Skip to main content
Solved

Active Directory groups not populating after Rundeck 6 upgrade

  • July 6, 2026
  • 10 replies
  • 52 views

Forum|alt.badge.img

We upgraded our non-prod instances to Rundeck 6 this morning and immediately lost our admin access. Admin access is granted to specific Active Directory groups in an admin.aclpolicy file. I’ve noted that in the service.log when I log in, it DOES list all the user’s groups on login, however when checking the user profile after logging into rundeck, no groups are listed. It’s as though it’s pulling the Active Directory group memberships, but not applying them correctly to the rundeck user object.

Please advise if you need to see any of the specific config files (jaas-activedirectory, admin.aclpolicy, etc) to help with this.

I did go through the activedirectory conf file and confirmed that all the properties there still matched the documentation on the Authentication page. Not sure where the breakdown is or if anyone else has seen something similar. I saw no notice of deprecation affecting jass or active directory in the release notes...

Best answer by MegaDrive68k

Hi Alex,

It seems that you’re facing this and this. Please don’t upgrade the prod environment. I just reproduced this issue on my end. Nothing is wrong with your config.

The issue is reported to the engineering team.

Thanks for your feedback.

10 replies

Forum|alt.badge.img
  • Author
  • New Member 👋
  • July 6, 2026

The following are from the rundeck.audit.events.log. The first line is my last login on Rundeck 5 and the second line is my first login on Rundeck 6. You can see that the “userRoles” property is just empty now, despite all group memberships being displayed in the service.log file (the last log line below the two from audit.events):

audit.events.log:


[2026-07-06T09:05:16,452] INFO  audit.AuditLoggerPlugin - Audit Event: AuditEvent {Timestamp=Mon Jul 06 09:05:16 CDT 2026, ActionType='login_success', UserInfo={username='<USERNAME>', userRoles=[<LIST_OF_GROUPS>]}, RequestInfo={<SANITIZED>, userAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36'}, ResourceInfo={resourceType='user', resourceName='<USERNAME>'}}

[2026-07-06T09:18:09,377] INFO  audit.AuditLoggerPlugin - Audit Event: AuditEvent {Timestamp=Mon Jul 06 09:18:09 CDT 2026, ActionType='login_success', UserInfo={username='<USERNAME>', userRoles=[]}, RequestInfo={<SANITIZED>, userAgent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36'}, ResourceInfo={resourceType='user', resourceName='<USERNAME>'}}
 

service.log:

[2026-07-06T10:28:19,752] DEBUG jaas.JettyCachingLdapLoginModule - JettyCachingLdapLoginModule: User '<USERNAME>' has roles: [<LIST OF GROUPS>]


Forum|alt.badge.img
  • PagerDuty Team 📟
  • July 6, 2026

Hi Alex, also share the service.log at the moment of relaunching rundeck and trying to login. Regards.


Forum|alt.badge.img
  • Author
  • New Member 👋
  • July 6, 2026

Attached the service log file below. Sanitized passwords, user and project names, and the group list, but left as much in as I could. This snippet runs from restarting rundeck to my login attempt.


Forum|alt.badge.img
  • Author
  • New Member 👋
  • July 6, 2026

Is it possible I’ve just run into this:
https://github.com/rundeck/rundeck/issues/10288


Forum|alt.badge.img
  • Author
  • New Member 👋
  • July 6, 2026

Sorry, linked to this as well:

https://github.com/rundeck/rundeck/issues/10302


Seem to be multiple reports of admin acls not working based on jaas ldap group memberships after upgrade from 5.20.1 to 6...​​​


Forum|alt.badge.img
  • PagerDuty Team 📟
  • Answer
  • July 6, 2026

Hi Alex,

It seems that you’re facing this and this. Please don’t upgrade the prod environment. I just reproduced this issue on my end. Nothing is wrong with your config.

The issue is reported to the engineering team.

Thanks for your feedback.


Forum|alt.badge.img
  • Author
  • New Member 👋
  • July 6, 2026

Thanks Mega. Do we have any idea how long engineering is expecting before the fix for this comes out?


Forum|alt.badge.img
  • PagerDuty Team 📟
  • July 6, 2026

Hi ​@alexsz,

The engineering team is checking it now. Could you please try with this? Does it work on your end?


Forum|alt.badge.img
  • Author
  • New Member 👋
  • July 6, 2026

jaas-loginmodule.conf already had:

org.rundeck.jaas.PropertyFileLoginModule required

 

jass-activedirectory.conf has:

com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule required

This matches the documentation on https://docs.rundeck.com/docs/administration/security/authentication.html#active-directory

 

Not sure what else I should be changing regarding jetty/jaas


Forum|alt.badge.img
  • PagerDuty Team 📟
  • July 6, 2026

Yeah, same here (I just tried it and it doesn’t work either). I’ll update you as soon as we have more information. Thanks again!