ubuntu22.04服务器docker-compose方式部署ldap服务

服务器 0

一:系统版本

二:部署环境

节点名称

IP

部署组件及版本

配置文件路径

机器CPU

机器内存

机器存储

Ldap

10.10.10.111

self-service-password:latest

phpldapadmin:latest

openldap:latest

openldap:/data/openldap/config

phpldapadmin(只是web管理界面,数据依托openldap)

self-service-password:/data/self-service-password/data

2*16cores

64g

50g 系统

800g 数据盘

三:部署流程

(1)安装docker和docker-compose

apt-get install -y docker wget https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64 mv docker-compose-Linux-x86_64 /usr/bin/docker-compose

(2)提前拉取需要用到的镜像

docker pull osixia/openldap:latest docker pull osixia/phpldapadmin:latest docker pull tiredofit/self-service-password:latest

(3)准备应用要挂载的配置文件目录

mkdir -p /data/openldap/data mkdir -p /data/openldap/config mkdir -p /data/self-service-password/data mkdir -p /data/self-service-password/logs 备注:如遇到读取文件权限问题请使用 chmod 755 -R /data/self-service-password/data

(4)所有组件的部署方式全部为docker-compose形式编排部署,docker-compose.yml文件所在路径/app/ldap_docker_compose/,编排内容:

~]# mkdir -p /app/ldap_docker_compose/~]# cat /app/ldap_docker_compose/docker-compose.ymlversion: '3'services:  ## 安装openldap  openldap:    container_name: openldap    image: osixia/openldap:latest    restart: always    environment:      TZ: Asia/Shanghai      LDAP_ORGANISATION: "Manager"      LDAP_DOMAIN: "westhab.com"      LDAP_ADMIN_PASSWORD: "admin123456"      LDAP_CONFIG_PASSWORD: "admin123456"    volumes:      - /data/openldap/data:/var/lib/ldap      - /data/openldap/config:/etc/ldap/slapd.d    ports:      - '389:389'  ## 安装phpldapadmin  phpldapadmin:    container_name: phpldapadmin    image: osixia/phpldapadmin:latest    environment:      PHPLDAPADMIN_LDAP_HOSTS: openldap      PHPLDAPADMIN_HTTPS: "false"    ports:      - "30004:80"    depends_on:      - openldap  ## 安装自助修改密码插件self-service-password  change-ldap-password:    container_name: self-service-password    image: tiredofit/self-service-password:latest    restart: always    ports:      - "8080:80"    environment:      - LDAP_SERVER=ldap://10.10.10.111:389      - LDAP_STARTTLS=false      - LDAP_BINDDN=cn=admin,dc=westhab,dc=com      - LDAP_BINDPASS=admin123456      - LDAP_BASE_SEARCH=dc=westhab,dc=com      - LDAP_LOGIN_ATTRIBUTE=uid      - LDAP_FULLNAME_ATTRIBUTE=cn      # 邮箱配置模块      - MAIL_FROM=emis@skycloudsys.com      - MAIL_FROM_NAME=账号自助服务平台      - SMTP_DEBUG=0      - SMTP_HOST=smtp.qiye.aliyun.com      - SMTP_USER=emis@skycloudsys.com      - SMTP_PASS=QUN3ZSQmNzQ1QkJjaQ==      - SMTP_SECURE_TYPE=tls      - SMTP_AUTOTLS=false      - SMTP_AUTH_ON=true      - NOTIFY_ON_CHANGE=true    volumes:      - /etc/localtime:/etc/localtime      - /data/self-service-password/data:/www/ssp      - /data/self-service-password/logs:/www/logs

(5)启动服务

#开始部署~]# docker-compose up -d#停止运行的容器实例~]# docker-compose stop#单独启动容器~]# docker-compose up -d phpldapadmin#重启所有容器~]# docker-compose restart#查看服务状态~]# docker-compose ps

(6)查看服务状态

(7)  功能测试

1、ldapadmin服务访问测试:(正常

2、ldapadmin增删改查功能测试:(正常

3、selfpasswd(自助密码修改服务)访问测试:(正常

4、selfpasswd功能测试(原密码修改密码,忘记密码邮箱重置密码):(正常

(8)部署过程遇到的问题总结:

