# Installing LDAP and connecting it to Rancher
## Install LDAP
* Install on sles15-sp4
```
$ sudo zypper install 389-ds
```
* LDAP1 configuration file
```
$ nano LDAP1.inf
# LDAP1.inf
[general]
config_version = 2
[slapd]
root_password = rancheradmin
self_sign_cert = True
instance_name = andy-test
[backend-userroot]
sample_entries = yes
suffix = dc=LDAP1,dc=COM
```
```
$ sudo dscreate -v from-file LDAP1.inf
```
```
$ sudo dsctl andy-test status
Instance "andy-test" is running
```
* Removal command
```
$ sudo dsctl andy-test remove --do-it
```
* Check the service
```
$ systemctl status --no-pager --full dirsrv@andy-test.service
● dirsrv@LDAP1.service - 389 Directory Server LDAP1.
Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-08-11 11:42:38 CST; 7s ago
Process: 19266 ExecStartPre=/usr/lib/dirsrv/ds_systemd_ask_password_acl /etc/dirsrv/slapd-LDAP1/dse.ldif (code=exited, status=0/SUCCESS)
Process: 19271 ExecStartPre=/usr/lib/dirsrv/ds_selinux_restorecon.sh /etc/dirsrv/slapd-LDAP1/dse.ldif (code=exited, status=0/SUCCESS)
Main PID: 19276 (ns-slapd)
Status: "slapd started: Ready to process requests"
Tasks: 28
CGroup: /system.slice/system-dirsrv.slice/dirsrv@LDAP1.service
└─19276 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-LDAP1 -i /run/dirsrv/slapd-LDAP1.pid
```
## Create the wilber account
```
# Create the wilber account
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test user create --uid wilber \
--cn wilber --displayName 'Wilber Fox' --uidNumber 1001 --gidNumber 101 \
--homeDirectory /home/wilber
# Reset the password; set it to wilber
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test account reset_password \
uid=wilber,ou=people,dc=LDAP1,dc=COM
# Verify that the user's password works
$ ldapwhoami -D uid=wilber,ou=people,dc=LDAP1,dc=COM -W
Enter LDAP Password: "wilber"
dn: uid=wilber,ou=people,dc=ldap1,dc=com
```
## Create the other accounts
```
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test user create --uid rbean --cn rbean --displayName 'rbean Fox' --uidNumber 1003 --gidNumber 103 --homeDirectory /home/rbean
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test user create --uid andy --cn andy --displayName 'andy Fox' --uidNumber 1004 --gidNumber 104 --homeDirectory /home/andy
```
```
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test account reset_password uid=rbean,ou=people,dc=LDAP1,dc=COM
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test account reset_password uid=andy,ou=people,dc=LDAP1,dc=COM
```
* List all users
```
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test user list
demo_user
wilber
andy
rbean
```
* View wilber's details
```
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test user get wilber
dn: uid=wilber,ou=people,dc=ldap1,dc=com
cn: wilber
displayName: Wilber Fox
gidNumber: 101
homeDirectory: /home/wilber
objectClass: top
objectClass: nsPerson
objectClass: nsAccount
objectClass: nsOrgPerson
objectClass: posixAccount
uid: wilber
uidNumber: 1001
userPassword: {PBKDF2_SHA256}AAAIABxQ4ZAcCmIoRZJy1WrqpsBUcJ2IjZ/HRv4MYTZitm66WfZWfZRHfeO5kXdzWBMcTT08jbdO+wlcpfoWMcI0G/YfLtrdbZzaABUPvoTIkwgoksZ87HfuKchav8CI3bPMsK4faaj+pJZKkBZJVVIwKVSSMEczSMp35vDOlnlmgHZP4tsJFgsOnlsqFBe5bAqEkA0UjR1tDZ6s4/gOQdMQGK2QPWPeLx9BjZ+8LoCT8wo1lQUaKqILYBF+bnKcIT4ZKVzEfZuhox5KxCWQ7XOjaCdlqPq5xMpEQOVl6hn6aAwKJvbDB8uUxXGmXTlRZZKWqquwfQc3F4lBsj5yi2WJgonwmiXhe+ZXbsJRy0oXY+shO3vFMpZrYoS2Fk/13MM/8i/dp4cReOPNd+d+OZvuXsLFO7Ql7X2gBga3QjNgWL5/
```
## Create an LDAP group
* Create the test group
```
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test group create
Enter value for cn : test
Successfully created test
```
* Add wilber, rbean and andy to the test group
```
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test group add_member test uid=wilber,ou=people,dc=LDAP1,dc=COM
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test group add_member test uid=rbean,ou=people,dc=LDAP1,dc=COM
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test group add_member test uid=andy,ou=people,dc=LDAP1,dc=COM
```
* Check who is in the test group
```
$ sudo dsidm -b "dc=LDAP1,dc=COM" andy-test group members test
dn: uid=wilber,ou=people,dc=LDAP1,dc=COM
dn: uid=rbean,ou=people,dc=LDAP1,dc=COM
dn: uid=andy,ou=people,dc=LDAP1,dc=COM
```
## Rancher LDAP configuration
* Main Menu -> Users & Authentication -> Auth Provider -> OpenLDAP
> Hostname/IP: 192.168.11.65
> Port: 389
> Distinguished Name: uid=wilber,ou=people,dc=ldap1,dc=com
> Service Account Password: wilber
> User Search Base: ou=people,dc=ldap1,dc=com
> Group Search Base: ou=groups,dc=LDAP1,dc=COM
> Object Class: top
> Username: wilber
> Password: wilber
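
Before saving the form, it is worth confirming from a shell that the values above actually resolve the way Rancher will use them: the service account can bind, the User Search Base plus object class and login attribute find exactly one entry per login name, and the Group Search Base returns the `test` group for those entries. The script below is an added example, not part of the original tutorial or of Rancher or 389-ds; it assumes the OpenLDAP client tools (`ldapsearch`, `ldapwhoami`, package `openldap2-client` on SLES) are installed and takes the host, DNs and object class from the form above as defaults. It also escapes the login name per RFC 4515 before placing it in the filter, which is the check that keeps a crafted username from widening the search. Because the instance was created with `self_sign_cert = True`, the same checks can be run over LDAPS by setting `LDAP_URI=ldaps://192.168.11.65:636` and pointing `LDAPTLS_CACERT` at the CA certificate dscreate generated (by default `/etc/dirsrv/ssca/ca.crt`).

```shell
#!/bin/sh
# Added example: pre-flight check of the Rancher OpenLDAP settings against the
# 389-ds instance built above. Defaults mirror the Rancher form on this page
# and can be overridden through the environment.
LDAP_URI="${LDAP_URI:-ldap://192.168.11.65:389}"
BIND_DN="${BIND_DN:-uid=wilber,ou=people,dc=ldap1,dc=com}"
USER_BASE="${USER_BASE:-ou=people,dc=ldap1,dc=com}"
GROUP_BASE="${GROUP_BASE:-ou=groups,dc=ldap1,dc=com}"
USER_CLASS="${USER_CLASS:-top}"   # the "Object Class" field in the form
LOGIN_ATTR="${LOGIN_ATTR:-uid}"   # Rancher's default username attribute for OpenLDAP
# The service-account password comes from the environment (LDAP_BIND_PW) and is
# handed to the tools through a temp file, so it never appears in `ps` output.
: "${LDAP_BIND_PW:=}"

# Escape a value for use inside an LDAP search filter (RFC 4515). Backslash is
# handled first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The user filter a login resolves to: (&(objectClass=<class>)(<attr>=<name>))
build_user_filter() {
    printf '(&(objectClass=%s)(%s=%s))' "$USER_CLASS" "$LOGIN_ATTR" "$(ldap_filter_escape "$1")"
}

# Group lookup by user DN. `dsidm group add_member` stores members in the
# `member` attribute, which is also Rancher's default mapping for OpenLDAP.
build_group_filter() {
    printf '(member=%s)' "$(ldap_filter_escape "$1")"
}

# Run an ldap* client with -y <passfile> instead of -w <password>.
with_passfile() {
    pwfile=$(mktemp) || return 1
    printf '%s' "$LDAP_BIND_PW" > "$pwfile"
    "$@" -y "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# 1. Can the service account from the form bind at all?
check_service_bind() {
    with_passfile ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN"
}

# 2. Which entries under User Search Base match this login name? (expect exactly one)
find_user_dn() {
    with_passfile ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" \
        -b "$USER_BASE" -s sub "$(build_user_filter "$1")" dn | sed -n 's/^dn: //p'
}

# 3. Which groups under Group Search Base list that DN as a member?
find_groups_for_dn() {
    with_passfile ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" \
        -b "$GROUP_BASE" -s sub "$(build_group_filter "$1")" cn | sed -n 's/^cn: //p'
}

main() {
    [ -n "$LDAP_BIND_PW" ] || { echo "set LDAP_BIND_PW first" >&2; return 2; }
    check_service_bind || { echo "service-account bind failed" >&2; return 1; }
    for name in "$@"; do
        dn=$(find_user_dn "$name")
        case $(printf '%s\n' "$dn" | grep -c .) in
            0) echo "$name: not found under $USER_BASE" ;;
            1) echo "$name: $dn"
               echo "  groups: $(find_groups_for_dn "$dn" | tr '\n' ' ')" ;;
            *) echo "$name: ambiguous, more than one entry matches" ;;
        esac
    done
}

# Live checks run only when login names are given, e.g.:
#   LDAP_BIND_PW=... sh ldap-preflight.sh wilber rbean andy
if [ $# -gt 0 ]; then main "$@"; fi
```

A login name that resolves to zero entries means the search base, object class or login attribute in the form is wrong; more than one means the filter is too loose and Rancher will refuse the login. If `test` does not show up under `groups:` for a user, the Group Search Base or member attribute needs adjusting before that group can be used in Add Member.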


* Set `Allow members of clusters and projects, plus authorized users & groups`
  - Under Add Member, enter the users wilber and rbean and the group name test

* Set group permissions

* Log in to Rancher with LDAP (wilber, rbean, andy)

#### Documentation link
https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-security-ldap.html