
openshift 4.3 using ldap

演示场景如下

video

参考资料:

openldap


        # Mirror the upstream openldap and phpldapadmin images into the local registry
        # (registry.redhat.ren:5443); the podman run commands below pull from that mirror.
        skopeo copy docker://docker.io/osixia/openldap:latest docker://registry.redhat.ren:5443/docker.io/osixia/openldap:latest
        
        skopeo copy docker://docker.io/osixia/phpldapadmin:latest docker://registry.redhat.ren:5443/docker.io/osixia/phpldapadmin:latest
        
        # Start the openldap service.
        # NOTE(review): LDAP_ADMIN_PASSWORD is handed over as an environment variable, so it is
        # readable by anyone who can inspect the container; 389/tcp is published on every host
        # interface, and plain ldap:// carries binds in clear text.
        
        podman run -p 389:389 --name openldap --hostname ldap.redhat.ren --env LDAP_ORGANISATION="redhat" --env LDAP_DOMAIN="redhat.ren" --env LDAP_ADMIN_PASSWORD="ldap123" --detach registry.redhat.ren:5443/docker.io/osixia/openldap:latest
        
        # Default login username: admin
        # Web UI for the directory; PHPLDAPADMIN_HTTPS=false means the admin login below goes over
        # plain HTTP on port 5080, so keep it on a trusted network for the demo only.
        
        podman run -d -p 5080:80 --name phpldapadmin --env PHPLDAPADMIN_HTTPS=false --env PHPLDAPADMIN_LDAP_HOSTS=117.177.241.16 --detach registry.redhat.ren:5443/docker.io/osixia/phpldapadmin:latest
        
        # http://helper.hsc.redhat.ren:5080
        
        # Login DN: cn=admin,dc=redhat,dc=ren
        
        # Password: ldap123
        
        # Tear the two containers down again (-f forces removal, -v drops their volumes).
        podman rm -fv phpldapadmin
        podman rm -fv openldap
        
        # Host-side OpenLDAP packages: server, client tools (ldapadd/ldapsearch/slappasswd).
        # NOTE(review): the ldap* commands below give no -H, so they talk to the default local
        # server; whether that is the host slapd checked here or the container above is not
        # stated explicitly -- confirm which one is meant to be running.
        yum install -y openldap openldap-clients openldap-servers
        
        systemctl status slapd
        
        # Add test user data to ldap: the two OUs that the OpenShift config below searches
        # (ou=users for logins, ou=groups for group sync).
        
        cat << EOF > base.ldif
        dn: ou=users,dc=redhat,dc=ren
        objectClass: organizationalUnit
        objectClass: top
        ou: users
        
        dn: ou=groups,dc=redhat,dc=ren
        objectClass: organizationalUnit
        objectClass: top
        ou: groups  
        EOF
        
        # -x = simple bind, -D = bind DN, -w = bind password.
        # NOTE(review): -w puts the password on the command line (shell history, ps); -W prompts
        # for it instead and is preferable outside a throwaway demo.
        ldapadd -x -D "cn=admin,dc=redhat,dc=ren" -w ldap123 -f base.ldif
        
        # Create the user password hash. slappasswd prompts when -s is omitted; with -s the clear
        # text password ("redhat") lands in shell history.
        
        slappasswd -s redhat
        
        # {SSHA}yiR9306gQWh4mdeOuJ1KUg5cxQ8uoWKK
        
        # Two users (ocpadm, wzh) and two groupOfNames groups (admins, normals); both users share
        # the hash produced above. These DNs are referenced by ldapsync.yaml later.
        cat << EOF >users.ldif 
        dn: cn=ocpadm,ou=users,dc=redhat,dc=ren
        objectClass: person
        objectClass: organizationalPerson
        objectClass: inetOrgPerson
        cn: ocpadm
        sn: ocpadm
        uid: ocpadm
        displayName: ocpadm
        mail: ocpadm@redhat.ren
        userPassword: {SSHA}yiR9306gQWh4mdeOuJ1KUg5cxQ8uoWKK
        
        dn: cn=wzh,ou=users,dc=redhat,dc=ren
        objectClass: person
        objectClass: organizationalPerson
        objectClass: inetOrgPerson
        cn: wzh
        sn: wzh
        uid: wzh
        displayName: wzh
        mail: wzh@redhat.ren
        userPassword: {SSHA}yiR9306gQWh4mdeOuJ1KUg5cxQ8uoWKK
        
        dn: cn=admins,ou=groups,dc=redhat,dc=ren
        objectClass: groupOfNames
        cn: admins
        owner: cn=admin,dc=redhat,dc=ren
        member: cn=ocpadm,ou=users,dc=redhat,dc=ren
        
        dn: cn=normals,ou=groups,dc=redhat,dc=ren
        objectClass: groupOfNames
        cn: normals
        owner: cn=admin,dc=redhat,dc=ren
        member: cn=wzh,ou=users,dc=redhat,dc=ren
        
