This post verifies, by example, the integration between INFINI Gateway (极限网关) and LDAP in two scenarios:
- accessing the gateway directly, with authentication going through LDAP
- connecting Kibana to the gateway, with authentication going through LDAP
Test steps:
1. Since we are testing LDAP, the first thing we need is an LDAP server.
Go to https://github.com/glauth/glauth and download the matching release binary: https://github.com/glauth/glauth/releases
Download the LDAP configuration file: https://github.com/glauth/glauth/raw/master/v2/sample-simple.cfg
Run the LDAP server: ./glauth64 -c sample-simple.cfg
Verify by hand that LDAP is working, binding with the service account from the sample config and looking up the user hackers:
ldapsearch -LLL -H ldap://localhost:3893 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -b dc=glauth,dc=com cn=hackers
If the entry for hackers comes back, the LDAP server is running normally.
2. Configure INFINI Gateway
Download the gateway: http://release.infinilabs.com/gateway/snapshot/
The latest build at the time of this test: gateway-1.6.0_SNAPSHOT-643
After downloading, look for the LDAP configuration in the sample configs (sample-configs/elasticsearch-with-ldap.yml).
Adapt it to your own environment. The flow below runs two filters in order: ldap_auth checks the client's credentials against LDAP, then set_basic_auth replaces them with the Elasticsearch account the gateway uses upstream:

```yaml
flow:
  - name: hello_world
    filter:
      - ldap_auth:
          host: "localhost"
          port: 3893
          bind_dn: "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com"
          bind_password: "mysecret"
          base_dn: "dc=glauth,dc=com"
          user_filter: "(cn=%s)"
          group_attribute: "ou"
          bypass_api_key: true
      - set_basic_auth:
          username: elastic
          password: password

elasticsearch:
  - name: 717
    enabled: true
    endpoints:
      - http://192.168.56.3:7171
    basic_auth:
      username: elastic
      password: password
  - name: logging
    enabled: false
    endpoints:
      - http://192.168.3.188:9206
    basic_auth:
      username: elastic
      password: Bp2HyArQDd+5PdgEJ4QH

pipeline:
# pipelines for logging
# - name: consume-request_logging_index-to-backup
#   auto_start: true
#   keep_running: true
#   processor:
#     - json_indexing:
#         index_name: "test-gateway_requests"
#         elasticsearch: "logging"
#         input_queue: "request_logging"
```

Start the gateway: ./gateway-linux-amd64 -config sample-configs/elasticsearch-with-ldap.yml
3. Test whether LDAP authentication works
- Access the gateway directly with a user that exists in LDAP:
curl localhost:8000 -u hackers:dogood
The request returns the ES cluster information as expected.
Try a search as well.
- Connect Kibana to the gateway and log in to Elastic with the LDAP username and password. In kibana.yml, point Kibana at the gateway and use the LDAP credentials:

```yaml
elasticsearch.hosts: ["http://127.0.0.1:8000"]
elasticsearch.username: "hackers"
elasticsearch.password: "dogood"
```

After starting Kibana, log in with the LDAP user.
Or:
Logic: once LDAP authentication succeeds, the gateway logs in to Elasticsearch with the username and password configured in set_basic_auth, so every LDAP user ends up acting as the same Elasticsearch account.
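As an added illustration (not code from this post or from INFINI Gateway), the following Python models the two filters of the flow configured above: ldap_auth binds with bind_dn/bind_password, searches user_filter under base_dn for the client's username, binds as the found user with the client's password, and on success set_basic_auth replaces the client's credentials with the elastic account before the request continues to Elasticsearch. The in-memory directory, the ou of the hackers entry, the request headers and the RFC 4515 escaping applied to the value substituted into "(cn=%s)" are assumptions of the example; the post does not say how the gateway itself performs that substitution.

```python
import base64
import hmac
import re
from typing import Dict, Optional, Tuple

# Added example, not INFINI Gateway code: a minimal model of the
# ldap_auth -> set_basic_auth flow from the post. Directory entries,
# request headers and the escaping rule are constructed/assumed here.

# Values taken from the ldap_auth / set_basic_auth filters in the sample config.
LDAP_AUTH = {
    "bind_dn": "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com",
    "bind_password": "mysecret",
    "base_dn": "dc=glauth,dc=com",
    "user_filter": "(cn=%s)",
}
SET_BASIC_AUTH = {"username": "elastic", "password": "password"}

# Constructed stand-in for the glauth directory (DN -> attributes);
# the ou of the hackers entry is an assumption, not taken from the post.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com": {"cn": "serviceuser", "userPassword": "mysecret"},
    "cn=hackers,ou=users,dc=glauth,dc=com": {"cn": "hackers", "userPassword": "dogood"},
}


def escape_filter_value(value: str) -> str:
    """Escape a client-supplied value before it is substituted into an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used by the toy search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(username: str) -> str:
    """Fill user_filter ("(cn=%s)") with the escaped username."""
    return LDAP_AUTH["user_filter"].replace("%s", escape_filter_value(username))


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeed only if the DN exists and the password matches (constant-time compare)."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"].encode(), password.encode())


def search_user(filter_str: str) -> Optional[str]:
    """Toy search under base_dn for one equality filter; returns the matching DN or None."""
    m = re.fullmatch(r"\((\w+)=((?:[^()*\\]|\\[0-9a-fA-F]{2})+)\)", filter_str)
    if m is None:
        return None  # anything other than a single well-formed equality match is rejected
    attr, wanted = m.group(1), unescape_filter_value(m.group(2))
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(LDAP_AUTH["base_dn"]) and attrs.get(attr) == wanted:
            return dn
    return None


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header the way `curl -u user:password` does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split a Basic Authorization header into (user, password); None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def gateway_handle(inbound_authorization: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Run one request through ldap_auth and then set_basic_auth.

    Returns (HTTP status, headers forwarded upstream). 200 means the request
    continues to Elasticsearch carrying the elastic account's credentials.
    """
    challenge = {"WWW-Authenticate": 'Basic realm="gateway"'}
    creds = parse_basic(inbound_authorization)
    if creds is None:
        return 401, challenge
    username, password = creds
    # 1. Bind with the service account (like ldapsearch -D/-w in the post).
    if not bind(LDAP_AUTH["bind_dn"], LDAP_AUTH["bind_password"]):
        return 500, {}  # misconfigured bind_dn/bind_password, not a client error
    # 2. Look the client's user up under base_dn, then bind as that user.
    user_dn = search_user(build_user_filter(username))
    if user_dn is None or not bind(user_dn, password):
        return 401, challenge
    # 3. set_basic_auth: swap the client's credentials for the configured ES account.
    return 200, {"Authorization": basic_header(SET_BASIC_AUTH["username"], SET_BASIC_AUTH["password"])}


if __name__ == "__main__":
    for user, pwd in [("hackers", "dogood"), ("hackers", "wrong"), ("hackers)(|(cn=*", "dogood")]:
        status, headers = gateway_handle(basic_header(user, pwd))
        print(f"{user!r}: {status} upstream Authorization={headers.get('Authorization')}")
```

Running it shows the three outcomes side by side: the valid LDAP user is forwarded with the elastic credentials, a wrong password gets a 401 challenge, and a username containing filter metacharacters is escaped so it matches no entry instead of altering the query. When reviewing any ldap_auth-style template such as "(cn=%s)", that escaping of the substituted value is the check to look for.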
That concludes this test: the LDAP integration works. A welcome follow-up would be a mapping from individual LDAP users to distinct Elasticsearch users, since today every authenticated LDAP user shares the single account set in set_basic_auth.