OpenLDAP

dockerhub_bitnami/openldap
github_wheelybird/ldap-user-manager

Server

ๆžถ่จญ

  • docker-compose.yaml
services:
  openldap:
    image: bitnami/openldap:2.6.7
    container_name: openldap
    restart: always
    ports:
      - '1389:1389'   # non-TLS
      - '1636:1636'   # TLS
    environment:
      - LDAP_ROOT=dc=google,dc=org
      - LDAP_ADMIN_DN=cn=admin,dc=google,dc=org
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=password
      - LDAP_ENABLE_TLS=yes
      - LDAP_TLS_CERT_FILE=/opt/bitnami/openldap/certs/cert.pem
      - LDAP_TLS_KEY_FILE=/opt/bitnami/openldap/certs/privkey.pem
      - LDAP_TLS_CA_FILE=/opt/bitnami/openldap/certs/chain.pem
    volumes:
      - './bitnami/openldap:/bitnami/openldap'
      - './opt/bitnami/openldap/certs:/opt/bitnami/openldap/certs'
  lum:
    image: wheelybird/ldap-user-manager:v1.11
    container_name: lum
    restart: always
    ports:
      - "8080:80"
      - "4433:443"
    environment:
      - LDAP_URI=ldaps://openldap:1636
      - LDAP_BASE_DN=dc=google,dc=org
      - LDAP_ADMIN_BIND_DN=cn=admin,dc=google,dc=org
      - LDAP_ADMIN_BIND_PWD=password
      - LDAP_ADMINS_GROUP=admins
      - LDAP_IGNORE_CERT_ERRORS=true
      - NO_HTTPS=true

Two of these settings are lab-only: LDAP_IGNORE_CERT_ERRORS=true makes lum accept any certificate on its ldaps:// connection to openldap, and NO_HTTPS=true serves the management UI (and every password typed into it) over plain HTTP on port 8080. Both are tolerable on a private Docker network but not on anything reachable from elsewhere. Replace the placeholder password with a real secret; it is the rootdn password and is handed to lum as well.

Init

docker compose up -d

้€ฒๅ…ฅlocalhost:8080/setup

Config

Configuring slapd

OpenLDAPๅพž2.3็‰ˆ้–‹ๅง‹ๆ”น็”จdynamic runtime configuration engine
้œ€่ฆไปฅldapmodify, ldapdelete, ldapadd็š„ๆ–นๅผไพ†ไฟฎๆ”น๏ผŒ็›ดๆŽฅไปฅๆœๅ‹™ไฟฎๆ”น็š„่ฉฑ๏ผŒๅฐฑ่ฆ็”จslapaddๅ’Œslapmodify
่€Œๅ„ฒๅญ˜็š„ๆช”ๆกˆๆœƒๅœจ/slapd.d๏ผŒไธ่ƒฝ็›ดๆŽฅไฟฎๆ”น้€™ๅ€‹่ณ‡ๆ–™ๅคพๅ…ง็š„ๆช”ๆกˆ๏ผŒๅฆๅ‰‡checkSumๆœƒไธ็›ธ็ฌฆ่€ŒๅฐŽ่‡ด้Œฏ่ชค

้€™ๅ€‹ๆ”นๅ‹•ไนŸ่ฎ“ๆˆ‘ๅ€‘ๅฏไปฅไธ็”จ้‡ๅ•Ÿslapdไพ†Applyๆ›ดๅ‹•็š„Config๏ผŒๆ”นๆˆๅ…ˆๅฎš็พฉไธ€ๅ€‹LDIFๆช”ๆกˆ๏ผŒๅœจ้€้ŽๆŒ‡ไปค่ฎŠๆ›ดLDAPไธŠ็š„Config

Configuration Layout

Slapd็š„configurationๆœ‰ๅ€‹ๅฎš็พฉๅฅฝ็š„ๆžถๆง‹ๅ’ŒDIT(Dictionary Information Tree)


LDAP็š„configuration root ๅซๅšcn=config๏ผŒๅŒ…ๅซ่‘—global configuration

LDAP Databaseๆ˜ฏ็„กๅบ็š„๏ผŒๅ› ๆญคๅœจConfigๆœƒๆœ‰ๅ€‹{n}๏ผŒ็”จไพ†ไปฃ่กจ่จญๅฎšDatabase็š„้ †ๅบ๏ผŒ้€™ๅ€‹้ †ๅบๆ˜ฏ่‡ชๅ‹•็”ข็”Ÿ็š„

