一:系统版本
二:部署环境
节点名称
IP
部署组件及版本
配置文件路径
机器CPU
机器内存
机器存储
Ldap
10.10.10.111
self-service-password:latest
phpldapadmin:latest
openldap:latest
openldap:/data/openldap/config
phpldapadmin(只是web管理界面,数据依托openldap)
self-service-password:/data/self-service-password/data
2*16cores
64g
50g 系统
800g 数据盘
三:部署流程
(1)安装docker和docker-compose
apt-get install -y docker
wget https:///docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
mv docker-compose-Linux-x86_64 /usr/bin/docker-compose(2)提前拉取需要用到的镜像
docker pull osixia/openldap:latest
docker pull osixia/phpldapadmin:latest
docker pull tiredofit/self-service-password:latest(3)准备应用要挂载的配置文件目录
mkdir -p /data/openldap/data
mkdir -p /data/openldap/config
mkdir -p /data/self-service-password/data
mkdir -p /data/self-service-password/logs
备注:如遇到读取文件权限问题请使用 chmod 755 -R /data/self-service-password/data(4)所有组件的部署方式全部为docker-compose形式编排部署,docker-compose.yml文件所在路径/app/ldap_docker_compose/,编排内容:
~]# mkdir -p /app/ldap_docker_compose/
~]# cat /app/ldap_docker_compose/docker-compose.yml
version: '3'
services:
## 安装openldap
openldap:
container_name: openldap
image: osixia/openldap:latest
restart: always
environment:
TZ: Asia/Shanghai
LDAP_ORGANISATION: "Manager"
LDAP_DOMAIN: "westhab.com"
LDAP_ADMIN_PASSWORD: "admin123456"
LDAP_CONFIG_PASSWORD: "admin123456"
volumes:
- /data/openldap/data:/var/lib/ldap
- /data/openldap/config:/etc/ldap/slapd.d
ports:
- '389:389'
## 安装phpldapadmin
phpldapadmin:
container_name: phpldapadmin
image: osixia/phpldapadmin:latest
environment:
PHPLDAPADMIN_LDAP_HOSTS: openldap
PHPLDAPADMIN_HTTPS: "false"
ports:
- "30004:80"
depends_on:
- openldap
## 安装自助修改密码插件self-service-password
change-ldap-password:
container_name: self-service-password
image: tiredofit/self-service-password:latest
restart: always
ports:
- "8080:80"
environment:
- LDAP_SERVER=ldap://10.10.10.111:389
- LDAP_STARTTLS=false
- LDAP_BINDDN=cn=admin,dc=westhab,dc=com
- LDAP_BINDPASS=admin123456
- LDAP_BASE_SEARCH=dc=westhab,dc=com
- LDAP_LOGIN_ATTRIBUTE=uid
- LDAP_FULLNAME_ATTRIBUTE=cn
# 邮箱配置模块
- MAIL_FROM=emis@skycloudsys.com
- MAIL_FROM_NAME=账号自助服务平台
- SMTP_DEBUG=0
- SMTP_HOST=
- SMTP_USER=emis@skycloudsys.com
- SMTP_PASS=QUN3ZSQmNzQ1QkJjaQ==
- SMTP_SECURE_TYPE=tls
- SMTP_AUTOTLS=false
- SMTP_AUTH_ON=true
- NOTIFY_ON_CHANGE=true
volumes:
- /etc/localtime:/etc/localtime
- /data/self-service-password/data:/www/ssp
- /data/self-service-password/logs:/www/logs(5)启动服务
#开始部署
~]# docker-compose up -d
#停止运行的容器实例
~]# docker-compose stop
#单独启动容器
~]# docker-compose up -d phpldapadmin
#重启所有容器
~]# docker-compose restart
#查看服务状态
~]# docker-compose ps(6)查看服务状态
(7) 功能测试
1、ldapadmin服务访问测试:(正常)
2、ldapadmin增删改查功能测试:(正常)
3、selfpasswd(自助密码修改服务)访问测试:(正常)
4、selfpasswd功能测试(原密码修改密码,忘记密码邮箱重置密码):(正常)
(8)部署过程遇到的问题总结:
问题1:由于使用的阿里云smtp服务密码"ACwe$&745BBci"存在连续特殊字符"$&",而docker-compose的yaml文件无法对连续的特殊字符做转义,尝试使用把密码以挂载env_file形式去传递到docker内部,但是测试此种方案发现没有生效。
解决办法:尝试对原密码进行base64位加密,然后去修改docker volume的服务器上的本地配置文件做base64的解码,以这种方式去规避连续特殊字符。(修改完之后需要重启docker服务生效 docker-compose restart)
在index.php中的email password 修改原配置为base64_decode($mail_smtp_pass);
在/data/self-service-password/data/conf/config.inc.php中的email password 修改原配置为 $mail_smtp_pass = base64_decode($mail_smtp_pass);
问题2:发现邮件重置密码时,重置链接不完整,缺少实际的ip或域名信息。
解决办法:在修改docker volume的服务器上的本地配置/data/self-service-password/data/conf/config.inc.php文件补全重置邮件链接的前缀换成域名信息。(修改完之后需要重启docker服务生效 docker-compose restart)
三:服务接入
关于要用到的ldap目录树的解释:
1. 基础 DN(Base DN): 作用: 基础 DN 是 LDAP 搜索操作的起始点,指定了搜索的根节点。 用途: 当执行 LDAP 搜索操作时,基础 DN 指定了搜索的起始位置,搜索将从该位置开始递归地向下搜索整个 LDAP 目录树。 示例: 基础 DN 可以是整个 LDAP 目录树的根节点,如 dc=example,dc=com,或者是特定组织单位(OU)的 DN。
2. 搜索 DN(Search DN): 作用: 搜索 DN 是用于执行 LDAP 搜索操作时的身份验证信息,用于访问 LDAP 目录中的数据。 用途: 在执行 LDAP 搜索操作时,需要提供搜索 DN 和相应的密码以进行身份验证,以便访问 LDAP 数据。 示例: 搜索 DN 可以是具有适当权限的用户或服务账户的 DN,用于执行 LDAP 搜索操作。(1)grafana对接ldap
1.在grafana.ini中启用ldap服务开关
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
# prevent synchronizing ldap users organization roles
skip_org_role_sync = true
2.ldap.toml配置
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "10.10.100.111"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])
# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
tls_ciphers = []
# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.
min_tls_version = ""
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn
bind_dn = "cn=admin,dc=westhpc,dc=com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'admin123456'
# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
# bind_password = '$__env{LDAP_BIND_PASSWORD}'
# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
timeout = 10
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"
# An array of base dns to search through
search_base_dns = ["dc=westhap,dc=com"]
## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["dc=westhab,dc=com"]
# group_search_filter_user_attribute = "uid"
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "cn"
email = "email"
# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
org_role = "Admin"
# To make user an instance admin (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1
[[servers.group_mappings]]
group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
org_role = "Editor"
[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"3.重启服务生效
docker-compose restart
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
