Is there an example of configuring LDAP that I can refer to?

I. Environment preparation

Assume the LDAP server has the following structure: two OUs, Dept1 and Dept2; Dept1 holds one entry with cn San Zhang, and Dept2 holds two entries with cn Si Li and Wu Wang. With the uids that appear in the searches below, the tree is:

dc=example,dc=org
├── ou=Dept1
│   └── cn=San Zhang (uid=zhangsan)
└── ou=Dept2
    ├── cn=Si Li (uid=lisi)
    └── cn=Wu Wang (uid=wangwu)

If your environment cannot reach an LDAP server and you still want to test how TigerGraph is configured for LDAP, see section V, "How to set up an LDAP server with docker".

II. Using ldapsearch

1. Syntax

The full syntax is documented at https://linux.die.net/man/1/ldapsearch. The options used below, plus three that matter once the commands leave a test machine, are:

-x

    Use simple authentication instead of SASL.

-h ldaphost

    Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.

-p ldapport

    Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.

-H ldapuri

    Specify URI(s) referring to the ldap server(s), for example ldap://localhost:389 or ldaps://ldap.example.org. This is the current replacement for -h and -p.

-D binddn

    Use the Distinguished Name binddn to bind to the LDAP directory. For SASL binds, the server is expected to ignore this value.

-w passwd

    Use passwd as the password for simple authentication. The password is then visible in process listings and is usually recorded in the shell history, so prefer -W on anything but a throwaway test.

-W

    Prompt for simple authentication. This is used instead of specifying the password on the command line.

-Z[Z]

    Issue StartTLS (Transport Layer Security) extended operation. With -ZZ the command requires the operation to succeed, so the bind never falls back to cleartext.

-b searchbase

    Use searchbase as the starting point for the search instead of the default.

-s {base|one|sub|children}

    Specify the scope of the search to be one of base, one, sub, or children to specify a base object, one-level, subtree, or children search. The default is sub. Note: children scope requires LDAPv3 subordinate feature extension.

2. ldapsearch examples

2.1 Search for all users

Run the following command:

ldapsearch -x \
  -h localhost \
  -p 389 \
  -D "cn=admin,dc=example,dc=org" \
  -w admin \
  -b dc=example,dc=org \
  objectClass=inetOrgPerson

Output:

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: objectClass=inetOrgPerson
# requesting: ALL
#

# San Zhang, Dept1, example.org
dn: cn=San Zhang,ou=Dept1,dc=example,dc=org
givenName: San
sn: Zhang
cn: San Zhang
uid: zhangsan
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/users/zhangsan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# Si Li, Dept2, example.org
dn: cn=Si Li,ou=Dept2,dc=example,dc=org
givenName: Si
sn: Li
cn: Si Li
uid: lisi
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/users/lisi
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# Wu Wang, Dept2, example.org
dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
givenName: Wu
sn: Wang
cn: Wu Wang
uid: wangwu
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/users/wangwu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

Note that userPassword is returned for every entry. The search binds as the directory admin, which is allowed to read that attribute, and the double colon ("userPassword::") marks a base64-encoded value. An account used only for authentication lookups should be a dedicated bind DN whose ACL does not expose userPassword.

2.2 Search for users under Dept2

Run the following command:

ldapsearch -x \
  -h localhost \
  -p 389 \
  -D "cn=admin,dc=example,dc=org" \
  -w admin \
  -b ou=Dept2,dc=example,dc=org \
  -s children \
  objectClass=inetOrgPerson

Output:

# extended LDIF
#
# LDAPv3
# base <ou=Dept2,dc=example,dc=org> with scope children
# filter: (objectclass=*)
# requesting: ALL
#

# Si Li, Dept2, example.org
dn: cn=Si Li,ou=Dept2,dc=example,dc=org
givenName: Si
sn: Li
cn: Si Li
uid: lisi
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/users/lisi
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# Wu Wang, Dept2, example.org
dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
givenName: Wu
sn: Wang
cn: Wu Wang
uid: wangwu
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/users/wangwu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

The filter line in this header reads (objectclass=*), the client default, instead of the objectClass=inetOrgPerson given on the command line. For this tree both filters return the same two entries, because every child of ou=Dept2 is an inetOrgPerson; it is "-s children" that restricts the search to entries below the base and excludes ou=Dept2 itself.

2.3 Search for users under Dept2 matching "uid=wangwu"

Run the following command:

ldapsearch -x \
  -h localhost \
  -p 389 \
  -D "cn=admin,dc=example,dc=org" \
  -w admin \
  -b ou=Dept2,dc=example,dc=org \
  uid=wangwu

Output:

# extended LDIF
#
# LDAPv3
# base <ou=Dept2,dc=example,dc=org> with scope subtree
# filter: uid=wangwu
# requesting: ALL
#

# Wu Wang, Dept2, example.org
dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
givenName: Wu
sn: Wang
cn: Wu Wang
uid: wangwu
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/users/wangwu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
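The following Python script is an added example, not code from the original page: it ties the three searches above to the option descriptions in section II.1 by parsing LDIF as ldapsearch prints it (including the "::" base64 convention), modelling the four -s scope values over the DNs of this tree, and decoding the userPassword value that every entry above carries. SAMPLE_LDIF is copied from the 2.1 output with the Si Li entry and the posixAccount attributes dropped; the short wordlist is constructed for the demonstration.

```python
"""Parse ldapsearch LDIF output, model the -s scope values, and look at what
the userPassword attribute actually contains.  Added example, not part of
the original page; SAMPLE_LDIF is copied from the page's 2.1 output with
the Si Li entry and the posixAccount attributes dropped to keep it short."""
import base64
import hashlib

SAMPLE_LDIF = """\
# extended LDIF
# base <dc=example,dc=org> with scope subtree
# filter: objectClass=inetOrgPerson

# San Zhang, Dept1, example.org
dn: cn=San Zhang,ou=Dept1,dc=example,dc=org
cn: San Zhang
uid: zhangsan
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
objectClass: inetOrgPerson
objectClass: top

# Wu Wang, Dept2, example.org
dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
cn: Wu Wang
uid: wangwu
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
objectClass: inetOrgPerson
objectClass: top

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry.

    'name: value' is one attribute value; 'name:: value' is base64-encoded
    because the value holds bytes unsafe in LDIF (the {MD5} hash above).
    '#' lines are comments, a blank line ends an entry, and the trailing
    'search:'/'result:' lines belong to no entry.  Names are lower-cased
    because LDAP compares attribute names case-insensitively.
    """
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def in_scope(entry_dn, base_dn, scope):
    """Model of ldapsearch -s relative to base_dn (naive DN split on commas)."""
    entry = [rdn.strip().lower() for rdn in entry_dn.split(",")]
    base = [rdn.strip().lower() for rdn in base_dn.split(",")]
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)        # 0 is the base object itself
    return {"base": depth == 0, "one": depth == 1,
            "sub": True, "children": depth >= 1}[scope]


def password_scheme(entry):
    """Split an RFC 2307 '{SCHEME}data' userPassword into (scheme, data)."""
    raw = entry["userpassword"][0]
    if raw.startswith("{") and "}" in raw:
        scheme, _, data = raw[1:].partition("}")
        return scheme, data
    return "cleartext", raw


def crack_unsalted_md5(data_b64, wordlist):
    """{MD5} is plain MD5 of the password, so a short wordlist is enough."""
    target = base64.b64decode(data_b64)
    for word in wordlist:
        if hashlib.md5(word.encode()).digest() == target:
            return word
    return None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for e in entries:
        print(e["dn"][0], in_scope(e["dn"][0], "ou=Dept2,dc=example,dc=org", "children"))
    scheme, data = password_scheme(entries[0])
    print(scheme, crack_unsalted_md5(data, ["admin", "password", "123456", "123"]))
```

Decoding shows the stored value is {MD5}ICy5YqxZB1uWSwcVLSNLcA==, an unsalted MD5 hash, and the four-word list recovers the password. Two practical points follow: the bind DN used for authentication lookups should be a dedicated account whose ACL does not expose userPassword (the searches above bind as the directory admin, which is why the hashes come back), and test accounts should be created with a salted scheme such as {SSHA} rather than {MD5}.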

III. Configuring LDAP in TigerGraph

1. Configure the LDAP connection

gadmin --configure ldap

How the configured parameters correspond to the ldapsearch items used above:

| TigerGraph parameter | Value in this example | Corresponding ldapsearch item |
|---|---|---|
| security.ldap.enable | TRUE | |
| security.ldap.host | localhost | -h |
| security.ldap.port | 389 | -p |
| security.ldap.base_dn | dc=example,dc=org | -b |
| security.ldap.search_filter | (objectClass=*) | filter |
| security.ldap.username_attribute | uid | |
| security.ldap.admin_dn | cn=admin,dc=example,dc=org | -D |
| security.ldap.admin_password | admin | -w |
| security.ldap.secure.protocol | none | |
| security.ldap.secure.truststore_path | /etc/ssl/certs/java/cacerts | |
| security.ldap.secure.truststore_format | JKS | |
| security.ldap.secure.truststore_password | changeit | |
| security.ldap.secure.trust_all | FALSE | |

With security.ldap.secure.protocol set to none, both the admin bind and every user's login password travel unencrypted to port 389, which is acceptable only for this local test. Against a real directory, set the protocol to ssl or starttls, keep trust_all at FALSE (the prompt itself marks it unsafe), import the directory's CA certificate into the truststore, and change the truststore password from the Java default changeit. The search_filter (objectClass=*) matches every entry under base_dn; narrowing it, for example to (objectClass=inetOrgPerson), limits which entries can ever be considered for login.

security.ldap.username_attribute: the attribute that is compared with the login name when TigerGraph searches LDAP for the user. With uid, as in the table above, logging in with "gsql -u zhangsan" makes the GSQL server search the LDAP server for an entry whose uid is zhangsan and, once it is found, authenticate against that entry.

Apply the configuration:

gadmin config-apply

Restart the server:

gadmin restart gsql -y

Example session:

> gadmin --configure ldap
[Warning] License will expire in 2 days
Enter new values or accept defaults in brackets with Enter.

Enable LDAP authentication: default false
security.ldap.enable [False]: true
True

Configure LDAP server hostname: default localhost
security.ldap.host [localhost]: 
localhost

Configure LDAP server port: default 389
security.ldap.port [389]: 
389

Configure LDAP search base DN, the root node to start the LDAP search for user authentication: must specify
security.ldap.base_dn: dc=example,dc=org
dc=example,dc=org

Configure LDAP search base DN, the root node to start the LDAP search for user authentication.
security.ldap.search_filter [(objectClass=*)]: 
(objectClass=*)

Configure the username attribute name in LDAP server: default uid
security.ldap.username_attribute [uid]: 
uid

Configure the DN of LDAP user who has read access to the base DN specified above. Empty if everyone has read access to LDAP data: default empty
security.ldap.admin_dn: cn=admin,dc=example,dc=org
cn=admin,dc=example,dc=org

Configure the password of the admin DN specified above. Needed only when admin_dn is specified: default empty
security.ldap.admin_password: admin
admin

Enable SSL/StartTLS for LDAP connection [none/ssl/starttls]: default none
security.ldap.secure.protocol [none]: 
none

Configure the truststore path for the certificates used in SSL: default empty
security.ldap.secure.truststore_path [/etc/ssl/certs/java/cacerts]: 
/etc/ssl/certs/java/cacerts

Configure the truststore format  [JKS/PKCS12]: default JKS
security.ldap.secure.truststore_format [JKS]: 
JKS

Configure the truststore password: default changeit
security.ldap.secure.truststore_password [changeit]: 
changeit

Configure to trust all LDAP servers (unsafe): default false
security.ldap.secure.trust_all [False]: 
False

2. Configure GSQL proxy groups and users

2.1 A single user

Set up a proxy group test_group whose rule is "uid=zhangsan", as follows. Logging in to gsql as zhangsan then succeeds, while logging in as any other user, such as lisi, fails:

> gsql
GSQL > CREATE GROUP test_group PROXY "uid=zhangsan"
GSQL > GRANT ROLE querywriter ON GRAPH abc TO test_group
Role "querywriter" is successfully granted to user(s): test_group
GSQL > SHOW GROUP
Groups: 
  - Name: test_group
    - Roles:
      - GraphName: abc
        - Roles: querywriter
    - Rule: "uid=zhangsan"
GSQL > exit
> gsql -u zhangsan
Password for zhangsan : ***
Welcome to TigerGraph.
GSQL > exit
> gsql -u lisi
Password for lisi : ***
LDAP user "lisi" does not match any proxy rule.

2.2 All users

Set up a proxy group test_group_2 whose rule is "objectClass=inetOrgPerson", as follows. Now any user, zhangsan and lisi alike, can log in to gsql. Because this rule matches every inetOrgPerson entry under base_dn, every directory user receives queryreader on graph abc; in a real deployment, write the rule against an attribute that identifies the users who are actually meant to reach TigerGraph.

GSQL > CREATE GROUP test_group_2 PROXY "objectClass=inetOrgPerson"
GSQL > GRANT ROLE queryreader ON GRAPH abc TO test_group_2
Role "queryreader" is successfully granted to user(s): test_group_2
GSQL > SHOW GROUP
Groups: 
  - Name: test_group
    - Roles:
      - GraphName: abc
        - Roles: querywriter
    - Rule: "uid=zhangsan"

  - Name: test_group_2
    - Roles:
      - GraphName: abc
        - Roles: queryreader
    - Rule: "objectClass=inetOrgPerson"
GSQL > exit
> gsql -u zhangsan
Password for zhangsan : ***
Welcome to TigerGraph.
GSQL > exit
> gsql -u lisi
Password for lisi : ***
Welcome to TigerGraph.
GSQL > 
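As an added illustration of the login path this section describes (a model written for this article, not TigerGraph's code): the security.ldap.* values from the table above turn a login name into a search under base_dn for the entry whose username_attribute equals that name, and the entry found is then checked against each group's PROXY rule. The AND-composition of search_filter with the username attribute is an assumption about how the product builds its query; the two directory entries are constructed from the ldapsearch output in section II, and only the simple attr=value rule form the page uses is evaluated.

```python
"""Model of the login path this section describes: look the login name up
under base_dn, then test the entry against each PROXY rule.  Added example
written for this article, not TigerGraph code.  The AND of search_filter
with the username attribute is an assumption about how the query is built;
DIRECTORY is constructed from the ldapsearch output in section II."""

# security.ldap.* values from the gadmin session above.
CONFIG = {
    "base_dn": "dc=example,dc=org",
    "search_filter": "(objectClass=*)",
    "username_attribute": "uid",
}

# Proxy groups from the GSQL session above: name -> (rule, roles per graph).
GROUPS = {
    "test_group": ("uid=zhangsan", {"abc": ["querywriter"]}),
    "test_group_2": ("objectClass=inetOrgPerson", {"abc": ["queryreader"]}),
}

# Two of the three directory entries, keyed by lower-cased attribute name
# because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"dn": "cn=San Zhang,ou=Dept1,dc=example,dc=org", "uid": ["zhangsan"],
     "objectclass": ["inetOrgPerson", "posixAccount", "top"]},
    {"dn": "cn=Si Li,ou=Dept2,dc=example,dc=org", "uid": ["lisi"],
     "objectclass": ["inetOrgPerson", "posixAccount", "top"]},
]

# RFC 4515 requires these characters to be hex-escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape a value that is interpolated into a search filter.

    Without this, a login name such as '*)(uid=*' rewrites the filter and
    matches every entry instead of exactly one (LDAP filter injection).
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(cfg, username):
    """Filter sent to the server: (&(search_filter)(username_attribute=name))."""
    return "(&%s(%s=%s))" % (cfg["search_filter"], cfg["username_attribute"],
                             escape_filter_value(username))


def find_user(directory, cfg, username):
    """Lookup step on the constructed directory: exactly one entry whose
    username attribute equals the login name, else None (an ambiguous
    match is treated as a failure rather than picking the first hit)."""
    attr = cfg["username_attribute"].lower()
    hits = [e for e in directory if username in e.get(attr, [])]
    return hits[0] if len(hits) == 1 else None


def matches_rule(entry, rule):
    """Evaluate a PROXY rule of the form attr=value against one entry."""
    attr, _, value = rule.partition("=")
    return value in entry.get(attr.strip().lower(), [])


def authorize(directory, cfg, groups, username):
    """Groups (with their graph roles) the login receives; {} means the
    user exists in LDAP but matches no proxy rule, None means not found.
    The password check (a bind as the entry's DN) is not modelled here."""
    entry = find_user(directory, cfg, username)
    if entry is None:
        return None
    return {name: roles for name, (rule, roles) in groups.items()
            if matches_rule(entry, rule)}


if __name__ == "__main__":
    print(user_lookup_filter(CONFIG, "lisi"))
    print(user_lookup_filter(CONFIG, "*)(uid=*"))
    for user in ("zhangsan", "lisi", "nobody"):
        print(user, authorize(DIRECTORY, CONFIG, GROUPS, user))
```

Running it reproduces the two sessions above: with only test_group defined, lisi matches no rule and is rejected, and with test_group_2 added lisi receives queryreader on abc. The escaping in user_lookup_filter is the part worth carrying into any integration that builds filters from user input; the second printed filter shows how an unescaped login name such as *)(uid=* would otherwise widen the search.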

IV. gsql log location

gsql log location: <TigerGraph root directory>/logs/gsql_server_log/GSQL_LOG

V. How to set up an LDAP server with docker

1. Install docker

Install docker by following the reference material below:

2. Install openldap and phpLDAPadmin

2.1 Install openldap

sudo docker run -p 389:389 \
  -p 636:636 \
  --name ldap-service \
  --hostname ldap-service \
  --detach osixia/openldap

Started with no further options, the image uses the suffix dc=example,dc=org and the admin password admin quoted in step 3.1. That is fine for a throwaway test container on a private host; a container reachable from other machines should be started with its own admin password (the image reads it from the LDAP_ADMIN_PASSWORD environment variable) and a pinned image tag rather than the floating default.

2.2 Install phpLDAPadmin

sudo docker run --name phpldapadmin-service \
  --hostname phpldapadmin-service \
  --link ldap-service:ldap-host \
  --env PHPLDAPADMIN_LDAP_HOSTS=ldap-host \
  -p 6443:443 \
  --detach osixia/phpldapadmin

3. Add users

3.1 Log in to the phpLDAPadmin page

Admin password: admin

Admin DN: cn=admin,dc=example,dc=org

Login URL: https://<IP address of the machine running docker>:6443

Open the LDAP administration page in a browser and log in with the DN and password above.

3.2 Create a Posix Group

3.2.1 Select "dc=example,dc=org" in the tree on the left, then click Create a child entry

3.2.2 Select Generic: Posix Group

3.2.3 Fill in the group name and click the Create Object button

3.2.4 Click the Commit button

3.3 Create an Organisational Unit

3.3.1 Select "dc=example,dc=org" in the tree on the left, then click Create a child entry

3.3.2 Select Generic: Organisational Unit

3.3.3 Fill in the Organisational Unit name and click the Create Object button

3.3.4 Click the Commit button

3.4 Create a User Account

3.4.1 Select "ou=Dept1" under "dc=example,dc=org" in the tree on the left, then click Create a child entry

3.4.2 Select Generic: User Account

3.4.3 Fill in the relevant details and click the Create Object button

3.4.4 Click the Commit button

3.5 Create the remaining Organisational Units and User Accounts

Create the remaining Organisational Units and User Accounts in the same way; the result is as follows:
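The same tree can be created from the command line instead of through the phpLDAPadmin forms. The Python script below is an added example, not from the page: it emits the LDIF for the two OUs, a posixGroup and the three user accounts of steps 3.2 to 3.5, and can feed it to ldapadd bound as the image's default admin DN. The group name users, the shared test password 123 and the use of {SSHA} for userPassword are choices made here; the ldapsearch output in section II shows the entries as created through the web interface, with an unsalted {MD5} hash.

```python
"""Create the same test tree with ldapadd instead of the phpLDAPadmin forms.
Added example, not from the page.  The group name 'users', the test
password and the {SSHA} password scheme are choices made here; the page's
entries were created through the web interface with an unsalted {MD5}."""
import base64
import hashlib
import os
import subprocess

BASE_DN = "dc=example,dc=org"
ADMIN_DN = "cn=admin,dc=example,dc=org"   # osixia/openldap default, as in 3.1
GID = 500                                 # gidNumber shown in the page's output

# (uid, given name, surname, OU, uidNumber) for the three users on the page.
USERS = [
    ("zhangsan", "San", "Zhang", "Dept1", 1000),
    ("lisi", "Si", "Li", "Dept2", 1001),
    ("wangwu", "Wu", "Wang", "Dept2", 1002),
]


def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), 8 random salt bytes.
    Unlike {MD5}, equal passwords no longer produce equal stored values."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored, password):
    """What slapd does on a simple bind against a {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def tree_ldif(user_password):
    """LDIF for the OUs, the posixGroup and the users, parents first."""
    blocks = []
    for ou in ("Dept1", "Dept2"):
        blocks.append("dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n"
                      % (ou, BASE_DN, ou))
    blocks.append("dn: cn=users,%s\nobjectClass: posixGroup\ncn: users\n"
                  "gidNumber: %d\n" % (BASE_DN, GID))
    for uid, given, sn, ou, uidn in USERS:
        cn = "%s %s" % (given, sn)
        blocks.append(
            "dn: cn=%s,ou=%s,%s\n" % (cn, ou, BASE_DN)
            + "objectClass: inetOrgPerson\nobjectClass: posixAccount\n"
            + "objectClass: top\ncn: %s\nsn: %s\ngivenName: %s\nuid: %s\n"
              % (cn, sn, given, uid)
            + "uidNumber: %d\ngidNumber: %d\nhomeDirectory: /home/users/%s\n"
              % (uidn, GID, uid)
            + "userPassword: %s\n" % ssha(user_password))
    return "\n".join(blocks)


def load(ldif, admin_password, host="localhost", port=389):
    """Pipe the LDIF into ldapadd with a simple bind as the admin DN.
    -w puts the password on the command line; -W (prompt) or -y <file>
    is better outside a test container."""
    cmd = ["ldapadd", "-x", "-H", "ldap://%s:%d" % (host, port),
           "-D", ADMIN_DN, "-w", admin_password]
    return subprocess.run(cmd, input=ldif.encode(), check=True)


if __name__ == "__main__":
    print(tree_ldif("123"))   # constructed test password for all three users
```

Running the script prints the LDIF; load(tree_ldif("123"), "admin") pushes it into the container started in step 2.1. The entries must stay in this order, since ldapadd cannot create a user before its parent OU exists, and a second run fails on the entries that already exist.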