Deploying OpenLDAP on K8s

Installation

First create a namespace:

```
kubectl create namespace authen
```

Set up the PVCs:

```yaml
# vi openldap-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-data-pvc
  namespace: authen
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: local-path
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ldap-config-pvc
  namespace: authen
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: local-path
```

Run `kubectl apply -f openldap-pvc.yaml` to create the PVCs.

Prepare the entries that should be inserted at initialization time (LDIF entries are separated by a blank line):

```
# vi ldap-init.ldif
dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit
```

Run `kubectl create configmap openldap-init --from-file=init.ldif=./ldap-init.ldif -n authen` to generate the ConfigMap that LDAP reads during initialization. The key name is given explicitly as `init.ldif` because the Deployment below mounts the ConfigMap with `subPath: init.ldif`; without it the key would be `ldap-init.ldif` and the mount would fail.

Create the deployment file:

```yaml
# vi openldap-deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: openldap
  namespace: authen
  labels:
    app: openldap
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: 认证中心
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openldap
  template:
    metadata:
      labels:
        app: openldap
    spec:
      containers:
        - name: go-ldap-admin-openldap
          args:
            - --copy-service
          image: 'osixia/openldap:1.5.0'
          ports:
            - name: tcp-389
              containerPort: 389
              protocol: TCP
            - name: tcp-636
              containerPort: 636
              protocol: TCP
          env:
            - name: TZ
              value: Asia/Shanghai
            - name: LDAP_ORGANISATION
              value: "orgldap"
            - name: LDAP_DOMAIN
              value: "example.com"
            - name: LDAP_ADMIN_PASSWORD
              value: "123456"
            - name: LDAP_BACKEND
              value: mdb
          resources:
            limits:
              cpu: 500m
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: ldap-config-pvc
              mountPath: /etc/ldap/slapd.d
            - name: ldap-data-pvc
              mountPath: /var/lib/ldap
            - name: openldap-init
              mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom/init.ldif
              subPath: init.ldif
      volumes:
        - name: ldap-config-pvc
          persistentVolumeClaim:
            claimName: ldap-config-pvc
        - name: ldap-data-pvc
          persistentVolumeClaim:
            claimName: ldap-data-pvc
        - name: openldap-init
          configMap:
            name: openldap-init
---
apiVersion: v1
kind: Service
metadata:
  name: openldap-svc
  namespace: authen
  labels:
    app: openldap-svc
spec:
  ports:
    - name: tcp-389
      port: 389
      protocol: TCP
      targetPort: 389
    - name: tcp-636
      port: 636
      protocol: TCP
      targetPort: 636
  selector:
    app: openldap
```

Run `kubectl apply -f openldap-deployment.yaml` to deploy LDAP as a Pod. Note that `LDAP_ADMIN_PASSWORD` is written in clear text in the Pod spec, so anyone who can read the Deployment can read it; outside a lab it should be taken from a Secret via `secretKeyRef` instead. ...

October 10, 2025

Building a Webhook-based LDAP authentication environment

The ultimate goal of the steps described in this article is to plug a Webhook service into the Kubernetes cluster's authentication flow.

Installing LDAP

On Ubuntu, install with apt:

```
apt-get install -y slapd ldap-utils
```

An interactive dialog appears during installation in which the administrator password can be set (not important, it will be configured again shortly). After installation the slapd service is already running; now run `dpkg-reconfigure slapd` to configure slapd again. If it reports that `dpkg-reconfigure` is not found, run `sudo apt install debconf` to install it; if it is already installed, `dpkg-reconfigure` is probably just not on PATH, and the absolute path can be used for the moment:

```
sudo /usr/sbin/dpkg-reconfigure slapd
```

The configuration dialog appears again; set the following:

| Setting | Value |
|---|---|
| Omit configuration | No |
| DNS domain | example.com |
| Organization name | orgldap |
| Administrator password | 123456 |
| Remove database | No |
| Move old database | Yes |

Once the initial setup is done, run `sudo slapcat` in the terminal to view the entries:

```
ficn@master:~$ sudo slapcat
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: orgldap
dc: example
structuralObjectClass: organization
entryUUID: 8056974e-a31a-103f-8e78-156a6f1ed35c
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20250401075602Z
entryCSN: 20250401075602.540676Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20250401075602Z
```

Adding entries

Creating the organization

Create a file base.ldif with three entries: the organization administrator, the People organizational unit, and the Group organizational unit ...

April 2, 2025
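Both posts above hand-write LDIF: the bootstrap `init.ldif` mounted into the container, the `slapcat` dump, and the `base.ldif` that the second post goes on to create. The usual reasons such a file fails to load are an entry listed before its parent, an entry without `objectClass`, or an RDN value (`ou=People`) that is not also an attribute of the entry. The Python below is an added example, not code from either post: a minimal LDIF parser plus a checker for those three conditions. It assumes the base entry `dc=example,dc=com` already exists before the file is loaded (slapd creates it from the domain given at configuration time, and the osixia image from `LDAP_DOMAIN`); the sample LDIF is constructed from the entries shown on the page.

```python
import base64
import re
from dataclasses import dataclass, field

# Constructed sample: the base entry (as in the slapcat output) followed by the
# two OU entries from ldap-init.ldif.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: orgldap
dc: example

dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com
ou: Group
objectClass: organizationalUnit
"""

# Constructed counter-example: a user entry listed before the OU it lives in.
BAD_LDIF = """\
dn: cn=alice,ou=People,dc=example,dc=com
cn: alice
sn: Example
objectClass: inetOrgPerson

dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalUnit
"""

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # lowercase attribute name -> values


def _logical_lines(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content into Entry objects (plain and base64 values; no changetype)."""
    entries, cur = [], None
    for line in _logical_lines(text):
        if line.startswith("#"):
            continue
        if not line.strip():  # a blank line ends the current entry
            if cur is not None:
                entries.append(cur)
                cur = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name = name.strip().lower()
        if rest.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "version" and cur is None:
            continue
        if name == "dn":
            if cur is not None:
                entries.append(cur)
            cur = Entry(dn=value)
        elif cur is None:
            raise ValueError(f"attribute before any dn: {line!r}")
        else:
            cur.attrs.setdefault(name, []).append(value)
    if cur is not None:
        entries.append(cur)
    return entries


def split_dn(dn):
    """Split a DN into its RDN strings on unescaped commas."""
    return [part.strip() for part in _UNESCAPED_COMMA.split(dn)]


def _norm(dn):
    return ",".join(split_dn(dn)).lower()


def check_entries(entries, base_dn="dc=example,dc=com"):
    """Return a list of problems; an empty list means the file should load cleanly."""
    problems = []
    seen = {_norm(base_dn)}  # assumption: the base entry exists before bootstrap
    for e in entries:
        rdns = split_dn(e.dn)
        if "objectclass" not in e.attrs:
            problems.append(f"{e.dn}: missing objectClass")
        rdn_attr, _, rdn_val = rdns[0].partition("=")
        if rdn_val not in e.attrs.get(rdn_attr.strip().lower(), []):
            problems.append(f"{e.dn}: RDN value {rdn_attr}={rdn_val} is not an attribute of the entry")
        if _norm(e.dn) != _norm(base_dn):
            parent = _norm(",".join(rdns[1:]))
            if parent not in seen:  # ldapadd/slapadd would reject this entry here
                problems.append(f"{e.dn}: parent {parent} must be added first")
        seen.add(_norm(e.dn))
    return problems


if __name__ == "__main__":
    print("sample:", check_entries(parse_ldif(SAMPLE_LDIF)) or "OK")
    print("bad:", check_entries(parse_ldif(BAD_LDIF)))
```

Running the checker over a bootstrap file before building the ConfigMap catches ordering mistakes locally, rather than as a failed container start with the error buried in the slapd log.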