LDAP User Authentication Integration
I. Centralized User Authentication with LDAP
1.1 Setting up OpenLDAP
1.1.1 Deploy the OpenLDAP service
Deploy the OpenLDAP service as a Docker container. Note that the admin password given with --env is visible to anyone who can run docker inspect on the host (and in the shell history), and that both 389 and 636 are published on all interfaces; on anything other than a lab box, bind them to a specific address or put the container on an internal network.
$ docker run -d \
-p 389:389 -p 636:636 \
--name openldap-container \
--env LDAP_ORGANISATION="lotusching" \
--env LDAP_DOMAIN="lotusching.com" \
--env LDAP_ADMIN_PASSWORD="admin_passwd_4_ldap" \
osixia/openldap:1.4.0
Container startup log:
$ docker logs -f openldap-container
*** CONTAINER_LOG_LEVEL = 3 (info)
*** Search service in CONTAINER_SERVICE_DIR = /container/service :
*** link /container/service/:ssl-tools/startup.sh to /container/run/startup/:ssl-tools
*** link /container/service/slapd/startup.sh to /container/run/startup/slapd
*** link /container/service/slapd/process.sh to /container/run/process/slapd/run
*** Set environment for startup files
*** Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.startup.yaml
/container/environment/99-default/default.yaml
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** Running /container/run/startup/:ssl-tools...
*** Running /container/run/startup/slapd...
openldap user and group adjustments
get current openldap uid/gid info inside container
-------------------------------------
openldap GID/UID
-------------------------------------
User uid: 911
User gid: 911
uid/gid changed: false
-------------------------------------
updating file uid/gid ownership
Database and config directory are empty...
Init new ldap server...
Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.4.50+dfsg-1~bpo10+1... done.
Creating initial configuration... done.
Creating LDAP directory... done.
invoke-rc.d: could not determine current runlevel
invoke-rc.d: policy-rc.d denied execution of restart.
Start OpenLDAP...
Waiting for OpenLDAP to start...
Add bootstrap schemas...
config file testing succeeded
Add image bootstrap ldif...
Add custom bootstrap ldif...
Add TLS config...
No certificate file and certificate key provided, generate:
/container/service/slapd/assets/certs/ldap.crt and /container/service/slapd/assets/certs/ldap.key
2021/07/23 04:27:55 [INFO] generate received request
2021/07/23 04:27:55 [INFO] received CSR
2021/07/23 04:27:55 [INFO] generating key: ecdsa-384
2021/07/23 04:27:55 [INFO] encoded CSR
2021/07/23 04:27:55 [INFO] signed certificate with serial number 723060059834563012694291460935161887079896476866
Link /container/service/:ssl-tools/assets/default-ca/default-ca.pem to /container/service/slapd/assets/certs/ca.crt
Disable replication config...
Stop OpenLDAP...
Configure ldap client TLS configuration...
Remove config files...
First start is done...
*** Set environment for container process
*** Remove file /container/environment/99-default/default.startup.yaml
*** Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.yaml
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** Running /container/run/process/slapd/run...
60fa454b @(#) $OpenLDAP: slapd 2.4.50+dfsg-1~bpo10+1 (May 4 2020 05:25:06) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
60fa454b slapd starting
1.1.2 Deploy the phpLDAPadmin web service
$ docker run -d \
-p 9001:80 \
-p 9443:443 \
--name phpldapadmin-service \
--hostname phpldapadmin-service \
--link openldap-container:ldap-host \
--env PHPLDAPADMIN_LDAP_HOSTS=ldap-host \
osixia/phpldapadmin:0.9.0
0e0b867665583c07f50fd6969e7e26d5833f942686980f7fb6c938267cfe1b18
Check the startup log:
$ docker logs -f phpldapadmin-service
*** CONTAINER_LOG_LEVEL = 3 (info)
*** Search service in CONTAINER_SERVICE_DIR = /container/service :
*** link /container/service/:apache2/startup.sh to /container/run/startup/:apache2
*** link /container/service/:apache2/process.sh to /container/run/process/:apache2/run
*** link /container/service/:apache2/finish.sh to /container/run/process/:apache2/finish
*** link /container/service/:cron/startup.sh to /container/run/startup/:cron
*** link /container/service/:cron/process.sh to /container/run/process/:cron/run
*** link /container/service/:logrotate/startup.sh to /container/run/startup/:logrotate
*** link /container/service/:php7.3-fpm/startup.sh to /container/run/startup/:php7.3-fpm
*** link /container/service/:php7.3-fpm/process.sh to /container/run/process/:php7.3-fpm/run
*** link /container/service/:ssl-tools/startup.sh to /container/run/startup/:ssl-tools
*** link /container/service/:syslog-ng-core/startup.sh to /container/run/startup/:syslog-ng-core
*** link /container/service/:syslog-ng-core/process.sh to /container/run/process/:syslog-ng-core/run
*** link /container/service/ldap-client/startup.sh to /container/run/startup/ldap-client
*** link /container/service/phpldapadmin/startup.sh to /container/run/startup/phpldapadmin
*** Set environment for startup files
*** Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.startup.yaml
/container/environment/99-default/default.yaml
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** Running /container/run/startup/:apache2...
*** Running /container/run/startup/:cron...
*** Running /container/run/startup/:logrotate...
*** Running /container/run/startup/:php7.3-fpm...
*** Running /container/run/startup/:ssl-tools...
*** Running /container/run/startup/:syslog-ng-core...
*** Running /container/run/startup/ldap-client...
No certificate file and certificate key provided, generate:
/container/service/ldap-client/assets/certs/ldap-client.crt and /container/service/ldap-client/assets/certs/ldap-client.key
2021/07/23 04:45:38 [INFO] generate received request
2021/07/23 04:45:38 [INFO] received CSR
2021/07/23 04:45:38 [INFO] generating key: ecdsa-384
2021/07/23 04:45:38 [INFO] encoded CSR
2021/07/23 04:45:38 [INFO] signed certificate with serial number 319526677058401650874661920785130772390750381634
Link /container/service/:ssl-tools/assets/default-ca/default-ca.pem to /container/service/ldap-client/assets/certs/ldap-ca.crt
*** Running /container/run/startup/phpldapadmin...
Set apache2 https config...
No certificate file and certificate key provided, generate:
/container/service/phpldapadmin/assets/apache2/certs/phpldapadmin.crt and /container/service/phpldapadmin/assets/apache2/certs/phpldapadmin.key
2021/07/23 04:45:38 [INFO] generate received request
2021/07/23 04:45:38 [INFO] received CSR
2021/07/23 04:45:38 [INFO] generating key: ecdsa-384
2021/07/23 04:45:38 [INFO] encoded CSR
2021/07/23 04:45:38 [INFO] signed certificate with serial number 339355825750494954127327856460385200530719060144
Link /container/service/:ssl-tools/assets/default-ca/default-ca.pem to /container/service/phpldapadmin/assets/apache2/certs/ca.crt
Bootstap phpLDAPadmin...
tr: write error: Broken pipe
tr: write error
*** Set environment for container process
*** Remove file /container/environment/99-default/default.startup.yaml
*** Environment files will be proccessed in this order :
Caution: previously defined variables will not be overriden.
/container/environment/99-default/default.yaml
To see how this files are processed and environment variables values,
run this container with '--loglevel debug'
*** Running runit daemon...
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
[Fri Jul 23 04:45:39.007720 2021] [ssl:warn] [pid 917:tid 140223126140032] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1d 10 Sep 2019, version currently loaded is OpenSSL 1.1.1c 28 May 2019) - may result in undefined or erroneous behavior
[Fri Jul 23 04:45:39.008770 2021] [ssl:error] [pid 917:tid 140223126140032] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=phpldapadmin-service,OU=Information Technology Dep.,O=A1A Car Wash,L=Albuquerque,ST=New Mexico,C=US / issuer: CN=docker-light-baseimage,ST=New Mexico,L=Albuquerque,OU=Information Technology Dep.,O=A1A Car Wash,C=US / serial: 3B713DD438898656FDA220985D1253A6EE7D30B0 / notbefore: Jul 23 04:41:00 2021 GMT / notafter: Jul 23 04:41:00 2022 GMT]
[Fri Jul 23 04:45:39.008778 2021] [ssl:error] [pid 917:tid 140223126140032] AH02604: Unable to configure certificate phpldapadmin-service:443:0 for stapling
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
[Fri Jul 23 04:45:39.014474 2021] [ssl:warn] [pid 917:tid 140223126140032] AH01882: Init: this version of mod_ssl was compiled against a newer library (OpenSSL 1.1.1d 10 Sep 2019, version currently loaded is OpenSSL 1.1.1c 28 May 2019) - may result in undefined or erroneous behavior
[Fri Jul 23 04:45:39.015200 2021] [ssl:error] [pid 917:tid 140223126140032] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=phpldapadmin-service,OU=Information Technology Dep.,O=A1A Car Wash,L=Albuquerque,ST=New Mexico,C=US / issuer: CN=docker-light-baseimage,ST=New Mexico,L=Albuquerque,OU=Information Technology Dep.,O=A1A Car Wash,C=US / serial: 3B713DD438898656FDA220985D1253A6EE7D30B0 / notbefore: Jul 23 04:41:00 2021 GMT / notafter: Jul 23 04:41:00 2022 GMT]
[Fri Jul 23 04:45:39.015209 2021] [ssl:error] [pid 917:tid 140223126140032] AH02604: Unable to configure certificate phpldapadmin-service:443:0 for stapling
[Fri Jul 23 04:45:39.016964 2021] [mpm_event:notice] [pid 917:tid 140223126140032] AH00489: Apache/2.4.38 (Debian) OpenSSL/1.1.1c configured -- resuming normal operations
[Fri Jul 23 04:45:39.016979 2021] [core:notice] [pid 917:tid 140223126140032] AH00094: Command line: '/usr/sbin/apache2 -D FOREGROUND'
Jul 23 04:45:39 phpldapadmin-service syslog-ng[904]: syslog-ng starting up; version='3.19.1'
[23-Jul-2021 04:45:39] NOTICE: fpm is running, pid 903
[23-Jul-2021 04:45:39] NOTICE: ready to handle connections
[23-Jul-2021 04:45:39] NOTICE: systemd monitor interval set to 10000ms
1.1.3 Access the LDAP web UI
Three variables were declared when the container was created:
--env LDAP_ORGANISATION="lotusching" \
--env LDAP_DOMAIN="lotusching.com" \
--env LDAP_ADMIN_PASSWORD="admin_passwd_4_ldap" \
Joining these parameters together gives the login DN and password: the image derives the base DN by splitting LDAP_DOMAIN into dc= components, and the administrator entry is cn=admin directly beneath it (LDAP_ORGANISATION only sets the organisation name on the base entry; it is not part of the DN):
- Login DN:
cn=admin,dc=lotusching,dc=com
- Password:
admin_passwd_4_ldap
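The derivation above, written as shell functions so it also covers multi-label domains, plus a bind check with ldapwhoami that proves the DN and password actually work. This is an added example, not part of the original article; the LDAP_URI variable and the names of the password variables are assumptions.

```shell
#!/bin/sh
# Derive the bind DN the osixia/openldap image creates from LDAP_DOMAIN
# (added example, not from the original article). Assumes the image's
# defaults: base DN = domain split on dots into dc= components, and the
# administrator entry is cn=admin under that base.

# "lotusching.com" -> "dc=lotusching,dc=com"
# "corp.example.co.uk" -> "dc=corp,dc=example,dc=co,dc=uk"
domain_to_base_dn() {
    printf '%s\n' "$1" | sed -e 's/\.$//' -e 's/\./,dc=/g' -e 's/^/dc=/'
}

# "lotusching.com" -> "cn=admin,dc=lotusching,dc=com"
admin_dn() {
    printf 'cn=admin,%s\n' "$(domain_to_base_dn "$1")"
}

# Bind as the administrator and ask the server who it thinks we are.
# ldapwhoami prints "dn:<bound DN>" on success and exits non-zero on a
# failed bind, so this doubles as a password check.
verify_admin_bind() {   # uri domain password
    ldapwhoami -x -H "$1" -D "$(admin_dn "$2")" -w "$3"
}

# The network part only runs when LDAP_URI is set (assumed variable), so the
# functions above can be sourced and exercised offline.
if [ -n "${LDAP_URI:-}" ]; then
    verify_admin_bind "$LDAP_URI" "${LDAP_DOMAIN:-lotusching.com}" \
        "${LDAP_ADMIN_PASSWORD:?set LDAP_ADMIN_PASSWORD}"
fi
```

Run it with `LDAP_URI=ldap://localhost:389 LDAP_DOMAIN=lotusching.com LDAP_ADMIN_PASSWORD=... sh check.sh`; the bind over plain ldap:// on 389 sends the password in clear text, so on anything but localhost use ldaps://localhost:636 (the container's certificate is self-signed, so either trust its CA file from the log above or, for a lab only, set LDAPTLS_REQCERT=never). `-w` also exposes the password in the process list; `-y <file>` reads it from a file instead.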
1.1.4 Create the directory objects
Admin console: https://ip:9443/ (the certificate on 9443 is the self-signed one generated at container start, as the log above shows, so the browser will warn about it)
Create an OU (organizational unit)
Click the top-level dc entry in the left tree, then choose Create a child entry on the right
Create a default Posix group for users
Click the OU in the left tree, choose Create a child entry on the right, then select Generic: Posix Group
Enter the group name
Create a user
Click the OU in the left tree, choose Create a child entry on the right, then select Generic: User Account
Enter the user details
Final directory structure (screenshot)
1.1.5 Test a user login
- Login DN:
cn=dayo,ou=Beijing,dc=lotusching,dc=com
- Password:
dayodayo
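The same objects as the phpLDAPadmin clicks in 1.1.4, and the login test in 1.1.5, done from the command line with LDIF, ldapadd and ldapwhoami so the setup is repeatable. This is an added example, not part of the original article. It uses the names the article shows (ou=Beijing, user dayo with RDN cn=dayo under dc=lotusching,dc=com); the group name "users", the uid/gid numbers, the home directory and shell, and the environment variable names are assumptions, since the article shows none of them.

```shell
#!/bin/sh
# Scripted equivalent of the phpLDAPadmin templates "Generic: Posix Group" and
# "Generic: User Account" (added example, not from the original article).
# Assumed: group name "users", gidNumber 500, uidNumber 1000, /home/<uid>.

BASE_DN=${BASE_DN:-dc=lotusching,dc=com}
ADMIN_DN=${ADMIN_DN:-cn=admin,$BASE_DN}
OU=${OU:-Beijing}
SLAPPASSWD=${SLAPPASSWD:-slappasswd}   # ships with slapd; e.g. "docker exec openldap-container slappasswd"

# LDIF for an organizational unit.
ou_ldif() {   # name
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n' "$1" "$BASE_DN" "$1"
}

# LDIF for a posixGroup, the class the "Generic: Posix Group" template uses.
group_ldif() {   # name gidNumber
    printf 'dn: cn=%s,ou=%s,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
        "$1" "$OU" "$BASE_DN" "$1" "$2"
}

# LDIF for a user account as the "Generic: User Account" template builds it:
# inetOrgPerson + posixAccount with the RDN on cn (hence cn=dayo,ou=Beijing,...).
# The password must already be hashed so the directory never stores clear text.
user_ldif() {   # uid cn sn uidNumber gidNumber hashed_password
    printf 'dn: cn=%s,ou=%s,%s\n' "$2" "$OU" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: top\n'
    printf 'cn: %s\nsn: %s\nuid: %s\n' "$2" "$3" "$1"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$4" "$5"
    printf 'homeDirectory: /home/%s\nloginShell: /bin/bash\n' "$1"
    printf 'userPassword: %s\n' "$6"
}

# Guard against accidentally loading a clear-text password: accept only the
# "{SCHEME}..." form that slappasswd produces, and reject {CLEARTEXT} explicitly.
is_hashed() {
    case $1 in
        '{CLEARTEXT}'*) return 1 ;;
        '{'*'}'*)       return 0 ;;
        *)              return 1 ;;
    esac
}

# One LDIF document holding all three entries (entries are blank-line separated).
bootstrap_ldif() {   # hashed_password
    ou_ldif "$OU"; echo
    group_ldif users 500; echo
    user_ldif dayo dayo dayo 1000 500 "$1"
}

# Load the entries as the administrator, then bind as the new user to prove the
# login from 1.1.5 works. Only runs when LDAP_URI is set (assumed variable).
if [ -n "${LDAP_URI:-}" ]; then
    : "${ADMIN_PW:?set ADMIN_PW}" "${DAYO_PW:?set DAYO_PW}"
    hash=$($SLAPPASSWD -s "$DAYO_PW")        # {SSHA}... salted hash by default
    is_hashed "$hash" || { echo "refusing to store a clear-text password" >&2; exit 1; }
    bootstrap_ldif "$hash" | ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -w "$ADMIN_PW"
    ldapwhoami -x -H "$LDAP_URI" -D "cn=dayo,ou=$OU,$BASE_DN" -w "$DAYO_PW"
fi
```

With `LDAP_URI=ldap://localhost:389 ADMIN_PW=admin_passwd_4_ldap DAYO_PW=dayodayo` the last command prints the bound DN from 1.1.5, `dn:cn=dayo,ou=Beijing,dc=lotusching,dc=com`. Two points worth keeping in mind: the web UI will happily accept a clear-text userPassword and slapd will store it as given unless a password policy overlay hashes it, which is why the script hashes first; and the DN Jenkins will look up later is found through the uid attribute, not the cn RDN, so both must be present.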
1.2 Integrating Jenkins with OpenLDAP
1.2.1 Install the plugins
Install the LDAP Plugin and the LDAP Email Plugin
1.2.2 Configure the integration
Path: Manage Jenkins → Configure Global Security
Once the form is filled in, click Test LDAP settings to verify the connection. The Manager DN that Jenkins binds with only needs to search users and groups, so a dedicated read-only bind account is preferable to cn=admin, whose password Jenkins would otherwise have to store.
1.2.3 Test logging in
First, log in with the original administrator account
As expected, the login no longer works, clearly because the lotusching account in LDAP
Next, try dayo with the password dayodayo
OK, login succeeds!
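When Test LDAP settings or a login fails, it helps to reproduce outside Jenkins exactly what the LDAP plugin does: bind as the Manager DN, find the user's DN with the user search filter, bind as that user with the supplied password, then look up the user's groups with the membership filter. The filter templates below are the plugin's documented defaults (`uid={0}` and `(| (member={0}) (uniqueMember={0}) (memberUid={1}))`, with {0} the user DN and {1} the login name in the second); the server URI, root DN and manager credentials are assumptions. This is an added example, not code from the article or from the plugin.

```shell
#!/bin/sh
# Replay the Jenkins LDAP plugin's lookups with ldapsearch/ldapwhoami
# (added example, not from the article or the plugin). Assumed: the server
# URI, root DN and manager account below; the filters are the plugin defaults.

LDAP_URI=${LDAP_URI:-ldap://localhost:389}
ROOT_DN=${ROOT_DN:-dc=lotusching,dc=com}
MANAGER_DN=${MANAGER_DN:-cn=admin,$ROOT_DN}
USER_FILTER=${USER_FILTER:-'uid={0}'}
MEMBERSHIP_FILTER=${MEMBERSHIP_FILTER:-'(| (member={0}) (uniqueMember={0}) (memberUid={1}))'}

# Escape a value for use inside a search filter (RFC 4515): a login name such
# as "*)(uid=*" must not be able to widen the search. Backslash goes first.
escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every occurrence of a literal placeholder without sed, so the escaped
# value (which contains backslashes) is inserted verbatim.
subst() {   # string placeholder value
    s=$1 p=$2 v=$3 out=''
    while case $s in *"$p"*) true ;; *) false ;; esac; do
        out=$out${s%%"$p"*}$v
        s=${s#*"$p"}
    done
    printf '%s' "$out$s"
}

# Fill {0} and {1} the way the plugin does, with both values escaped.
render_filter() {   # template arg0 [arg1]
    t=$(subst "$1" '{0}' "$(escape_filter "$2")")
    subst "$t" '{1}' "$(escape_filter "${3:-}")"
}

# Step 1: as the manager, search the root DN for the user; print the DN.
# ldif-wrap=no keeps long DNs on one line so the sed picks them up whole.
find_user_dn() {   # username
    ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" -D "$MANAGER_DN" -w "$MANAGER_PW" \
        -b "$ROOT_DN" "$(render_filter "$USER_FILTER" "$1")" dn | sed -n 's/^dn: //p'
}

# Step 2: bind as that DN with the password being tested.
check_user_password() {   # userdn password
    ldapwhoami -x -H "$LDAP_URI" -D "$1" -w "$2" >/dev/null
}

# Step 3: the groups whose members include the user; these become the group
# names Jenkins can authorize on.
user_groups() {   # userdn username
    ldapsearch -LLL -o ldif-wrap=no -x -H "$LDAP_URI" -D "$MANAGER_DN" -w "$MANAGER_PW" \
        -b "$ROOT_DN" "$(render_filter "$MEMBERSHIP_FILTER" "$1" "$2")" cn | sed -n 's/^cn: //p'
}

# Runs only when MANAGER_PW is set (assumed variable), so the pure functions
# above can be exercised offline.
if [ -n "${MANAGER_PW:-}" ]; then
    user=${1:?usage: $0 username password}; pass=$2
    dn=$(find_user_dn "$user")
    [ -n "$dn" ] || { echo "user $user not found under $ROOT_DN with $USER_FILTER" >&2; exit 1; }
    echo "user DN: $dn"
    check_user_password "$dn" "$pass" && echo "password OK" || echo "password rejected"
    echo "groups:"; user_groups "$dn" "$user"
fi
```

Two things this makes visible that the Jenkins form does not. First, the user created in 1.1.4 has RDN cn=dayo but is found through uid=dayo, so a template that omitted uid would make the lookup fail even though the DN looks right. Second, membership of a posixGroup is only seen through memberUid=<login>, which is why the default filter carries the {1} branch: a user's primary gidNumber is not consulted, so the group must list `memberUid: dayo` explicitly before Jenkins reports it.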
1.2.4 Configure permissions
Since we are going to configure permissions, let's create another LDAP user for comparison; we may as well call it lotusching again
Click Create Object
Confirm with Commit
Log in to Jenkins with the lotusching user just created in LDAP
Login succeeds
OK, now let's configure the users' permissions:
- lotusching: super administrator with all permissions
- dayo: ordinary user who can only view jobs
First, switch the authorization strategy to Role-Based Strategy (provided by the Role-based Authorization Strategy plugin)
Go to Manage and Assign Roles → Manage Roles, confirm the permissions of the admin role and configure the permissions for the ordinary-user role
Save and exit
Go to Assign Roles and bind the users to their roles
Apply, then save and exit
1.2.5 Test the permissions
Log in again, first as the read-only user dayo
OK, as expected: dayo can only read and build the pipeline job
Log out and log in as the administrator user lotusching
OK, all done
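The screenshot checks above can be turned into a repeatable probe: request URLs whose required permission is known, as each user, and compare the HTTP status codes. /api/json and a job's /api/json only need Overall/Read and Job/Read, /manage/ needs Overall/Administer (or Overall/Manage on newer cores), and a wrong password gets 401 from Jenkins' basic auth. This is an added example, not part of the article; the Jenkins URL, the job name and the API tokens (preferable to passwords for curl, and passed via environment variables here) are assumptions.

```shell
#!/bin/sh
# Probe the role assignments from 1.2.4 over HTTP (added example, not from the
# article). Assumed: JENKINS_URL, the job name, and that the users authenticate
# with API tokens or passwords via basic auth.

JENKINS_URL=${JENKINS_URL:-http://localhost:8080}
JOB=${JOB:-demo-pipeline}   # assumed job name

# HTTP status only, for a GET as the given user.
http_status() {   # user secret path
    curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" "$JENKINS_URL$3"
}

# Compare observed and expected status. The probe function is overridable
# through STATUS_FN so the check logic can be exercised without a server.
check_access() {   # user secret path expected
    got=$("${STATUS_FN:-http_status}" "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        printf 'PASS %-10s %-28s %s\n' "$1" "$3" "$got"
        return 0
    fi
    printf 'FAIL %-10s %-28s got %s, want %s\n' "$1" "$3" "$got" "$4"
    return 1
}

# Expectation table derived from the roles the article sets up:
# lotusching administers everything, dayo may only read (and build) jobs.
run_permission_checks() {   # admin_secret readonly_secret
    rc=0
    check_access lotusching "$1" /api/json 200            || rc=1
    check_access lotusching "$1" /manage/ 200             || rc=1
    check_access dayo "$2" /api/json 200                  || rc=1
    check_access dayo "$2" "/job/$JOB/api/json" 200       || rc=1
    check_access dayo "$2" /manage/ 403                   || rc=1
    check_access dayo "wrong-password" /api/json 401      || rc=1
    return $rc
}

# Runs only when both secrets are provided (assumed variable names).
if [ -n "${ADMIN_SECRET:-}" ] && [ -n "${READONLY_SECRET:-}" ]; then
    run_permission_checks "$ADMIN_SECRET" "$READONLY_SECRET"
fi
```

Re-running this after the restart in the next step is a cheaper confirmation than logging in twice by hand; a FAIL on the /manage/ line for dayo is the one that matters, since it would mean the ordinary-user role picked up Overall/Administer.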
To confirm further, restart the Jenkins service and check that the configuration still takes effect
$ systemctl restart jenkins
Watch the startup log
$ tail -f /var/log/jenkins/jenkins.log
g legacy Workspace Root Directory ‘${ITEM_ROOTDIR}/workspace’; switch to ‘${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}’ as in JENKINS-8446 / JENKINS-21942
2021-11-13 05:05:54.406+0000 [id=22] INFO hudson.WebAppMain$3#run: Jenkins is fully up and running
2021-11-13 05:06:01.459+0000 [id=77] INFO h.TcpSlaveAgentListener$ConnectionHandler#run: Connection #1 failed: java.io.EOFException
2021-11-13 05:06:01.459+0000 [id=78] INFO h.TcpSlaveAgentListener$ConnectionHandler#run: Accepted JNLP4-connect connection #2 from /47.115.121.119:37220
2021-11-13 05:06:04.832+0000 [id=16] INFO o.j.p.p.m.GlobalPipelineMavenConfig#getDao: Connect to database jdbc:h2:file:/var/lib/jenkins/jenkins-jobs/jenkins-jobs;AUTO_SERVER=TRUE;MULTI_THREADED=1;QUERY_CACHE_SIZE=25;JMX=TRUE with username sa and properties {}
2021-11-13 05:06:04.841+0000 [id=16] INFO c.zaxxer.hikari.HikariDataSource#<init>: HikariPool-1 - Starting...
2021-11-13 05:06:08.458+0000 [id=16] INFO c.zaxxer.hikari.HikariDataSource#<init>: HikariPool-1 - Start completed.
Trying the user logins and permission checks again, everything still works; no more screenshots.