LDAP Server
An AD domain normally has to live on Windows, which is a real hassle.
Found an LDAP server I am reasonably happy with: nowsci/samba-domain, a Samba AD DC in Docker (compose file below).
osixia/openldap: tried it, not good enough (links in the unsorted notes at the end).
```yaml
name: sso
services:
  samba-dc:
    image: nowsci/samba-domain:latest
    hostname: Samba-DC
    restart: always
    environment:
      DOMAIN: 'XYH.MOE'
      DOMAINPASS: 'xxxxxxxxx'       # Administrator password; only used on first provisioning
      DNSFORWARDER: '192.168.8.1'   # router IP (upstream DNS)
      HOSTIP: '192.168.8.222'       # IP of the host
      INSECURELDAP: true            # lets clients do simple binds over plain LDAP on 389; only needed for clients that cannot do StartTLS or LDAPS
      NOCOMPLEXITY: false
    ports:
      - "88:88"                     # Kerberos
      - "88:88/udp"                 # Kerberos
      - "135:135"                   # RPC endpoint mapper
      - "137-138:137-138/udp"       # NetBIOS name / datagram
      - "139:139"                   # NetBIOS session (SMB)
      - "389:389"                   # LDAP
      - "389:389/udp"               # CLDAP
      - "636:636"                   # LDAPS
      - "1024-1044:1024-1044"       # dynamic RPC ports
      - "3268-3269:3268-3269"       # Global Catalog (LDAP / LDAPS)
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ./samba/data/:/var/lib/samba
      - ./samba/config/samba:/etc/samba/external
```
LDAP Client
My LDAP structure

```text
DC=xyh,DC=moe
├── OU=玉衡结界
│   ├── [group] CN=Alist
│   ├── [group] CN=Gitea Admins
│   ├── [group] CN=Gitea Users
│   ├── [group] CN=Grafana Admins
│   ├── [group] CN=Grafana Users
│   ├── [group] CN=Harbor Admins
│   ├── [group] CN=Harbor Users
│   ├── [user]  CN=典吏
│   ├── [user]  CN=仙玉衡
│   └── ...
├── CN=Users
│   ├── [group] CN=Domain Users
│   ├── [group] CN=Domain Admins
│   ├── [user]  CN=Administrator
│   └── ...
└── ...
```
CN=典吏 is the read-only account; every client below binds with it to search the directory.
CN=仙玉衡 is a member of each of the Admins groups.
Grafana LDAP configuration

```ini
# /etc/grafana/grafana.ini
...
[auth.ldap]
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
skip_org_role_sync = true
...
```

With skip_org_role_sync = true Grafana stops syncing the org role from the LDAP group mappings, so roles then have to be managed inside Grafana; set it to false if the Grafana Admins / Grafana Users groups are meant to decide who is Admin and who is Viewer.
```toml
# /etc/grafana/ldap.toml
[[servers]]
host = "ldap.xyh.moe"
port = 389
use_ssl = false
start_tls = true
tls_ciphers = []
min_tls_version = ""
ssl_skip_verify = true   # StartTLS without certificate checking: the session is encrypted but the DC is not authenticated; set to false once the DC's CA is trusted on the Grafana host
bind_dn = "CN=典吏,OU=玉衡结界,DC=xyh,DC=moe"
bind_password = "${LDAP_ADMIN_PASSWORD}"
timeout = 15
search_filter = "(&(objectClass=organizationalPerson)(|(memberOf=CN=Grafana Admins,OU=玉衡结界,DC=xyh,DC=moe)(memberOf=CN=Grafana Users,OU=玉衡结界,DC=xyh,DC=moe))(|(cn=%s)(mail=%s)))"
search_base_dns = ["OU=玉衡结界,DC=xyh,DC=moe"]

[servers.attributes]
name = "givenName"
surname = "sn"
username = "sAMAccountName"
member_of = "memberOf"
email = "mail"

[[servers.group_mappings]]
group_dn = "CN=Grafana Admins,OU=玉衡结界,DC=xyh,DC=moe"
org_role = "Admin"

[[servers.group_mappings]]
group_dn = "CN=Grafana Users,OU=玉衡结界,DC=xyh,DC=moe"
org_role = "Viewer"

# Leftover sample mappings from the template, kept disabled:
#[[servers.group_mappings]]
#group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
#org_role = "Admin"
#
#[[servers.group_mappings]]
#group_dn = "cn=it1,cn=users,dc=songxwn,dc=com"
#org_role = "Editor"
#
```

Two things to know about this search_filter. It only matches the login name against cn or mail, while `username` maps to sAMAccountName, so a user has to type the cn (the display name) or the mail address at the Grafana login, not the short account name; add `(sAMAccountName=%s)` to the inner `|` if the short name should work. And AD's memberOf lists direct memberships only; a user who is in Grafana Admins through a nested group does not match unless the filter uses the matching-rule form `memberOf:1.2.840.113556.1.4.1941:=CN=Grafana Admins,OU=玉衡结界,DC=xyh,DC=moe`.
Harbor LDAP configuration
Item | Value | Notes |
---|---|---|
Auth Mode | LDAP | |
LDAP URL | ldap://ldap.xyh.moe:389 | plain LDAP, see note below |
LDAP Search DN | CN=典吏,OU=玉衡结界,DC=xyh,DC=moe | a read-only user |
LDAP Search Password | password | the search DN's password |
LDAP Base DN | OU=玉衡结界,DC=xyh,DC=moe | |
LDAP Filter | (|(memberOf=CN=Harbor Admins,OU=玉衡结界,DC=xyh,DC=moe)(memberOf=CN=Harbor Users,OU=玉衡结界,DC=xyh,DC=moe)) | |
LDAP UID | cn | users log in with their cn |
LDAP Scope | Subtree | |
LDAP Group Base DN | OU=玉衡结界,DC=xyh,DC=moe | |
LDAP Group Filter | (&(objectClass=group)(|(cn=Harbor Admins)(cn=Harbor Users))) | corrected, see note below |
LDAP Group GID | cn | |
LDAP Group Admin DN | cn=harbor admins,ou=玉衡结界,dc=xyh,dc=moe | DNs compare case-insensitively, so lower case is fine |
LDAP Group Membership | memberof | |
LDAP Group Scope | Subtree | |
LDAP Verify Cert | √ | only has an effect with an ldaps:// URL |

Two notes on this table. The group filter originally read `(&(objectClass=group)(|(CN=Harbor Admins,OU=玉衡结界,DC=xyh,DC=moe)(CN=Harbor Users,OU=玉衡结界,DC=xyh,DC=moe)))`; `CN=<full DN>` is an equality test of the cn attribute against a whole DN string, which matches no group, so the filter above tests the cn alone (the group base DN already limits where it looks). And with `ldap://` on 389 and the server accepting simple binds (INSECURELDAP above), the search DN's password and every user's password cross the network in clear text; switch the URL to `ldaps://ldap.xyh.moe:636` with a certificate the Harbor host trusts, which is also when "Verify Cert" starts to mean something.
Alist LDAP configuration
Item | Value | Notes |
---|---|---|
Enable LDAP login | √ | |
LDAP Server | ldap.xyh.moe:389 | |
LDAP Manager DN | CN=典吏,OU=玉衡结界,DC=xyh,DC=moe | |
LDAP Manager Password | password | |
LDAP User Search Base | OU=玉衡结界,DC=xyh,DC=moe | |
LDAP User Search Filter | (&(|(cn=%[1]s)(sAMAccountName=%[1]s))(memberOf=CN=Alist XS,OU=玉衡结界,DC=xyh,DC=moe)) | %[1]s is the login name; the group DN has to match the Alist group as it exists in the tree above |
LDAP Default Path | / | not looked into, default |
LDAP Default Permission | 0 | not looked into, default |
LDAP Login Tip | LDAP login | anything you like |
Gitea LDAP configuration
Item | Value | Notes |
---|---|---|
Authentication Type* | LDAP (via BindDN) | |
Authentication Name* | ldap.xyh.moe | |
Security Protocol* | StartTLS | |
Host* | ldap.xyh.moe | |
Port* | 389 | |
Skip TLS Verify | √ | see note below |
Bind DN | CN=典吏,OU=玉衡结界,DC=xyh,DC=moe | |
Bind Password | password | |
User Search Base* | OU=玉衡结界,DC=xyh,DC=moe | |
User Filter* | (&(objectClass=organizationalPerson)(|(memberOf=CN=Gitea Admins,OU=玉衡结界,DC=xyh,DC=moe)(memberOf=CN=Gitea Users,OU=玉衡结界,DC=xyh,DC=moe))(|(cn=%[1]s)(mail=%[1]s)(sAMAccountName=%[1]s)(givenName=%[1]s))) | %[1]s is the login name |
Admin Filter | (memberOf=CN=Gitea Admins,OU=玉衡结界,DC=xyh,DC=moe) | members become Gitea site administrators |
Restricted Filter | | |
Username Attribute | sAMAccountName | |
First Name Attribute | givenName | |
Surname Attribute | sn | |
Email Attribute* | | |
Public SSH Key Attribute | | |
Avatar Attribute | jpegPhoto | |
Enable LDAP Groups | | |
Use Paged Search | | |
Fetch Attributes in Bind DN Context | √ | |
Skip Local 2FA | | |
Deactivate Users When Search Result Empty | | |
Enable User Synchronization | √ | |
This Authentication Source is Activated | √ | |

Skip TLS Verify together with StartTLS encrypts the connection but accepts any certificate, so anything on the path can impersonate the DC and collect the bind password and every user's password; import the CA that issued the DC's certificate on the Gitea host and untick it.
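The four user filters above all gate access on group membership, and three of them embed the login name; whether a given account can reach a given app, and what happens if the login name is substituted without escaping, can be checked offline. The script below is an added example and not code from the original notes or from Grafana, Gitea, Alist or Harbor: it builds a small model of the tree above (the sAMAccountName and mail values are assumptions), evaluates each app's filter against it with a minimal RFC 4515 evaluator, and also runs the Harbor group filter in the form it had on the page and in the corrected form. How Harbor combines its UID attribute with the configured filter is modelled as an assumption, as commented.

```python
"""Offline check of this page's per-app LDAP filters against a model of the tree above.

Added example, not code from the original notes or from Grafana, Gitea, Alist or Harbor.
Entries are constructed from the tree; sAMAccountName and mail values are assumed. The
evaluator covers the RFC 4515 subset the filters use (&, |, attr=value, attr=*) and
compares values case-insensitively as a stand-in for real DN matching.
"""
import re

BASE = "OU=玉衡结界,DC=xyh,DC=moe"
PERSON = ["top", "person", "organizationalPerson", "user"]

def group_dn(cn):
    return f"CN={cn},{BASE}"

# Constructed directory: attribute -> list of values; memberOf holds direct membership only, as in AD.
DIRECTORY = [
    {"objectClass": PERSON, "cn": ["典吏"], "sAMAccountName": ["dianli"],
     "mail": ["dianli@xyh.moe"], "memberOf": []},                     # read-only bind account
    {"objectClass": PERSON, "cn": ["仙玉衡"], "sAMAccountName": ["xianyuheng"], "mail": ["xyh@xyh.moe"],
     "memberOf": [group_dn(g) for g in ("Gitea Admins", "Grafana Admins", "Harbor Admins", "Alist")]},
    {"objectClass": ["top", "group"], "cn": ["Harbor Admins"], "memberOf": []},
    {"objectClass": ["top", "group"], "cn": ["Harbor Users"], "memberOf": []},
]

def ldap_escape(value):
    """RFC 4515 escaping of a login substituted into a filter (what the apps do for %s)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def parse_filter(text):
    """Parse a filter into nested tuples: ('&' or '|', kids) and ('=', attr, value)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:
            end = text.index(")", pos)      # an escaped ')' is \29, so this is the real close
            attr, _, value = text[pos:end].partition("=")
            result, pos = ("=", attr, value), end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return result
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(entry, tree):
    if tree[0] == "&":
        return all(matches(entry, k) for k in tree[1])
    if tree[0] == "|":
        return any(matches(entry, k) for k in tree[1])
    _, attr, value = tree
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":                        # presence test: only an unescaped '*' gets here
        return bool(vals)
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(v.lower() == literal.lower() for v in vals)

def member_of(*cns):
    return "(|" + "".join(f"(memberOf={group_dn(c)})" for c in cns) + ")"

# User filters as on this page; %s is the login the app substitutes. The tree names the Alist group
# CN=Alist, so the model uses that. Harbor's filter has no placeholder; it is modelled (assumption)
# as Harbor ANDing (<LDAP UID attribute>=<login>) with the configured filter.
APP_FILTERS = {
    "grafana": "(&(objectClass=organizationalPerson)" + member_of("Grafana Admins", "Grafana Users")
               + "(|(cn=%s)(mail=%s)))",
    "gitea": "(&(objectClass=organizationalPerson)" + member_of("Gitea Admins", "Gitea Users")
             + "(|(cn=%s)(mail=%s)(sAMAccountName=%s)(givenName=%s)))",
    "alist": "(&(|(cn=%s)(sAMAccountName=%s))(memberOf=" + group_dn("Alist") + "))",
    "harbor": "(&(cn=%s)" + member_of("Harbor Admins", "Harbor Users") + ")",
}
# Harbor group filter as on the page: CN=<whole DN> compares the cn attribute with a DN string and
# matches no group; the corrected form tests cn alone.
HARBOR_GROUP_FILTER_PAGE = ("(&(objectClass=group)(|(CN=Harbor Admins,OU=玉衡结界,DC=xyh,DC=moe)"
                            "(CN=Harbor Users,OU=玉衡结界,DC=xyh,DC=moe)))")
HARBOR_GROUP_FILTER_FIXED = "(&(objectClass=group)(|(cn=Harbor Admins)(cn=Harbor Users)))"

def who_can_login(app, login, escape=True):
    """cn of every entry the app's user filter returns for this login; escape=False shows raw substitution."""
    needle = ldap_escape(login) if escape else login
    tree = parse_filter(APP_FILTERS[app].replace("%s", needle))
    return [e["cn"][0] for e in DIRECTORY if matches(e, tree)]

def groups_matched(group_filter):
    return [e["cn"][0] for e in DIRECTORY if matches(e, parse_filter(group_filter))]

if __name__ == "__main__":
    for app in APP_FILTERS:
        print(app, "xianyuheng:", who_can_login(app, "xianyuheng"), "仙玉衡:", who_can_login(app, "仙玉衡"))
    print("grafana '*' raw:", who_can_login("grafana", "*", escape=False), "escaped:", who_can_login("grafana", "*"))
    print("harbor groups page / fixed:", groups_matched(HARBOR_GROUP_FILTER_PAGE), groups_matched(HARBOR_GROUP_FILTER_FIXED))
```

Running it shows the read-only account 典吏 getting into none of the apps (it is in no app group), 仙玉衡 getting into Gitea and Alist by short name but into Grafana and Harbor only by cn or mail, since those two filters never test sAMAccountName, a raw `*` login turning the Grafana name test into a presence test that the group gate still contains, and the page's Harbor group filter returning no groups while the corrected one returns both.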
Unsorted
xxx
https://github.com/osixia/docker-openldap
https://hub.docker.com/r/osixia/openldap/
Password change
https://hub.docker.com/r/wheelybird/ldap-user-manager
https://hub.docker.com/r/ltbproject/self-service-password
https://blog.frognew.com/2017/05/openldap-self-service-password.html
LDAP

```shell
# -w puts the password on the command line, where ps and the shell history can see it; -W prompts for it instead.
# The bind DN sits under dc=xxz while the search base is dc=xyh; normally both belong to the same domain.
ldapsearch -x -H ldap://127.0.0.1:389 -b "dc=xyh,dc=moe" -D "cn=admin,dc=xxz,dc=moe" -w aaaaaaaa
```