docs: openldap plugin doc (devstream-io#284)

keepauto · Mar 8, 2022 · aa3c176 · aa3c176
1 parent 62cdd82
commit aa3c176
Show file tree

Hide file tree

Showing 3 changed files with 145 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -77,6 +77,7 @@ Want to remove or reinstall a specific piece in the workflow? DevStream has got
 | CD/GitOps | argocdapp | ArgoCD Application creation | [doc](./docs/plugins/argocdapp_plugin.md) |
 | Monitoring | kube-prometheus | Prometheus/Grafana K8s install | [doc](./docs/plugins/kube-prometheus_plugin.md) |
 | Observability | devlake | DevLake installation | [doc](./docs/plugins/devlake_plugin.md) |
+| LDAP | openldap | OpenLDAP installation | [doc](./docs/plugins/openldap_plugin.md) |
 
 ## Quick Start
 

diff --git a/docs/images/openldap-example.png b/docs/images/openldap-example.png
diff --git a/docs/plugins/openldap_plugin.md b/docs/plugins/openldap_plugin.md
@@ -1,6 +1,6 @@
-## 1 `argocd` Plugin
+## 1 `openldap` Plugin
 
-This plugin installs [OpenLDAP](https://argoproj.github.io/cd/) in an existing Kubernetes cluster using the Helm chart.
+This plugin installs [OpenLDAP](https://www.openldap.org/) in an existing Kubernetes cluster using the Helm chart. Please at least make sure your Kubernetes's version is greater than 1.18.
 
 ## 2 Usage:
 
@@ -35,11 +35,11 @@ tools:
  # custom configuration (Optional). You can refer to https://github.com/jp-gouin/helm-openldap/blob/master/values.yaml
  values_yaml: |
  service: 
- type: NodePort
+ type: NodePort 
  env:
  LDAP_LOG_LEVEL: "256"
- LDAP_ORGANISATION: "Example Inc."
- LDAP_DOMAIN: "example.org"
+ LDAP_ORGANISATION: "DevStream Inc."
+ LDAP_DOMAIN: "devstream.org"
  LDAP_READONLY_USER: "false"
  LDAP_READONLY_USER_USERNAME: "readonly"
  LDAP_READONLY_USER_PASSWORD: "readonly"
@@ -68,7 +68,6 @@ tools:
  adminPassword: Not@SecurePassw0rd
  configPassword: Not@SecurePassw0rd
 
- # you can modify user's password by this config
  ltb-passwd:
  enabled : true
  ingress:
@@ -81,12 +80,11 @@ tools:
  - "ssl-ldap2.example"
  ldap:
  server: ldap://openldap-openldap-stack-ha
- searchBase: dc=example,dc=org
+ searchBase: dc=devstream,dc=org
  # existingSecret: openldaptest
- bindDN: cn=admin,dc=example,dc=org
+ bindDN: cn=admin,dc=devstream,dc=org
  bindPWKey: LDAP_ADMIN_PASSWORD
 