        EOF
        ldapadd -x -D "cn=admin,dc=redhat,dc=ren" -w ldap123 -f users.ldif 
        
        # Verify: dump the whole subtree under dc=redhat,dc=ren as the admin bind.
        ldapsearch -x -D "cn=admin,dc=redhat,dc=ren" -w ldap123 -b dc=redhat,dc=ren 

ocp operation

# Inspect the OpenShift user, group and identity objects before changing anything.
oc get user
        oc get group
        oc get identity
        
        # Clean up stale user data.
        # NOTE(review): this deletes every user/identity whose `oc get` line contains "ldap" --
        # presumably matching the identity provider name ldapidp in the IDENTITIES column, but
        # any other object whose name happens to contain the string goes too. Check the list
        # from the commands above before running it.
        
        oc get user | grep ldap | awk '{print $1}' | xargs -I DEMO oc delete user DEMO
        oc get identity | grep ldap | awk '{print $1}' | xargs -I DEMO oc delete identity DEMO
        
        # Create the bind password secret that the LDAP identity provider references.
        # NOTE(review): --from-literal puts the password on the command line (shell history);
        # --from-file reads it from a file instead.
        
        oc create secret generic ldap-secret --from-literal=bindPassword=ldap123 -n openshift-config
        
        # Create the ldap login entry: the OAuth/cluster resource holds the full list of identity
        # providers, so the existing htpasswd provider is repeated here to keep it.
        # The url's trailing "?uid" means the login name is matched against the uid attribute
        # under ou=users; the id attribute (dn) is what identities are keyed on.
        # NOTE(review): insecure: true with ldap:// sends the bind password and every user
        # password in clear text. For anything beyond a demo use ldaps:// and the provider's
        # ca field (a config map in openshift-config) instead of insecure.
        
        cat << EOF > ldap.yaml
        apiVersion: config.openshift.io/v1
        kind: OAuth
        metadata:
          name: cluster
        spec:
          identityProviders:
          - name: "Local Password"
            mappingMethod: claim
            type: HTPasswd
            htpasswd:
              fileData:
                name: htpasswd
          - name: ldapidp 
            mappingMethod: claim 
            type: LDAP
            ldap:
              attributes:
                id: 
                - dn
                email: 
                - mail
                name: 
                - cn
                preferredUsername: 
                - uid
              bindDN: "cn=admin,dc=redhat,dc=ren"
              bindPassword: 
                name: ldap-secret
              insecure: true 
              url: "ldap://registry.redhat.ren:389/ou=users,dc=redhat,dc=ren?uid" 
        EOF
        oc apply -f ldap.yaml
        
        # Sync group data from ldap. groupUIDNameMapping turns the two LDAP group DNs into the
        # OpenShift groups Administrators and NormalUsers, which the role bindings below use.
        # NOTE(review): this file carries the bind password in clear text and again uses
        # insecure: true -- keep it out of version control and restrict its permissions
        # (it is only needed on the host that runs oc adm groups sync).
        
        cat << EOF > ldapsync.yaml
        kind: LDAPSyncConfig
        apiVersion: v1
        url: ldap://registry.redhat.ren:389
        insecure: true
        bindDN: cn=admin,dc=redhat,dc=ren
        bindPassword: ldap123 
        groupUIDNameMapping:
          "cn=admins,ou=groups,dc=redhat,dc=ren": Administrators 
          "cn=normals,ou=groups,dc=redhat,dc=ren": NormalUsers 
        rfc2307:
            groupsQuery:
                baseDN: "ou=groups,dc=redhat,dc=ren"
                scope: sub
                derefAliases: never
                pageSize: 0
                filter: (objectclass=groupOfNames)
            groupUIDAttribute: dn 
            groupNameAttributes: [ cn ] 
            groupMembershipAttributes: [ member ]
            usersQuery:
                baseDN: "ou=users,dc=redhat,dc=ren"
                scope: sub
                derefAliases: never
                pageSize: 0
            userUIDAttribute: dn 
            userNameAttributes: [ cn ]
            tolerateMemberNotFoundErrors: false
            tolerateMemberOutOfScopeErrors: false
        EOF
        
        # --confirm actually writes the groups; without it the command only prints what it would do.
        oc adm groups sync --sync-config=ldapsync.yaml --confirm
        
        # Remove OpenShift groups whose LDAP counterpart has already been deleted (left
        # commented out; not part of the demo flow).
        
