Introduction
https://www.openldap.org/doc/admin25/intro.html
1.3. When should I use LDAP?
This is a very good question. In general, you should use a Directory server when you require data to be centrally managed, stored and accessible via standards based methods.
Some common examples found throughout the industry are, but not limited to:
Machine Authentication
User Authentication
User/System Groups
Address book
Organization Representation
Asset Tracking
Telephony Information Store
User resource management
E-mail address lookups
Application Configuration store
PBX Configuration store
etc…
Reference
k8s\yamls\openldap\readme.md
Image preparation

```sh
host_ip=192.168.31.21
export http_proxy="http://${host_ip}:7890"
export https_proxy="http://${host_ip}:7890"
export no_proxy="localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local,my-cluster-endpoint.com"
# yeah, ctr can pull images with the env variable http_proxy, but crictl cannot~
ctr -n k8s.io images pull docker.io/osixia/openldap:1.5.0
ctr -n k8s.io images pull docker.io/osixia/phpldapadmin:0.9.0
```
Deploy the services

```sh
cd /git_proj/blogs/k8s/yamls/openldap
kubectl apply -f ldap-deployment.yaml
# namespace/openldap created
# service/ldap-service created
kubectl apply -f phpldapadmin-rc.yaml
kubectl -n openldap get pod
# NAME                            READY   STATUS    RESTARTS   AGE
# ldap-69d574ccfd-7mhpp           1/1     Running   0          30m
# phpldapadmin-controller-d8lkh   1/1     Running   0          49s
kubectl -n openldap get svc
# NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
# ldap-service           NodePort   10.100.163.131   <none>        389:32743/TCP   30m
# phpldapadmin-service   NodePort   10.106.14.220    <none>        443:30472/TCP   46s

# phpLDAPadmin login via the NodePort:
# https://192.168.31.111:30472
# Login DN: cn=admin,dc=example,dc=org
# Password: admin
```
Exposing it externally through an Ingress

```sh
# Self-signed certificate (a purchased certificate avoids the browser's SSL trust warning)
mkdir -p /data/crt
cd /data/crt
HOST='ldap.dev.inner.ymk.com'
CERT_NAME='ldap-cert'
KEY_FILE='ldap.key'
CERT_FILE='ldap.crt'
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout ${KEY_FILE} -out ${CERT_FILE} \
  -subj "/CN=${HOST}/O=${HOST}" \
  -addext "subjectAltName = DNS:${HOST}"
kubectl -n openldap create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}

cd /git_proj/blogs/k8s/yamls/openldap
kubectl apply -f ingress-resource.yaml
kubectl -n openldap get ingress
# NAME               CLASS   HOSTS   ADDRESS   PORTS   AGE
# openldap-ingress   nginx   *                 80      4s

# Details
kubectl describe -n openldap ingress openldap-ingress

# Access
# https://ldap.dev.inner.ymk.com
```
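Before the secret is created it is worth checking what the browser and the Ingress controller will check for you later: that the SAN really lists the host (modern browsers ignore the CN), that the key and certificate belong together, and that the certificate is still valid. The script below is an added example, not part of the original post; it issues the same openssl request as the post, writes to a temp dir instead of /data/crt, assumes openssl 1.1.1 or newer on PATH (the post's -addext already needs that), and constructs an unrelated key to show the mismatch case.

```shell
#!/bin/sh
# Added example (not from the original post): generate the self-signed
# certificate as the post does, then verify it before creating the secret.
# Assumption: openssl 1.1.1+ on PATH. Output goes to a temp dir.

workdir=$(mktemp -d)
HOST='ldap.dev.inner.ymk.com'
KEY_FILE="$workdir/ldap.key"
CERT_FILE="$workdir/ldap.crt"

# Same request as in the post, only the output paths differ.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout "$KEY_FILE" -out "$CERT_FILE" \
  -subj "/CN=${HOST}/O=${HOST}" \
  -addext "subjectAltName = DNS:${HOST}" 2>/dev/null

# Check 1: the SAN must list the host. Browsers ignore the CN, so a
# certificate without this extension fails even when the CN matches.
cert_has_san() {            # $1 = cert file, $2 = expected DNS name
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# Check 2: key and certificate must belong together. Compare the public
# key derived from each; a mismatched pair is rejected when the Ingress
# controller loads the secret.
key_matches_cert() {        # $1 = cert file, $2 = key file
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 3: the certificate still has at least N days of validity left
# (-checkend exits 0 when the certificate does NOT expire in that window).
cert_valid_for_days() {     # $1 = cert file, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Constructed negative case: an unrelated key must not pass check 2.
OTHER_KEY="$workdir/other.key"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$OTHER_KEY" 2>/dev/null

if cert_has_san "$CERT_FILE" "$HOST" \
   && key_matches_cert "$CERT_FILE" "$KEY_FILE" \
   && cert_valid_for_days "$CERT_FILE" 30; then
  echo "checks passed; create the secret as in the post:"
  echo "  kubectl -n openldap create secret tls ldap-cert --key $KEY_FILE --cert $CERT_FILE"
else
  echo "certificate checks failed, do not create the secret" >&2
fi
```

The third check doubles as an expiry alert: run it from cron with the number of days of notice you want, and it exits non-zero once the certificate gets close to its end date.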
rewrite error
The redirect results in:
Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Solution

Change the ingress-controller startup arguments:

k8s\deploy\config\ingress\deploy.yaml:444

In args, add --enable-ssl-passthrough

Then modify the Ingress resource to add the annotation nginx.ingress.kubernetes.io/ssl-passthrough: "true"

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: openldap
  name: openldap-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
```
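The fix has two halves, and the annotation is silently ignored when the controller was started without the flag, so it pays to confirm both before applying. The check below is an added example, not from the original post: two sh functions that inspect manifest files, run against constructed "before" and "after" controller fragments and the post's Ingress metadata. On a live cluster the same question is answered by reading the controller's args (the deployment name ingress-nginx-controller in namespace ingress-nginx is the upstream default and an assumption here). One consequence of passthrough worth knowing: nginx hands the TLS session straight to phpLDAPadmin, so the certificate the browser sees is the one in /data/phpldapadmin/ssl/, not the ldap-cert secret named in the Ingress's tls block.

```shell
#!/bin/sh
# Added example (not from the original post): verify both halves of the
# SSL-passthrough fix are present. Inputs are constructed sample manifests.

workdir=$(mktemp -d)

# Constructed: controller args fragment AFTER the fix (flag present)
cat > "$workdir/controller-fixed.yaml" <<'EOF'
        args:
          - /nginx-ingress-controller
          - --election-id=ingress-nginx-leader
          - --controller-class=k8s.io/ingress-nginx
          - --enable-ssl-passthrough
EOF

# Constructed: the same fragment BEFORE the fix (flag missing)
cat > "$workdir/controller-before.yaml" <<'EOF'
        args:
          - /nginx-ingress-controller
          - --election-id=ingress-nginx-leader
          - --controller-class=k8s.io/ingress-nginx
EOF

# Constructed: Ingress metadata carrying the annotation from the post
cat > "$workdir/ingress.yaml" <<'EOF'
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: openldap
  name: openldap-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
EOF

# Returns 0 when the controller args contain the passthrough flag.
has_passthrough_flag() {        # $1 = controller manifest
  grep -q -- '--enable-ssl-passthrough' "$1"
}

# Returns 0 when the Ingress carries the annotation set to "true".
has_passthrough_annotation() {  # $1 = ingress manifest
  grep -Eq 'nginx\.ingress\.kubernetes\.io/ssl-passthrough:[[:space:]]*"?true"?' "$1"
}

# Both must hold; report whichever half is missing and return non-zero.
check_passthrough() {           # $1 = controller manifest, $2 = ingress manifest
  ok=0
  has_passthrough_flag "$1" || { echo "controller: --enable-ssl-passthrough missing"; ok=1; }
  has_passthrough_annotation "$2" || { echo "ingress: ssl-passthrough annotation missing"; ok=1; }
  return $ok
}

check_passthrough "$workdir/controller-fixed.yaml" "$workdir/ingress.yaml" \
  && echo "passthrough configuration complete"
check_passthrough "$workdir/controller-before.yaml" "$workdir/ingress.yaml" \
  || echo "fix incomplete (expected for the 'before' manifest)"

# Live-cluster equivalent of has_passthrough_flag (assumed upstream names):
#   kubectl -n ingress-nginx get deploy ingress-nginx-controller \
#     -o jsonpath='{.spec.template.spec.containers[0].args}' | grep -q -- '--enable-ssl-passthrough'
```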
ldap-deployment.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openldap
  labels:
    name: openldap
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: openldap
  name: ldap
  labels:
    app: ldap
spec:
  selector:
    matchLabels:
      app: ldap
  replicas: 1
  template:
    metadata:
      labels:
        app: ldap
    spec:
      containers:
        - name: ldap
          image: osixia/openldap:1.5.0
          volumeMounts:
            - name: ldap-data
              mountPath: /var/lib/ldap
            - name: ldap-config
              mountPath: /etc/ldap/slapd.d
            - name: ldap-certs
              mountPath: /container/service/slapd/assets/certs
          ports:
            - containerPort: 389
              name: openldap
          env:
            - name: LDAP_LOG_LEVEL
              value: "256"
            - name: LDAP_ORGANISATION
              value: "Example Inc."
            - name: LDAP_DOMAIN
              value: "example.org"
            # Admin and config passwords are set in plaintext here and end up
            # in the manifest and the pod spec; a Secret with secretKeyRef is
            # the usual replacement.
            - name: LDAP_ADMIN_PASSWORD
              value: "admin"
            - name: LDAP_CONFIG_PASSWORD
              value: "config"
            - name: LDAP_BACKEND
              value: "mdb"
            # TLS is offered but not enforced: plain LDAP on 389 is still
            # accepted, and the NodePort below exposes that port outside the cluster.
            - name: LDAP_TLS
              value: "true"
            - name: LDAP_TLS_ENFORCE
              value: "false"
      volumes:
        - name: ldap-data
          hostPath:
            path: "/data/ldap/db"
        - name: ldap-config
          hostPath:
            path: "/data/ldap/config"
        - name: ldap-certs
          hostPath:
            path: "/data/ldap/certs"
---
apiVersion: v1
kind: Service
metadata:
  namespace: openldap
  labels:
    app: ldap
  name: ldap-service
spec:
  type: NodePort
  ports:
    - port: 389
  selector:
    app: ldap
```
phpldapadmin-rc.yaml
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: openldap
  labels:
    name: openldap
---
apiVersion: v1
kind: ReplicationController
metadata:
  namespace: openldap
  name: phpldapadmin-controller
  labels:
    app: phpldapadmin
spec:
  replicas: 1
  selector:
    app: phpldapadmin
  template:
    metadata:
      labels:
        app: phpldapadmin
    spec:
      containers:
        - name: phpldapadmin
          image: osixia/phpldapadmin:0.9.0
          volumeMounts:
            - name: phpldapadmin-certs
              mountPath: /container/service/phpldapadmin/assets/apache2/certs
            - name: ldap-client-certs
              mountPath: /container/service/ldap-client/assets/certs
          ports:
            - containerPort: 443
          env:
            - name: PHPLDAPADMIN_LDAP_HOSTS
              value: "ldap-service"
            - name: PHPLDAPADMIN_SERVER_ADMIN
              value: "webmaster@example.org"
            - name: PHPLDAPADMIN_SERVER_PATH
              value: "/phpldapadmin"
            - name: PHPLDAPADMIN_HTTPS
              value: "true"
            - name: PHPLDAPADMIN_LDAP_CLIENT_TLS
              value: "true"
      volumes:
        - name: phpldapadmin-certs
          hostPath:
            path: "/data/phpldapadmin/ssl/"
        - name: ldap-client-certs
          hostPath:
            path: "/data/phpldapadmin/ldap-client-certs/"
---
apiVersion: v1
kind: Service
metadata:
  namespace: openldap
  labels:
    app: phpldapadmin
  name: phpldapadmin
spec:
  type: NodePort
  ports:
    - port: 443
  selector:
    app: phpldapadmin
```
ingress-resource.yaml
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: openldap
  name: openldap-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - ldap.dev.inner.ymk.com
      secretName: ldap-cert
  rules:
    - host: ldap.dev.inner.ymk.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: phpldapadmin
                port:
                  number: 443
```