2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to set up OpenLDAP authentication for Rancher 2. Most people are not very familiar with it, so it is shared here for reference; I hope you learn something useful from it.
Supported versions: Rancher v2.0.5 and later.
If your organization uses LDAP for user authentication, you can integrate Rancher with OpenLDAP services to provide unified user authentication.
OpenLDAP authentication process
When a user tries to log in to Rancher with an LDAP account, Rancher first performs an initial bind to the LDAP server using a service account that has permission to search the directory and read user and group entries.
Rancher then searches the directory for the user with a search filter built from the supplied user name and the configured attribute mapping.
Once the user is found, Rancher issues a second bind request using the user's DN and the password the user supplied; this bind is what authenticates the user.
After the bind succeeds, Rancher reads the group membership from the membership attribute of the user object and additionally performs a group search based on the configured group member mapping attribute.
Note that before configuring, you should be familiar with the external authentication configuration and the concept of principal users.
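The four steps above, modelled end to end as an added example (not code from the page or from Rancher): a toy in-memory directory stands in for the OpenLDAP server, the service-account bind, user search, user bind and group resolution run in that order, and the search filter escapes the typed user name per RFC 4515 so that a login name of "*" cannot match every user. All DNs, attribute values and passwords are constructed, and the filter evaluator only supports the flat AND-of-equalities form Rancher builds.

```python
"""Rancher-style OpenLDAP login sequence over an in-memory directory (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample directory; passwords are plaintext only because this is a toy server.
DIRECTORY: Dict[str, Entry] = {
    "uid=svc-rancher,ou=services,dc=acme,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["svc-rancher"], "userPassword": ["sa_password"]},
    "uid=alice,ou=people,dc=acme,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "cn": ["Alice"],
        "userPassword": ["alice-pw"], "memberOf": ["cn=admins,ou=groups,dc=acme,dc=com"]},
    "cn=admins,ou=groups,dc=acme,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["admins"], "member": ["uid=alice,ou=people,dc=acme,dc=com"]},
    "cn=ops,ou=groups,dc=acme,dc=com": {  # only discoverable through the group search, not via memberOf
        "objectClass": ["groupOfNames"], "cn": ["ops"], "member": ["uid=alice,ou=people,dc=acme,dc=com"]},
}


@dataclass
class LdapConfig:
    """The subset of the Rancher form fields that the login sequence depends on."""
    service_account_dn: str
    service_account_password: str
    user_search_base: str
    group_search_base: Optional[str] = None   # blank in the form means: use the user search base
    user_object_class: str = "inetOrgPerson"
    user_login_attribute: str = "uid"
    user_member_attribute: str = "memberOf"
    group_object_class: str = "groupOfNames"
    group_member_mapping_attribute: str = "member"


CFG = LdapConfig("uid=svc-rancher,ou=services,dc=acme,dc=com", "sa_password",
                 "ou=people,dc=acme,dc=com", "ou=groups,dc=acme,dc=com")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: filter metacharacters become \\XX so input is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(cfg: LdapConfig, username: str) -> str:
    """Object class AND login attribute, the shape of filter Rancher derives from the mapping."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg.user_object_class, cfg.user_login_attribute, escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(directory: Dict[str, Entry], base: str, filt: str) -> List[Tuple[str, Entry]]:
    """Toy server: evaluate a flat AND of equality clauses under a search base (subtree scope)."""
    clauses = re.findall(r"\(([A-Za-z][\w;-]*)=([^()]*)\)", filt)
    hits = []
    for dn, entry in directory.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        ok = True
        for attr, pattern in clauses:
            values = [v.lower() for v in entry.get(attr, [])]
            if pattern == "*":                       # an unescaped wildcard is a presence test
                ok = ok and bool(values)
            else:                                    # escaped text compares as a literal value
                ok = ok and _unescape(pattern).lower() in values
        if ok:
            hits.append((dn, entry))
    return hits


def bind(directory: Dict[str, Entry], dn: str, password: str) -> bool:
    """Simple bind. An empty password would be an unauthenticated bind in LDAP, so refuse it."""
    if not password:
        return False
    return password in directory.get(dn, {}).get("userPassword", [])


def authenticate(cfg: LdapConfig, username: str, password: str,
                 directory: Dict[str, Entry] = DIRECTORY) -> Optional[dict]:
    """Service bind -> user search -> user bind -> group resolution; None means login refused."""
    if not bind(directory, cfg.service_account_dn, cfg.service_account_password):
        raise PermissionError("service account bind failed")
    matches = search(directory, cfg.user_search_base, build_user_filter(cfg, username))
    if len(matches) != 1:                            # unknown or ambiguous user: fail closed
        return None
    user_dn, user = matches[0]
    if not bind(directory, user_dn, password):
        return None
    groups = set(user.get(cfg.user_member_attribute, []))       # membership attribute on the user
    group_filter = "(&(objectClass=%s)(%s=%s))" % (            # plus a search on the group side
        cfg.group_object_class, cfg.group_member_mapping_attribute, escape_filter_value(user_dn))
    groups.update(dn for dn, _ in search(directory, cfg.group_search_base or cfg.user_search_base, group_filter))
    return {"dn": user_dn, "groups": sorted(groups)}


if __name__ == "__main__":
    print(authenticate(CFG, "alice", "alice-pw"))
```

The group resolution combines both sources the text names: the user's memberOf values and a search for groups whose member attribute names the user's DN, which is how a group such as "ops" above is found even when the directory does not maintain memberOf for it.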
Prerequisites
Rancher must be configured with a LDAP binding account (also known as a service account) to search for and retrieve LDAP entries related to users and groups. Instead of using an administrator account or a personal account, it is recommended to create a dedicated account in OpenLDAP with read-only access to users and groups under the configured search path (see below).
Configuration steps
Open the OpenLDAP configuration page
Log in to Rancher UI using the system's default admin account.
From the global view, navigate to the Security > Authentication page.
Select OpenLDAP; the OpenLDAP server configuration form is displayed.
OpenLDAP server configuration
Use TLS? If the OpenLDAP server uses a self-signed certificate or one not issued by a trusted certificate authority, make sure you have the CA certificate in PEM format (concatenated with all intermediate certificates). You must supply this certificate during configuration so that Rancher can verify the certificate chain.
OpenLDAP server parameters:
Hostname: the hostname or IP address of the OpenLDAP server.
Port: the port the OpenLDAP server listens on. Unencrypted LDAP normally uses the standard port 389, while LDAPS uses port 636.
TLS: check this box to enable LDAP over SSL/TLS (commonly called LDAPS). If the server uses a self-signed or enterprise-signed certificate, you also need to paste the CA certificate.
Server connection timeout: the time, in seconds, that Rancher waits before considering the server unreachable.
Service account: the service account (DN) used to bind, search and retrieve LDAP entries.
Service account password: the password of the service account.
User search base: the starting point for user searches; all users are searched under this DN and its subtree. Example: ou=people,dc=acme,dc=com.
Group search base: the starting point for group searches; all groups are searched under this DN and its subtree. If left blank, the user search base is used. Example: ou=groups,dc=acme,dc=com.
Custom schema configuration
If your OpenLDAP is not a standard OpenLDAP schema, you must customize the schema to match the appropriate fields.
Note that Rancher uses the attribute mapping configured in this section to construct the search filter and resolve group membership. Therefore, it is always recommended that you verify that the configuration here matches the fields used in your OpenLDAP schema.
If you are not familiar with the user and group schema used by the OpenLDAP server, consult your LDAP administrator, or see the section on using ldapsearch to identify the search base and schema in the Active Directory authentication documentation.
User schema configuration
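One way to do the verification the note above asks for, added here as an example rather than a tool from the page or from Rancher: export the relevant subtree with ldapsearch, then check the attribute mapping you intend to enter in the user and group schema forms against what the entries actually contain, including whether the user membership attribute and the group member attribute reference each other's DNs in the same format. The LDIF below is constructed, the mapping keys mirror the field names used in the Rancher configuration, and the reader is a minimal one (folded lines, base64 values, comments) written for this example.

```python
"""Check a Rancher OpenLDAP attribute mapping against an LDIF export (constructed example)."""
import base64
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed LDIF, in the shape `ldapsearch -LLL` prints: one base64 (::) value and one folded line.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=acme,dc=com
objectClass: inetOrgPerson
uid: alice
cn:: QWxpY2UgTGlkZGVsbA==
sn: Liddell
givenName: Alice
memberOf: cn=admins,ou=groups,dc=acme,dc=com

# groups
dn: cn=admins,ou=groups,dc=acme,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=acme,dc=com
description: cluster administrators for
  the acme tenant
"""

# Field names follow the Rancher form; values are what a default OpenLDAP schema typically needs.
MAPPING = {
    "userObjectClass": "inetOrgPerson", "userLoginAttribute": "uid", "userNameAttribute": "cn",
    "userMemberAttribute": "memberOf", "userSearchAttribute": "uid|sn|givenName",
    "groupObjectClass": "groupOfNames", "groupNameAttribute": "cn",
    "groupMemberMappingAttribute": "member", "groupDNAttribute": "entryDN",
}


def _unfold(text: str) -> List[str]:
    """LDIF folds long values onto following lines that start with one space."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, `attr: value` or `attr:: base64`."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def _vals(entry: Entry, attr: str) -> List[str]:
    return [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]


def check_mapping(entries: List[Entry], mapping: Dict[str, str]) -> List[str]:
    """Return a list of mismatches between the mapping and the exported entries (empty = consistent)."""
    problems: List[str] = []

    def of_class(oc: str) -> List[Entry]:
        return [e for e in entries if oc.lower() in (v.lower() for v in _vals(e, "objectClass"))]

    users, groups = of_class(mapping["userObjectClass"]), of_class(mapping["groupObjectClass"])
    if not users:
        problems.append("no entries with objectClass=%s" % mapping["userObjectClass"])
    if not groups:
        problems.append("no entries with objectClass=%s" % mapping["groupObjectClass"])
    # Every mapped attribute should exist on the entries it is meant to describe.
    # groupDNAttribute (entryDN) is operational and absent from a default export, so it is not checked.
    for key, pool in (("userLoginAttribute", users), ("userNameAttribute", users),
                      ("userMemberAttribute", users), ("groupNameAttribute", groups),
                      ("groupMemberMappingAttribute", groups)):
        missing = [e["dn"][0] for e in pool if not _vals(e, mapping[key])]
        if missing:
            problems.append("%s=%s missing on %d/%d entries" % (key, mapping[key], len(missing), len(pool)))
    for attr in mapping["userSearchAttribute"].split("|"):   # a search attribute nobody has never matches
        if users and not any(_vals(u, attr.strip()) for u in users):
            problems.append("userSearchAttribute %s appears on no user entry" % attr.strip())
    # Membership cross-check: the two sides must name each other's DNs in the same format.
    group_dns = {g["dn"][0].lower() for g in groups}
    user_dns = {u["dn"][0].lower() for u in users}
    for u in users:
        for ref in _vals(u, mapping["userMemberAttribute"]):
            if ref.lower() not in group_dns:
                problems.append("%s: %s=%s matches no group DN" % (u["dn"][0], mapping["userMemberAttribute"], ref))
    for g in groups:
        for ref in _vals(g, mapping["groupMemberMappingAttribute"]):
            if ref.lower() not in user_dns:
                problems.append("%s: %s=%s matches no user DN" % (g["dn"][0], mapping["groupMemberMappingAttribute"], ref))
    return problems


if __name__ == "__main__":
    for p in check_mapping(parse_ldif(SAMPLE_LDIF), MAPPING) or ["mapping matches the export"]:
        print(p)
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; a directory without the memberof overlay, for instance, shows up as userMemberAttribute=memberOf missing on every user, which is exactly the case where login would succeed but no groups would be resolved.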
The following table details the parameters for the user schema configuration.
User schema parameters:
Object class: the name of the object class used for user objects. If defined, specify only the object class name; do not wrap it in LDAP filter syntax such as &(objectClass=xxxx).
Username attribute: the user attribute whose value is suitable as the display name.
Login attribute: the attribute whose value is matched against the user name entered when a user logs in to Rancher, usually uid.
User member attribute: the user attribute that holds the distinguished names of the groups the user belongs to, usually memberOf or isMemberOf.
Search attribute: when a user types text to add a user or group in the UI, Rancher queries the LDAP server and tries to match the user on the attributes listed here. Separate multiple attributes with a vertical bar ("|").
User enabled attribute: if your OpenLDAP server's schema has a user attribute whose value can be evaluated to determine whether the account is disabled or locked, enter the name of that attribute. The default OpenLDAP schema does not support this, and the field should normally be left blank.
Disabled status bitmask: the value that marks a user account as disabled or locked. If User enabled attribute is empty, this parameter is ignored.
Group schema configuration
The following table details the parameters for the group schema configuration.
Group schema parameters:
Object class: the name of the object class used for group entries. If defined, specify only the object class name; do not wrap it in LDAP filter syntax such as &(objectClass=xxxx).
Name attribute: the group attribute whose value is suitable as the display name.
Group member user attribute: the user attribute whose format matches the values of the Group member mapping attribute.
Group member mapping attribute: the group attribute that holds the group's members.
Search attribute: the attributes used to build the search filter when groups are added to a cluster or project in the UI. See the Search attribute description under User schema configuration.
Group DN attribute: the group attribute whose format matches the values in the user's group membership attribute. See User member attribute.
Nested group membership: whether Rancher searches for nested group members. Enable this only if your organization uses nested groups (groups that contain other groups as members). If you use Shibboleth, disable this option.
Configuration script
#!/bin/bash
# Configure OpenLDAP authentication through the Rancher v3 API; testAndApply tests the
# settings with the given LDAP user and, on success, applies and enables them.
export RANCHER_DOMAIN="rancher.yourdomain.com"
export RANCHER_TOKEN="token-xxxxx:xxxx"        # Rancher API token, passed as the basic-auth credential
export ACCESS_MODE="unrestricted"
export CONNECTION_TIMEOUT="5000"
export LDAP_HOST="ldap.yourdomain.com"
export LDAP_PORT=                              # 389 for plain LDAP, 636 for LDAPS
export TLS="true"
export SA_DN="uid=x,ou=x,o=x,dc=yourdomain,dc=com"   # read-only service account used for the initial bind
export SA_PW="sa_password"
export USER_SEARCHBASE="ou=x,o=x,dc=yourdomain,dc=com"
export USERNAME="username"                     # LDAP user whose login is tested before the config is applied
export PASSWORD="password"

# The JSON body is built by closing the single-quoted string around each variable; values must not
# contain double quotes or backslashes, or the body stops being valid JSON.
curl -u "$RANCHER_TOKEN" "https://${RANCHER_DOMAIN}/v3/openLdapConfigs/openldap?action=testAndApply" \
  -H 'content-type: application/json' \
  -H 'accept: application/json' \
  --data-binary '{"ldapConfig": {"accessMode": "'"${ACCESS_MODE}"'", "baseType": "authConfig", "connectionTimeout": "'"${CONNECTION_TIMEOUT}"'", "enabled": true,
    "groupDNAttribute": "entryDN", "groupMemberMappingAttribute": "member", "groupMemberUserAttribute": "entryDN", "groupNameAttribute": "cn", "groupObjectClass": "groupOfNames", "groupSearchAttribute": "cn", "groupSearchBase": null,
    "id": "openldap", "labels": {"cattle.io/creator": "norman"}, "name": "openldap", "nestedGroupMembershipEnabled": false,
    "port": "'"${LDAP_PORT}"'", "servers": ["'"${LDAP_HOST}"'"], "serviceAccountDistinguishedName": "'"${SA_DN}"'", "serviceAccountPassword": "'"${SA_PW}"'", "tls": "'"${TLS}"'", "type": "openLdapConfig",
    "userDisabledBitMask": 0, "userLoginAttribute": "uid", "userMemberAttribute": "memberOf", "userNameAttribute": "cn", "userObjectClass": "inetOrgPerson", "userSearchAttribute": "uid|sn|givenName", "userSearchBase": "'"${USER_SEARCHBASE}"'"},
    "enabled": true, "username": "'"${USERNAME}"'", "password": "'"${PASSWORD}"'"}' \
  --compressed --insecure   # --insecure skips verification of the Rancher server certificate; remove it once Rancher presents a trusted certificate
That is all of the article "How to achieve OpenLDAP authentication in Rancher 2". Thank you for reading! I hope the content has been helpful; to learn more, follow the industry information channel.