        # oc adm prune groups --sync-config=ldapsync.yaml --confirm
        
        # At this point wzh/ocpadm can log in, but they have no permissions on any project.
        
        # Prepare to grant permissions to the groups: list the available roles.
        
        oc get clusterrole
        oc get role 
        
        # Give the admins and normals groups different permissions: cluster-reader is
        # cluster-wide read-only, view is read-only within the demo project.
        
        oc adm policy add-cluster-role-to-group cluster-reader Administrators
        oc policy add-role-to-group view NormalUsers -n demo 
        
        # Log in again; the users now have the corresponding permissions.
        
        # Revoke the group permissions.
        
        oc adm policy remove-cluster-role-from-group cluster-reader Administrators
        oc policy remove-role-from-group view NormalUsers -n demo 
        
        # remove ldap 
        
        # Clean up stale user data (same grep-based deletion as above; same caveat applies).
        
        oc get user | grep ldap | awk '{print $1}' | xargs -I DEMO oc delete user DEMO
        oc get identity | grep ldap | awk '{print $1}' | xargs -I DEMO oc delete identity DEMO
        
        # Re-apply OAuth/cluster with only the htpasswd provider; since apply replaces the
        # identityProviders list, this drops the LDAP provider. The ldap-secret and the synced
        # groups are not removed by this step.
        cat << EOF > ldap.yaml
        apiVersion: config.openshift.io/v1
        kind: OAuth
        metadata:
          name: cluster
        spec:
          identityProviders:
          - name: "Local Password"
            mappingMethod: claim
            type: HTPasswd
            htpasswd:
              fileData:
                name: htpasswd
        EOF
        oc apply -f ldap.yaml

free ipa

# Mirror the FreeIPA server image into the local registry.
# NOTE(review): the docker run below still references docker.io/freeipa/freeipa-server
# directly rather than the registry.redhat.ren:5443 mirror -- confirm which is intended.
skopeo copy docker://docker.io/freeipa/freeipa-server:latest docker://registry.redhat.ren:5443/docker.io/freeipa/freeipa-server:latest
        
        # Unattended install options read by ipa-server-install from the /data bind mount.
        # NOTE(review): this file stores the directory-server and admin passwords in clear
        # text; the values here are placeholders, and the file should be readable by root only.
        mkdir -p /data/freeipa
        cat << EOF > /data/freeipa/ipa-server-install-options
        --realm=redhat.ren
        --ds-password=The-directory-server-password
        --admin-password=The-admin-password
        EOF
        
        # Left commented out: SELinux boolean that lets a systemd-based container manage cgroups.
        # setsebool -P container_manage_cgroup 1
        
        # First run: installs the IPA server interactively (-ti) and keeps the container.
        # NOTE(review): --privileged gives the container full host capabilities; 389 and 636 are
        # published here, so the openldap container from the earlier section must not be running
        # on the same host at the same time or the port binding will fail.
        docker run --name freeipa-server-container -ti --privileged   \
            -e IPA_SERVER_IP=10.66.208.240 \
            -p 3080:80 -p 3443:443 -p 389:389 -p 636:636 -p 88:88 -p 464:464 \
            -p 88:88/udp -p 464:464/udp -p 123:123/udp \
           -h ipa.redhat.ren \
           -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
           --tmpfs /run --tmpfs /tmp \
           -v /data/freeipa:/data:Z \
           docker.io/freeipa/freeipa-server ipa-server-install
        
        # Subsequent runs: start the already-installed container and attach to it.
        docker start -ai freeipa-server-container
        
        # NOTE(review): this removes EVERY container on the host (docker ps -qa), not only the
        # FreeIPA one; use `docker rm -fv freeipa-server-container` to scope it.
        docker rm -fv $(docker ps -qa)
        
        # Open the published IPA web UI port (3443 -> container 443) in the host firewall.
        firewall-cmd --zone=public --add-port=3443/tcp --permanent
        firewall-cmd --reload