- # web 
  phpldapadmin:
  enabled: true
  ingress:
@@ -100,3 +98,140 @@ tools:
  env:
  PHPLDAPADMIN_LDAP_HOSTS: openldap-openldap-stack-ha
 ```
+
+## Description of key fields in values_yaml
+- `service.type`: The default value is `ClusterIP`, if you have services outside the Kubernetes cluster that require ldap integration, the value preferably be set to `NodePort`, so that services outside the Kubernetes cluster can access the ldap service via `ldap://ip:389` instead of `ldap://openldap.openldap-openldap-stack-ha`
+- `env`: List of key value pairs as env variables to be sent to the docker image. See https://github.com/osixia/docker-openldap for available ones. Please change the value of `LDAP_DOMAIN`. Of course even if you use **devstream.org** it will be fine, except that the search base will be `dc=devstream,dc=org`. 
+- `persistence.storageClass`: Please use your own `storage class`, or use the `storage class` provided by the Kubernetes cluster hosted in the public cloud directly. The above example uses the NFS-based `storage class` provided by AliCloud ACK
+- `adminPassword`: Use your own custom password
+- `configPassword`: Use your own custom password
+- `ltb-passwd.ingress`: Ingress of the Ltb-Passwd service by which you can modify your password. Please change **ssl-ldap2.example** to your own domain name
+- `ltb-passwd.ldap`: Ldap configuration for the Ltb-Passwd service. If you change the `env.LDAP_DOMAIN`, don't forget to change the values of `ltb-passwd.ldap.searchBase` and `ltb-passwd.ldap.bindDN`
+- `phpldapadmin.ingress`: Ingress of Phpldapadmin service by which you can manage your ldap service. Please change **phpldapadmin.example** to your own domain name
+
+## Post-installation operations
+
+Once the installation is complete, you can manage ldap service through **phpldapadmin**. Access the service by visiting the domain name (e.g. **phpldapadmin.example**) in the `phpldapadmin.ingress` configuration section of the above example. If you have not changed the default values in the above example, its account will be **cn=admin,dc=devstream,dc=org** and password will be **Not@SecurePassw0rd**.
+
+If you're familiar with OpenLDAP, then you don't need to continue reading the tutorial below, you can just go ahead and integrate ldap for your service.
+
+### Importing your data
+
+The following is a sample file, if you have changed the above configuration, remember to replace `dc=devstream,dc=org` with your own.
+
+```
+dn: cn=admin,dc=devstream,dc=org
+cn: admin
+objectclass: organizationalRole
+
+dn: ou=Group,dc=devstream,dc=org
+cn: Group
+objectclass: organizationalRole
+ou: Group
+
+# confluence organizationalUnit
+dn: ou=confluence,ou=Group,dc=devstream,dc=org
+objectclass: organizationalUnit
+objectclass: top
+ou: confluence
+
+# confluence administrators group
+dn: cn=confluence-administrators,ou=confluence,ou=Group,dc=devstream,dc=org
+cn: confluence-administrators
+description:: d2lraeeuoeeQhue7hA==
+objectclass: groupOfUniqueNames
+uniquemember: uid=example,ou=People,dc=devstream,dc=org
+
+# confluence users group
+dn: cn=confluence-users,ou=confluence,ou=Group,dc=devstream,dc=org
+cn: confluence-users
+description:: d2lraeaZrumAmueUqOaItw==
+objectclass: groupOfUniqueNames
+uniquemember: uid=example,ou=People,dc=devstream,dc=org
+
+# jira organizationalUnit
+dn: ou=jira,ou=Group,dc=devstream,dc=org
+objectclass: organizationalUnit
+objectclass: top
+ou: jira
+
+# jira administrators Group
+dn: cn=jira-administrators,ou=jira,ou=Group,dc=devstream,dc=org
+cn: jira-administrators
+description:: amlyYeeuoeeQhue7hA==
+objectclass: groupOfUniqueNames
+uniquemember: uid=example,ou=People,dc=devstream,dc=org
+
+# jira users group
+dn: cn=jira-software-users,ou=jira,ou=Group,dc=devstream,dc=org
+cn: jira-software-users
+description:: amlyYeeuoeeQhue7hA==
+objectclass: groupOfUniqueNames
+uniquemember: uid=example,ou=People,dc=devstream,dc=org
+
+dn: ou=People,dc=devstream,dc=org
+objectclass: organizationalUnit
+ou: People
+
+# People for example
+dn: uid=example,ou=People,dc=devstream,dc=org
+cn: example
+gidnumber: 500
+givenname: example
+homedirectory: /home/example
+loginshell: /bin/sh
+mail: [email protected]
+objectclass: inetOrgPerson
+objectclass: posixAccount
+objectclass: top
+sn: example
+uid: example
+uidnumber: 1007
+userpassword: example@123456
+```
+
+Login your `phpldapadmin` service and import the sample configuration above.After importing the data successfully, the result is as follows.
+
+![](../images/openldap-example.png)
+
+### Verify the ldap service
+
+Log in to the container where the ldap service is located, and then use the `ldapsearch` command to query the user(`uid=example,ou=people,dc=devstream,dc=org`) created above
+
+```bash
+root@openldap-openldap-stack-ha-0:/# ldapsearch -x -H ldap://127.0.0.1:389 -b uid=example,ou=people,dc=devstream,dc=org -D "cn=admin,dc=devstream,dc=org" -w Not@SecurePassw0rd
+
+# extended LDIF
+#
+# LDAPv3
+# base <uid=example,ou=people,dc=devstream,dc=org> with scope subtree
+# filter: (objectclass=*)
+# requesting: ALL
+#
+
+# example, People, devstream.org
+dn: uid=example,ou=People,dc=devstream,dc=org
+cn: example
+gidNumber: 500
+givenName: example
+homeDirectory: /home/example
+loginShell: /bin/sh
+mail: [email protected]
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: top
+sn: example
+uid: example
+uidNumber: 1007
+userPassword:: ZXhhbXBsZUAxMjM0NTY=
+
+# search result
+search: 2
+result: 0 Success
+
+# numResponses: 2
+# numEntries: 1
+```
+
+
+Then you can create users in the **People** group, assign them to different groups, and integrate with ldap-enabled services, and you can implement unified authentication based on OpenLDAP.