# Connecting Rancher, Harbor and MinIO to AD

## Installing Windows AD 2019 and creating users

For the AD installation itself, see [this article](https://medium.com/@brianmwambia3/installing-active-directory-services-on-windows-server-2019-and-promoting-the-server-into-a-domain-ca9e81f9c172).

1. In AD, create the `rancher` organizational unit (OU).
2. In AD, create the `antony` and `rbean` users (as users, not contacts!).
3. In AD, create the `admin` group.
4. Add the `antony` and `rbean` users to the `admin` group.

![image](https://hackmd.io/_uploads/HJ8celvB0.png)

* Check the AD user `andy` from the command line
  * The machine's nameserver must first point to the AD server

```
# Install the package
$ sudo zypper install 389-ds
$ ldapsearch -x -D "example\andy" -w '!QAZ2wsx#EDC!!' -p 389 -h example.com -b "dc=example,dc=com" -s sub "sAMAccountName=andy"
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: sAMAccountName=andy
# requesting: ALL
#

# andy, test, example.com
dn: CN=andy,OU=test,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: andy
givenName: andy
distinguishedName: CN=andy,OU=test,DC=example,DC=com
instanceType: 4
whenCreated: 20240522070159.0Z
whenChanged: 20240605055321.0Z
displayName: andy
uSNCreated: 16592
memberOf: CN=rancher3,OU=hi,DC=example,DC=com
memberOf: CN=rancherldap,OU=test,DC=example,DC=com
memberOf: CN=Administrators,CN=Builtin,DC=example,DC=com
uSNChanged: 18893
name: andy
objectGUID:: MKwAXmwpH0upLaETMZlcTA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133620376658624041
lastLogoff: 0
lastLogon: 133620376824855664
pwdLastSet: 133608349193391855
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAa5ks4NT2++CzIzlKVgQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 8
sAMAccountName: andy
sAMAccountType: 805306368
userPrincipalName: andy@example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 20240605055321.0Z
dSCorePropagationData: 20240522070159.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133617006865074152

# search reference
ref: ldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

# search reference
ref: ldap://DomainDnsZones.example.com/DC=DomainDnsZones,DC=example,DC=com

# search reference
ref: ldap://example.com/CN=Configuration,DC=example,DC=com

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
```

* Check the AD group `rancherldap` from the command line

```
$ ldapsearch -x -D "example\andy" -w '!QAZ2wsx#EDC!!' -p 389 -h example.com -b "ou=test,dc=example,dc=com" -s sub "CN=rancherldap"
# extended LDIF
#
# LDAPv3
# base <ou=test,dc=example,dc=com> with scope subtree
# filter: CN=rancherldap
# requesting: ALL
#

# rancherldap, test, example.com
dn: CN=rancherldap,OU=test,DC=example,DC=com
objectClass: top
objectClass: group
cn: rancherldap
member: CN=tony,OU=test,DC=example,DC=com
member: CN=hihi,OU=hi,DC=example,DC=com
member: CN=suma,OU=test,DC=example,DC=com
member: CN=test,CN=Users,DC=example,DC=com
member: CN=andy,OU=test,DC=example,DC=com
member: CN=rbean,OU=test,DC=example,DC=com
distinguishedName: CN=rancherldap,OU=test,DC=example,DC=com
instanceType: 4
whenCreated: 20240605050534.0Z
whenChanged: 20240605065025.0Z
uSNCreated: 18842
uSNChanged: 18946
name: rancherldap
objectGUID:: a6eSnj3d+EK1Ja+mAZVmAw==
objectSid:: AQUAAAAAAAUVAAAAa5ks4NT2++CzIzlKXgQAAA==
sAMAccountName: rancherldap
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

### Extra settings for Windows AD 2025

Windows Server 2025 enables LDAP signing by default, so to keep using plain LDAP on port 389 the following settings must be changed (this relaxes the domain controller's LDAP signing requirements for every client; LDAPS on port 636 would keep them):

1. Log in to Windows Server 2025 as `administrator`.
2. Search for "Group Policy Management" and run it as administrator.

   ![image](https://hackmd.io/_uploads/SJ1ZQkZNWg.png)

3. Click "Forest" -> "Domains" -> "Domain Controllers" -> "Default Domain Controllers Policy" -> "Settings", then right-click "Computer Configuration" and choose "Edit".

   ![image](https://hackmd.io/_uploads/B1pqX1-Nbl.png)

4. Click "Computer Configuration" -> "Policies" -> "Windows Settings" -> "Security Settings" -> "Local Policies" -> "Security Options" and adjust the following settings:
   - Domain controller: LDAP server channel binding token requirements: "When Supported"
   - Domain controller: LDAP server signing requirements: "None"
   - Domain controller: LDAP server Enforce signing requirements: "Disabled"
   - Network security: LDAP client encryption requirements: "Negotiate Sealing"
   - Network security: LDAP client signing requirements: "Negotiate Signing"

   ![image](https://hackmd.io/_uploads/BkG6Eyb4bg.png)

## Rancher configuration

### Example 1: adding a single user

* Notes
  > 1. A separate OU must be created in AD, because Rancher cannot use the `Users` container directly.
  > 2. A group only works within a single OU; the users in the group cannot come from another OU.
  > Rancher's AD authentication does not support searching for users across multiple OUs: the configuration has a single User Search Base DN, and users outside that OU cannot be found.
* Main Menu -> Users & Authentication -> Auth Provider -> ActiveDirectory
  > Hostname/IP: 192.168.11.81
  > Port: 389
  > Distinguished Name: andy
  > Service Account Password: 一大兩小三大兩驚嘆
  > User Search Base: OU=test,DC=example,DC=com
  > Username: andy
  > Password: 一大兩小三大兩驚嘆
* The `andy` account added here becomes the top-level admin user.

![image](https://hackmd.io/_uploads/SJc0hGi7C.png)

![image](https://hackmd.io/_uploads/BJVeTfsm0.png)

![image](https://hackmd.io/_uploads/HkuZTzo7R.png)

### Example 2: adding a group and granting it the matching permissions

1. Click `Users & Authentication` > `Auth Provider` > `Edit Config`.

   ![image](https://hackmd.io/_uploads/SkNoakvSC.png)

2. In the `Group Search Base` field enter `CN=admin,OU=rancher,DC=antony520,DC=com`.
   > `CN` is the name of the group.

   ![image](https://hackmd.io/_uploads/BJGZRkwS0.png)

3. Fill in `Service Account Password` and the `Username` and `Password` under the **Test and Enable Authentication** section with the matching values, then, once the test passes, click `Save` in the bottom right.

   ![image](https://hackmd.io/_uploads/BJy6CyDSC.png)

   ![image](https://hackmd.io/_uploads/H1geJlwSR.png)

## Harbor configuration

* Administrator -> Configuration -> Authentication
  > LDAP URL: ldap://192.168.11.81:389
  > LDAP Search DN: CN=andy,OU=test,DC=example,DC=com
  > LDAP Search Password: 一大兩小三大兩驚嘆
  > LDAP Base DN: DC=example,DC=com
  > LDAP UID: sAMAccountName
* Before switching to AD/LDAP authentication, every account except `admin` must be deleted first.

![image](https://hackmd.io/_uploads/SkT4aGo7C.png)

## MinIO configuration

* Install the mc CLI

```
$ sudo curl https://dl.min.io/client/mc/release/linux-amd64/mc --create-dirs -o /usr/local/bin/mc
$ sudo chmod +x /usr/local/bin/mc
```

* Make the OS trust the certificate

```
$ sudo cp ssl/cacerts.pem /usr/share/pki/trust/anchors/
$ sudo cp ssl/cacerts.pem /etc/pki/trust/anchors/
$ sudo update-ca-certificates --fresh
```

* Connect the mc client to MinIO

```
$ mc alias set minio https://minio.example.com:9000 admin admin123
```

* Add the LDAP identity provider, pointing at AD

```
$ mc idp ldap add minio \
    server_addr="192.168.11.81:389" \
    lookup_bind_dn="CN=andy,OU=test,DC=example,DC=com" \
    lookup_bind_password='!QAZ2wsx#EDC!!' \
    user_dn_search_base_dn="DC=example,DC=com" \
    user_dn_search_filter="(sAMAccountName=%s)" \
    group_search_filter="(&(objectClass=group)(member=%d))" \
    group_search_base_dn="CN=Domain Users,CN=Users,DC=example,DC=com" \
    tls_skip_verify="true" \
    server_insecure="true" \
    server_starttls="off" \
    comment="Test LDAP server"
```

* Restart MinIO after configuring

```
$ mc admin service restart minio
```

* Check the MinIO LDAP settings

```
$ mc idp ldap info minio
╭───────────────────────────────────────────────────────────────────╮
│               comment: Test LDAP server                           │
│                enable: on                                         │
│  group_search_base_dn: CN=Domain Users,CN=Users,DC=example,DC=com │
│   group_search_filter: (&(objectClass=group)(member=%d))          │
│        lookup_bind_dn: CN=andy,OU=test,DC=example,DC=com          │
│           server_addr: 192.168.11.81:389                          │
│       server_insecure: true                                       │
│       tls_skip_verify: true                                       │
│user_dn_search_base_dn: DC=example,DC=com                          │
│ user_dn_search_filter: (sAMAccountName=%s)                        │
╰───────────────────────────────────────────────────────────────────╯
```

* Check the MinIO policies; each AD user must be assigned a policy in MinIO

```
$ mc admin policy list minio
writeonly
consoleAdmin
diagnostics
readonly
readwrite

# The consoleAdmin policy is the highest privilege level in all of MinIO
$ mc admin policy info minio consoleAdmin
{
  "PolicyName": "consoleAdmin",
  "Policy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "admin:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "kms:*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:*"
        ],
        "Resource": [
          "arn:aws:s3:::*"
        ]
      }
    ]
  }
}
```

* Here the AD user `andy` is given the consoleAdmin policy

```
$ mc idp ldap policy attach minio consoleAdmin --user='CN=andy,OU=test,DC=example,DC=com'
Attached Policies: [consoleAdmin]
To User: CN=andy,OU=test,DC=example,DC=com
```

* Remove andy's consoleAdmin policy

```
$ mc idp ldap policy detach minio consoleAdmin --user='CN=andy,OU=test,DC=example,DC=com'
Detached Policies: [consoleAdmin]
From User: CN=andy,OU=test,DC=example,DC=com
```

* Remove the LDAP configuration

```
$ mc idp ldap disable minio
$ mc idp ldap rm minio
```

## References

* https://github.com/minio/minio/blob/master/docs/sts/ldap.md
* https://ranchermanager.docs.rancher.com/zh/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-active-directory#%E9%99%84%E5%BD%95%E4%BD%BF%E7%94%A8-ldapsearch-%E7%A1%AE%E5%AE%9A%E6%90%9C%E7%B4%A2%E5%BA%93%E5%92%8C-schema
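As an added example (not code from the original page, Rancher or MinIO), the following Python script shows the User Search Base limitation noted in the Rancher section: it takes the `member` DNs of the `rancherldap` group from the ldapsearch output above (embedded as a constructed sample), and reports which members sit under `OU=test,DC=example,DC=com` and which Rancher would never find with that search base.

```python
"""Which members of an AD group fall inside a configured User Search Base?
Added example (not from the original page): Rancher only resolves users under
its search base (subtree scope), so members in another OU are silently left
out. GROUP_LDIF is constructed from the rancherldap group shown on the page."""
from typing import List, Tuple

GROUP_LDIF = """\
dn: CN=rancherldap,OU=test,DC=example,DC=com
member: CN=tony,OU=test,DC=example,DC=com
member: CN=hihi,OU=hi,DC=example,DC=com
member: CN=suma,OU=test,DC=example,DC=com
member: CN=test,CN=Users,DC=example,DC=com
member: CN=andy,OU=test,DC=example,DC=com
member: CN=rbean,OU=test,DC=example,DC=com
"""

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, leaf first. A backslash escapes
    the next character (RFC 4514), so "CN=Doe\\, John" stays one RDN. Types and
    values are lower-cased because AD matches DNs case-insensitively."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":             # an unescaped comma ends the current RDN
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().lower(), value.strip().lower()))
    return pairs

def in_subtree(dn: str, base: str) -> bool:
    """True when dn is the base itself or lies anywhere below it (scope sub)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def members_by_scope(ldif: str, base: str) -> Tuple[List[str], List[str]]:
    """Split the group's member DNs into (found, missed) for a search base."""
    members = [line[len("member: "):] for line in ldif.splitlines() if line.startswith("member: ")]
    found = [m for m in members if in_subtree(m, base)]
    return found, [m for m in members if not in_subtree(m, base)]
```

Run `members_by_scope(GROUP_LDIF, "OU=test,DC=example,DC=com")` to see that `hihi` (in `OU=hi`) and `test` (in `CN=Users`) are outside the search base, while a base of `DC=example,DC=com` covers every member.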