN_DEFAULT_PASSWORD=123' \
  -d dpage/pgadmin4
Rundeck
To persist the /home/rundeck/etc directory we will start a throwaway container, copy the files out of it, delete the container and run it again with the directory bind-mounted from the host. Next we will change the container user's UID to the host user's UID, so that editing the files on the host does not produce permission errors. The last step is the ACL file modification, where we change the "admin" group/role to "superadmin" so that the LDAP role created above gets administrator rights.
Run Rundeck
docker run -it --name rundeck -d rundeck/rundeck:3.2.8
Copy the folder "/home/rundeck/etc" to "/home/ec2-user/environment/etc"
docker cp -a -L rundeck:/home/rundeck/etc /home/ec2-user/environment
Delete the container
docker rm -f rundeck
Run the Rundeck container and access it from the VNC container's browser at http://rundeck:4440
docker run \
  -it \
  --name rundeck \
  --hostname rundeck \
  --net pink \
  --ip 172.30.0.15 \
  --restart unless-stopped \
  --mount type=bind,source=/home/ec2-user/environment/etc,target=/home/rundeck/etc \
  -e 'RUNDECK_GRAILS_URL=http://rundeck:4440' \
  -e 'RUNDECK_DATABASE_DRIVER=org.postgresql.Driver' \
  -e 'RUNDECK_DATABASE_URL=jdbc:postgresql://postgres/rundeck?autoReconnect=true&useSSL=false' \
  -e 'RUNDECK_DATABASE_USERNAME=rundeck' \
  -e 'RUNDECK_DATABASE_PASSWORD=123' \
  -e 'RUNDECK_JAAS_MODULES_0=JettyCombinedLdapLoginModule' \
  -e 'RUNDECK_JAAS_LDAP_PROVIDERURL=ldap://ldap:389' \
  -e 'RUNDECK_JAAS_LDAP_BINDDN=cn=admin,dc=acme,dc=it' \
  -e 'RUNDECK_JAAS_LDAP_BINDPASSWORD=123' \
  -e 'RUNDECK_JAAS_LDAP_USERBASEDN=ou=users,dc=acme,dc=it' \
  -e 'RUNDECK_JAAS_LDAP_ROLEBASEDN=ou=rundeck,ou=roles,dc=acme,dc=it' \
  -e 'RUNDECK_JAAS_LDAP_ROLEOBJECTCLASS=posixGroup' \
  -e 'RUNDECK_JAAS_LDAP_ROLEMEMBERATTRIBUTE=memberUid' \
  -e 'RUNDECK_JAAS_LDAP_ROLENAMEATTRIBUTE=cn' \
  -d rundeck/rundeck:3.2.8
Two remarks on this command. The autoReconnect and useSSL parameters in the JDBC URL are MySQL Connector/J options; the PostgreSQL driver ignores them, and if you later want TLS to the database its own options are ssl and sslmode. Binding as cn=admin gives Rundeck write access to the whole directory; outside a lab, create a read-only service account and use it as the bind DN.
Change the UID of the container user "rundeck" from "1000" to "501" (the UID of ec2-user on the Cloud9 host; confirm it with id -u on the host before you pick the number) and apply the change to the files and directories it owns.
docker exec -ti -u root rundeck bash
usermod -u 501 rundeck
find / -user 1000 -exec chown -h rundeck {} \;
exit
Restart the container
docker restart rundeck
Edit the host file mounted into the container, ~/environment/etc/admin.aclpolicy, and change both "group: admin" occurrences to "superadmin" (one is in the project-context policy, the other in the application-context policy; both are needed, otherwise the role can either see projects but not administer them, or the reverse).
Now you can log in successfully: open http://rundeck:4440 in the browser inside the VNC container and authenticate with the LDAP user.
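The ACL step done with sed, plus a second, deliberately narrower policy so that not every LDAP account that can log in becomes an administrator. This is an added example, not code from the article or from the Rundeck project: the "operator" role name is invented (it would be a second posixGroup under ou=rundeck,ou=roles), and the directory argument is the host path mounted at /home/rundeck/etc, which the article keeps at /home/ec2-user/environment/etc.

```shell
#!/bin/sh
# Added example (not part of the original article): retarget admin.aclpolicy
# at the LDAP "superadmin" role and add a least-privilege "operator" policy.
# $1 is the host directory bind-mounted at /home/rundeck/etc.
# "operator" is an invented role name for illustration.
set -eu

# admin.aclpolicy grants everything to "group: admin" in two YAML documents.
# Only the "by: group:" lines are rewritten, so the grants stay as shipped.
retarget_admin_policy() {
    sed -i 's/^\( *group: *\)admin *$/\1superadmin/' "$1/admin.aclpolicy"
}

# Operators may view and run jobs and nodes in every project but cannot edit
# jobs, create projects, run ad-hoc commands or touch key storage. Rundeck
# needs a project-context document and an application-context document.
write_operator_policy() {
    cat > "$1/operator.aclpolicy" <<'EOF'
description: Operators may run, but not change, jobs in every project.
context:
  project: '.*'
for:
  resource:
    - equals:
        kind: 'node'
      allow: [read]
    - equals:
        kind: 'event'
      allow: [read]
  job:
    - allow: [read, run]
  node:
    - allow: [read, run]
by:
  group: operator

---

description: Operators may open projects in the UI.
context:
  application: 'rundeck'
for:
  project:
    - allow: [read]
by:
  group: operator
EOF
}

# List every group any policy in the directory grants to; after the rewrite
# the built-in "admin" must no longer appear, only the LDAP role names.
policy_groups() {
    grep -h '^ *group:' "$1"/*.aclpolicy | sed 's/^ *group: *//' | sort -u
}

if [ "${1:-}" = "run" ]; then
    ETC="${2:-$HOME/environment/etc}"
    retarget_admin_policy "${ETC}"
    write_operator_policy "${ETC}"
    policy_groups "${ETC}"
fi
```

Run it as sh acl.sh run /home/ec2-user/environment/etc. Rundeck reloads *.aclpolicy files from its etc directory without a restart, and the group names in the policies are compared against the cn of the posixGroup entries returned by the role search, so an LDAP user ends up with exactly the union of the policies whose group they are a memberUid of.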
Video (steps visualization)
The video is also available on d.tube.
Appendix
Watch the video about Rundeck authentication (AD, OpenLDAP) and ACLs

For the PostgreSQL database, I can recommend the ODBC driver for PostgreSQL.