forked from devstream-io/devstream
docs: openldap plugin doc (devstream-io#284)
Showing 3 changed files with 145 additions and 9 deletions.
@@ -1,6 +1,6 @@ | ||
## 1 `argocd` Plugin | ||
## 1 `openldap` Plugin | ||
|
||
This plugin installs [OpenLDAP](https://argoproj.github.io/cd/) in an existing Kubernetes cluster using the Helm chart. | ||
This plugin installs [OpenLDAP](https://www.openldap.org/) in an existing Kubernetes cluster using the Helm chart. Please at least make sure your Kubernetes's version is greater than 1.18. | ||
|
||
## 2 Usage: | ||
|
||
|
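Review bot: the version requirement added in the second `+` line of this hunk is ambiguous and ungrammatical: "Please at least make sure your Kubernetes's version is greater than 1.18" leaves open whether 1.18 itself is supported. Suggest stating the bound explicitly, e.g. "Make sure your Kubernetes version is 1.18 or newer" (or "newer than 1.18" if that is what the chart needs). The heading rename and the corrected OpenLDAP link look right.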
@@ -35,11 +35,11 @@ tools: | |
# custom configuration (Optional). You can refer to https://github.com/jp-gouin/helm-openldap/blob/master/values.yaml | ||
values_yaml: | | ||
service: | ||
type: NodePort | ||
type: NodePort | ||
env: | ||
LDAP_LOG_LEVEL: "256" | ||
LDAP_ORGANISATION: "Example Inc." | ||
LDAP_DOMAIN: "example.org" | ||
LDAP_ORGANISATION: "DevStream Inc." | ||
LDAP_DOMAIN: "devstream.org" | ||
LDAP_READONLY_USER: "false" | ||
LDAP_READONLY_USER_USERNAME: "readonly" | ||
LDAP_READONLY_USER_PASSWORD: "readonly" | ||
|
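Review bot: the read-only account credentials kept as context here (`LDAP_READONLY_USER_USERNAME: "readonly"` / `LDAP_READONLY_USER_PASSWORD: "readonly"`) are values readers will copy verbatim, yet the key-field description added later in this commit only asks them to change `adminPassword` and `configPassword`. Either put a `# change me` comment on the password line or list `env.LDAP_READONLY_USER_PASSWORD` among the fields that must be customised. Also, `type: NodePort` is removed and re-added with no visible change, which points to a whitespace-only edit; worth confirming the indentation under `service:` is the intended one.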
@@ -68,7 +68,6 @@ tools: | |
adminPassword: Not@SecurePassw0rd | ||
configPassword: Not@SecurePassw0rd | ||
# you can modify user's password by this config | ||
ltb-passwd: | ||
enabled : true | ||
ingress: | ||
|
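Review bot: dropping `# you can modify user's password by this config` above `ltb-passwd:` removes the only in-file hint of what that block is for; if the explanation is meant to live in the new key-field section, keep a one-line pointer in the YAML. Two style points in the context lines: `enabled : true` has a stray space before the colon (the `phpldapadmin` block later writes `enabled: true`), and `adminPassword` and `configPassword` share the single placeholder `Not@SecurePassw0rd`, which the added post-installation section then reuses on the `ldapsearch` command line; an inline comment that both must be replaced would help readers who skip the prose.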
@@ -81,12 +80,11 @@ tools: | |
- "ssl-ldap2.example" | ||
ldap: | ||
server: ldap://openldap-openldap-stack-ha | ||
searchBase: dc=example,dc=org | ||
searchBase: dc=devstream,dc=org | ||
# existingSecret: openldaptest | ||
bindDN: cn=admin,dc=example,dc=org | ||
bindDN: cn=admin,dc=devstream,dc=org | ||
bindPWKey: LDAP_ADMIN_PASSWORD | ||
# web | ||
phpldapadmin: | ||
enabled: true | ||
ingress: | ||
|
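Review bot: `searchBase` and `bindDN` are now pinned to `dc=devstream,dc=org`, which has to agree with `env.LDAP_DOMAIN: "devstream.org"` set in an earlier hunk; the description section later in this commit mentions the coupling, but a short `# must match env.LDAP_DOMAIN` comment here would keep the YAML self-explanatory. Separately, `# existingSecret: openldaptest` stays commented out while `bindPWKey: LDAP_ADMIN_PASSWORD` still names a key; the doc should say where ltb-passwd reads `LDAP_ADMIN_PASSWORD` from when no `existingSecret` is given, otherwise a reader cannot tell whether the bind password is wired up at all.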
@@ -100,3 +98,140 @@ tools: | |
env: | ||
PHPLDAPADMIN_LDAP_HOSTS: openldap-openldap-stack-ha | ||
``` | ||
## Description of key fields in values_yaml | ||
- `service.type`: The default value is `ClusterIP`, if you have services outside the Kubernetes cluster that require ldap integration, the value preferably be set to `NodePort`, so that services outside the Kubernetes cluster can access the ldap service via `ldap://ip:389` instead of `ldap://openldap.openldap-openldap-stack-ha` | ||
- `env`: List of key value pairs as env variables to be sent to the docker image. See https://github.com/osixia/docker-openldap for available ones. Please change the value of `LDAP_DOMAIN`. Of course even if you use **devstream.org** it will be fine, except that the search base will be `dc=devstream,dc=org`. | ||
- `persistence.storageClass`: Please use your own `storage class`, or use the `storage class` provided by the Kubernetes cluster hosted in the public cloud directly. The above example uses the NFS-based `storage class` provided by AliCloud ACK | ||
- `adminPassword`: Use your own custom password | ||
- `configPassword`: Use your own custom password | ||
- `ltb-passwd.ingress`: Ingress of the Ltb-Passwd service by which you can modify your password. Please change **ssl-ldap2.example** to your own domain name | ||
- `ltb-passwd.ldap`: Ldap configuration for the Ltb-Passwd service. If you change the `env.LDAP_DOMAIN`, don't forget to change the values of `ltb-passwd.ldap.searchBase` and `ltb-passwd.ldap.bindDN` | ||
- `phpldapadmin.ingress`: Ingress of Phpldapadmin service by which you can manage your ldap service. Please change **phpldapadmin.example** to your own domain name | ||
|
||
## Post-installation operations | ||
|
||
Once the installation is complete, you can manage ldap service through **phpldapadmin**. Access the service by visiting the domain name (e.g. **phpldapadmin.example**) in the `phpldapadmin.ingress` configuration section of the above example. If you have not changed the default values in the above example, its account will be **cn=admin,dc=devstream,dc=org** and password will be **Not@SecurePassw0rd**. | ||
|
||
If you're familiar with OpenLDAP, then you don't need to continue reading the tutorial below, you can just go ahead and integrate ldap for your service. | ||
|
||
### Importing your data | ||
|
||
The following is a sample file, if you have changed the above configuration, remember to replace `dc=devstream,dc=org` with your own. | ||
|
||
``` | ||
dn: cn=admin,dc=devstream,dc=org | ||
cn: admin | ||
objectclass: organizationalRole | ||
|
||
dn: ou=Group,dc=devstream,dc=org | ||
cn: Group | ||
objectclass: organizationalRole | ||
ou: Group | ||
|
||
# confluence organizationalUnit | ||
dn: ou=confluence,ou=Group,dc=devstream,dc=org | ||
objectclass: organizationalUnit | ||
objectclass: top | ||
ou: confluence | ||
|
||
# confluence administrators group | ||
dn: cn=confluence-administrators,ou=confluence,ou=Group,dc=devstream,dc=org | ||
cn: confluence-administrators | ||
description:: d2lraeeuoeeQhue7hA== | ||
objectclass: groupOfUniqueNames | ||
uniquemember: uid=example,ou=People,dc=devstream,dc=org | ||
|
||
# confluence users group | ||
dn: cn=confluence-users,ou=confluence,ou=Group,dc=devstream,dc=org | ||
cn: confluence-users | ||
description:: d2lraeaZrumAmueUqOaItw== | ||
objectclass: groupOfUniqueNames | ||
uniquemember: uid=example,ou=People,dc=devstream,dc=org | ||
|
||
# jira organizationalUnit | ||
dn: ou=jira,ou=Group,dc=devstream,dc=org | ||
objectclass: organizationalUnit | ||
objectclass: top | ||
ou: jira | ||
|
||
# jira administrators Group | ||
dn: cn=jira-administrators,ou=jira,ou=Group,dc=devstream,dc=org | ||
cn: jira-administrators | ||
description:: amlyYeeuoeeQhue7hA== | ||
objectclass: groupOfUniqueNames | ||
uniquemember: uid=example,ou=People,dc=devstream,dc=org | ||
|
||
# jira users group | ||
dn: cn=jira-software-users,ou=jira,ou=Group,dc=devstream,dc=org | ||
cn: jira-software-users | ||
description:: amlyYeeuoeeQhue7hA== | ||
objectclass: groupOfUniqueNames | ||
uniquemember: uid=example,ou=People,dc=devstream,dc=org | ||
|
||
dn: ou=People,dc=devstream,dc=org | ||
objectclass: organizationalUnit | ||
ou: People | ||
|
||
# People for example | ||
dn: uid=example,ou=People,dc=devstream,dc=org | ||
cn: example | ||
gidnumber: 500 | ||
givenname: example | ||
homedirectory: /home/example | ||
loginshell: /bin/sh | ||
mail: [email protected] | ||
objectclass: inetOrgPerson | ||
objectclass: posixAccount | ||
objectclass: top | ||
sn: example | ||
uid: example | ||
uidnumber: 1007 | ||
userpassword: example@123456 | ||
``` | ||
Login your `phpldapadmin` service and import the sample configuration above.After importing the data successfully, the result is as follows. | ||
![](../images/openldap-example.png) | ||
### Verify the ldap service | ||
Log in to the container where the ldap service is located, and then use the `ldapsearch` command to query the user(`uid=example,ou=people,dc=devstream,dc=org`) created above | ||
```bash | ||
root@openldap-openldap-stack-ha-0:/# ldapsearch -x -H ldap://127.0.0.1:389 -b uid=example,ou=people,dc=devstream,dc=org -D "cn=admin,dc=devstream,dc=org" -w Not@SecurePassw0rd | ||
# extended LDIF | ||
# | ||
# LDAPv3 | ||
# base <uid=example,ou=people,dc=devstream,dc=org> with scope subtree | ||
# filter: (objectclass=*) | ||
# requesting: ALL | ||
# | ||
# example, People, devstream.org | ||
dn: uid=example,ou=People,dc=devstream,dc=org | ||
cn: example | ||
gidNumber: 500 | ||
givenName: example | ||
homeDirectory: /home/example | ||
loginShell: /bin/sh | ||
mail: [email protected] | ||
objectClass: inetOrgPerson | ||
objectClass: posixAccount | ||
objectClass: top | ||
sn: example | ||
uid: example | ||
uidNumber: 1007 | ||
userPassword:: ZXhhbXBsZUAxMjM0NTY= | ||
# search result | ||
search: 2 | ||
result: 0 Success | ||
# numResponses: 2 | ||
# numEntries: 1 | ||
``` | ||
|
||
|
||
Then you can create users in the **People** group, assign them to different groups, and integrate with ldap-enabled services, and you can implement unified authentication based on OpenLDAP. |
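Review bot: in the sample LDIF the `description::` value of `cn=jira-software-users` (`amlyYeeuoeeQhue7hA==`) is byte-identical to the one on `cn=jira-administrators`, so the users group is labelled as the administrators group; the confluence pair uses two distinct values (`d2lraeeuoeeQhue7hA==` vs `d2lraeaZrumAmueUqOaItw==`), so this looks like a copy-paste slip. Two further points on the same section: the person entry carries `userpassword: example@123456` in the clear and the `ldapsearch` output confirms it is stored that way (`ZXhhbXBsZUAxMjM0NTY=` decodes to the same string), so the doc should either supply a hashed value (an `{SSHA}` one, for instance) or tell readers to set the password through phpldapadmin or `ldappasswd` after import; and the verification command passes the admin password with `-w` on the command line, where it ends up in shell history and process listings, so `-W` (prompt) is the better example to publish. Minor: "above.After importing" is missing a space, and the `ldap://openldap.openldap-openldap-stack-ha` host in the `service.type` bullet does not match the `openldap-openldap-stack-ha` host used everywhere else in the file.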