ๅคง้ƒจๅˆ†็š„ attributes and objectClasses ้ƒฝๆœƒๆœ‰olc็š„prefix

ๆฏๅ€‹argument็”จ็ฉบ็™ฝๅˆ†้–‹๏ผŒๅฆ‚ๆžœๆœ‰argumentๆ˜ฏๆœ‰็ฉบๆ ผ็š„๏ผŒ้‚ฃ่ฆไฝฟ็”จ้›™ๅผ•่™ŸๅŒ…่ตทไพ†๏ผŒ"like this"

ๅฆ‚ไฝ•ไฟฎๆ”น

้ฆ–ๅ…ˆ่ฆๅ…ˆๆ‰พๅˆฐ่ชฐๆœ‰ๆฌŠ้™ๅฏไปฅไฟฎๆ”น๏ผŒ็”ฑๆ–ผๆˆ‘ๆ˜ฏไฝฟ็”จbitnami/openldap๏ผŒไป–็š„configไฝๆ–ผ/bitnami/openldap/slapd.d/cn=config

  • cat olcDatabase\=\{0\}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e5118730
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=1001,cn=peercred,cn=exter
 nal,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 396b8800-a21f-103e-98fb-114693e3b917
creatorsName: cn=config
createTimestamp: 20240509071222Z
entryCSN: 20240509071222.209499Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20240509071222Z

ๅฏไปฅ็œ‹ๅˆฐๅชๆœ‰uid=1001ๅฏไปฅ็ทจ่ผฏ๏ผŒไฝ†ๆ˜ฏgid=0๏ผŒ้€™ไปฃ่กจไป–็š„Groupๆ˜ฏroot

ไธ€่ˆฌ็š„Openldap้ƒฝๆ˜ฏๅ…่จฑuid=0,gid=0็š„userๅฏไปฅไฟฎๆ”น๏ผŒไฝ†ๆ˜ฏๅ› ็‚บ้€™ๆ˜ฏbitnami/openldap๏ผŒ่€Œdocker exec -it openldap bashๅพŒ๏ผŒๆœƒ็™ผ็พ็ฌฆๅˆไธŠ่ฟฐ็š„้œ€ๆฑ‚

I have no name!@93d5dd35d30d:/$ id
uid=1001 gid=0(root) groups=0(root)

้€™ๆ™‚ๅ†ๅŸท่กŒldapmodify -Y EXTERNAL -H ldapi:///ๅฐฑๅฏไปฅ่ผธๅ…ฅๆƒณไฟฎๆ”น็š„ldifๅ…งๅฎน

  • ่ฎ“ไฝฟ็”จ่€…ๅฏไปฅ่‡ชๅทฑไฟฎๆ”นๅฏ†็ขผ
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write # ่‡ชๅทฑๅฏไปฅไฟฎๆ”น
  by anonymous auth # ไธๆ˜Žไฝฟ็”จ่€…่ฆ้ฉ—่ญ‰
  by users none # ็ถ“้Ž้ฉ—่ญ‰ไนŸๆฒ’ๆฌŠ้™
olcAccess: {1}to *
  by * read # ๆ‰€ๆœ‰ไบบ้ƒฝๆœ‰่ฎ€็š„ๆฌŠ้™

ๅธธ็”จๆŒ‡ไปค

ldapsearch -Y EXTERNAL -H ldapi:/// -b "dc=google,dc=org" "(uid=*)" ๆœๅฐ‹ๆ‰€ๆœ‰ไฝฟ็”จ่€…
ldapdelete -x -D "cn=admin,dc=google,dc=org" -W -H ldapi:/// "cn=user02,ou=users,dc=google,dc=org" ๅˆช้™คไฝฟ็”จ่€…

ๆ ผๅผ

#้–‹้ ญๆœƒ่ขซ่พจ่ญ˜็‚บ่จป่งฃ
้–‹้ ญ่‹ฅๆœ‰็ฉบๆ ผๆœƒ่ขซ่พจ่ญ˜็‚บไธŠไธ€่กŒ
ๆฏๅ€‹Entityไฝฟ็”จ็ฉบ็™ฝ่กŒไพ†ๅ€ๅˆ†

