LDAP
LDAP | DB |
---|---|
dn | primary key |
object class | table |
entry | row |
schema | constraint |
- Ports
  - 389 - ldap (cleartext unless StartTLS is negotiated on the connection)
  - 636 - ldaps - LDAP over SSL/TLS on a dedicated port (3269 is the same thing for the Active Directory Global Catalog, whose plaintext port is 3268)
  - 389 + StartTLS - LDAP over TLS on the standard port - RFC 2830 (folded into RFC 4511/4513)
- LDAP vs Kerberos
  - LDAP
    - mainly used for centralized account management (users, groups and their attributes)
  - Kerberos
    - mainly used for SSO (ticket-based authentication)
    - can use LDAP as the store its principals are kept in
- LDAP
  - Operations
    - Add
    - Bind - authenticate
    - Delete
    - Modify
    - Unbind - close the authenticated connection
    - (the protocol also has Search, Compare, ModifyDN, Abandon and Extended operations)
  - Bind (authentication) methods
    - Anonymous
    - Simple - DN plus password, sent in cleartext; only acceptable over TLS
    - SASL (Simple Authentication and Security Layer)
      - mechanisms such as EXTERNAL (TLS client certificate) and GSSAPI (Kerberos)
    - LDAPv3 Password Modify Extended Operation (RFC 3062)
  - DSA - Directory System Agent (the directory server itself)
  - PAM - Pluggable Authentication Modules (how Linux and SSH logins reach LDAP, via pam_ldap or sssd); the acronym is also used for Privileged Access Management, which is a different topic
- Reference
  - LDAP usage
    - List of LDAP software
    - iOS/macOS can add an LDAP account to import contacts
  - Storage
    - PowerDNS backend-ldap
  - Authentication
    - GitLab LDAP
    - Gogs/Gitea LDAP Authentication Module
    - Nexus LDAP Integration
    - Nginx nginx-auth-ldap
    - Linux
      - SSH
    - Odoo auth_ldap
    - Piwik LoginLdap
    - Rundeck ldap
    - Windows
      - pGina (no longer active)
      - Samba provides the AD service, with LDAP as its backend
      - Can Windows integrate with LDAP?
    - Samba
    - MySQL LDAP Authentication without Proxy Users
    - MongoDB
  - Libraries
    - pac4j supports LDAP
    - spring-ldap
    - JNDI
- Kerberos usage
- Reference
  - LDAP
    - LDAP tut v2
      - slide deck
      - very good explanation
      - the reasoning is laid out very clearly
    - Centralized user authentication and authorization with LDAP + Kerberos
    - MSDN Lightweight Directory Access Protocol
  - Kerberos
- LDAP
  - Use it only over a secure transport - LDAPS or StartTLS; a simple bind over plain ldap:// sends the DN and password in cleartext
  - https://github.com/github/github-ldap
  - Kerberos 5
    - http://searchsecurity.techtarget.com/definition/Kerberos
    - https://en.wikipedia.org/wiki/Authentication_server
    - Change Password Protocol
  - http://directory.apache.org/
- tools
- GroupOfUniqueNames vs groupOfNames
- acl
- NOTE
  - "LDAPS is deprecated, use StartTLS" is only half right. ldaps:// on port 636 predates LDAPv3 and was never standardized by the IETF, while StartTLS (RFC 2830, now part of RFC 4511/4513) is the standards-track mechanism, so the RFCs do favour StartTLS. In practice both are widely supported (Active Directory and most clients speak ldaps://), LDAPS is easier to firewall and monitor because the port implies TLS, and StartTLS carries a downgrade risk when the client does not insist on it (ldapsearch -ZZ, not -Z). Either is fine; what has to go is cleartext binds on 389.
  - https://forum.forgerock.com/2015/04/ldaps-or-starttls-that-is-the-question/
- ldif
  - https://github.com/Pryz/terraform-provider-ldap
```shell
# Shorten the commands below (local ApacheDS test instance). A password on the
# command line is acceptable only in a lab: it shows up in `ps` output and shell
# history, so use -W (prompt) or -y passwordfile anywhere real. -x selects a
# simple bind; without it ldapsearch attempts a SASL bind instead.
alias ldapsearch="ldapsearch -x -H ldap://127.0.0.1:10389 -D 'uid=admin,ou=system' -w secret"
# Check whether a user is in a group: search the group entry itself for a
# matching member value; a hit prints the group's dn, a miss prints nothing
ldapsearch -b 'cn=developer,ou=groups,dc=example,dc=com' '(member=uid=wener,ou=users,dc=example,dc=com)'
# on the author's own tree the group is cn=developer,ou=groups,dc=wener,dc=me
```
fortress
- https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-APACHEDS.md
- Schema it needs

```shell
# Download and load the Fortress schema into ApacheDS. uid=admin,ou=system / secret
# are the defaults of a fresh ApacheDS; change them before the server is reachable
# by anyone else. -x selects a simple bind; -h/-p are deprecated in favour of -H.
wget https://raw.githubusercontent.com/apache/directory-fortress-core/master/ldap/schema/apacheds-fortress.ldif
ldapmodify -H ldap://localhost:10389 -x -D uid=admin,ou=system -w secret -a -f apacheds-fortress.ldif
# The REST war can be run directly with jetty-runner
wget http://maven.aliyun.com/nexus/content/groups/public/org/eclipse/jetty/jetty-runner/9.4.6.v20170531/jetty-runner-9.4.6.v20170531.jar -O jetty-runner.jar
java -jar jetty-runner.jar --port 8081 fortress-rest.war
```
Usecase
- OpenVPN
- Jenkins
- Kubernetes
- Docker
- Atlassian Jira & Confluence
- Linux Samba
Common structure
- dc=wener,dc=me
  - ou=users
    - uid=USERNAME - user - inetOrgPerson,organizationalPerson,person (the searches on this page use uid= as the RDN; cn=USERNAME is the other common choice)
      - MUST cn, sn
      - uid - unique login identifier
      - cn - common name
      - sn - surname
      - givenName
    - the same entry, when it is also a Linux account - add the auxiliary class posixAccount
      - MUST uidNumber, gidNumber, homeDirectory (cn and uid are already present)
  - ou=groups
    - cn=GROUPNAME - group - groupOfNames
      - member - member DNs; the class requires at least one, so an empty group cannot be created
      - entryDN - operational attribute holding an entry's own DN; consumers that resolve member values back to user entries match on it (member on the group side, entryDN on the user side)
      - displayName - use this if cn is not what should be shown
    - cn=admin - Linux group - posixGroup
      - MUST gidNumber
      - memberUid - member login names (uids, not DNs)
  - ou=rules
    - cn=NAME - groupOfNames
  - ou=service - service accounts
    - uid=keycloak - simpleSecurityObject,account
      - MUST uid, userPassword
  - ou=policies - password policies
    - cn=default - pwdPolicy,namedPolicy,top (pwdPolicy is auxiliary, so a structural class has to sit alongside it)
- Alternative X.500-style naming instead of dc=
  - c= - country
  - o= - organization
  - ou=users beneath it
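The tree above written out as LDIF, as an added example that is not from these notes: small shell functions emit each entry so the MUST attributes of each objectClass are visible, and a {SSHA} helper shows what a hashed userPassword actually contains. The suffix dc=wener,dc=me is the page's own; the user, numeric ids, passwords and the ldapadd command in the comment are made-up sample values, and the schema assumed is the standard RFC 2307 / inetOrgPerson set that OpenLDAP ships.

```shell
#!/bin/sh
# Added example, not from the original notes: LDIF for the tree sketched above,
# generated by functions so the MUST attributes of each objectClass are visible.
# Suffix dc=wener,dc=me is the author's; user, ids and passwords are sample values.

BASE='dc=wener,dc=me'

# ssha_hash PASSWORD SALT: OpenLDAP {SSHA} = base64( SHA1(password || salt) || salt ).
# slapd accepts a cleartext userPassword, but then anyone with read access to the
# attribute has the password; hashing is the minimum. Normally use
# slappasswd -h '{SSHA}' or let ppolicy hash on write; this only shows the format.
# SALT is a short ASCII string here (not random bytes) so it survives $(...).
ssha_hash() {
  printf '{SSHA}%s' "$({ printf '%s%s' "$1" "$2" | openssl dgst -sha1 -binary; printf '%s' "$2"; } | openssl base64 -A)"
}

# containers_ldif: the ou= nodes the entries below hang off
containers_ldif() {
  for ou in users groups service policies; do
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n\n' "$ou" "$BASE" "$ou"
  done
}

# user_ldif UID CN SN UIDNUMBER GIDNUMBER USERPASSWORD
# inetOrgPerson (MUST cn, sn) plus the auxiliary posixAccount, which MUST have
# cn, uid, uidNumber, gidNumber and homeDirectory; a missing homeDirectory is
# the usual "object class violation" seen at import time.
user_ldif() {
  cat <<EOF
dn: uid=$1,ou=users,$BASE
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $1
cn: $2
sn: $3
uidNumber: $4
gidNumber: $5
homeDirectory: /home/$1
loginShell: /bin/sh
userPassword: $6

EOF
}

# group_ldif CN MEMBER_DN...: groupOfNames MUST carry at least one member, so the
# server rejects an empty group; refuse it here instead of at import time.
group_ldif() {
  [ $# -ge 2 ] || { echo "group_ldif: groupOfNames '$1' needs at least one member" >&2; return 1; }
  cn=$1; shift
  printf 'dn: cn=%s,ou=groups,%s\nobjectClass: groupOfNames\ncn: %s\n' "$cn" "$BASE" "$cn"
  for m in "$@"; do printf 'member: %s\n' "$m"; done
  printf '\n'
}

# posix_group_ldif CN GIDNUMBER [MEMBERUID...]: posixGroup MUST gidNumber;
# its members are plain uids (memberUid), not DNs as in groupOfNames.
posix_group_ldif() {
  printf 'dn: cn=%s,ou=groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' "$1" "$BASE" "$1" "$2"
  shift 2
  for u in "$@"; do printf 'memberUid: %s\n' "$u"; done
  printf '\n'
}

# service_ldif UID USERPASSWORD: a bind-only service account (account MUST uid,
# simpleSecurityObject MUST userPassword); no person or posix attributes at all.
service_ldif() {
  printf 'dn: uid=%s,ou=service,%s\nobjectClass: account\nobjectClass: simpleSecurityObject\nuid: %s\nuserPassword: %s\n\n' "$1" "$BASE" "$1" "$2"
}

# tree_ldif: everything in dependency order (containers first), ready for e.g.
#   ./tree.sh --print > tree.ldif && ldapadd -H ldaps://ldap.wener.me -x -D cn=admin,dc=wener,dc=me -W -f tree.ldif
tree_ldif() {
  containers_ldif
  user_ldif wener 'Wen Er' Er 10001 10001 "$(ssha_hash 'correct horse' "$(openssl rand -hex 4)")"
  posix_group_ldif admin 10001 wener
  group_ldif developer "uid=wener,ou=users,$BASE"
  service_ldif keycloak "$(ssha_hash 'service-secret' "$(openssl rand -hex 4)")"
}

if [ "${1:-}" = --print ]; then tree_ldif; fi
```

The values are not DN-escaped here because they are constants in the script; anything that arrives from user input has to go through RFC 4514 escaping before it is placed in a dn: line.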
```shell
# Assumes the ldapsearch alias defined above (ApacheDS test instance; the admin
# password differs per install, so do not rely on the default).
# Check group membership, then look up a user, on the tree described above
ldapsearch -b 'cn=developer,ou=groups,dc=wener,dc=me' '(member=uid=wener,ou=users,dc=wener,dc=me)'
ldapsearch -b 'ou=users,dc=wener,dc=me' '(uid=wener.cyw)'
```
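Both searches above, like the membership check earlier on the page, paste a uid or a group name straight into the filter string. That is fine for a hand-typed command; when the value comes from a login form or an API caller it is LDAP filter injection, the directory equivalent of SQL injection. Below is an added example, not code from the original notes, of building the same filters safely from untrusted input: the two escaping rules (RFC 4515 for filter values, RFC 4514 for DN components) and the wrapper that uses them. The directory host, bind DN, password file and base DNs are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: building ldapsearch filters and
# DNs from untrusted input. Host, bind DN, password file and base DNs are assumed.

USERS_BASE='ou=users,dc=wener,dc=me'
GROUPS_BASE='ou=groups,dc=wener,dc=me'

# filter_escape VALUE: escape an assertion value per RFC 4515 (\ * ( ) NUL become
# \5c \2a \28 \29 \00). Backslash goes first so the escapes it produces are not
# re-escaped. A NUL cannot occur in a shell string, so only four rules are needed.
filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# dn_escape VALUE: escape an attribute value for use inside a DN per RFC 4514
# (\ , + " < > ; anywhere; # at the start; a space at either end).
dn_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;]/\\&/g' -e 's/^#/\\#/' -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# user_filter UID: the "(uid=...)" lookup above, safe for any UID value.
user_filter() {
  printf '(uid=%s)' "$(filter_escape "$1")"
}

# member_filter UID: the "(member=<user DN>)" membership check above. The uid is
# escaped twice, first as a DN component and then as a filter value, because it
# crosses two syntaxes on its way into the filter.
member_filter() {
  printf '(member=uid=%s,%s)' "$(filter_escape "$(dn_escape "$1")")" "$USERS_BASE"
}

# is_member UID GROUP: base-scope search of the group entry itself; prints the
# group dn on a match, exits non-zero (grep) when the user is not a member.
is_member() {
  ldapsearch -H ldaps://ldap.wener.me -x -D 'uid=admin,ou=system' -y /etc/ldap.secret \
    -LLL -b "cn=$(dn_escape "$2"),$GROUPS_BASE" -s base "$(member_filter "$1")" 1.1 | grep '^dn:'
}

# Demo with a hostile uid. Unescaped, (uid=*) would match every user and the
# injected ")(member=*" would let the caller rewrite the membership check.
printf '%s\n' "$(user_filter '*')"
# prints: (uid=\2a)
printf '%s\n' "$(member_filter 'wener)(member=*')"
# prints: (member=uid=wener\29\28member=\2a,ou=users,dc=wener,dc=me)
```

Escaping is the right fix for the filter itself; the complementary control is on the server side, where the bind account used by the application should only be able to read the attributes this lookup needs, so that even a successful injection cannot pull userPassword or anything else out of the tree.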