ldap
LDAP:在OIDC流程中是用来做身份认证服务的,包括LDAP身份认证服务器,自己的第三方应用需要调用LDAP的客户端接口,用以访问LDAP服务器进行身份验证。作用:用户验证 用户管理 。
ldap它是用来做统一用户身份认证的.即: 你访问CSDN它说你可以用微信登录,你登录微博,它也支持微信登录等,这就是一种认证服务, 当然它们不一定用LDAP来做为他们的目录服务.LDAP(Light Directory Access Portocol),它是基于X.500标准的轻量级目录访问协议。Linux上实现LDAP的工具是 openladp, 通过配置ldap服务器,将用户信息存储在其中,就可以使用ldap协议,访问用户数据库,来实现LDAP用户认证。
1. 目录树概念
-
目录树:在一个目录服务系统中,整个目录信息集可以表示为一个目录信息树,树中的每个节点是一个条目。
-
条目:每个条目就是一条记录,每个条目有自己的唯一可区别的名称(DN)。
-
对象类(objectclass):与某个实体类型对应的一组属性,对象类是可以继承的,这样父类的必须属性也会被继承下来。
-
属性:描述条目的某个方面的信息,一个属性由一个属性类型和一个或多个属性值组成,属性有必须属性和非必须属性。
| 关键字 |
英文全称 |
含义 |
| dc |
Domain Component |
域名的部分,其格式是将完整的域名分成几部分,如域名为example.com变成dc=example,dc=com(一条记录的所属位置) |
| uid |
User Id |
用户ID songtao.xu(一条记录的ID) |
| ou |
Organization Unit |
组织单位,组织单位可以包含其他各种对象(包括其他组织单元),如“oa组”(一条记录的所属组织) |
| cn |
Common Name |
公共名称,如“Thomas Johansson”(一条记录的名称) |
| sn |
Surname |
姓,如“许” |
| dn |
Distinguished Name |
“uid=songtao.xu,ou=oa组,dc=example,dc=com”,一条记录的位置(唯一) |
| rdn |
Relative dn |
相对辨别名,类似于文件系统中的相对路径,它是与目录树结构无关的部分,如“uid=tom”或“cn= Thomas Johansson” |
LDAP的信息是以树型结构存储的,在树根一般定义国家(c=CN)或域名(dc=com),在其下则往往定义一个或多个组织 (organization)(o=Acme)或组织单元(organizational units) (ou=People)。一个组织单元可能包含诸如所有雇员、大楼内的所有打印机等信息。此外,LDAP支持对条目能够和必须支持哪些属性进行控制,这是有一个特殊的称为对象类别(objectClass)的属性来实现的。该属性的值决定了该条目必须遵循的一些规则,其规定了该条目能够及至少应该包含哪些属性。
2. 基准识别名(Base Distinguished Name, Base DN):一般指整个目录树的根。
The LDAP connector first initializes a connection to the LDAP directory using the bindDN and bindPW. It then tries to search for the given username and bind as that user to verify their password. Searches that return multiple entries are considered ambiguous and will return an error.
bindDN:一般指整个目录树的根
bindPW:设定根节点的管理密码
// BindDN and BindPW for an application service account. The connector uses these
// credentials to search for users and groups.
BindDN string `json:"bindDN"`
BindPW string `json:"bindPW"`
dex的https自签名证书
1.dex容器化部署的自签名证书会已configmap和secret的形式导出。
#dex的helm文件job-web-certs.yaml截取内容
openssl genrsa -out ca-key.pem 2048;
openssl req -x509 -new -nodes -key ca-key.pem -days {{ .Values.certs.web.caDays }} -out ca.pem -subj "/CN=dex-ca";
openssl genrsa -out key.pem 2048;
openssl req -new -key key.pem -out csr.pem -subj "/CN=dex" -config req.cnf;
openssl x509 -req -in csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -days {{ .Values.certs.web.certDays }} -extensions v3_req -extfile req.cnf;
kubectl create configmap {{ $caName | quote }} --namespace {{ .Release.Namespace }} --from-file dex-ca.pem=ca.pem;
kubectl create secret tls {{ $caName | quote }} --namespace {{ .Release.Namespace }} --cert=ca.pem --key=ca-key.pem;
kubectl create secret tls {{ $tlsSecretName }} --namespace {{ .Release.Namespace }} --cert=cert.pem --key=key.pem;
2. 在签署证书(server.csr签署ca.crt)之前需要确认openssl.cnf中的配置。openssl.cnf用来进行下一步生成服务器签署申请文件server.csr(openssl req -new -out server.csr -key server.key -config /etc/ssl/openssl.cnf)。
#openssl.cnf的alt_names域中如果没有IP这一项,浏览器使用IP访问时验证无法通过
[ alt_names ]
IP.1 = 192.168.50.115 #配置https服务端的访问ip
DNS.1 = dfe.leida.org #配置https服务端的访问域名可配多个
DNS.2 = ex.abcexpale.net
容器化部署中的dex-server中ldap配置
# Default values for dex
# This is a YAML-formatted file.
# Declare name/value pairs to be passed into your templates.
# name: value
image: node5:5000/dex
imageTag: "v2.21.0"
imagePullPolicy: "IfNotPresent"
inMiniKube: false
nodeSelector: {}
podLabels: {}
podAnnotations: {}
initContainers: []
tolerations: []
# - key: CriticalAddonsOnly
# operator: Exists
# - key: foo
# operator: Equal
# value: bar
# effect: NoSchedule
replicas: 2
# resources:
# limits:
# cpu: 100m
# memory: 50Mi
# requests:
# cpu: 100m
# memory: 50Mi
# grpc support
grpc: false
# https termination by dex itself
https: false #false配置的话dex-server则为http服务.
