OpenShift 3.11 and LDAP integration

1. Installing OpenLDAP

Only the main steps are recorded here; for the full procedure see

https://access.redhat.com/solutions/2484371

# yum install -y openldap openldap-clients openldap-servers

[root@rhel7 ~]# cd /etc/openldap/slapd.d/
[root@rhel7 slapd.d]# ls -l
drwxr-x---. 4 ldap ldap 4096 Aug  3 22:49 cn=config
-rw-------. 1 ldap ldap  589 Aug  2 23:39 cn=config.ldif
[root@rhel7 slapd.d]# cd cn\=config
[root@rhel7 cn=config]# ls -l
drwxr-x---. 2 ldap ldap 4096 Aug  3 22:11 cn=schema
-rw-------. 1 ldap ldap  378 Aug  2 22:21 cn=schema.ldif
-rw-------. 1 ldap ldap  552 Aug  3 20:42 olcDatabase={0}config.ldif
-rw-------. 1 ldap ldap  443 Aug  2 22:21 olcDatabase={-1}frontend.ldif
-rw-------. 1 ldap ldap  562 Aug  2 22:21 olcDatabase={1}monitor.ldif
drwxr-x---. 2 ldap ldap   65 Aug  3 22:53 olcDatabase={2}hdb.ldif


Set the database suffix and the root DN and password. The root DN must sit under the suffix, and it is the DN that every ldapadd below binds as, so it is cn=Manager,dc=mydomain,dc=com:

[root@rhel7 cn=config]# vi /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif
olcSuffix: dc=mydomain,dc=com
olcRootDN: cn=Manager,dc=mydomain,dc=com
olcRootPW: redhat

Editing the files under slapd.d by hand only takes effect while slapd is stopped; on a running server change these values with ldapmodify against cn=config. olcRootPW also accepts a hash produced by slappasswd, which is preferable to the clear-text value shown here (fine for a lab, not for anything reachable by others).

[root@rhel7 cn=config]# vi olcDatabase\=\{0\}config.ldif
olcRootDN: cn=config
olcRootPW: secret

[root@rhel7 cn=config]# slaptest -u
config file testing succeeded

Start the service:

# systemctl start slapd

Load the main schemas (from /etc/openldap/schema):

[root@node2 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f ./cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

[root@node2 schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f ./inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"

Add the base entry and the organizational units for users and groups:

$ cat base.ldif
dn: dc=mydomain,dc=com
objectClass: dcObject
objectClass: organization
# dcObject requires dc, and slapd also requires the RDN attribute (dc=mydomain) to be present in the entry
dc: mydomain
o: mydomain.com

dn: ou=users,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: ou=groups,dc=mydomain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

[root@node2 ~]# ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -w redhat -f base.ldif
adding new entry "dc=mydomain,dc=com"

adding new entry "ou=users,dc=mydomain,dc=com"

adding new entry "ou=groups,dc=mydomain,dc=com"

Add user entries

Generate the password hash that goes into userPassword. Note that slappasswd -s takes the clear-text password on the command line, where it ends up in the shell history and is visible to other users in ps; running slappasswd with no argument prompts for it instead:

slappasswd -s welcome1

[root@node2 ~]# cat users.ldif 
dn: cn=admin,ou=users,dc=mydomain,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: admin
sn: admin
displayName: admin
mail: admin@mydomain.com
userPassword: {SSHA}KX9+kEHfc/ywaGlZTF3ZsqSecbARs9Yp
[root@node2 ~]# ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -w redhat -f users.ldif
adding new entry "cn=admin,ou=users,dc=mydomain,dc=com"
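As an added example (not code from the original post or from OpenLDAP), the Python below does what slappasswd does and what slapd does on a simple bind: an {SSHA} value is the base64 of SHA-1(password || salt) with the salt appended in clear after the 20-byte digest, so the verifier can recover the salt. The only input taken from the page is the hash format; the hash string above is used just to read off its salt length.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the {SSHA} value slappasswd writes: base64(SHA-1(password || salt) || salt).

    A fresh random salt per password means two users with the same password
    still get different hashes, which defeats precomputed tables.
    """
    if salt is None:
        salt = os.urandom(4)  # short random salt, as slappasswd uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a digest and a salt")
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison: timing must not reveal how many bytes matched
    return hmac.compare_digest(candidate, digest)


def ssha_salt_length(stored: str) -> int:
    """Length in bytes of the salt embedded in a stored {SSHA} value."""
    return len(base64.b64decode(stored[len(SCHEME):])) - DIGEST_LEN


if __name__ == "__main__":
    # Prompt for the password instead of taking it as an argument, so it never
    # appears in shell history or in the process list as `slappasswd -s welcome1` does.
    import getpass
    print(ssha_hash(getpass.getpass("New password: ")))
```

SSHA is a single salted SHA-1, which is fast to brute-force offline; it is what a stock RHEL 7 slapd offers, and stronger schemes need additional slapd password modules. Keep the directory's database files and backups as tightly protected as the Manager password.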

Add another one:

[root@node2 ~]# ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -w redhat -f eric.ldif
adding new entry "cn=eric,ou=users,dc=mydomain,dc=com"

An ldapsearch lists everything under the base:

ldapsearch -x -D 'cn=Manager,dc=mydomain,dc=com' -b dc=mydomain,dc=com -w redhat

The OpenShift configuration below searches with an empty bindDN, so repeat the search without -D and -w as well: if an anonymous search returns nothing, OpenShift will not find the users either.

2. Integrating OpenShift with LDAP

  • Edit the master configuration file

/etc/origin/master/master-config.yaml

The relevant part is oauthConfig; the whole block is reproduced here:

oauthConfig:
  assetPublicURL: https://master.example.com:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: my_ldap_provider
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: ''        # empty: the user search runs as an anonymous bind
      bindPassword: ''
      ca: ''
      insecure: true    # plain ldap:// without TLS, so the user's password crosses the wire in clear; lab use only
      kind: LDAPPasswordIdentityProvider
      url: ldap://192.168.56.105:389/ou=users,dc=mydomain,dc=com?cn   # baseDN?attribute: the login name is matched against cn
  masterCA: ca-bundle.crt
  masterPublicURL: https://master.example.com:8443
  masterURL: https://master.example.com:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500

  • Restart the master after the change

# master-restart api
# master-restart controllers

Points to note:

  • Only change the identityProviders part and leave the rest alone. I accidentally deleted one line and it took me an afternoon to find where the error was.
  • bindDN and bindPassword are not needed: the Manager password is required when loading entries into LDAP, but OpenShift only searches for the login name and then binds as the entry it found, using the password the user typed, and this OpenLDAP permits that search anonymously. If the directory does not allow anonymous search, set bindDN to a read-only service account; the Manager DN has no business in master-config.yaml.

3. Troubleshooting

  • Raise the log level in master.env (the default is 2, the maximum is 8):
[root@master ~]# cat /etc/origin/master/master.env 

# Proxy configuration
# See https://docs.openshift.com/container-platform/latest/install_config/http_proxies.html#configuring-hosts-for-proxies-using-ansible

DEBUG_LOGLEVEL=4

  • Read the logs with master-logs
/usr/local/bin/master-logs api api

The other components work the same way:

# /usr/local/bin/master-logs controllers controllers
# /usr/local/bin/master-logs api api
# /usr/local/bin/master-logs etcd etcd

Once the log shows no errors, an LDAP user can log in; verify with oc get users:

[root@master ~]# oc get users
NAME                                  UID                                    FULL NAME   IDENTITIES
admin                                 c746e175-f46f-11e8-ba5a-080027dc991a               htpasswd_auth:admin
alice                                 0b722de4-f7b9-11e8-88eb-080027dc991a   alice       my_ldap_provider:cn=alice,ou=users,dc=mydomain,dc=com
cn=eric,ou=users,dc=mydomain,dc=com   03ae746c-f7b9-11e8-88eb-080027dc991a   eric        my_ldap_provider:cn=eric,ou=users,dc=mydomain,dc=com
tom                                   4c9a87fd-f7b9-11e8-88eb-080027dc991a   tom         my_ldap_provider:cn=tom,ou=users,dc=mydomain,dc=com

(The original post showed this table as a screenshot because it did not render well.)

Why does eric's NAME carry the whole DN? Checking the LDIF showed that eric.ldif defined no uid, so the preferredUsername attribute was empty and OpenShift fell back to the id attribute, the DN; alice and tom, who have a uid, got short names. Delete the entry and add it again with a uid:

[root@node2 ~]# ldapdelete  -x -D "cn=Manager,dc=mydomain,dc=com" -w redhat "cn=eric,ou=users,dc=mydomain,dc=com"
[root@node2 ~]# vi eric.ldif 
[root@node2 ~]# ldapadd   -x -D "cn=Manager,dc=mydomain,dc=com" -w redhat -f eric.ldif
adding new entry "cn=eric,ou=users,dc=mydomain,dc=com"

The sync took too long.

OpenShift keeps the User and Identity objects it created at the first login and does not rename an existing user when the LDAP entry changes, so re-adding eric is not enough on its own: delete the stale objects with oc delete user and oc delete identity (the identity is named my_ldap_provider:cn=eric,ou=users,dc=mydomain,dc=com) and log in again, so that eric is provisioned under the new name.
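The following Python script is an added example, not part of the original post or of OpenShift. It replays offline what the LDAPPasswordIdentityProvider configured in section 2 does with a login name: parse the ldap:// URL (base DN, attribute, scope, filter, with the provider's documented defaults uid/sub/(objectClass=*)), build the search filter with RFC 4515 escaping of the login name, find the entry in a constructed ou=users, and apply the attributes: mapping. The sample LDIF and the exact string shape of the combined filter are assumptions; the fallback from an empty preferredUsername to the id attribute is the behaviour visible in the oc get users output above. The password bind that follows in the real provider is not simulated.

```python
"""Replay of the LDAPPasswordIdentityProvider login lookup against a constructed directory."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample (not the page's directory): alice has a uid, eric does not.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,dc=mydomain,dc=com
objectClass: inetOrgPerson
cn: alice
sn: alice
uid: alice
mail: alice@mydomain.com

dn: cn=eric,ou=users,dc=mydomain,dc=com
objectClass: inetOrgPerson
cn: eric
sn: eric
mail: eric@mydomain.com
"""

LDAP_URL = "ldap://192.168.56.105:389/ou=users,dc=mydomain,dc=com?cn"  # from master-config.yaml
# attributes: block of the provider, copied from master-config.yaml above
ATTRIBUTES = {"id": ["dn"], "email": ["mail"], "name": ["cn"], "preferredUsername": ["uid"]}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of `attr: value` lines.
    Attribute names are lower-cased (LDAP names are case-insensitive); base64 (`::`)
    values and continuation lines are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def parse_ldap_url(url):
    """Split an RFC 4516 URL `ldap://host:port/baseDN?attribute?scope?filter`, applying
    the provider's documented defaults: attribute uid, scope sub, filter (objectClass=*)."""
    parts = urlsplit(url)
    fields = parts.query.split("?")
    base_dn = unquote(parts.path.lstrip("/"))
    attribute = fields[0] or "uid"
    scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
    flt = fields[2] if len(fields) > 2 and fields[2] else "(objectClass=*)"
    return base_dn, attribute, scope, flt


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed inside a search filter, so a login name such as
    `*)(uid=*` cannot change the filter's meaning (LDAP injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def map_identity(entry):
    """Apply the attributes: mapping; the first non-empty attribute wins. When
    preferredUsername is empty the user is named by the id attribute (the DN), which is
    why eric appeared in `oc get users` as cn=eric,ou=users,dc=mydomain,dc=com."""
    def first(names):
        for name in names:
            values = entry.get(name.lower())
            if values:
                return values[0]
        return ""
    identity = {key: first(names) for key, names in ATTRIBUTES.items()}
    if not identity["id"]:
        raise ValueError("no id attribute on " + entry["dn"][0])
    identity["preferredUsername"] = identity["preferredUsername"] or identity["id"]
    return identity


def login_lookup(url, username, entries):
    """Return (search filter, identity dict) for one login name, or raise unless the
    search yields exactly one entry (scope is not modelled; base DN is a suffix check)."""
    base_dn, attribute, _scope, flt = parse_ldap_url(url)
    # Assumed shape: the configured filter ANDed with a match on the login attribute.
    search_filter = "(&%s(%s=%s))" % (flt, attribute, escape_filter_value(username))
    matches = [
        e for e in entries
        if e["dn"][0].lower().endswith(base_dn.lower())
        and any(v.lower() == username.lower() for v in e.get(attribute.lower(), []))
    ]
    if len(matches) != 1:
        raise LookupError("%s matched %d entries, login refused" % (search_filter, len(matches)))
    return search_filter, map_identity(matches[0])


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for login in ("alice", "eric"):
        print(login, "->", login_lookup(LDAP_URL, login, directory)[1]["preferredUsername"])
```

Paste a real users.ldif into SAMPLE_LDIF to see, before touching OpenShift, which entries would be named by their DN; anything that comes back as a DN is missing the attribute listed under preferredUsername.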

4. Syncing LDAP groups

Insert a group into LDAP; the method is the same as for a user:

[root@node2 ~]# cat group.ldif 
dn: cn=admins,ou=groups,dc=mydomain,dc=com
objectClass: groupOfNames
cn: admins
owner: cn=Manager,dc=mydomain,dc=com
member: cn=eric,ou=users,dc=mydomain,dc=com

Write the sync configuration (groups.yaml):

kind: LDAPSyncConfig
apiVersion: v1
url: ldap://192.168.56.105:389
insecure: true                      # same lab-only trade-off as in master-config.yaml; no bindDN, so the sync searches anonymously
rfc2307:
    groupsQuery:
        baseDN: "ou=groups,dc=mydomain,dc=com"
        scope: sub
        derefAliases: never
        filter: (objectclass=groupOfNames)
    groupUIDAttribute: dn
    groupNameAttributes: [ cn ]
    groupMembershipAttributes: [ member ]
    usersQuery:
        baseDN: "ou=users,dc=mydomain,dc=com"
        scope: sub
        derefAliases: never
        pageSize: 0
    userUIDAttribute: dn
    userNameAttributes: [ dn ]      # names members by DN; the identity provider names users by uid, so use [ uid ] here for the two to match
    tolerateMemberNotFoundErrors: true
    tolerateMemberOutOfScopeErrors: true

Run it and verify:

[root@master ~]# oc adm  groups sync --sync-config=groups.yaml --confirm
group/admins
[root@master ~]# oc get groups
NAME      USERS
admins    cn=eric,ou=users,dc=mydomain,dc=com

The member appears as a DN because userNameAttributes is dn. OpenShift applies the role bindings of a group to whichever User objects carry exactly the member names listed, and the identity provider above names users by uid, so alice or tom, synced into a group by DN, would gain nothing from it; the only member that lines up is a user that was itself named by its DN, as eric was before the fix. Setting userNameAttributes to [ uid ] makes the synced names match preferredUsername. Without --confirm, oc adm groups sync only prints what it would change.
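An added example, not from the original post and not OpenShift's own code, that replays the rfc2307 sync above offline on constructed entries and reports which synced members would actually match an OpenShift user name. The directory contents, the dictionary form of the sync settings and the treatment of a member lacking the name attribute (skipped with a warning here; the real sync reports an error) are assumptions; the tolerate* behaviour follows the documented meaning of those options, and the naming rule for users is the one observed in oc get users.

```python
"""Offline replay of `oc adm groups sync` (rfc2307) on constructed entries."""

# Constructed sample (not the page's directory): eric has no uid, ghost does not exist,
# svc lives outside ou=users.
USERS = [
    {"dn": "cn=alice,ou=users,dc=mydomain,dc=com", "cn": "alice", "uid": "alice"},
    {"dn": "cn=eric,ou=users,dc=mydomain,dc=com", "cn": "eric"},
    {"dn": "cn=svc,ou=services,dc=mydomain,dc=com", "cn": "svc", "uid": "svc"},
]
GROUPS = [
    {"dn": "cn=admins,ou=groups,dc=mydomain,dc=com", "cn": "admins",
     "member": ["cn=alice,ou=users,dc=mydomain,dc=com",
                "cn=eric,ou=users,dc=mydomain,dc=com",
                "cn=ghost,ou=users,dc=mydomain,dc=com",
                "cn=svc,ou=services,dc=mydomain,dc=com"]},
]

# The groups.yaml settings that decide naming and error tolerance (dict form is assumed).
SYNC_BY_DN = {
    "usersBaseDN": "ou=users,dc=mydomain,dc=com",
    "groupNameAttributes": ["cn"],
    "groupMembershipAttributes": ["member"],
    "userNameAttributes": ["dn"],
    "tolerateMemberNotFoundErrors": True,
    "tolerateMemberOutOfScopeErrors": True,
}
# Corrected variant: name members the way the identity provider names users.
SYNC_BY_UID = dict(SYNC_BY_DN, userNameAttributes=["uid"])


def openshift_user_name(user):
    """Name the identity provider above gives a login: preferredUsername (uid), falling
    back to the id attribute (dn) when uid is absent, as `oc get users` showed for eric."""
    return user.get("uid") or user["dn"]


def sync_groups(groups, users, sync):
    """Return ({group name: [member names]}, warnings). Out-of-scope or missing members
    are skipped when the matching tolerate* flag is true and abort the sync otherwise."""
    users_base = sync["usersBaseDN"].lower()
    by_dn = {u["dn"].lower(): u for u in users}
    result, warnings = {}, []
    for group in groups:
        names = []
        for dn in group.get(sync["groupMembershipAttributes"][0], []):
            if not dn.lower().endswith(users_base):
                if not sync["tolerateMemberOutOfScopeErrors"]:
                    raise RuntimeError("member outside usersQuery.baseDN: " + dn)
                warnings.append("skipped out-of-scope member " + dn)
                continue
            user = by_dn.get(dn.lower())
            if user is None:
                if not sync["tolerateMemberNotFoundErrors"]:
                    raise RuntimeError("member not found: " + dn)
                warnings.append("skipped missing member " + dn)
                continue
            name = next((user[a] for a in sync["userNameAttributes"] if user.get(a)), None)
            if name is None:  # assumption: skip; the real sync would report an error
                warnings.append("no %s on %s, member skipped" % (sync["userNameAttributes"], dn))
                continue
            names.append(name)
        result[group[sync["groupNameAttributes"][0]]] = names
    return result, warnings


def membership_mismatches(synced, users):
    """Synced member names that equal no OpenShift user name. Role bindings on the group
    do nothing for these members, because OpenShift matches group members to users by name."""
    real_names = {openshift_user_name(u) for u in users}
    return {g: [m for m in members if m not in real_names] for g, members in synced.items()}


if __name__ == "__main__":
    for label, cfg in (("[ dn ]", SYNC_BY_DN), ("[ uid ]", SYNC_BY_UID)):
        synced, warnings = sync_groups(GROUPS, USERS, cfg)
        print("userNameAttributes:", label, synced,
              "mismatched:", membership_mismatches(synced, USERS), warnings)
```

With [ dn ] the admins group is populated, but alice's entry matches no user and the binding is dead for her; with [ uid ] the names line up and the warnings point at the entries (eric without uid, the ghost member, the out-of-scope member) that need fixing in the directory rather than being silently tolerated.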


Grant the LDAP user alice the cluster-admin role:

[root@master ~]# oc adm policy add-cluster-role-to-user cluster-admin alice
cluster role "cluster-admin" added: "alice"

Once logged in, alice sees all the projects that admin sees. cluster-admin is the most powerful role in the cluster; with group sync in place, binding such roles to a synced group rather than to individual LDAP users keeps the privilege tied to directory membership.

posted @ 2018-12-04 14:11  ericnie