Configuring GitLab in a container and integrating it with LDAP (creating LDAP users from within TP)

Run on the host

yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

yum install containerd.io

Configure the registry mirrors

vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "http://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ]
}

Pull the GitLab image

docker pull beginor/gitlab-ce:11.1.4-ce.0

Create the host directories that will be mounted into the container

cd /data0/gitlab
mkdir {etc,logs,data}
docker network create --subnet=172.19.0.0/16 my_gitlab_network

First, strictly restrict which source addresses and network interfaces may reach container ports, e.g. docker run -p 127.0.0.1:5432:5432

Run the container

docker run -d -p 127.0.0.1:1443:443 -p 127.0.0.1:1180:80 -p 127.0.0.1:1222:22 --network=my_gitlab_network --ip=172.19.0.2 --name gitlab --restart=always -v /etc/localtime:/etc/localtime:ro -v /data0/gitlab/etc:/etc/gitlab -v /data0/gitlab/logs:/var/log/gitlab -v /data0/gitlab/data:/var/opt/gitlab beginor/gitlab-ce:11.1.4-ce.0

# -d: run in the background

# -p: map a container port to the host; binding to 127.0.0.1 is for security

# --name: the container's name

# -v: mount the container's data, log and configuration directories onto the given host directories

# --restart=always: start on boot and keep restarting on failure (on-failure:10 means at most 10 restarts; no means don't restart when the container exits)


If the container is already running, add the option with:

docker update --restart=always <container name or ID>

# -v /etc/timezone:/etc/timezone:ro -v /etc/localtime:/etc/localtime:ro (on CentOS the /etc/timezone mount errors out, so I didn't mount it; not every Linux distribution has /etc/timezone)

Mounting only one of /etc/timezone and /etc/localtime can cause problems, for example errors when handling dates and times across time zones.

Reload the configuration

gitlab-ctl reconfigure

Install LDAP. I used a container for it, because LDAP had previously been installed on the system and that caused problems.

[root@storage dockerCompose]# cat docker-openldap.yml

version: '3'
services:
  openldap:
    image: osixia/openldap:latest
    container_name: openldap
    restart: always
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "iie ldap"
      LDAP_DOMAIN: "kinggoo.cn"
      LDAP_BASE_DN: "dc=kinggoo,dc=cn"
      LDAP_ADMIN_PASSWORD: "kinggoo这里是密码"
      LDAP_CONFIG_PASSWORD: "kinggoo这里是密码"
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      TZ: Asia/Shanghai
    networks:
      my_gitlab_network:
        ipv4_address: 172.19.0.3
    tty: true
    stdin_open: true
    volumes:
      - /opt/openldap/ldap:/var/lib/ldap
      - /opt/openldap/slapd.d:/etc/ldap/slapd.d
      - /opt/openldap/certs:/container/service/slapd/assets/certs
    ports:
      - "389:389"
      - "636:636"
    domainname: "kinggoo.cn"
    hostname: "ldap-server"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    restart: always
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "172.16.1.251"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "50081:80"
    depends_on:
      - openldap
  self-service-password:
    container_name: self-service-password
    image: tiredofit/self-service-password:latest
    restart: always
    ports:
      - "50080:80"
    environment:
      - LDAP_SERVER=ldap://openldap:389
      - LDAP_BINDDN=cn=admin,dc=kinggoo,dc=cn
      - LDAP_BINDPASS=kinggoo#123
      - LDAP_BASE_SEARCH=dc=kinggoo,dc=cn
      - MAIL_FROM=notify@kinggoo.com
      - MAIL_FROM_NAME=账号自助服务平台
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.mxhichina.com
      - SMTP_USER=notify@kinggoo.com
      - SMTP_PASS=这里是邮箱密码
      - SMTP_PORT=25
      - SMTP_AUTH_ON=true
      - NOTIFY_ON_CHANGE=true
    volumes:
      - /etc/localtime:/etc/localtime
      - /opt/openldap/self-service-password/htdocs:/www/ssp
      - /opt/openldap/self-service-password/logs:/www/logs
networks:
  my_gitlab_network:
    external: true

Start it

docker-compose -f docker-openldap.yml up -d

Once it is up, log in as cn=admin,dc=kinggoo,dc=cn; the password is the one set in LDAP_ADMIN_PASSWORD above.


Create the OUs group and people


Then create dev


Click Commit and dev is created; do the same for any others you need.

Create the users; I want to put them under the people OU.


Then click Create Object.

Next, go to the GitLab mount directory /data0/gitlab/etc on the host and edit gitlab.rb:

cat /data0/gitlab/etc/gitlab.rb | grep -v -E '^(#|$)'

# I enabled SSL

external_url 'https://git.code.kinggoo.cn'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'notify@kinggoo.com'
gitlab_rails['gitlab_email_display_name'] = 'kinggoo DEV'
gitlab_rails['gitlab_email_reply_to'] = 'notify@kinggoo.com'
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main:
  # this is the label shown on the login page
  label: 'KG认证'
  host: '172.19.0.3'
  port: 389
  uid: 'uid'
  encryption: 'plain'
  bind_dn: 'cn=admin,dc=kinggoo,dc=cn'
  password: 'kinggoo#123'
  active_directory: false
  allow_username_or_email_login: true
  block_auto_created_users: false
  base: 'ou=People,dc=kinggoo,dc=cn'
  user_filter: ''
  attributes:
    username: ['uid', 'userid', 'sAMAccountName']
    name: 'displayName'
EOS
gitlab_rails['gitlab_shell_ssh_port'] = 1222
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.mxhichina.com"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_user_name'] = "notify@kinggoo.com"
gitlab_rails['smtp_password'] = "youxiangmima"
gitlab_rails['smtp_domain'] = "smtp.mxhichina.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
letsencrypt['enable'] = false

Then restart with gitlab-ctl restart

gitlab-ctl reconfigure # reload the configuration file

gitlab-rake gitlab:ldap:check # check that user information can be fetched (if newly added LDAP users do not show up, use this to see whether they sync)

gitlab-rake gitlab:ldap:sync_users # sync LDAP users into GitLab

gitlab-rake gitlab:ldap:clear_cache # clear GitLab's LDAP cache

After gitlab-ctl restart, log in to GitLab again; the login page now offers an LDAP option.

I originally wanted the GitLab inside Docker to serve SSL directly, but that did not work, so I configured an nginx proxy on the host.

The nginx configuration is as follows:

server {
    listen 80;
    server_name git.kinggoo.cn;

    location / {
        rewrite ^(.*)$ https://$host$1 permanent;
    }
}
server {
    listen 443 ssl;
    server_name git.kinggoo.cn;
    #auth_basic "QuanLei Auth.";
    #auth_basic_user_file passwd/authdb;
    # relative or absolute path to the certificate file
    ssl_certificate /data0/gitlab/ssl/gitlab.crt;
    # relative or absolute path to the private key file
    ssl_certificate_key /data0/gitlab/ssl/gitlab.key;
    ssl_session_timeout 5m;
    # protocols to allow
    ssl_protocols TLSv1.2 TLSv1.3;
    # cipher suites, written in openssl notation
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    access_log access.log;
    location / {
        #auth_basic "QuanLei Auth.";
        #auth_basic_user_file passwd/authdb;
        # "githost" is an upstream name whose definition is not shown in this post;
        # it has to point at the container's mapped HTTPS port (127.0.0.1:1443 above)
        proxy_pass https://githost;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

If GitLab cannot be reached over HTTPS after logging in, try adjusting this setting?


Remember to open ports 80 and 443 plus whatever else you configured, and things should basically work; if you configured

gitlab_rails['gitlab_shell_ssh_port'] = 1222, then open port 1222 as well.

Creating LDAP users from PHP: because several platforms share the directory here, creating an account automatically adds the matching LDAP account. The code below lives inside the TP (ThinkPHP) framework.


<?php
namespace app\tsoa\controller;

use think\App;
use think\facade\Config;

class Ldap extends Common
{

    private $connect;
    private $ldapserver;
    private $ldapprot;
    private $dn;
    private $base_dn;
    private $ldap_password; // the original declared $password but assigned $this->ldap_password

    public function __construct(App $app = null)
    {
        parent::__construct($app);
        // Change these settings to your own configuration; the config file looks like:
        //return [
        //    'ldap_server' => '172.16.1.251', // default 1, denotes the primary associated enterprise
        //    'ldap_port' => 389,
        //    'ldap_base_dn'=>'dc=kinggoo,dc=cn',
        //    'ldap_dn'=>'cn=admin,dc=kinggoo,dc=cn',
        //    'ldap_password'=> 'kinggoo这里是ldap密码',
        //];
        $this->ldapserver = Config::get('Ldap.ldap_server');
        $this->ldapprot = Config::get('Ldap.ldap_port');
        $this->base_dn = Config::get('Ldap.ldap_base_dn');
        $this->dn = Config::get('Ldap.ldap_dn');
        $this->ldap_password = Config::get('Ldap.ldap_password');
    }

    public function ldap_kg_connect()
    {
        $this->connect = ldap_connect($this->ldapserver, $this->ldapprot) or die('无法连接到服务器');
        return $this->connect;
    }

    public function ldap_kg_bind($conn)
    {
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        // Bind as the admin DN from the config; the add below runs with its privileges
        ldap_bind($conn, $this->dn, $this->ldap_password) or die("Error trying to bind: " . ldap_error($conn));
    }

    public function ldap_kg_addPeople($conn, $people_info, $ou = 'people')
    {
        $this->ldap_kg_bind($conn);
        // Don't get the password wrong here: OpenLDAP expects "{MD5}" followed by the base64
        // of the raw 16-byte digest (hence pack('H*', ...)), not of the hex string. {MD5} is
        // unsalted; {SSHA} is the stronger choice when the directory supports it.
        $people_info['userPassword'] = "{MD5}" . base64_encode(pack('H*', md5($people_info['userPassword'])));
        print_r($people_info); // debug output; it echoes the hash, so remove it in production
        // cn comes straight from the request, so escape it before building the DN (RFC 4514 special characters)
        $user_dn = "cn=" . ldap_escape($people_info['cn'], '', LDAP_ESCAPE_DN) . ',ou=' . $ou . ',' . $this->base_dn;
        if (ldap_add($conn, $user_dn, $people_info)) {
            $mes = 'ok';
            $code = 200;
        } else {
            $mes = 'err';
            $code = 400;
        }
        return json(array('code' => $code, 'mes' => $mes));
    }

    public function ldap_kg_add($conn, $item)
    {
        // Basic user attributes. The original test used && here, so it could never fire:
        // a non-array has no count, and an empty array is still an array.
        if (!is_array($item) || count($item) <= 0)
            return json(array('code' => 400, 'mes' => "not array. include:'cn', 'givenName', 'sn', 'objectclass', 'mail', 'uid','userPassword'"));
        $arr = array(
            'cn' => $item['cn'],
            'givenName' => $item['givenName'],
            'sn' => $item['sn'],
            'objectclass' => "inetOrgPerson",
            'mail' => $item['mail'],
            'uid' => $item['uid'],
            'userPassword' => $item['userPassword'],
        );
        return $this->ldap_kg_addPeople($conn, $arr);
    }
}
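The userPassword line above is the one the post warns about. As an added example (Python rather than the post's PHP, and not the author's code), this reproduces byte-for-byte the {MD5} value the PHP expression builds, adds the salted {SSHA} scheme OpenLDAP uses by default, and verifies a candidate password against either form; the sample passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ldap_md5_userpassword(password: str) -> str:
    """Same value as the post's PHP: "{MD5}" . base64_encode(pack('H*', md5($pw))).
    The base64 is taken over the raw 16-byte digest, NOT over the 32-char hex string."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def ldap_ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1, the {SSHA} scheme slappasswd produces by default:
    base64(sha1(password + salt) + salt). Unlike {MD5} it is salted, so two
    users with the same password do not end up with the same stored value."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per user
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_userpassword(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored {MD5} or {SSHA} userPassword."""
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(ldap_md5_userpassword(candidate), stored)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        salt = raw[20:]  # the SHA-1 digest is 20 bytes; everything after it is the salt
        return hmac.compare_digest(ldap_ssha_userpassword(candidate, salt), stored)
    raise ValueError("unsupported userPassword scheme: " + stored[:8])
```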

Example

    public function ldap_test()
    {
        // Adapt this to your own needs.
        // The code is not pretty; it just gets the job done.
        $g = input();
        $ldap_kg = new Ldap(); // the class above is named Ldap, not Ldap_kg
        $conn = $ldap_kg->ldap_kg_connect();
        $ldap_kg->ldap_kg_bind($conn);
        return $ldap_kg->ldap_kg_add($conn, $g);
    }
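The DN that ldap_kg_addPeople builds is assembled from request input. As an added example (Python, not the post's code), this escapes DN attribute values according to RFC 4514 and validates the same attribute set that ldap_kg_add requires before anything reaches the directory; the base DN and OU come from the post, and the sample entries are constructed.

```python
# Attributes the post's ldap_kg_add insists on for an inetOrgPerson
REQUIRED = ("cn", "givenName", "sn", "mail", "uid", "userPassword")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4):
    ',+"\\<>;' anywhere, NUL as \\00, a leading '#', and a leading or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_person_entry(item, base_dn: str, ou: str = "people"):
    """Validate request input and return (dn, attributes) for ldap_add.
    Raises ValueError instead of the post's 400 response when input is unusable."""
    if not isinstance(item, dict) or not item:
        raise ValueError("item must be a non-empty dict")
    missing = [k for k in REQUIRED if not item.get(k)]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))
    # cn and ou are escaped; base_dn is trusted configuration, as in the post
    dn = "cn=%s,ou=%s,%s" % (escape_dn_value(item["cn"]), escape_dn_value(ou), base_dn)
    attrs = {k: item[k] for k in REQUIRED}
    attrs["objectclass"] = "inetOrgPerson"
    return dn, attrs
```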
Copyright notice:
When reposting this original article, please credit the source: //kinggoo.com
Original URL: https://kinggoo.com/gitlab-ldap.htm

4 comments.

  1. This article explains things so simply that even a beginner like me understood it!

  2. warning: HTTPS connections may not be secure. See https://aka.ms/gcmcore-tlsverify for more information.
    fatal: Authentication failed for 'http://git.code.iiestar.cn/niubi/test.git/'
    ######

    git config --global http.sslVerify true
    • On adding LDAP user attributes: if anyone knows more ways to do this, let's learn from each other.

      $arr = array(
          'cn' => $item['cn'],
          'givenName' => $item['givenName'],
          'sn' => $item['sn'],
          'objectclass' => "inetOrgPerson",
          'mail' => $item['mail'],
          'uid' => $item['uid'],
          'userPassword' => $item['userPassword'],
      );
      
