目录
四、安装openldap、phpldapadmin、grafana
一、OpenLdap介绍
OpenLDAP是轻型目录访问协议(Lightweight Directory Access Protocol,LDAP)的自由和开源的实现,在其OpenLDAP许可证下发行,并已经被包含在众多流行的Linux发行版中。它本身是一个小型文件数据库。Ldap是树形结构的,能够通过server + client(服务端+客户端)的方式。进行统一的用户(账号)管理。
举个栗子:如果有100台机器,一个用户需要登录这100台机器。传统的做法就是每台机器中,都需要创建登录账号,操作100次。想想都会疯掉。如果使用ldap来管理,就只需要在ldap服务中创建一次就可以了。账号清理也是类似的道理。我们通过控制一台机器登录账号,即可控制所有机器登录账号。是不是方便很多呢?
ldap架构图
二、PhpLdapAdmin介绍
phpLDAPadmin(又称PLA)是一个基于Web的LDAP客户端。它提供了方便,随时随地可访问的,多语言管理为LDAP服务器。其层次树状浏览器和先进的搜索功能,使其直观地浏览和管理LDAP目录。既然是一个Web应用程序,此浏览器的LDAP工作在许多平台上,让您的LDAP服务器轻松地从任何位置管理。
简单来说就是openldap的一个web管理页面,通过点点的方式代替复杂的命令
三、使用docker-compose进行安装
说明:Grafana只是作为对接LDAP的一个应用,可以替换成其它应用例如jenkins、gitlab等等...
说了不少废话了,该上干货了。下面是应用于生产环境中的配置,由于一些隐私不得进行脱敏~
# 安装目录结构如下root@10-50-183-112:/home/sunwenbo# tree /home/sunwenbo//home/sunwenbo/├── docker-compose.yml└── grafana ├── grafana.ini ├── ldap.toml └── provisioning ├── access-control ├── alerting ├── dashboards ├── datasources ├── notifiers └── plugins8 directories, 3 files
1. docker-compose.yml
完整的内容如下,替换到yml中的xxx即可
version: '3'services: openldap: image: osixia/openldap:latest container_name: openldap-server hostname: ldap.xxx.cn restart: always environment: LDAP_LOG_LEVEL: "256" LDAP_ORGANISATION: "xxx Company" LDAP_DOMAIN: "xxx.cn" LDAP_ADMIN_PASSWORD: 'xxxxxxx' LDAP_BASE_DN: "dc=xxx,dc=cn" LDAP_TLS: "true" LDAP_READONLY_USER: "false" LDAP_BACKEND: "mdb" LDAP_TLS_CRT_FILENAME: "ldap.crt" LDAP_TLS_KEY_FILENAME: "ldap.key" LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem" LDAP_TLS_CA_CRT_FILENAME: "ca.crt" LDAP_TLS_ENFORCE: "false" LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0" LDAP_TLS_VERIFY_CLIENT: "demand" LDAP_REPLICATION: "false" KEEP_EXISTING_CONFIG: "false" LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" LDAP_SSL_HELPER_PREFIX: "ldap" tty: true stdin_open: true ports: - 389:389 - 636:636 volumes: - /data/slapd/database/:/var/lib/ldap/ - /data/slapd/config/:/etc/ldap/slapd.d/ networks: - openldap-net phpldapadmin: image: osixia/phpldapadmin:latest hostname: phpldapadmin-service restart: always container_name: phpldapadmin privileged: true environment: PHPLDAPADMIN_HTTPS: "false" PHPLDAPADMIN_LDAP_HOSTS: "ldap.xxx.cn" ports: - 80:80 - 443:443 depends_on: - openldap networks: - openldap-net grafana: image: grafana/grafana:latest hostname: grafana restart: always container_name: grafana privileged: true ports: - 3000:3000 volumes: - /home/sunwenbo/grafana/:/etc/grafana depends_on: - openldap networks: - openldap-netnetworks: openldap-net: driver: bridge
2. grafana配置文件
grafana.ini 只修改以下内容即可
#################################### Auth LDAP ##########################[auth.ldap]enabled = trueconfig_file = /etc/grafana/ldap.toml allow_sign_up = true # prevent synchronizing ldap users organization roles# skip_org_role_sync = false # LDAP background sync (Enterprise only)# At 1 am every daysync_cron = "0 1 * * *"active_sync_enabled = true
ldap.toml 配置如下,xxx替换为实际的dc