问题1:由于使用的阿里云smtp服务密码"ACwe$&745BBci"存在连续特殊字符"$&",而docker-compose的yaml文件无法对连续的特殊字符做转义,尝试使用把密码以挂载env_file形式去传递到docker内部,但是测试此种方案发现没有生效。

解决办法:尝试对原密码进行base64位加密,然后去修改docker volume的服务器上的本地配置文件做base64的解码,以这种方式去规避连续特殊字符。(修改完之后需要重启docker服务生效 docker-compose restart

在index.php中的email password 修改原配置为base64_decode($mail_smtp_pass);

在/data/self-service-password/data/conf/config.inc.php中的email password 修改原配置为 $mail_smtp_pass = base64_decode($mail_smtp_pass);

问题2:发现邮件重置密码时,重置链接不完整,缺少实际的ip或域名信息。

解决办法:在修改docker volume的服务器上的本地配置/data/self-service-password/data/conf/config.inc.php文件补全重置邮件链接的前缀换成域名信息。(修改完之后需要重启docker服务生效 docker-compose restart

三:服务接入

关于要用到的ldap目录树的解释:

1. 基础 DN(Base DN): 作用: 基础 DN 是 LDAP 搜索操作的起始点,指定了搜索的根节点。 用途: 当执行 LDAP 搜索操作时,基础 DN 指定了搜索的起始位置,搜索将从该位置开始递归地向下搜索整个 LDAP 目录树。 示例: 基础 DN 可以是整个 LDAP 目录树的根节点,如 dc=example,dc=com,或者是特定组织单位(OU)的 DN。

2. 搜索 DN(Search DN): 作用: 搜索 DN 是用于执行 LDAP 搜索操作时的身份验证信息,用于访问 LDAP 目录中的数据。 用途: 在执行 LDAP 搜索操作时,需要提供搜索 DN 和相应的密码以进行身份验证,以便访问 LDAP 数据。 示例: 搜索 DN 可以是具有适当权限的用户或服务账户的 DN,用于执行 LDAP 搜索操作。

(1)grafana对接ldap

1.在grafana.ini中启用ldap服务开关

enabled = trueconfig_file = /etc/grafana/ldap.tomlallow_sign_up = true# prevent synchronizing ldap users organization rolesskip_org_role_sync = true

2.ldap.toml配置

# To troubleshoot and get more log info enable ldap debug logging in grafana.ini# [log]# filters = ldap:debug[[servers]]# Ldap server host (specify multiple hosts space separated)host = "10.10.100.111"# Default port is 389 or 636 if use_ssl = trueport = 389# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)use_ssl = false# If set to true, use LDAP with STARTTLS instead of LDAPSstart_tls = false# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.gotls_ciphers = []# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.min_tls_version = ""# set to true if you want to skip ssl cert validationssl_skip_verify = false# set to the path to your root CA certificate or leave unset to use system defaults# root_ca_cert = "/path/to/certificate.crt"# Authentication against LDAP servers requiring client certificates# client_cert = "/path/to/client.crt"# client_key = "/path/to/client.key"# Search user bind dnbind_dn = "cn=admin,dc=westhpc,dc=com"# Search user bind password# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""bind_password = 'admin123456'# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion# bind_password = '$__env{LDAP_BIND_PASSWORD}'# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))timeout = 10# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"search_filter = "(uid=%s)"# An array of base dns to search throughsearch_base_dns = ["dc=westhap,dc=com"]## For Posix or LDAP setups that does not support member_of attribute you can define the below settings## Please check grafana LDAP docs for examplesgroup_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"group_search_base_dns = ["dc=westhab,dc=com"]# group_search_filter_user_attribute = "uid"# Specify names of the ldap attributes your ldap uses[servers.attributes]name = "givenName"surname = "sn"username = "uid"member_of = "cn"email =  "email"# Map ldap groups to grafana org roles[[servers.group_mappings]]group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"org_role = "Admin"# To make user an instance admin  (Grafana Admin) uncomment line below# grafana_admin = true# The Grafana organization database id, optional, if left out the default org (id 1) will be used# org_id = 1[[servers.group_mappings]]group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"org_role = "Editor"[[servers.group_mappings]]# If you want to match all (or no ldap groups) then you can use wildcardgroup_dn = "*"org_role = "Viewer"

3.重启服务生效

docker-compose restart
4.验证grafana和ldap是否对接成功

也许您对下面的内容还感兴趣: