Is there a reference example for configuring LDAP?
I. Environment preparation
Assume the LDAP server has the following structure: two OUs, Dept1 and Dept2; Dept1 contains one cn, San Zhang, and Dept2 contains two cns, Si Li and Wu Wang:
If your environment cannot reach an LDAP server but you still want to test how TigerGraph is configured for LDAP, see Part V, "How to set up an LDAP server with docker".
II. Using ldapsearch
1. Syntax
The full syntax is documented at https://linux.die.net/man/1/ldapsearch; the commonly used options are:
-x
Use simple authentication instead of SASL.
-h ldaphost
Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-p ldapport
Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory. For SASL binds, the server is expected to ignore this value.
-w passwd
Use passwd as the password for simple authentication.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
-s {base|one|sub|children}
Specify the scope of the search to be one of base, one, sub, or children to specify a base object, one-level, subtree, or children search. The default is sub. Note: children scope requires LDAPv3 subordinate feature extension.
2. ldapsearch examples
2.1 List all users
Enter the following command:
ldapsearch -x \
-h localhost \
-p 389 \
-D "cn=admin,dc=example,dc=org" \
-w admin \
-b dc=example,dc=org \
objectClass=inetOrgPerson
Output:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: objectClass=inetOrgPerson
# requesting: ALL
#
# San Zhang, Dept1, example.org
dn: cn=San Zhang,ou=Dept1,dc=example,dc=org
givenName: San
sn: Zhang
cn: San Zhang
uid: zhangsan
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/users/zhangsan
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
# Si Li, Dept2, example.org
dn: cn=Si Li,ou=Dept2,dc=example,dc=org
givenName: Si
sn: Li
cn: Si Li
uid: lisi
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/users/lisi
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
# Wu Wang, Dept2, example.org
dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
givenName: Wu
sn: Wang
cn: Wu Wang
uid: wangwu
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/users/wangwu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
2.2 List the users under Dept2
Enter the following command:
ldapsearch -x \
-h localhost \
-p 389 \
-D "cn=admin,dc=example,dc=org" \
-w admin \
-b ou=Dept2,dc=example,dc=org \
-s children \
objectClass=inetOrgPerson
Output:
# extended LDIF
#
# LDAPv3
# base <ou=Dept2,dc=example,dc=org> with scope children
# filter: (objectclass=*)
# requesting: ALL
#
# Si Li, Dept2, example.org
dn: cn=Si Li,ou=Dept2,dc=example,dc=org
givenName: Si
sn: Li
cn: Si Li
uid: lisi
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/users/lisi
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
# Wu Wang, Dept2, example.org
dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
givenName: Wu
sn: Wang
cn: Wu Wang
uid: wangwu
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/users/wangwu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
2.3 Find the user under Dept2 that matches "uid=wangwu"
Enter the following command:
ldapsearch -x \
-h localhost \
-p 389 \
-D "cn=admin,dc=example,dc=org" \
-w admin \
-b ou=Dept2,dc=example,dc=org \
uid=wangwu
Output:
# extended LDIF
#
# LDAPv3
# base <ou=Dept2,dc=example,dc=org> with scope subtree
# filter: uid=wangwu
# requesting: ALL
#
# Wu Wang, Dept2, example.org
dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
givenName: Wu
sn: Wang
cn: Wu Wang
uid: wangwu
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
uidNumber: 1002
gidNumber: 500
homeDirectory: /home/users/wangwu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
III. Configuring LDAP in TigerGraph
1. Configure the LDAP connection
gadmin --configure ldap
Mapping between the TigerGraph configuration parameters and the ldapsearch options:
| TigerGraph parameter | Value in this example | Corresponding ldapsearch option |
|---|---|---|
| security.ldap.enable | TRUE | |
| security.ldap.host | localhost | -h |
| security.ldap.port | 389 | -p |
| security.ldap.base_dn | dc=example,dc=org | -b |
| security.ldap.search_filter | (objectClass=*) | filter |
| security.ldap.username_attribute | uid | |
| security.ldap.admin_dn | cn=admin,dc=example,dc=org | -D |
| security.ldap.admin_password | admin | -w |
| security.ldap.secure.protocol | none | |
| security.ldap.secure.truststore_path | /etc/ssl/certs/java/cacerts | |
| security.ldap.secure.truststore_format | JKS | |
| security.ldap.secure.truststore_password | changeit | |
| security.ldap.secure.trust_all | FALSE | |
security.ldap.username_attribute: this parameter names the LDAP attribute that is looked up when resolving a username. For example, with the configuration above, logging in with "-u john" means the GSQL server searches the LDAP server for the user whose uid is john and, once the entry is found, authenticates against it.
Apply the configuration:
gadmin config-apply
Restart the server:
gadmin restart gsql -y
Example session:
> gadmin --configure ldap
[Warning] License will expire in 2 days
Enter new values or accept defaults in brackets with Enter.
Enable LDAP authentication: default false
security.ldap.enable [False]: true
True
Configure LDAP server hostname: default localhost
security.ldap.host [localhost]:
localhost
Configure LDAP server port: default 389
security.ldap.port [389]:
389
Configure LDAP search base DN, the root node to start the LDAP search for user authentication: must specify
security.ldap.base_dn: dc=example,dc=org
dc=example,dc=org
Configure LDAP search base DN, the root node to start the LDAP search for user authentication.
security.ldap.search_filter [(objectClass=*)]:
(objectClass=*)
Configure the username attribute name in LDAP server: default uid
security.ldap.username_attribute [uid]:
uid
Configure the DN of LDAP user who has read access to the base DN specified above. Empty if everyone has read access to LDAP data: default empty
security.ldap.admin_dn: cn=admin,dc=example,dc=org
cn=admin,dc=example,dc=org
Configure the password of the admin DN specified above. Needed only when admin_dn is specified: default empty
security.ldap.admin_password: admin
admin
Enable SSL/StartTLS for LDAP connection [none/ssl/starttls]: default none
security.ldap.secure.protocol [none]:
none
Configure the truststore path for the certificates used in SSL: default empty
security.ldap.secure.truststore_path [/etc/ssl/certs/java/cacerts]:
/etc/ssl/certs/java/cacerts
Configure the truststore format [JKS/PKCS12]: default JKS
security.ldap.secure.truststore_format [JKS]:
JKS
Configure the truststore password: default changeit
security.ldap.secure.truststore_password [changeit]:
changeit
Configure to trust all LDAP servers (unsafe): default false
security.ldap.secure.trust_all [False]:
False
2. Configure GSQL proxy groups and users
2.1 A single user
Create a proxy group test_group with the rule "uid=zhangsan" as follows. Logging in to gsql as zhangsan then succeeds, while logging in as any other user, such as lisi, fails.
> gsql
GSQL > CREATE GROUP test_group PROXY "uid=zhangsan"
GSQL > GRANT ROLE querywriter ON GRAPH abc TO test_group
Role "querywriter" is successfully granted to user(s): test_group
GSQL > SHOW GROUP
Groups:
- Name: test_group
- Roles:
- GraphName: abc
- Roles: querywriter
- Rule: "uid=zhangsan"
GSQL > exit
> gsql -u zhangsan
Password for zhangsan : ***
Welcome to TigerGraph.
GSQL > exit
> gsql -u lisi
Password for lisi : ***
LDAP user "lisi" does not match any proxy rule.
2.2 All users
Create a proxy group test_group_2 with the rule "objectClass=inetOrgPerson" as follows. Now any user, such as zhangsan or lisi, can log in to gsql.
GSQL > CREATE GROUP test_group_2 PROXY "objectClass=inetOrgPerson"
GSQL > GRANT ROLE queryreader ON GRAPH abc TO test_group_2
Role "queryreader" is successfully granted to user(s): test_group_2
GSQL > SHOW GROUP
Groups:
- Name: test_group
- Roles:
- GraphName: abc
- Roles: querywriter
- Rule: "uid=zhangsan"
- Name: test_group_2
- Roles:
- GraphName: abc
- Roles: queryreader
- Rule: "objectClass=inetOrgPerson"
GSQL > exit
> gsql -u zhangsan
Password for zhangsan : ***
Welcome to TigerGraph.
GSQL > exit
> gsql -u lisi
Password for lisi : ***
Welcome to TigerGraph.
GSQL >
IV. Location of the gsql log
gsql log location: [TigerGraph root directory]/logs/gsql_server_log/GSQL_LOG
V. How to set up an LDAP server with docker
1. Install docker
Install docker by following the material below:
2. Install openldap and phpLDAPadmin
2.1 Install openldap
sudo docker run -p 389:389 \
-p 636:636 \
--name ldap-service \
--hostname ldap-service \
--detach osixia/openldap
2.2 Install phpLDAPadmin
sudo docker run --name phpldapadmin-service \
--hostname phpldapadmin-service \
--link ldap-service:ldap-host \
--env PHPLDAPADMIN_LDAP_HOSTS=ldap-host \
-p 6443:443 \
--detach osixia/phpldapadmin
3. Add users
3.1 Log in to the phpLDAPadmin page
Administrator password: admin
Administrator DN: cn=admin,dc=example,dc=org
Login URL: https://[IP address of the docker host]:6443
Open the LDAP administration page in a browser.
3.2 Create a Posix Group
3.2.1 Select "dc=example,dc=org" in the tree on the left, then click Create a child entry
3.2.2 Select Generic: Posix Group
3.2.3 Enter the group name and click the Create Object button
3.2.4 Click the Commit button
3.3 Create an Organisational Unit
3.3.1 Select "dc=example,dc=org" in the tree on the left, then click Create a child entry
3.3.2 Select Generic: Organisational Unit
3.3.3 Enter the Organisational Unit name and click the Create Object button
3.3.4 Click the Commit button
3.4 Create a User Account
3.4.1 Select "ou=Dept1" under "dc=example,dc=org" in the tree on the left, then click Create a child entry
3.4.2 Select Generic: User Account
3.4.3 Fill in the relevant details and click the Create Object button
3.4.4 Click the Commit button
3.5 Create the other Organisational Units and User Accounts
Create the remaining Organisational Units and User Accounts in the same way; the result is as follows:
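The ldapsearch examples in Part II and the proxy-group rules in Part III.2 can be modelled together; the Python below is an added example written for this page, not TigerGraph's or OpenLDAP's code. It parses the LDIF that ldapsearch printed (including the base64 "::" form of userPassword), applies the -b/-s/filter semantics from the syntax table, and then checks logins the way the GSQL session shows. It assumes single equality filters, DNs without escaped commas, and that TigerGraph's rule matching is plain attribute=value as the page demonstrates.

```python
import base64
# Constructed sample: the three entries from the ldapsearch output above, trimmed to
# the attributes used here ("::" marks a base64-encoded value, exactly as in real LDIF)
SAMPLE_LDIF = """\
dn: cn=San Zhang,ou=Dept1,dc=example,dc=org
uid: zhangsan
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=
objectClass: inetOrgPerson

dn: cn=Si Li,ou=Dept2,dc=example,dc=org
uid: lisi
objectClass: inetOrgPerson

dn: cn=Wu Wang,ou=Dept2,dc=example,dc=org
uid: wangwu
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per blank-line-separated LDIF entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            if val.startswith(":"):                       # "attr:: <base64>"
                val = base64.b64decode(val[1:].strip()).decode()
            entry.setdefault(attr.lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def in_scope(dn, base, scope):                            # ldapsearch -s: base|one|sub|children
    d, b = dn.lower().split(","), base.lower().split(",")  # assumes no escaped commas in DNs
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)                               # 0 is the base entry itself
    return {"base": depth == 0, "one": depth == 1, "sub": True, "children": depth >= 1}[scope]

def matches(entry, flt):
    """One equality filter such as 'uid=wangwu' or '(objectClass=*)'; attribute names are case-insensitive."""
    attr, _, want = flt.strip("()").partition("=")
    vals = entry.get(attr.lower(), [])
    return bool(vals) if want == "*" else want.lower() in (v.lower() for v in vals)

def search(entries, base, scope, flt):                    # DNs ldapsearch would print for -b/-s/filter
    return [e["dn"][0] for e in entries if in_scope(e["dn"][0], base, scope) and matches(e, flt)]

def proxy_login_ok(entries, username, rules, username_attribute="uid"):
    """GSQL behaviour above: the entry found via username_attribute must match at least one proxy rule."""
    users = [e for e in entries if matches(e, f"{username_attribute}={username}")]
    return len(users) == 1 and any(matches(users[0], r) for r in rules)
```

Decoding the sample userPassword shows the {MD5} scheme, which is an unsalted hash that the admin_dn account TigerGraph binds with can read; {SSHA} or stronger is the usual choice for OpenLDAP.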
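The phpLDAPadmin clicks in Part V.3 can be replaced by one LDIF file loaded with ldapadd; the Python generator below is an added example written for this page, not part of the osixia images, and produces that file for the directory layout used throughout. It emits parents before children, as ldapadd requires, and base64-encodes any value that RFC 2849 does not allow in plain form. The group name "users" and the {SSHA} placeholder are assumptions: the page gives only gidNumber 500, and real hashes come from slappasswd.

```python
import base64

def ldif_value(attr, value):
    """One LDIF attribute line. RFC 2849 requires the base64 ("::") form when the value is not a
    SAFE-STRING: non-ASCII, or starting with space, ':' or '<', or containing NUL/CR/LF."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or any(c in value for c in "\0\r\n"))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"

def entry(dn, attrs):
    """One LDIF entry: dn first, then (attr, value) pairs in order, then the separating blank line."""
    return "\n".join([ldif_value("dn", dn)] + [ldif_value(a, v) for a, v in attrs]) + "\n\n"

def build_ldif(base_dn, ous, users, group=("users", 500)):
    """ldapadd input equivalent to the phpLDAPadmin steps above: posix group, organisational
    units, then user accounts. Parents come before children because ldapadd adds in file order."""
    gname, gid = group
    out = entry(f"cn={gname},{base_dn}",
                [("objectClass", "posixGroup"), ("cn", gname), ("gidNumber", str(gid))])
    for ou in ous:
        out += entry(f"ou={ou},{base_dn}", [("objectClass", "organizationalUnit"), ("ou", ou)])
    for i, (ou, given, sn, uid) in enumerate(users):
        cn = f"{given} {sn}"
        out += entry(f"cn={cn},ou={ou},{base_dn}", [
            ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
            ("cn", cn), ("givenName", given), ("sn", sn), ("uid", uid),
            ("uidNumber", str(1000 + i)), ("gidNumber", str(gid)),
            ("homeDirectory", f"/home/users/{uid}"),
            # Placeholder: replace with the {SSHA} hash printed by `slappasswd -s`; OpenLDAP
            # stores whatever is given here verbatim unless a password-policy overlay hashes it
            ("userPassword", "{SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT"),
        ])
    return out

# The directory layout used throughout this page (constructed from its ldapsearch output)
PAGE_USERS = [("Dept1", "San", "Zhang", "zhangsan"),
              ("Dept2", "Si", "Li", "lisi"), ("Dept2", "Wu", "Wang", "wangwu")]

def page_ldif():
    return build_ldif("dc=example,dc=org", ["Dept1", "Dept2"], PAGE_USERS)
```

Write the result to entries.ldif and load it with ldapadd -x -H ldap://localhost:389 -D "cn=admin,dc=example,dc=org" -W -f entries.ldif; the -W prompt keeps the bind password out of the command line and shell history.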