https://www.58jb.com/html/120.html

https://blog.csdn.net/reblue520/article/details/80553528

 

1.环境搭建
操作系统:centos6.5 x86_64
关闭防火墙、selinux(仅适用于实验环境;生产环境应保留防火墙并只放行 389/636 端口,SELinux 建议保持 enforcing、按需调整布尔值,而不是整体关闭)
开启时间同步
# crontab -e
加入
# time sync
*/5 * * * * /usr/sbin/ntpdate 192.168.8.102 >/dev/null 2>&1
# crontab -l
*/5 * * * * /usr/sbin/ntpdate -u 192.168.8.102 >/dev/null 2>&1


配置域名解析:
# echo "192.168.8.43 chinasoft.com" >> /etc/hosts


解决依赖关系
# yum grouplist


   Base
   Debugging Tools
   Performance Tools
   Compatibility libraries
   Development tools
   Dial-up Networking Support
   Hardware monitoring utilities
如果缺少组包,需要安装
yum groupinstall -y "Compatibility libraries"


2.安装openldap master
# yum install -y openldap openldap-*
# yum install -y nscd nss-pam-ldapd nss-* pcre pcre*


# rpm -qa | grep openldap*
compat-openldap-2.3.43-2.el6.x86_64
openldap-2.4.40-12.el6.x86_64
openldap-clients-2.4.40-12.el6.x86_64
openldap-servers-sql-2.4.40-12.el6.x86_64
openldap-servers-2.4.40-12.el6.x86_64
openldap-devel-2.4.40-12.el6.x86_64


3.配置slapd.conf文件
# cd /etc/openldap/
[root@node5 openldap]# cp /usr/share/openldap-servers/slapd.conf.obsolete slapd.conf


[root@node5 openldap]# cp slapd.conf slapd.conf.bak
注意:`slappasswd -s 密码` 会把明文密码写进 shell 历史,并在命令运行期间出现在 `ps` 输出里;更稳妥的做法是不带 -s 直接运行 `slappasswd`,由它交互式提示输入密码。另外两次生成的哈希不同是因为 SSHA 每次使用随机盐,属正常现象。下面保留原文命令以便对照:
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g"
rootpw {SSHA}D9+lqUJZVPobp0sZfXl37jE1aVvR2P9K
[root@node5 openldap]# slappasswd -s chinasoft|sed -e "s#{SSHA}#rootpw\t{SSHA}#g">>/etc/openldap/slapd.conf
[root@node5 openldap]# tail -1 slapd.conf
rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr


# vim slapd.conf
注释掉以下四行
#database        bdb
#suffix         "dc=my-domain,dc=com"
#checkpoint     1024 15
#rootdn         "cn=Manager,dc=my-domain,dc=com"


添加如下内容
# add start by jack 2016/07/01
database        bdb
suffix          "dc=chinasoft,dc=com"
rootdn          "cn=admin,dc=chinasoft,dc=com"


对比修改是否成功:
# diff slapd.conf.bak slapd.conf
114,117c114,122
< database bdb
< suffix "dc=my-domain,dc=com"
< checkpoint 1024 15
< rootdn "cn=Manager,dc=my-domain,dc=com"
---
> #database bdb
> #suffix "dc=my-domain,dc=com"
> #checkpoint 1024 15
> #rootdn "cn=Manager,dc=my-domain,dc=com"
> # add start by jack 2016/07/01
> database bdb
> suffix "dc=chinasoft,dc=com"
> rootdn "cn=admin,dc=chinasoft,dc=com"

140a146
> rootpw {SSHA}FvBRnIPqtIi0/u11O2gOfOCrRJr+xMAr


添加如下内容
cat >> /etc/openldap/slapd.conf<<EOF
# add start by jack 2016/07/01
loglevel 296
cachesize 1000
checkpoint 2018 10
EOF


参数说明:


# add start by jack 2016/07/01
loglevel 296  # 日志级别,记录日志信息方便调试,296级别是由256(日志连接/操作/结果)、32(搜索过滤器处理)、8(连接管理)累加的结果
cachesize 1000 # 设置 ldap 可以缓存的条目(entry)数
checkpoint 2018 10 # 设置把内存中的数据写回数据文件(checkpoint)的频率:上面的设置表示每写入 2018KB 日志或者每隔 10 分钟执行一次 checkpoint


4.ldap授权及安全参数配置
# vim /etc/openldap/slapd.conf
删除如下内容:
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none


# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none


改为:
access to *
        by self write
        by anonymous auth
        by * read
注意:上面这条 ACL 让任何能成功 bind 的用户读取目录里所有条目的全部属性,包括其他用户的 userPassword 哈希(后文 ldapsearch 的输出就能看到);`by self write` 还允许用户修改自己的 uidNumber、gidNumber、loginShell 等属性。更稳妥的写法是先单独保护口令属性,再放开其余属性,只在确实需要用户自行修改的属性上给 self 写权限:
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by * read


5.加入日志记录
# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak.$(date +%F%T)
# echo '#record ldap.log by jack 2016-07-01' >> /etc/rsyslog.conf
# echo 'local4.* /var/log/ldap.log'>> /etc/rsyslog.conf
# tail -1 /etc/rsyslog.conf
local4.* /var/log/ldap.log
# service rsyslog restart


6.配置ldap数据库路径
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# ll /var/lib/ldap/DB_CONFIG 
-rw-r--r-- 1 root root 845 Jul  1 17:29 /var/lib/ldap/DB_CONFIG
[root@node5 openldap]# chown ldap:ldap /var/lib/ldap/DB_CONFIG 
[root@node5 openldap]# chmod 700 /var/lib/ldap/
[root@node5 openldap]# ls -l /var/lib/ldap/
total 4
-rw-r--r-- 1 ldap ldap 845 Jul  1 17:29 DB_CONFIG


验证配置是否Ok
# slaptest -u
config file testing succeeded


7.启动服务:
# /etc/init.d/slapd restart
# lsof -i :389
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   50735 ldap    7u  IPv4  75541      0t0  TCP *:ldap (LISTEN)
slapd   50735 ldap    8u  IPv6  75542      0t0  TCP *:ldap (LISTEN)
[root@node5 openldap]# ps -ef |grep ldap|grep -v grep
ldap     50735     1  0 17:33 ?        00:00:00 /usr/sbin/slapd -h  ldap:/// ldapi:/// -u ldap
配置随机启动
# chkconfig slapd on
[root@node5 openldap]# chkconfig --list slapd
slapd           0:off1:off2:on3:on4:on5:on6:off


8.测试查找内容(注意:下面用 ldap:// 走 389 端口且没有 TLS,-D/-W 给出的管理员口令会明文经过网络;远程测试应在配好证书后改用 ldaps:// 或 StartTLS(ldapsearch -ZZ),本机测试可以直接用 ldapi:///)
# ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password: 
报错:
ldap_bind: Invalid credentials (49)


解决办法(CentOS 6 的 slapd 默认读取 /etc/openldap/slapd.d/ 下的 cn=config,而不是 slapd.conf,因此上面配置的 rootdn/rootpw 很可能根本没有生效,需要把 slapd.conf 转换成 slapd.d;注意 rm -rf 会删除现有的 slapd.d 配置,操作前先备份该目录):
# rm -rf /etc/openldap/slapd.d/*
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
57763ec6 bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded
# ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password: 
No such object (32)


重启服务
# service slapd restart
Stopping slapd:                                            [FAILED]
Checking configuration files for slapd:                    [FAILED]
57763eee ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config.ldif"
slaptest: bad configuration file!
[root@node5 openldap]# chown -R ldap.ldap /etc/openldap/slapd.d/
[root@node5 openldap]# service slapd restart
Stopping slapd:                                            [FAILED]
Starting slapd:                                            [  OK  ]


# lsof -i :389
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd   51164 ldap    7u  IPv4  77503      0t0  TCP *:ldap (LISTEN)
slapd   51164 ldap    8u  IPv6  77504      0t0  TCP *:ldap (LISTEN)


9.为ldap master初始化数据(如果不初始化,后面无法通过web界面管理)


增加初始的入口(entries) 
1) 创建LDIF文件 
编辑一个LDIF格式文件(注意:jack.ldif 中的 userPassword 应填写 slappasswd 生成的 {SSHA} 哈希,不要直接写明文口令;下面 base64 形式的 `userPassword::` 值看起来并不是 {SSHA} 哈希,会被原样存入目录):
# vim base.ldif
dn: dc=chinasoft, dc=com
objectClass: organization
objectClass: dcObject
dc: chinasoft
o: chinasoft


dn: ou=People, dc=chinasoft, dc=com
objectClass: organizationalUnit
ou: People


dn: ou=group, dc=chinasoft, dc=com
objectClass: organizationalUnit
ou: group


dn: cn=tech, ou=group, dc=chinasoft, dc=com
objectClass: posixGroup
description:: 5oqA5pyv6YOo
gidNumber: 10001
cn: tech


# vim jack.ldif
dn: uid=jack,ou=People,dc=chinasoft,dc=com
objectClass: posixaccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack

# ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
Enter LDAP Password: 
adding new entry "dc=chinasoft, dc=com"


adding new entry "ou=People, dc=chinasoft, dc=com"


adding new entry "ou=group, dc=chinasoft, dc=com"


adding new entry "cn=tech, ou=group, dc=chinasoft, dc=com"


2) 运行ldapadd
# ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f base.ldif
Enter LDAP Password: 


报错:
adding new entry "dc=chinasoft,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
原因:ldif文件中存在空格 或者 个别单词拼写错误
正确书写格式: 
(1空行)
dn:(空格) dc=mail,dc=kaspersky,dc=com(结尾无空格)
objectclass: (空格)dcObject(结尾无空格)
objectclass: (空格)organization(结尾无空格)
o: (空格)kaspersky(结尾无空格)
dc:(空格) test(结尾无空格)
(1空行)
dn: (空格)cn=test,dc=mail,dc=kaspersky,dc=com(结尾无空格)
objectclass: (空格)organizationalRole(结尾无空格)
cn: (空格)test(结尾无空格)
(结尾无空行)


# ldapadd -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -W -f jack.ldif 
Enter LDAP Password: 
adding new entry "uid=jack,ou=People,dc=chinasoft,dc=com"


3) 检查是否已经开始正常工作(注意:输出里包含 userPassword,这里以 admin 身份查询属正常;但按第 4 节的 ACL,任何能 bind 的普通用户同样能读到别人的 userPassword)
# ldapsearch -LLL -W -x -H ldap://chinasoft.com -D "cn=admin,dc=chinasoft,dc=com" -b "dc=chinasoft,dc=com" "(uid=*)"
Enter LDAP Password: 
dn: uid=jack,ou=People,dc=chinasoft,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/jack
loginShell: /bin/bash
uid: jack
cn: jack
userPassword:: 55G/ReqPKeOZ8SpgszwIQhaBXySNU4mw
uidNumber: 10005
gidNumber: 10001
sn: jack


10.为ldap master配置web管理接口
安装lamp环境
# yum install -y httpd php php-ldap php-gd


# rpm -qa httpd php php-ldap php-gd
php-5.3.3-47.el6.x86_64
httpd-2.2.15-53.el6.centos.x86_64
php-gd-5.3.3-47.el6.x86_64
php-ldap-5.3.3-47.el6.x86_64


安装ldap-account-manager管理软件
https://www.ldap-account-manager.org/lamcms/releases?page=3
将ldap-account-manager-3.7.tar.gz安装包上传到/var/www/html目录
# cd /var/www/html/
[root@node5 html]# tar zxf ldap-account-manager-3.7.tar.gz 
[root@node5 html]# mv ldap-account-manager-3.7 ldap
[root@node5 html]# cd ldap/config
[root@node5 config]# cp config.cfg_sample config.cfg
[root@node5 config]# cp lam.conf_sample lam.conf
[root@node5 config]# sed -i 's#cn=Manager#cn=admin#g' lam.conf
[root@node5 config]# sed -i 's#dc=my-domain#dc=chinasoft#g' lam.conf
[root@node5 config]# diff lam.conf_sample lam.conf
13c13
< admins: cn=Manager,dc=my-domain,dc=com
---
> admins: cn=admin,dc=chinasoft,dc=com
55c55
< types: suffix_user: ou=People,dc=my-domain,dc=com
---
> types: suffix_user: ou=People,dc=chinasoft,dc=com
59c59
< types: suffix_group: ou=group,dc=my-domain,dc=com
---
> types: suffix_group: ou=group,dc=chinasoft,dc=com
63c63
< types: suffix_host: ou=machines,dc=my-domain,dc=com
---
> types: suffix_host: ou=machines,dc=chinasoft,dc=com
67c67
< types: suffix_smbDomain: dc=my-domain,dc=com
---
> types: suffix_smbDomain: dc=chinasoft,dc=com

# chown -R apache.apache /var/www/html/ldap

访问http://192.168.8.43/ldap/templates/login.php
使用刚才配置的 admin 和密码chinasoft登陆即可
注意:这里是明文 HTTP,LDAP 管理员口令会在网络上明文传输,只适合内网测试,生产环境应给 httpd 配置 HTTPS 并限制访问来源;另外上面的 `chown -R apache.apache` 让 httpd 进程可以写整个 LAM 目录(包括 PHP 代码),LAM 通常只需要对 config/、sess/、tmp/ 这几个目录有写权限。

=================================

GitLab 通过ldap完成帐号认证

系统环境:Centos6.5_x86_64
ldap服务器:10.0.10.30 版本:openldap-2.4.40-12.el6.x86_64
GitLab服务器:10.0.10.78 版本:gitlab-ce-8.8.5-ce.1.el6.x86_64.rpm
ldap Web管理客户端工具版本: ldap-account-manager-4.8.tar.bz2

关闭防火墙和SELINUX

/etc/init.d/iptables stop
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Yum安装ldap服务器:

yum upgrade nss-softokn-freebl -y
yum install openldap openldap* nss-* -y

复制slapd.conf配置文件:

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

创建管理员密码:

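# Append the rootpw line to slapd.conf.
# Without -s, slappasswd prompts for the password, so the plaintext never
# appears in `ps` output or in the shell history (the original passed it
# on the command line as `-s swper`).
slappasswd | sed -e "s#{SSHA}#rootpw\t{SSHA}#g" >>/etc/openldap/slapd.conf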

salpd.conf 配置修改:[修改或添加]

把配置文件中:dc=my-domain,dc=com  修改成自己的域名; dc=58jb,dc=org ;cn=Manager就是管理员账号;
database    bdb
suffix      "dc=58jb,dc=org"
checkpoint  1024 15
rootdn      "cn=Manager,dc=58jb,dc=org"
loglevel Stats         #增加一个日志记录
cachesize 1000      #缓存大小

快速替换上面关键字;

sed -i 's/dc=my-domain/dc=58jb/g' /etc/openldap/slapd.conf
sed -i 's/dc=com/dc=org/g' /etc/openldap/slapd.conf

配置数据库信息:[复制配置文件]

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/DB_CONFIG
chmod 700 /var/lib/ldap

配置rsyslog日志记录ldap的日志;

echo "local4.*          /var/log/ldap.log" >>/etc/rsyslog.conf
/etc/init.d/rsyslog restart

启动服务:

/etc/init.d/slapd start

重新生成配置文件;

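# Convert slapd.conf into the slapd.d (cn=config) tree that slapd actually reads.
# Keep a copy of the current slapd.d first: the original `rm -rf` discarded the
# previous configuration with no way back.
slapd_d_backup="/etc/openldap/slapd.d.bak.$(date +%F_%H%M%S)"
cp -a /etc/openldap/slapd.d "$slapd_d_backup"
rm -rf /etc/openldap/slapd.d/*
# Report a failed conversion loudly instead of silently going on to restart
# slapd on an empty slapd.d.
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ \
  || echo "slaptest failed: fix /etc/openldap/slapd.conf before restarting slapd (backup in $slapd_d_backup)" >&2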

修改权限:

chown -R ldap.ldap /etc/openldap/slapd.d/

重新启动服务:

/etc/init.d/slapd restart

测试一下认证:

slaptest -u

日志检查:

tail -10 /var/log/ldap.log

再检查ldap的连接测试:

ldapsearch -LLL -W -x -H ldap://58jb.org -D "cn=Manager,dc=58jb,dc=org" -b "dc=58jb,dc=org" "(uid=*)"

输入密码后返回 No such object (32),说明 bind(认证)已经成功,只是 dc=58jb,dc=org 这个基础条目还不存在;需要像前文第 9 节那样先用 ldapadd 导入 base.ldif(组织、ou=People、ou=group 等条目),之后 Web 界面才能正常添加组和用户。

Yum安装lamp环境;

yum install httpd php php-ldap php-gd -y

修改配置文件:

sed -i 's@#ServerName www.example.com:80@ServerName 127.0.0.1:80@g' /etc/httpd/conf/httpd.conf

启动httpd服务:

/etc/init.d/httpd start
chkconfig httpd on

安装ldap Web管理客户端工具:[5.0以上要求php要大于5.4以上的]

下载地址:https://www.ldap-account-manager.org/lamcms/releases

ldap-account-manager-4.8.tar.bz2
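# Unpack LAM under the web root and rename the versioned directory.
# The original mv pointed at the tarball instead of the extracted
# directory, so /var/www/html/ldap would have been the archive itself.
tar xf ldap-account-manager-4.8.tar.bz2 -C /var/www/html
mv /var/www/html/ldap-account-manager-4.8 /var/www/html/ldap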

复制配置文件:

cd /var/www/html/ldap/config
cp config.cfg.sample config.cfg
cp lam.conf.sample lam.conf

修改配置文件:


sed -i "s#dc=my-domain#dc=58jb#g" /var/www/html/ldap/config/lam.conf
sed -i "s#dc=com#dc=org#g" /var/www/html/ldap/config/lam.conf
sed -i "s#dc=yourdomain#dc=58jb#g" /var/www/html/ldap/config/lam.conf

启动httpd服务;

service httpd restart

打开浏览器:http://58jb.org/ldap(明文 HTTP,LAM 登录时 LDAP 管理员口令会明文传输,只适合内网测试,生产环境应为 httpd 启用 HTTPS)

先添加一个组,再添加用户,添加用户时最好填上邮件地址,因为Gitlab要使用邮件地址;

再命令行下测试效果:

上面成功返回了刚在Web界面创建的用户信息;到此ldap服务器上的配置基本完成。

接下来是Gitlab服务器上的配置;

yum install openssh-server openssh-clients postfix cronie -y
service postfix start
chkconfig postfix on

使用rpm包安装gitlab服务,这样方便,如果使用yum也可以,但是网络不稳定的情况下可能会很久;

[root@gitlab soft]# rpm -ivh gitlab-ce-8.8.5-ce.1.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:gitlab-ce              ########################################### [100%]
hostname: Unknown host
gitlab: Thank you for installing GitLab!
gitlab: To configure and start GitLab, RUN THE FOLLOWING COMMAND:

sudo gitlab-ctl reconfigure

gitlab: GitLab should be reachable at http://gitlab.example.com
gitlab: Otherwise configure GitLab for your system by editing /etc/gitlab/gitlab.rb file
gitlab: And running reconfigure again.
gitlab:
gitlab: For a comprehensive list of configuration options please see the Omnibus GitLab readme
gitlab: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md
gitlab:
It looks like GitLab has not been configured yet; skipping the upgrade script.

修改配置文件:

external_url 'http://gitlab.example.com'
改成自己的域名或者IP地址:
external_url 'http://10.0.10.78'

101-150段中,把101和121的注释去掉,并作如下修改:记得后面的EOS是跟102的对应的;

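gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '10.0.10.30'
    port: 389
    uid: 'uid'
    # 'plain' sends the bind password and every user's login password in
    # cleartext to 10.0.10.30. Once slapd has a certificate, switch to
    # method: 'ssl' with port 636 (or 'tls' on 389).
    method: 'plain' # "tls" or "ssl" or "plain"
    # This is the directory's rootdn, which bypasses every ACL; its
    # password is stored in gitlab.rb on the GitLab host. Prefer a
    # dedicated read-only bind account once one exists in the directory.
    bind_dn: 'cn=Manager,dc=58jb,dc=org'
    password: '_the_password_of_the_bind_user'
    # The server is OpenLDAP, not Active Directory: false skips GitLab's
    # AD-specific (userAccountControl) account checks.
    active_directory: false
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'dc=58jb,dc=org'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email:    ['mail', 'email', 'userPrincipalName']
      name:       'cn'
      first_name: 'givenName'
      last_name:  'sn'
EOS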

初始化配置:

gitlab-ctl reconfigure

注意最后的几行信息,如果没有异常就成功了;

Running handlers:
Running handlers complete
Chef Client finished, 3/277 resources updated in 03 seconds
gitlab Reconfigured!

打开浏览器:http://10.0.10.78, 第一次会要求配置root的密码,至少8位以上;修改完后再用ldap上的用户登陆;

中途遇到的异常,如果按照上面的配置方法是不会出错的;

gitlab使用ldap用户登陆时报的错误:

Could not authenticate you from Ldapmain because "No route to host - connect(2) for "10.0.10.30" port 389".

原因:可能是 ldap 服务只监听了本机地址,或者是 LDAP 服务器上的防火墙拦截了 389 端口。不要直接清空全部规则(`iptables -F` 会让 LDAP 服务器完全不设防),只放行 GitLab 服务器到 389 端口的访问即可:

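# Let the GitLab host (10.0.10.78) reach slapd on 389 instead of flushing
# every rule: `iptables -F` leaves the LDAP server with no firewall at all.
iptables -I INPUT -p tcp -s 10.0.10.78 --dport 389 -j ACCEPT
# Persist the rule across reboots (CentOS 6 init script).
service iptables save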

错误二,也是登陆验证是失败:

Could not authenticate you from Ldapmain because "Invalid credentials".

一般都是gitlab.rb配置文件中的配置有问题,或者修改完配置后要把gitlab的服务全停止后,重新初始化一次再启动;

 

 