[[servers]]host = "10.50.183.112"port = 389ssl_skip_verify = falsebind_dn = "cn=admin,dc=xxx,dc=cn"bind_password = 'xxxxxxx'search_filter = "(cn=%s)"search_base_dns = ["ou=users,dc=xxx,dc=cn"]group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"group_search_base_dns = ["ou=GrafanaGroups,ou=Application,dc=xxx,dc=cn"]group_search_filter_user_attribute = "uid"[servers.attributes]name = "givenName"surname = "sn"username = "cn"member_of = "memberOf"email = "email"[[servers.group_mappings]]group_dn = "cn=Grafana-admins,ou=GrafanaGroups,ou=Application,dc=xxx,dc=cn"org_role = "Admin"[[servers.group_mappings]]group_dn = "cn=Grafana-editors,ou=GrafanaGroups,ou=Application,dc=xxx,dc=cn"org_role = "Editor"[[servers.group_mappings]]# group_dn = "*" #修改为*,可以认为所有LDAP用户都是viewer角色,根据实际需求进行配置group_dn = "cn=Grafana-viewers,ou=GrafanaGroups,ou=Application,dc=xxx,dc=cn"org_role = "Viewer"
3. provisioning
这个目录不做任何修改只是单纯的挂载出来了。
四、安装openldap、phpldapadmin、grafana
一条命令搞定
root@10-50-183-112:/home/sunwenbo# docker-compose up -d [+] Running 4/4 ✔ Network sunwenbo_openldap-net Created 0.0s ✔ Container openldap-server Started 0.2s ✔ Container phpldapadmin Started 0.6s ✔ Container grafana Started 0.6s root@10-50-183-112:/home/sunwenbo# docker-compose ps NAME IMAGE COMMAND SERVICE CREATED STATUS PORTSgrafana grafana/grafana:latest "/run.sh" grafana 16 seconds ago Up 14 seconds 0.0.0.0:3000->3000/tcp, :::3000->3000/tcpopenldap-server osixia/openldap:latest "/container/tool/run" openldap 16 seconds ago Up 15 seconds 0.0.0.0:389->389/tcp, :::389->389/tcp, 0.0.0.0:636->636/tcp, :::636->636/tcpphpldapadmin osixia/phpldapadmin:latest "/container/tool/run" phpldapadmin 16 seconds ago Up 14 seconds 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp
检查端口是否监听
root@10-50-183-112:/home/sunwenbo# netstat -nlpt Active Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 323033/sshd: /usr/s tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 377291/docker-proxy tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 377156/docker-proxy tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 377266/docker-proxy tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 377137/docker-proxy tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 377248/docker-proxy tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 591/systemd-resolve tcp6 0 0 :::22 :::* LISTEN 323033/sshd: /usr/s tcp6 0 0 :::80 :::* LISTEN 377299/docker-proxy tcp6 0 0 :::389 :::* LISTEN 377162/docker-proxy tcp6 0 0 :::443 :::* LISTEN 377273/docker-proxy tcp6 0 0 :::636 :::* LISTEN 377144/docker-proxy tcp6 0 0 :::3000 :::* LISTEN 377253/docker-proxy
五、配置OpenLDAP
1. 登陆PhpLdapAdmin web管理
目录结构如下
2. 需要注意的细节
OU:创建选择为Generic: Organisational Unit
CN:创建选择为Generic: Posix Group
将名字为test的人员添加到CN
登陆grafana验证
有不明白的地方欢迎随时找我~
查询用户信息ldapsearch -x -H ldap://10.50.183.112:389 -D "cn=admin,dc=bigmodel,dc=cn" -w "StrongAdminPassw0rd" -b "dc=bigmodel,dc=cn" "(cn=sunwenbo)"查询组信息ldapsearch -x -H ldap://10.50.183.112:389 -D "cn=admin,dc=bigmodel,dc=cn" -w "StrongAdminPassw0rd" -b "dc=bigmodel,dc=cn" "(&(objectClass=organizationalUnit)(ou=groups)"
内容介绍参考:
小白篇(十九):openLdap介绍(又名:Ldap介绍)_belialxing的博客-CSDN博客
来源地址:https://blog.csdn.net/weixin_43798031/article/details/132691482