OpenLDAP deployment
Prepare the configuration
- Define the configuration file openldap-config.txt

These are the bootstrap variables read by the osixia/openldap image. The file becomes the Secret named openldap-config in the open-ldap namespace, which the Deployment below loads through envFrom/secretRef; create the namespace and that Secret before applying the Deployment. LDAP_DOMAIN must match the suffix used in init.ldif (dc=quicktable,dc=cn corresponds to quicktable.cn), because the image derives both the base DN and the cn=admin DN from it.

```text
# organisation name shown in the directory
LDAP_ORGANISATION=
# domain the base DN is derived from; must match the dc= suffix used in init.ldif
LDAP_DOMAIN=
# password of cn=admin,<base DN>
LDAP_ADMIN_PASSWORD=
# password of the cn=config administrator (olcRootPW)
LDAP_CONFIG_PASSWORD=
LDAP_BACKEND=mdb
```
- Prepare init.ldif

The image's bootstrap loads this LDIF on the first start only, i.e. when the data directory is still empty. Entries are separated by blank lines, and the attribute named in each RDN (here ou) must also appear with the same value in the entry body: slapd rejects an add whose naming attribute is missing, so the ou=feishuroot entry must carry ou: feishuroot (the original had ou: feishu, which would make the bootstrap fail).

```ldif
dn: ou=people,dc=quicktable,dc=cn
ou: people
description: User root OU
objectClass: organizationalUnit

dn: ou=dingtalkroot,dc=quicktable,dc=cn
ou: dingtalkroot
description: DingTalk root department
objectClass: top
objectClass: organizationalUnit

dn: ou=wecomroot,dc=quicktable,dc=cn
ou: wecomroot
description: WeCom root department
objectClass: top
objectClass: organizationalUnit

dn: ou=feishuroot,dc=quicktable,dc=cn
ou: feishuroot
description: Feishu root department
objectClass: top
objectClass: organizationalUnit
```
- Generate the ConfigMap (the open-ldap namespace must already exist)

```shell
kubectl create configmap openldap-init --from-file=./init.ldif -n open-ldap
```
Deploy openldap
- Prepare openldap-deployment.yaml

When Aliyun OSS is used as the storage backend, OpenLDAP fails to initialise at startup because directory permissions cannot be changed on OSS, so this deployment pins the pod to one Node with nodeName and mounts local paths with hostPath. Consequences to keep in mind: the pod can only ever run on that node, both directories must exist there before the pod starts, and they hold the cn=config database (including the hashed olcRootPW) and the mdb data files, so treat them as the database they are: keep access on the node restricted and back them up from that node. The --copy-service argument is the one the osixia image documents for running with files mounted under /container/service, as init.ldif is below.
```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: open-ldap
  labels:
    app: openldap
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: Authentication center
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      nodeName: <node-name>   # the Node whose local paths are mounted below
      volumes:
        - name: ldap-data
          hostPath:
            path: /opt/openldap/data/
        - name: ldap-config
          hostPath:
            path: /opt/openldap/config/
        - name: openldap-init
          configMap:
            name: openldap-init
      containers:
        - name: openldap
          args:
            - --copy-service
          image: "docker.mirrors.sjtug.sjtu.edu.cn/osixia/openldap:1.4.0"
          envFrom:
            - secretRef:
                name: openldap-config   # Secret built from openldap-config.txt
          ports:
            - name: tcp-389
              containerPort: 389
              protocol: TCP
            - name: tcp-636
              containerPort: 636
              protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: ldap-config
              mountPath: "/etc/ldap/slapd.d"
            - name: ldap-data
              mountPath: "/var/lib/ldap"
            - name: openldap-init
              mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom/init.ldif
              subPath: init.ldif
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-svc
  namespace: open-ldap
  labels:
    app: openldap-svc
spec:
  ports:
    - name: tcp-389
      port: 389
      protocol: TCP
      targetPort: 389
    - name: tcp-636
      port: 636
      protocol: TCP
      targetPort: 636
  selector:
    app: openldap
```
- Deploy ldap

```shell
kubectl apply -f openldap-deployment.yaml
kubectl -n open-ldap get svc
kubectl -n open-ldap get pods
```

The pod should reach Running and stay there; if it keeps restarting, the bootstrap rejected init.ldif or the openldap-config Secret is missing, and the container log carries the slapd error.
- Deploy phpldapadmin

To make verifying LDAP easier, phpldapadmin is exposed through a NodePort. Two things to be aware of: PHPLDAPADMIN_HTTPS=false serves plain HTTP, so the admin DN and password travel in cleartext to port 30080 on every node, which should therefore be reachable only from a trusted network, and the Deployment is best removed once verification is done. The original manifest also set nodeName to the image name (osixia/phpldapadmin:stable), which leaves the pod Pending forever because no node has that name; phpldapadmin keeps no local state, so the line is simply dropped.

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ldap-phpldapadmin
  namespace: open-ldap
  labels:
    app: ldap-phpldapadmin
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: LDAP admin UI
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ldap-phpldapadmin
  template:
    metadata:
      labels:
        app: ldap-phpldapadmin
    spec:
      containers:
        - name: phpldapadmin
          image: "osixia/phpldapadmin:stable"
          ports:
            - name: tcp-80
              containerPort: 80
              protocol: TCP
          env:
            - name: PHPLDAPADMIN_HTTPS
              value: 'false'   # plain HTTP: verification on a trusted network only
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: openldap-svc
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: ldap-phpldapadmin-svc
  namespace: open-ldap
  labels:
    app: ldap-phpldapadmin-svc
spec:
  type: NodePort
  ports:
    - name: tcp-80
      port: 80
      protocol: TCP
      targetPort: 80
      nodePort: 30080
  selector:
    app: ldap-phpldapadmin
```
```shell
kubectl apply -f openldap-phpadmin-deployment.yaml
kubectl -n open-ldap get svc
kubectl -n open-ldap get pods
```

- Verify at xx.xx.xx.xx:30080. phpldapadmin prompts for a login DN rather than a bare user name: use cn=admin,dc=quicktable,dc=cn (the admin DN for the domain used in init.ldif) with <LDAP_ADMIN_PASSWORD>, then confirm that the four OUs from init.ldif are present under the base DN.
Expose port 389
If LDAP must be reachable by services outside the cluster, port 389 has to be mapped out; this page does it through the ingress-nginx LoadBalancer. Two cautions: ingress-nginx only reads the ConfigMap below if the controller was started with --tcp-services-configmap=kube-system/tcp-services (check the controller's arguments if the port never opens), and port 389 carries simple binds in cleartext, so prefer mapping 636 (LDAPS) where the clients support it and restrict the LoadBalancer's source ranges in any case.
- Prepare the ConfigMap

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: kube-system
data:
  # key: the port the controller listens on (3089 here; any free port can be used)
  # value: <namespace>/<service>:<service port>
  3089: "open-ldap/openldap-svc:389"
```

```shell
kubectl apply -f tcp-service.yaml
kubectl -n kube-system get cm tcp-services -o yaml
```

- Edit the ingress controller Service

```shell
kubectl -n kube-system edit svc nginx-ingress-lb
```

```yaml
...
  ports:
    - name: http
      nodePort: 30118
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      nodePort: 32419
      port: 443
      protocol: TCP
      targetPort: 443
...
```

Add the following port entry:

```yaml
    - name: ldap
      nodePort: 32189
      port: 3089
      protocol: TCP
      targetPort: 3089
```
Deploying Go-Ldap-Admin
An OpenLDAP management backend built with Go and Vue that can synchronise DingTalk, Feishu and WeCom accounts into LDAP.
MySQL and an email account (the mailbox used to send password-reset mail) must be prepared in advance.
- Prepare config.yml

The file below keeps the project's development defaults (debug mode, init-data on, SQL logging, a placeholder JWT key, a 12000-hour token lifetime); the inline comments mark what to change before production.

```yaml
# development
system:
  # run mode (debug/release/test; switch to release for production)
  mode: debug
  # URL prefix
  url-path-prefix: api
  # listen port
  port: 8888
  # whether to initialise data (use when there is no initial data; set to false once released)
  init-data: true
  # RSA public key path (relative to config.yml, or an absolute path)
  rsa-public-key: go-ldap-admin-pub.pem
  # RSA private key path (relative to config.yml, or an absolute path)
  rsa-private-key: go-ldap-admin-priv.pem
logs:
  # log level (-1: Debug, 0: Info, 1: Warn, 2: Error, 3: DPanic, 4: Panic, 5: Fatal; -1 <= level <= 5, see zap.Level)
  level: -1
  # log directory
  path: logs
  # maximum file size, MB
  max-size: 50
  # number of backups to keep
  max-backups: 100
  # retention, days
  max-age: 30
  # compress rotated files
  compress: false
mysql:
  # user name
  username:
  # password
  password:
  # database name
  database: go_ldap_admin
  # host address
  host:
  # port
  port: 3306
  # connection string parameters
  query: parseTime=True&loc=Local&timeout=10000ms
  # log SQL statements (turn off in production)
  log-mode: true
  # table prefix (no trailing underscore; the program adds it)
  table-prefix: tb
  # encoding
  charset: utf8mb4
  # collation (utf8mb4_general_ci is somewhat faster than utf8mb4_unicode_ci)
  collation: utf8mb4_general_ci
# casbin configuration
casbin:
  # model file, relative to config.yml
  model-path: 'rbac_model.conf'
# jwt configuration
jwt:
  # jwt realm
  realm: test jwt
  # server-side signing key; the value below is a placeholder, replace it with a long random string
  key: secret key
  # token lifetime, hours (12000 h is 500 days; shorten it for production)
  timeout: 12000
  # maximum refresh window, hours
  max-refresh: 12000
# token bucket rate limiting
rate-limit:
  # interval between token fills, milliseconds
  fill-interval: 50
  # bucket capacity
  capacity: 200
# email configuration
email:
  port: '465'
  user: 'xxxx'
  from: 'ldap-admin backend'
  host: 'smtp.xxxx'
  is-ssl: true
  pass: 'xxxx'
# ldap configuration
ldap:
  # ldap server URL
  url: ldap://openldap-svc.open-ldap:389
  # maximum number of ldap connections
  max-conn: 10
  # base DN of the ldap server
  base-dn: "dc=xxxx,dc=xxxx"
  # ldap administrator DN
  admin-dn: "cn=admin,dc=xxxx,dc=xxxx"
  # ldap administrator password
  admin-pass: ""
  # OU that holds ldap users
  user-dn: "ou=people,dc=xxxx,dc=xxxx"
  # initial default password for new ldap users
  user-init-password: "xxxx"
  # allow changing group DNs
  group-name-modify: false
  # allow changing user DNs
  user-name-modify: false
# Keep the following three sections even if you do not use them; removing them causes odd errors
dingtalk:
  # how to obtain these values: http://ldapdoc.eryajf.net/pages/94f43a/
  flag: "dingtalk" # identifier of DingTalk on the platform
  app-key: "xxxxxxxxxxxxxxx" # application key
  app-secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxx" # application secret
  agent-id: "12121212" # agent-id is currently unused and can be ignored
  enable-sync: false # enable the scheduled DingTalk sync task
wecom:
  # how to obtain these values: http://ldapdoc.eryajf.net/pages/cf1698/
  flag: "wecom" # identifier of WeCom on the platform
  corp-id: "xxxx" # WeCom corporation ID
  agent-id: 1000003 # ID of the application created in WeCom
  corp-secret: "xxxxx" # secret of the application created in WeCom
  enable-sync: false # enable the scheduled WeCom sync task
feishu:
  # how to obtain these values: http://ldapdoc.eryajf.net/pages/83c90b/
  flag: "feishu" # identifier of Feishu on the platform
  app-id: "xxxx" # Feishu app-id
  app-secret: "xxxx" # Feishu app-secret
  enable-sync: false # enable the scheduled Feishu sync task
```
- Generate the ConfigMap

config.yml carries the MySQL password, the LDAP admin password, the SMTP password and the JWT signing key; a Secret (mounted the same way) is the better home for it, since RBAC and encryption at rest treat Secrets differently from ConfigMaps. The page keeps the ConfigMap form:

```shell
kubectl create configmap config --from-file=./config.yml -n open-ldap
```
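Because the service configured by this file holds the LDAP admin password, the development defaults it ships with (debug mode, init-data on, SQL logging, the literal 'secret key' as JWT signing key, a 12000-hour token lifetime) should not reach production, and the mistakes are easy to miss in a file this long. The script below is an added example, not part of go-ldap-admin: it parses the two-level layout of config.yml with a small purpose-built parser (so PyYAML is not needed) and reports the settings to change. The two sample configs are constructed from the values shown above plus assumed hardened values, and the thresholds (32-character key, 24-hour token lifetime) are this example's own choice rather than a project requirement.

```python
"""Lint go-ldap-admin's config.yml for settings that must not reach production.
Added example, not part of go-ldap-admin. The parser only understands the
"section:" / "  key: value" layout used by that file; nested lists, anchors
and multi-line scalars are not handled."""
import re

SECTION_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(?:#.*)?$")
KEY_RE = re.compile(r"^\s+([A-Za-z][\w-]*):\s*(.*)$")

def clean_value(raw):
    """Unquote a quoted scalar, or strip a trailing ' # comment' from a bare one."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return raw.split(" #", 1)[0].strip()

def parse_config(text):
    """Return {section: {key: value}} with every value kept as a string."""
    conf, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            conf[section][m.group(1)] = clean_value(m.group(2))
    return conf

def audit(conf):
    """Findings as 'section.key: what to change'; an empty list means the file passed."""
    findings = []
    system, jwt, mysql, ldap = (conf.get(s, {}) for s in ("system", "jwt", "mysql", "ldap"))
    if system.get("mode") != "release":
        findings.append("system.mode: set to release for production")
    if system.get("init-data") != "false":
        findings.append("system.init-data: set to false once the database is initialised")
    key = jwt.get("key", "")
    if key == "secret key" or len(key) < 32:
        findings.append("jwt.key: replace the placeholder with a random value of 32+ characters")
    for name in ("timeout", "max-refresh"):
        hours = int(jwt.get(name, "0") or 0)
        if hours > 24:
            findings.append(f"jwt.{name}: {hours} h is too long for a session token; use 24 h or less")
    if mysql.get("log-mode") != "false":
        findings.append("mysql.log-mode: disable SQL logging in production")
    if not ldap.get("admin-pass"):
        findings.append("ldap.admin-pass: must be set, or the service cannot bind")
    return findings

# Constructed sample: the values from the config.yml above, trimmed to the
# sections the audit reads plus two lines that exercise the parser.
WEAK_CONFIG = """\
# development
system:
  mode: debug
  init-data: true
mysql:
  username:
  log-mode: true
jwt:
  realm: test jwt
  key: secret key
  timeout: 12000
  max-refresh: 12000
email:
  port: '465'
ldap:
  admin-pass: ""
dingtalk:
  flag: "dingtalk" # identifier of DingTalk on the platform
"""
# Constructed hardened counterpart; the key and password are example strings only.
HARDENED_CONFIG = """\
system:
  mode: release
  init-data: false
mysql:
  log-mode: false
jwt:
  key: 7f0c1b9e4d2a6c8e1f3b5d7a9c2e4f6b8d0a1c3e
  timeout: 12
  max-refresh: 24
ldap:
  admin-pass: "example-only-not-a-real-password"
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_config(text))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Pointing the script at the real file (read it with open("config.yml").read() in place of WEAK_CONFIG) before running kubectl create configmap turns the production checklist in the file's comments into a gate rather than a reminder.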
- Prepare go-ldap-admin.yaml

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: go-ldap-admin
  namespace: open-ldap
  labels:
    app: go-ldap-admin
  annotations:
    app.kubernetes.io/alias-name: go-ldap-admin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: go-ldap-admin
  template:
    metadata:
      labels:
        app: go-ldap-admin
    spec:
      volumes:
        - name: config
          configMap:
            name: config
      containers:
        - name: go-ldap-admin-server
          image: eryajf/go-ldap-admin-server   # untagged, so it floats with latest; pin a tag in production
          volumeMounts:
            - name: config
              mountPath: /app/config.yml
              subPath: config.yml
          ports:
            - name: tcp-8888
              containerPort: 8888
              protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: go-ldap-admin-server
  namespace: open-ldap
  labels:
    app: go-ldap-admin-server
spec:
  ports:
    - name: tcp-8888
      port: 8888
      protocol: TCP
      targetPort: 8888
  selector:
    app: go-ldap-admin
```
- Prepare go-ldap-admin-ui.yaml

The Ingress below has no tls block, so the admin UI (and the login credentials sent through it) is served over plain HTTP unless TLS is terminated in front of the ingress controller; add a tls section or terminate TLS at the load balancer before exposing the host.

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: go-ldap-admin-ui
  namespace: open-ldap
  labels:
    app: go-ldap-admin-ui
  annotations:
    app.kubernetes.io/alias-name: go-ldap-admin-ui
spec:
  replicas: 1
  selector:
    matchLabels:
      app: go-ldap-admin-ui
  template:
    metadata:
      labels:
        app: go-ldap-admin-ui
    spec:
      containers:
        - name: go-ldap-admin-ui-server
          image: eryajf/go-ldap-admin-ui   # untagged, so it floats with latest; pin a tag in production
          ports:
            - name: tcp-80
              containerPort: 80
              protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 10m
              memory: 10Mi
---
apiVersion: v1
kind: Service
metadata:
  name: go-ldap-admin-ui-svc
  namespace: open-ldap
  labels:
    app: go-ldap-admin-ui-svc
spec:
  type: ClusterIP
  ports:
    - name: tcp-80
      port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: go-ldap-admin-ui
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/service-weight: ""
  name: openldap-ingress
  namespace: open-ldap
spec:
  ingressClassName: nginx
  rules:
    - host: openldap.xxxx.xxxx
      http:
        paths:
          - backend:
              service:
                name: go-ldap-admin-ui-svc
                port:
                  number: 80
            path: /
            pathType: Prefix
```
- Run the deployment

```shell
kubectl apply -f go-ldap-admin.yaml
kubectl apply -f go-ldap-admin-ui.yaml
```

- Log in at the Ingress host with admin/<LDAP_ADMIN_PASSWORD>.