ports:
web:
containerPort: 5556
# for service.type: NodePort
nodePort: 32000
servicePort: 32000
# Relevant only when grpc support is enabled
grpc:
containerPort: 5000
# for service.type: NodePort
nodePort: 35000
servicePort: 35000
livenessProbe:
enabled: true
initialDelaySeconds: 1
failureThreshold: 1
httpPath: "/healthz"
periodSeconds: 10
timeoutSeconds: 1
readinessProbe:
enabled: true
initialDelaySeconds: 1
failureThreshold: 1
httpPath: "/healthz"
periodSeconds: 10
timeoutSeconds: 1
service:
type: NodePort #在容器化部署中建议选择nodeport的类型用于外网ip连接
# Override IP for the Service Type: LoadBalancer.
# This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created.
# loadBalancerIP: 127.0.0.1
annotations: {}
ingress:
enabled: true
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
path: /
hosts:
- dex.tars.com
tls: []
# - secretName: dex-example-tls
# hosts:
# - dex.example.com
extraVolumes: []
extraVolumeMounts: []
certs:
securityContext:
enabled: true
runAsUser: 65534
fsGroup: 65534
image: node5:5000/kubernetes-dashboard-init-amd64
imageTag: "v1.0.0"
imagePullPolicy: "IfNotPresent"
# Section below is relevant only when https termination is enabled
web:
create: true
activeDeadlineSeconds: 300
caDays: 10000
certDays: 10000
altNames:
- dex.io
altIPs: {}
secret:
tlsName: dex-web-server-tls
caName: dex-web-server-ca
pod:
annotations: {}
# Section below is relevant only when grpc support is enabled
grpc:
create: true
activeDeadlineSeconds: 300
altNames:
- dex.io
altIPs: {}
secret:
serverTlsName: dex-grpc-server-tls
clientTlsName: dex-grpc-client-tls
caName: dex-grpc-ca
pod:
annotations: {}
env: []
rbac:
# Specifies whether RBAC resources should be created
create: true
crd:
# Specifies whether dex's CRDs are already present (if not cluster role and cluster role binding will be created
# to enable dex to create them). Depends on rbac.create
present: false
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
affinity: {}
# podAntiAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 5
# podAffinityTerm:
# topologyKey: "kubernetes.io/hostname"
# labelSelector:
# matchLabels:
# app: {{ template "dex.name" . }}
# release: "{{ .Release.Name }}"
podDisruptionBudget: {}
# maxUnavailable: 1
config:
issuer: http://dex.dex:32000 ##建议改成ip,貌似用域名的会出现验证的问题
storage:
type: kubernetes
config:
inCluster: true
logger:
level: debug
web:
# port is taken from ports section above
address: 0.0.0.0
tlsCert: /etc/dex/tls/https/server/tls.crt
tlsKey: /etc/dex/tls/https/server/tls.key
# Section below is relevant only when grpc support is enabled
grpc:
# port is taken from ports section above
address: 127.0.0.1
tlsCert: /etc/dex/tls/grpc/server/tls.crt
tlsKey: /etc/dex/tls/grpc/server/tls.key
tlsClientCA: /etc/dex/tls/grpc/ca/tls.crt
connectors:
- type: ldap
id: ldap
name: openLDAP
config:
host: openldap.openldap:389 #ldap-server的host
# No TLS for this setup.
insecureNoSSL: true
clientID: authServer
clientSecret: XhhbXBsZS1hcHAtc2VjcmV0
redirectURI: http://dex.dex:32000/callback
org: kubernetes
# This would normally be a read-only user.
bindDN: cn=admin,dc=alibaba,dc=com
bindPW: test
usernamePrompt: User Name
userSearch:
baseDN: ou=staff,dc=tencent,dc=com #搜索条目的基域
filter: (objectclass=organizationalPerson)
username: uid
# "DN" (case sensitive) is a special attribute name. It indicates that
# this value should be taken from the entity's DN not an attribute on
# the entity.
idAttr: uid
emailAttr: mail
nameAttr: cn
groupSearch:
baseDN: dc=alibaba,dc=com
filter: (objectclass=People)
userMatchers:
# A user is a member of a group when their DN matches
# the value of a "member" attribute on the group entity.
- userAttr: uid
groupAttr: member
#The group name should be the "cn" value.
nameAttr: cn
oauth2:
alwaysShowLoginScreen: false
skipApprovalScreen: true
expiry:
signingKeys: "6h"
idTokens: "24h"
staticClients: #dex-client的配置
- id: authServer
redirectURIs: #dex-client的回调url
- 'http://127.0.0.1:5555/callback'
name: 'authServer'
secret: XhhbXBsZfdfdS1hdfcHAtc2VfjcmV0
enablePasswordDB: true
# staticPasswords:
# - email: "admin@example.com"
# # bcrypt hash of the string "password"
# hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
# username: "admin"
# userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
# frontend:
# logoURL: https://example.com/yourlogo.png