Client

ๅฎ‰่ฃ

apt -y install libnss-ldapd libpam-ldapd ldap-utils;
Package configuration


   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค Configuring nslcd โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
   โ”‚ Please enter the Uniform Resource Identifier of the LDAP server. The   โ”‚ 
   โ”‚ format is "ldap://<hostname_or_IP_address>:<port>/". Alternatively,    โ”‚ 
   โ”‚ "ldaps://" or "ldapi://" can be used. The port number is optional.     โ”‚ 
   โ”‚                                                                        โ”‚ 
   โ”‚ When using an ldap or ldaps scheme it is recommended to use an IP      โ”‚ 
   โ”‚ address to avoid failures when domain name services are unavailable.   โ”‚ 
   โ”‚                                                                        โ”‚ 
   โ”‚ Multiple URIs can be separated by spaces.                              โ”‚ 
   โ”‚                                                                        โ”‚ 
   โ”‚ LDAP server URI:                                                       โ”‚ 
   โ”‚                                                                        โ”‚ 
   โ”‚ ldaps://openldap:1636/________________________________________________ โ”‚ 
   โ”‚                                                                        โ”‚ 
   โ”‚                   <Ok>                       <Cancel>                  โ”‚ 
   โ”‚                                                                        โ”‚ 
   โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ 
 โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค Configuring nslcd โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
 โ”‚ Please enter the distinguished name of the LDAP search base. Many sites   โ”‚ 
 โ”‚ use the components of their domain names for this purpose. For example,   โ”‚ 
 โ”‚ the domain "example.net" would use "dc=example,dc=net" as the             โ”‚ 
 โ”‚ distinguished name of the search base.                                    โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚ LDAP server search base:                                                  โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚ dc=google,dc=org_________________________________________________________ โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚                    <Ok>                        <Cancel>                   โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ 
    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค Configuring nslcd โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    โ”‚ Please choose what type of authentication the LDAP database should   โ”‚ 
    โ”‚ require (if any):                                                    โ”‚ 
    โ”‚                                                                      โ”‚ 
    โ”‚  * none: no authentication;                                          โ”‚ 
    โ”‚  * simple: simple bind DN and password authentication;               โ”‚ 
    โ”‚  * SASL: any Simple Authentication and Security Layer mechanism.     โ”‚ 
    โ”‚                                                                      โ”‚ 
    โ”‚ LDAP authentication to use:                                          โ”‚ 
    โ”‚                                                                      โ”‚ 
    โ”‚                              *none                                   โ”‚ 
    โ”‚                               simple                                 โ”‚ 
    โ”‚                               SASL                                   โ”‚ 
    โ”‚                                                                      โ”‚ 
    โ”‚                                                                      โ”‚ 
    โ”‚                  <Ok>                      <Cancel>                  โ”‚ 
    โ”‚                                                                      โ”‚ 
    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ 
                      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”ค Configuring nslcd โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                      โ”‚ Check server's SSL certificate:  โ”‚ 
                      โ”‚                                  โ”‚ 
                      โ”‚             never                โ”‚ 
                      โ”‚             allow                โ”‚ 
                      โ”‚             try                  โ”‚ 
                      โ”‚            *demand               โ”‚ 
                      โ”‚                                  โ”‚ 
                      โ”‚                                  โ”‚ 
                      โ”‚      <Ok>          <Cancel>      โ”‚ 
                      โ”‚                                  โ”‚ 
                      โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ 
    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค Configuring nslcd โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
    โ”‚ When certificate checking is enabled this file contains the X.509   โ”‚ 
    โ”‚ certificate that is used to check the certificate provided by the   โ”‚ 
    โ”‚ server.                                                             โ”‚ 
    โ”‚                                                                     โ”‚ 
    โ”‚ Certificate authority certificate:                                  โ”‚ 
    โ”‚                                                                     โ”‚ 
    โ”‚ /etc/ssl/certs/ca-certificates.crt_________________________________ โ”‚ 
    โ”‚                                                                     โ”‚ 
    โ”‚                  <Ok>                      <Cancel>                 โ”‚ 
    โ”‚                                                                     โ”‚ 
    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ 
 โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค Configuring libnss-ldapd โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
 โ”‚ For this package to work, you need to modify the /etc/nsswitch.conf file  โ”‚ 
 โ”‚ to use the ldap datasource.                                               โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚ You can select the services that should have LDAP lookups enabled. The    โ”‚ 
 โ”‚ new LDAP lookups will be added as the last datasource. Be sure to review  โ”‚ 
 โ”‚ these changes.                                                            โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚ Name services to configure:                                               โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚    [*] passwd                                                         โ†‘   โ”‚ 
 โ”‚    [*] group                                                          โ–ฎ   โ”‚ 
 โ”‚    [*] shadow                                                         โ–’   โ”‚ 
 โ”‚    [ ] hosts                                                          โ–’   โ”‚ 
 โ”‚    [ ] networks                                                       โ†“   โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ”‚                                  <Ok>                                     โ”‚ 
 โ”‚                                                                           โ”‚ 
 โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ 
  • Ldapไฝฟ็”จ่€…็™ปๅ…ฅๆ™‚่‡ชๅ‹•ๆ–ฐๅขžHome dir
echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session systemctl restart nscd nslcd;
  • ่จญๅฎšๆŒ‡ๅฎšgroupๆœ‰sudoๆฌŠ้™
sudo visudo

