About us
https://yuemake.xyz
WeChat official account: 悦码客
WeChat: ymkcode
Video tutorial: https://www.bilibili.com/video/BV1bG411M7we?vd_source=2d319a7a197bc133da44d00cd53e970c
Focus areas:
Automated workflow services
IT consulting
Online IT training
Introduction
https://www.openldap.org/doc/admin25/intro.html
1.3. When should I use LDAP?
This is a very good question. In general, you should use a Directory server when you require data to be centrally managed, stored and accessible via standards based methods.
Some common examples found throughout the industry are, but not limited to:
Machine Authentication
User Authentication
User/System Groups
Address book
Organization Representation
Asset Tracking
Telephony Information Store
User resource management
E-mail address lookups
Application Configuration store
PBX Configuration store
etc…
Reference
k8s\yamls\openldap\readme.md
Image preparation
host_ip=192.168.31.21
export http_proxy="http://${host_ip}:7890"
export https_proxy="http://${host_ip}:7890"
export no_proxy="localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local,my-cluster-endpoint.com"
# yeah, ctr can pull images with the env variable http_proxy, but crictl cannot~
ctr -n k8s.io images pull docker.io/osixia/openldap:1.5.0
ctr -n k8s.io images pull docker.io/osixia/phpldapadmin:0.9.0
Deploying the services
cd /git_proj/blogs/k8s/yamls/openldap
kubectl apply -f ldap-deployment.yaml
# namespace/openldap created
# service/ldap-service created
kubectl apply -f phpldapadmin-rc.yaml
kubectl -n openldap get pod
# NAME READY STATUS RESTARTS AGE
# ldap-69d574ccfd-7mhpp 1/1 Running 0 30m
# phpldapadmin-controller-d8lkh 1/1 Running 0 49s
kubectl -n openldap get svc
# NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
# ldap-service NodePort 10.100.163.131 <none> 389:32743/TCP 30m
# phpldapadmin-service NodePort 10.106.14.220 <none> 443:30472/TCP 46s
# Note: phpldapadmin-rc.yaml below names its Service `phpldapadmin`, and ingress-resource.yaml points its backend at `phpldapadmin`; whichever name you use, the Service name and the ingress backend name must agree.
# Note: both NodePorts are reachable on every node's IP. With LDAP_TLS_ENFORCE=false (see ldap-deployment.yaml), port 32743 accepts simple binds in cleartext.
https://192.168.31.111:30472
# login DN: cn=admin,dc=example,dc=org
# password: admin (LDAP_ADMIN_PASSWORD from ldap-deployment.yaml)
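A way to check the deployment from outside the cluster without installing ldap-utils, added here as an example and not part of the original post: a stdlib-only LDAPv3 client that encodes just enough BER to send a StartTLS request followed by a simple bind, and decodes the server's result. The node IP 192.168.31.111, NodePort 32743 and the admin DN/password are the post's values; the `--plain` switch is this script's own and exists to show the cleartext bind that the server accepts while LDAP_TLS_ENFORCE is "false". The `cafile` argument is assumed to point at the CA certificate the osixia image keeps under the /data/ldap/certs mount.

```python
"""Added example: minimal LDAPv3 simple bind (with optional StartTLS) in pure stdlib."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation


# --- BER encoding (RFC 4511 restricts LDAP to a small BER subset) -----------
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def integer(n: int) -> bytes:
    # non-negative values only (message IDs, protocol version); keeps the sign bit clear
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple password } }.
    Tag 0x60 is [APPLICATION 0]; 0x80 is the context-specific 'simple' choice."""
    op = integer(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, integer(msg_id) + tlv(0x60, op))


def starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest{ requestName = StartTLS OID }; 0x77 is [APPLICATION 23]."""
    return tlv(0x30, integer(msg_id) + tlv(0x77, tlv(0x80, STARTTLS_OID)))


# --- BER decoding -----------------------------------------------------------
def _read_tlv(buf: bytes, pos: int = 0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def parse_result(pdu: bytes) -> dict:
    """Decode an LDAPResult-shaped reply (BindResponse 0x61 or ExtendedResponse 0x78)."""
    tag, msg, _ = _read_tlv(pdu)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, pos)
    _, code, pos = _read_tlv(op)            # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)    # matchedDN
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    return {"msg_id": int.from_bytes(mid, "big"), "op": op_tag,
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data


def _recv_message(sock) -> bytes:
    """Read exactly one BER TLV: tag, length (short or long form), body."""
    head = _recv_exact(sock, 2)
    ln = head[1]
    if ln & 0x80:
        extra = _recv_exact(sock, ln & 0x7F)
        head += extra
        ln = int.from_bytes(extra, "big")
    return head + _recv_exact(sock, ln)


def ldap_bind(host, port, dn, password, starttls=True, cafile=None) -> dict:
    """Simple bind. With starttls=True the password only crosses the wire after
    TLS is up. cafile is the server's CA certificate; leaving it None uses the
    system trust store, which will (correctly) reject a self-signed server cert."""
    raw = socket.create_connection((host, port), timeout=5)
    sock = raw
    try:
        if starttls:
            sock.sendall(starttls_request(1))
            res = parse_result(_recv_message(sock))
            if res["result_code"] != 0:
                raise RuntimeError(f"StartTLS refused: {res}")
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(raw, server_hostname=host)
        sock.sendall(bind_request(2, dn, password))
        return parse_result(_recv_message(sock))
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    # Post's values: node 192.168.31.111, NodePort 32743, admin DN and password.
    # "--plain" (this script's own switch) skips StartTLS: the bind then carries
    # "admin" in cleartext, which the server accepts while LDAP_TLS_ENFORCE=false.
    print(ldap_bind("192.168.31.111", 32743, "cn=admin,dc=example,dc=org", "admin",
                    starttls="--plain" not in sys.argv, cafile=None))
```

Run it once with `--plain` while capturing on the node (`tcpdump -A port 32743`) and the password is visible in the BindRequest; run it without the switch and only the ExtendedRequest is readable. A resultCode of 49 is invalidCredentials; 0 is success.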
Exposing it through an ingress
# self-signed certificate (one issued by a public CA avoids the browser trust warning)
mkdir -p /data/crt
cd /data/crt
HOST='ldap.dev.inner.ymk.com'
CERT_NAME='ldap-cert'
KEY_FILE='ldap.key'
CERT_FILE='ldap.crt'
# -addext needs OpenSSL 1.1.1 or later; browsers match on the SAN, the CN alone is not enough
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}" -addext "subjectAltName = DNS:${HOST}"
kubectl -n openldap create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}
cd /git_proj/blogs/k8s/yamls/openldap
kubectl apply -f ingress-resource.yaml
kubectl -n openldap get ingress
# NAME CLASS HOSTS ADDRESS PORTS AGE
# openldap-ingress nginx * 80 4s
# (this listing shows HOSTS * and PORTS 80; the final ingress-resource.yaml below is host-scoped and has a tls block, so re-check after applying that version)
# details
kubectl describe -n openldap ingress openldap-ingress
# access
https://ldap.dev.inner.ymk.com
rewrite error
Going through the ingress, Apache inside the phpLDAPadmin container answers:
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Cause: ingress-nginx terminates TLS with the ldap-cert secret and then proxies plain HTTP to the backend's port 443, where Apache (PHPLDAPADMIN_HTTPS=true) expects TLS.
Solution
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough
Change the ingress-controller startup arguments:
- k8s\deploy\config\ingress\deploy.yaml:444
- add --enable-ssl-passthrough to the controller's args
Then add the annotation nginx.ingress.kubernetes.io/ssl-passthrough: "true" to the Ingress resource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: openldap
  name: openldap-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
Two things to check once passthrough is on. First, the controller now forwards the TLS stream untouched (layer 4) to the pod, so the `tls:` block and the ldap-cert secret in the Ingress are not used; the certificate browsers see is whatever Apache serves from the phpldapadmin pod's /data/phpldapadmin/ssl/ mount (the image looks there for the files named by PHPLDAPADMIN_HTTPS_CRT_FILENAME / PHPLDAPADMIN_HTTPS_KEY_FILENAME and generates a self-signed pair if none exist), which is where ldap.crt and ldap.key have to go if the certificate created above is meant to be the one presented. Second, the alternative that keeps TLS termination at the ingress, and therefore does use ldap-cert, is the annotation nginx.ingress.kubernetes.io/backend-protocol: "HTTPS": nginx then re-encrypts to the backend's port 443 instead of sending plain HTTP, and no controller flag is needed.
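The certificate step and the passthrough change above each deserve a check: that the self-signed certificate really is valid for the host (SAN match, trust, expiry), and which certificate an endpoint actually presents once passthrough is on. The script below is an added example written for this page, not the post's own commands. It regenerates the certificate with the post's exact openssl invocation and then verifies it the way a TLS client would; WORKDIR replaces the post's /data/crt and is an assumption, HOST is the post's hostname, and the network check only runs when CHECK_HOST is set.

```shell
#!/bin/sh
# Added example (not from the original post): create the self-signed cert as the
# post does, verify it as a client would, optionally inspect what a live endpoint serves.
set -eu

HOST='ldap.dev.inner.ymk.com'          # hostname from the post
WORKDIR="${WORKDIR:-$(mktemp -d)}"     # assumption: scratch dir instead of /data/crt

# Same command as in the post; -addext needs OpenSSL >= 1.1.1.
make_selfsigned_cert() { # $1 host, $2 key file, $3 cert file
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout "$2" -out "$3" \
    -subj "/CN=$1/O=$1" -addext "subjectAltName = DNS:$1" 2>/dev/null
}

# 0 if the cert chains to a trusted anchor (here: itself) AND its SAN matches $2.
# This is the check a browser or a verifying LDAP client performs.
verify_cert_for_host() { # $1 cert file, $2 hostname
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# 0 if the cert is still valid $2 seconds from now (a cheap renewal alarm).
cert_not_expiring_within() { # $1 cert file, $2 seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the SAN entry, e.g. "DNS:ldap.dev.inner.ymk.com".
cert_san() { # $1 cert file
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Subject and issuer of the certificate a live endpoint serves for the given SNI name.
# With ssl-passthrough this is the phpldapadmin pod's certificate, not the ldap-cert secret.
served_cert() { # $1 host, $2 port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

main() {
  cd "$WORKDIR"
  make_selfsigned_cert "$HOST" ldap.key ldap.crt
  echo "SAN: $(cert_san ldap.crt)"
  verify_cert_for_host ldap.crt "$HOST" && echo "ok: valid for $HOST"
  verify_cert_for_host ldap.crt wrong.example || echo "ok: rejected for wrong.example"
  cert_not_expiring_within ldap.crt 2592000 && echo "ok: not expiring within 30 days"
  # Network check only when asked for, e.g. CHECK_HOST=ldap.dev.inner.ymk.com ./check.sh
  [ -z "${CHECK_HOST:-}" ] || served_cert "$CHECK_HOST" 443
}
main
```

If `served_cert` prints an issuer that is not CN=ldap.dev.inner.ymk.com after passthrough is enabled, the ingress is handing the connection to the pod and the pod is serving its own (generated) certificate; copy ldap.crt and ldap.key into the phpldapadmin certs mount or switch to the backend-protocol annotation instead.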
ldap-deployment.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openldap
  labels:
    name: openldap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: openldap
  name: ldap
  labels:
    app: ldap
spec:
  selector:
    matchLabels:
      app: ldap
  replicas: 1                  # mdb on a hostPath is single-writer; keep this at 1
  template:
    metadata:
      labels:
        app: ldap
    spec:
      containers:
        - name: ldap
          image: osixia/openldap:1.5.0
          volumeMounts:
            - name: ldap-data
              mountPath: /var/lib/ldap
            - name: ldap-config
              mountPath: /etc/ldap/slapd.d
            - name: ldap-certs
              mountPath: /container/service/slapd/assets/certs
          ports:
            - containerPort: 389
              name: openldap
          env:
            - name: LDAP_LOG_LEVEL
              value: "256"
            - name: LDAP_ORGANISATION
              value: "Example Inc."
            - name: LDAP_DOMAIN
              value: "example.org"
            - name: LDAP_ADMIN_PASSWORD    # lab value; a literal here ends up in git and in `kubectl get deploy -o yaml`
              value: "admin"
            - name: LDAP_CONFIG_PASSWORD   # same; this one unlocks cn=config
              value: "config"
            - name: LDAP_BACKEND
              value: "mdb"
            - name: LDAP_TLS
              value: "true"
            - name: LDAP_TLS_ENFORCE       # "false" lets clients bind in cleartext on 389
              value: "false"
      volumes:
        - name: ldap-data                  # hostPath: data lives on whichever node schedules the pod
          hostPath:
            path: "/data/ldap/db"
        - name: ldap-config
          hostPath:
            path: "/data/ldap/config"
        - name: ldap-certs
          hostPath:
            path: "/data/ldap/certs"
---
apiVersion: v1
kind: Service
metadata:
  namespace: openldap
  labels:
    app: ldap
  name: ldap-service
spec:
  type: NodePort                 # publishes 389 on every node's IP
  ports:
    - port: 389
  selector:
    app: ldap
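The manifest above works, but three of its settings should not survive beyond a lab: the admin and config passwords are literals in the Deployment, LDAP_TLS_ENFORCE is "false" so clients may bind in cleartext, and the Service is a NodePort that publishes 389 on every node. The following is an added example written for this page, not the post's own manifest: the same Deployment with those three settings tightened (passwords from a Secret, TLS enforced, LDAPS on 636 also exposed, ClusterIP instead of NodePort). The Secret name ldap-admin-secret and its placeholder values are assumptions; the hostPath volumes are kept as in the post.

```yaml
# Added example: hardened variant of the post's ldap-deployment.yaml.
apiVersion: v1
kind: Secret
metadata:
  namespace: openldap
  name: ldap-admin-secret            # assumed name
type: Opaque
stringData:
  admin-password: "change-me-admin"    # placeholder; generate a real value
  config-password: "change-me-config"  # placeholder
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: openldap
  name: ldap
  labels:
    app: ldap
spec:
  selector:
    matchLabels:
      app: ldap
  replicas: 1
  template:
    metadata:
      labels:
        app: ldap
    spec:
      containers:
        - name: ldap
          image: osixia/openldap:1.5.0
          volumeMounts:
            - name: ldap-data
              mountPath: /var/lib/ldap
            - name: ldap-config
              mountPath: /etc/ldap/slapd.d
            - name: ldap-certs
              mountPath: /container/service/slapd/assets/certs
          ports:
            - containerPort: 389
              name: ldap
            - containerPort: 636           # LDAPS, served by the image when LDAP_TLS=true
              name: ldaps
          env:
            - name: LDAP_LOG_LEVEL
              value: "256"
            - name: LDAP_ORGANISATION
              value: "Example Inc."
            - name: LDAP_DOMAIN
              value: "example.org"
            - name: LDAP_ADMIN_PASSWORD    # was the literal "admin" in the post
              valueFrom:
                secretKeyRef:
                  name: ldap-admin-secret
                  key: admin-password
            - name: LDAP_CONFIG_PASSWORD   # was the literal "config"
              valueFrom:
                secretKeyRef:
                  name: ldap-admin-secret
                  key: config-password
            - name: LDAP_BACKEND
              value: "mdb"
            - name: LDAP_TLS
              value: "true"
            - name: LDAP_TLS_ENFORCE       # was "false": cleartext binds on 389 were accepted
              value: "true"
      volumes:
        - name: ldap-data
          hostPath:
            path: "/data/ldap/db"
        - name: ldap-config
          hostPath:
            path: "/data/ldap/config"
        - name: ldap-certs
          hostPath:
            path: "/data/ldap/certs"
---
apiVersion: v1
kind: Service
metadata:
  namespace: openldap
  labels:
    app: ldap
  name: ldap-service
spec:
  type: ClusterIP                  # only phpldapadmin (in-cluster) needs to reach it
  ports:
    - name: ldap
      port: 389
    - name: ldaps
      port: 636
  selector:
    app: ldap
```

With LDAP_TLS_ENFORCE set to "true", phpLDAPadmin still connects because PHPLDAPADMIN_LDAP_CLIENT_TLS in phpldapadmin-rc.yaml makes it use StartTLS; for ad-hoc checks from a workstation use `kubectl -n openldap port-forward svc/ldap-service 636:636` rather than a NodePort.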
phpldapadmin-rc.yaml
apiVersion: v1
kind: Namespace                   # already created by ldap-deployment.yaml; re-applying is harmless
metadata:
  name: openldap
  labels:
    name: openldap
---
apiVersion: v1
kind: ReplicationController       # legacy controller; a Deployment (as used for ldap above) is the current equivalent
metadata:
  namespace: openldap
  name: phpldapadmin-controller
  labels:
    app: phpldapadmin
spec:
  replicas: 1
  selector:
    app: phpldapadmin
  template:
    metadata:
      labels:
        app: phpldapadmin
    spec:
      containers:
        - name: phpldapadmin
          image: osixia/phpldapadmin:0.9.0
          volumeMounts:
            - name: phpldapadmin-certs      # Apache's own TLS cert/key; this is what clients see with ssl-passthrough
              mountPath: /container/service/phpldapadmin/assets/apache2/certs
            - name: ldap-client-certs       # CA used to verify ldap-service when PHPLDAPADMIN_LDAP_CLIENT_TLS=true
              mountPath: /container/service/ldap-client/assets/certs
          ports:
            - containerPort: 443
          env:
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: "ldap-service"         # in-namespace Service name from ldap-deployment.yaml
            - name: PHPLDAPADMIN_SERVER_ADMIN
              value: "webmaster@example.org"
            - name: PHPLDAPADMIN_SERVER_PATH
              value: "/phpldapadmin"
            - name: PHPLDAPADMIN_HTTPS
              value: "true"
            - name: PHPLDAPADMIN_LDAP_CLIENT_TLS   # StartTLS to 389; the LDAP server's CA cert has to be in ldap-client-certs for verification to pass (see the image's PHPLDAPADMIN_LDAP_CLIENT_TLS_* variables)
              value: "true"
      volumes:
        - name: phpldapadmin-certs
          hostPath:
            path: "/data/phpldapadmin/ssl/"
        - name: ldap-client-certs
          hostPath:
            path: "/data/phpldapadmin/ldap-client-certs/"
---
apiVersion: v1
kind: Service
metadata:
  namespace: openldap
  labels:
    app: phpldapadmin
  name: phpldapadmin              # must match the backend service name in ingress-resource.yaml
spec:
  type: NodePort
  ports:
    - port: 443
  selector:
    app: phpldapadmin
ingress-resource.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: openldap
  name: openldap-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"   # requires --enable-ssl-passthrough on the controller
spec:
  ingressClassName: nginx
  tls:                            # not used while ssl-passthrough is on; TLS is handled by the pod
    - hosts:
        - ldap.dev.inner.ymk.com
      secretName: ldap-cert
  rules:
    - host: ldap.dev.inner.ymk.com   # with passthrough this host is matched via SNI
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: phpldapadmin     # Service name from phpldapadmin-rc.yaml
                port:
                  number: 443