ๅŠ ไธŠ%admins ALL=(ALL) ALL
admins็‚บๅœจLdapๆŒ‡ๅฎš็š„็พค็ต„ๅ็จฑ

libnss-ldapd

Config file: nsswitch.conf

  • Related service
    nscd.service

  • Reconfigure through the debconf UI
    dpkg-reconfigure libnss-ldapd

  • /etc/nsswitch.conf

#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Keep files ahead of ldap: local accounts (root included) are then resolved from /etc/passwd first, and an LDAP entry with the same name or uid cannot shadow them.

libpam-ldapd

Config file: nslcd.conf (owned by the nslcd package, which both libnss-ldapd and libpam-ldapd use)

  • Related service
    nslcd.service

  • Reconfigure through the debconf UI
    dpkg-reconfigure nslcd

  • /etc/nslcd.conf

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldaps://openldap:1636/

# The search base that will be used for all queries.
base dc=google,dc=org

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
#binddn cn=annonymous,dc=example,dc=net
#bindpw secret

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
ssl on
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
#scope sub

  • Debug
systemctl stop nscd nslcd
nslcd -d
nslcd -d runs the daemon in the foreground with debug output; start the services again afterwards.
  • TLS
    With an ldaps:// uri the hostname in uri must be one the server certificate was issued for: tls_reqcert demand verifies the chain and the hostname, and nslcd refuses the connection otherwise. The CA that issued the server certificate must also be present in the file tls_cacertfile points at.

ldap-utils

The LDAP command-line tools (ldapsearch, ldapmodify, ldapwhoami and friends), useful for debugging.
Client defaults (URI, BASE, TLS_CACERT) live in /etc/ldap/ldap.conf.

่ฎ“LDAPๆŒ‡ๅฎšGroupๅฏไปฅไฝฟ็”จdocker

่ฎ“Userไฝฟ็”จssh็™ปๅ…ฅๆ™‚๏ผŒ็ขบ่ชๆ˜ฏๅฆ็ฌฆๅˆๆŒ‡ๅฎš็š„Group๏ผŒ็ฌฆๅˆๅพŒ็ตฆไบˆ้€™ๅ€‹User docker group

  • addDocker.sh
#!/bin/bash

username="${PAM_USER}"

if id -nG "$username" | grep -qw "smms"; then
    if ! id -nG "$username" | grep -qw "docker"; then
        usermod -aG docker "$username"
    fi
fi

ๅ…ˆๆŠŠๆ”พๅˆฐไปปๆ„ๆŒ‡ๅฎšไฝ็ฝฎ๏ผŒ้€™้‚Šๆ˜ฏๆ”พๅœจ/etc/security

ๅœจ/etc/pam.d/sshdๅขžๅŠ auth [default=ignore] pam_exec.so seteuid /etc/security/smmsDocker.sh

ๅฆ‚ๆญคไธ€ไพ†ๆฏๆฌกssh็™ปๅ…ฅๆ™‚้ƒฝๆœƒ่ท‘addDocker.sh๏ผŒไพ†ๆชขๆŸฅๆ˜ฏๅฆ็ตฆไบˆdocker group