Run on the host
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install containerd.io
Configure a registry mirror
vim /etc/docker/daemon.json
{
  "registry-mirrors": [
    "https://registry.docker-cn.com",
    "http://hub-mirror.c.163.com",
    "https://docker.mirrors.ustc.edu.cn"
  ]
}
Pull the GitLab image
docker pull beginor/gitlab-ce:11.1.4-ce.0
Create the host directories that will be mounted into the container, and a dedicated network
mkdir -p /data0/gitlab
cd /data0/gitlab
mkdir {etc,logs,data}
docker network create --subnet=172.19.0.0/16 my_gitlab_network
First of all, strictly restrict the source addresses and network interfaces that are allowed to reach container ports, for example docker run -p 127.0.0.1:5432:5432
Run the container
docker run -d \
  -p 127.0.0.1:1443:443 -p 127.0.0.1:1180:80 -p 127.0.0.1:1222:22 \
  --network=my_gitlab_network --ip=172.19.0.2 \
  --name gitlab --restart=always \
  -v /etc/localtime:/etc/localtime:ro \
  -v /data0/gitlab/etc:/etc/gitlab \
  -v /data0/gitlab/logs:/var/log/gitlab \
  -v /data0/gitlab/data:/var/opt/gitlab \
  beginor/gitlab-ce:11.1.4-ce.0   # same tag as the image pulled above
# -d: run in the background
# -p: publish a container port on the host; binding it to 127.0.0.1 is for safety
# --name: name the container
# -v: mount the container's data, log and config directories onto the given host directories
# --restart=always: start on boot and keep restarting on failure (on-failure:10 means restart at most 10 times; no means do not restart when the container exits)
If the container is already running, add the flag with: docker update --restart=always <container name or ID>
# -v /etc/timezone:/etc/timezone:ro -v /etc/localtime:/etc/localtime:ro (on CentOS the /etc/timezone mount errors out, so I left it off; not every Linux distribution has /etc/timezone). Mounting only /etc/timezone or only /etc/localtime can cause problems, for example errors when handling dates and times across time zones.
Reload the configuration
gitlab-ctl reconfigure
Install LDAP. I used a container for it as well, because an LDAP that had previously been installed on the system was causing problems.
[root@storage dockerCompose]# cat docker-openldap.yml
version: '3'
services:
  openldap:
    image: osixia/openldap:latest
    container_name: openldap
    restart: always
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "iie ldap"
      LDAP_DOMAIN: "kinggoo.cn"
      LDAP_BASE_DN: "dc=kinggoo,dc=cn"
      LDAP_ADMIN_PASSWORD: "kinggoo这里是密码"
      LDAP_CONFIG_PASSWORD: "kinggoo这里是密码"
      LDAP_READONLY_USER: "false"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      LDAP_REPLICATION: "false"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      TZ: Asia/Shanghai
    networks:
      my_gitlab_network:
        ipv4_address: 172.19.0.3
    tty: true
    stdin_open: true
    volumes:
      - /opt/openldap/ldap:/var/lib/ldap
      - /opt/openldap/slapd.d:/etc/ldap/slapd.d
      # the image's certificate directory is .../slapd/... (the original had "lapd")
      - /opt/openldap/certs:/container/service/slapd/assets/certs
    ports:
      - "389:389"
      - "636:636"
    domainname: "kinggoo.cn"
    hostname: "ldap-server"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    restart: always
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "172.16.1.251"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "50081:80"
    depends_on:
      - openldap
  self-service-password:
    container_name: self-service-password
    image: tiredofit/self-service-password:latest
    restart: always
    ports:
      - "50080:80"
    environment:
      - LDAP_SERVER=ldap://openldap:389
      - LDAP_BINDDN=cn=admin,dc=kinggoo,dc=cn
      - LDAP_BINDPASS=kinggoo#123
      - LDAP_BASE_SEARCH=dc=kinggoo,dc=cn
      - MAIL_FROM=smtp.mxhichina.com
      - MAIL_FROM_NAME=账号自助服务平台
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.mxhichina.com
      - SMTP_USER=notify@kinggoo.com
      - SMTP_PASS=这里是邮箱密码
      - SMTP_PORT=25
      - SMTP_AUTH_ON=true
      - NOTIFY_ON_CHANGE=true
    volumes:
      - /etc/localtime:/etc/localtime
      - /opt/openldap/self-service-password/htdocs:/www/ssp
      - /opt/openldap/self-service-password/logs:/www/logs
    networks:
      # openldap is only attached to my_gitlab_network, so this service must join it
      # for the hostname "openldap" in LDAP_SERVER to resolve
      - my_gitlab_network
networks:
  my_gitlab_network:
    external: true
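The compose entries "389:389", "636:636", "50081:80" and "50080:80" carry no host address, so Docker publishes them on every interface, unlike the 127.0.0.1-bound -p flags in the docker run command above. The following audit script is an added example, not part of the original post: it parses both the docker run -p form and the compose ports: form and lists every mapping that is not bound to loopback; the SAMPLE list is constructed from the mappings on this page.

```python
import re
from typing import List, NamedTuple, Optional

# Short port syntax shared by docker-compose "ports:" and `docker run -p`:
#   "389:389", "127.0.0.1:1443:443", "50081:80/tcp", "127.0.0.1::22", "8080"
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]):)?"
    r"(?:(?P<host>\d*):)?(?P<cont>\d+)(?:/(?P<proto>tcp|udp))?$"
)

class Binding(NamedTuple):
    host_ip: str               # "0.0.0.0" when the mapping names no address (Docker's default)
    host_port: Optional[int]   # None when Docker picks an ephemeral host port
    container_port: int
    proto: str

def parse_binding(spec: str) -> Binding:
    """Parse one mapping string into its components."""
    m = _PORT_RE.match(spec.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    host_ip = m.group("ip") or "0.0.0.0"
    host_port = m.group("host")
    return Binding(host_ip, int(host_port) if host_port else None,
                   int(m.group("cont")), m.group("proto") or "tcp")

LOOPBACK = ("127.0.0.1", "[::1]")

def audit(specs: List[str]) -> List[str]:
    """Return one finding per mapping that publishes a container port on all interfaces."""
    findings = []
    for spec in specs:
        b = parse_binding(spec)
        if b.host_ip not in LOOPBACK:
            findings.append(f"{spec}: container port {b.container_port}/{b.proto} is bound to "
                            f"{b.host_ip}, i.e. reachable from every network the host is on")
    return findings

# Constructed sample: the mappings from the docker run command and the compose file above.
SAMPLE = ["127.0.0.1:1443:443", "127.0.0.1:1180:80", "127.0.0.1:1222:22",
          "389:389", "636:636", "50081:80", "50080:80"]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```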
Start it up.
Once it is running, log in as cn=admin,dc=kinggoo,dc=cn; the password is the one set in LDAP_ADMIN_PASSWORD above.
Create two OUs, group and people.
Then create dev.
Click Commit and dev is created; do the same for any others you need.
Create the users; I put them under the people OU.
Then click Create Object.
Then go to the GitLab container's mounted directory /data0/gitlab/etc and edit gitlab.rb
cat /data0/gitlab/etc/gitlab.rb|grep -v -E ^'(#|$)'
# I have SSL enabled
external_url 'https://git.code.kinggoo.cn'
gitlab_rails['gitlab_email_enabled'] = true
gitlab_rails['gitlab_email_from'] = 'notify@kinggoo.com'
gitlab_rails['gitlab_email_display_name'] = 'kinggoo DEV'
gitlab_rails['gitlab_email_reply_to'] = 'notify@kinggoo.com'
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    # label shown on the login page tab
    label: 'KG认证'
    host: '172.19.0.3'
    port: 389
    uid: 'uid'
    # plain = no TLS: the bind password crosses the docker network unencrypted
    encryption: 'plain'
    bind_dn: 'cn=admin,dc=kinggoo,dc=cn'
    password: 'kinggoo#123'
    active_directory: false
    allow_username_or_email_login: true
    block_auto_created_users: false
    base: 'ou=People,dc=kinggoo,dc=cn'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      name: 'displayName'
EOS
gitlab_rails['gitlab_shell_ssh_port'] = 1222
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.mxhichina.com"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_user_name'] = "notify@kinggoo.com"
gitlab_rails['smtp_password'] = "youxiangmima"
gitlab_rails['smtp_domain'] = "smtp.mxhichina.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = true
gitlab_rails['smtp_tls'] = false
letsencrypt['enable'] = false
Then restart with gitlab-ctl restart
gitlab-ctl reconfigure        # reload the configuration file
gitlab-rake gitlab:ldap:check # check that user information can be fetched (if users added in LDAP do not show up, use this to see whether they sync)
gitlab-rake gitlab:ldap:sync_users  # sync LDAP users into GitLab
gitlab-rake gitlab:ldap:clear_cache # clear GitLab's LDAP cache
After gitlab-ctl restart, log in to GitLab again; the login page now offers an LDAP option.
I originally wanted the GitLab inside Docker to serve SSL directly, but that did not work,
so I configured an nginx proxy on the host.
The nginx configuration is as follows:
# assumed: "githost" was not defined in the original; the run command above publishes the
# container's 443 on 127.0.0.1:1443, which is what this upstream points at
upstream githost {
    server 127.0.0.1:1443;
}

server {
    listen 80;
    server_name git.kinggoo.cn;
    location / {
        rewrite ^(.*)$ https://$host$1 permanent;
    }
}

server {
    listen 443 ssl;
    server_name git.kinggoo.cn;
    #auth_basic "QuanLei Auth.";
    # auth_basic_user_file passwd/authdb;
    # relative or absolute path of the certificate file
    ssl_certificate /data0/gitlab/ssl/gitlab.crt;
    # relative or absolute path of the private key file
    ssl_certificate_key /data0/gitlab/ssl/gitlab.key;
    ssl_session_timeout 5m;
    # protocols to allow
    ssl_protocols TLSv1.2 TLSv1.3;
    # cipher suites, written in openssl syntax
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    access_log access.log;
    location / {
        #auth_basic "QuanLei Auth.";
        #auth_basic_user_file passwd/authdb;
        proxy_pass https://githost;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
If GitLab cannot be reached over https after you log in, try adjusting this setting?
Remember to open ports 80 and 443 plus whatever else you configured, and it should basically work; if you set
gitlab_rails['gitlab_shell_ssh_port'] = 1222, open port 1222 as well.
Creating LDAP users from PHP: several platforms share accounts here, so creating an account automatically adds the LDAP account too. The code below lives inside a ThinkPHP (TP) application.
<?php
namespace app\tsoa\controller;

use think\App;
use think\facade\Config;

class Ldap extends Common
{
    private $connect;
    private $ldapserver;
    private $ldapprot;
    private $uname;
    private $ldap_password;   // was declared as $password but used as $ldap_password below
    private $dn;
    private $base_dn;

    public function __construct(App $app = null)
    {
        parent::__construct($app);
        // These values come from the Ldap config file; change them to match your own environment:
        //return [
        //    'ldap_server'   => '172.16.1.251',
        //    'ldap_port'     => 389,
        //    'ldap_base_dn'  => 'dc=kinggoo,dc=cn',
        //    'ldap_dn'       => 'cn=admin,dc=kinggoo,dc=cn',
        //    'ldap_password' => 'kinggoo这里是ldap密码',
        //];
        $this->ldapserver    = Config::get('Ldap.ldap_server');
        $this->ldapprot      = Config::get('Ldap.ldap_port');
        $this->base_dn       = Config::get('Ldap.ldap_base_dn');
        $this->dn            = Config::get('Ldap.ldap_dn');
        $this->ldap_password = Config::get('Ldap.ldap_password');
    }

    public function ldap_kg_connect()
    {
        $this->connect = ldap_connect($this->ldapserver, $this->ldapprot) or die('Unable to connect to the server');
        return $this->connect;
    }

    public function ldap_kg_bind($conn)
    {
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_bind($conn, $this->dn, $this->ldap_password) or die("Error trying to bind: " . ldap_error($conn));
    }

    public function ldap_kg_addPeople($conn, $people_info, $ou = 'people')
    {
        $this->ldap_kg_bind($conn);
        // Don't get the password encoding wrong: "{MD5}" followed by base64 of the raw digest.
        // {MD5} is unsalted; {SSHA} is the usual choice for OpenLDAP.
        $people_info['userPassword'] = "{MD5}" . base64_encode(pack('H*', md5($people_info['userPassword'])));
        // Escape the cn before building the DN so characters such as ',' or '+' cannot alter it
        $cn = ldap_escape($people_info['cn'], '', LDAP_ESCAPE_DN);
        $user_dn = "cn=" . $cn . ',ou=' . $ou . ',' . $this->base_dn;
        if (ldap_add($conn, $user_dn, $people_info)) {
            $mes  = 'ok';
            $code = 200;
        } else {
            $mes  = 'err';
            $code = 400;
        }
        return json(array('code' => $code, 'mes' => $mes));
    }

    public function ldap_kg_add($conn, $item)
    {
        // Basic user information; only these attributes are passed on to ldap_add
        if (!is_array($item) || count($item) <= 0) {
            return json(array('code' => 400, 'mes' => "not array. include: 'cn', 'givenName', 'sn', 'objectclass', 'mail', 'uid', 'userPassword'"));
        }
        $arr = array(
            'cn'           => $item['cn'],
            'givenName'    => $item['givenName'],
            'sn'           => $item['sn'],
            'objectclass'  => "inetOrgPerson",
            'mail'         => $item['mail'],
            'uid'          => $item['uid'],
            'userPassword' => $item['userPassword'],
        );
        return $this->ldap_kg_addPeople($conn, $arr);
    }
}
Example
public function ldap_test()
{
    // Change this to suit yourself.
    // The code isn't pretty, it's just there to get the job done.
    $g    = input();
    $ldap = new Ldap();   // the class above (the original instantiated Ldap_kg)
    $conn = $ldap->ldap_kg_connect();
    $ldap->ldap_kg_bind($conn);
    return $ldap->ldap_kg_add($conn, $g);
}
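The PHP above stores userPassword as "{MD5}" followed by the base64 of the raw digest. As an added example that is not part of the original post, the Python below reproduces that encoding, adds the salted {SSHA} form that OpenLDAP's own slappasswd generates by default, and verifies a candidate password against either form; the password "secret" and the fixed salts are constructed samples.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# OpenLDAP userPassword values look like "{SCHEME}" + base64(digest [+ salt]).

def ldap_md5(password: str) -> str:
    """Same encoding as the PHP "{MD5}" . base64_encode(md5(...)) above: unsalted."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(sha1(password + salt) + salt), with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_userpassword(stored: str, password: str) -> bool:
    """Check a candidate password against a stored {MD5} or {SSHA} value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("unsupported userPassword format")
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    if scheme.upper() == "MD5":
        candidate = hashlib.md5(password.encode()).digest()
        return hmac.compare_digest(candidate, raw)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]   # sha1 digest is 20 bytes; the rest is the salt
        candidate = hashlib.sha1(password.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError(f"unsupported scheme {scheme}")

if __name__ == "__main__":
    pw = "secret"  # constructed sample
    print(ldap_md5(pw))   # {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
    h = ldap_ssha(pw)
    print(h, verify_userpassword(h, pw), verify_userpassword(h, "wrong"))
```

Two users with the same password get identical {MD5} strings but different {SSHA} strings, which is why the salted form is preferred.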
This article explains things so clearly that even a beginner like me could follow it!
Thanks; being able to help is the greatest reward.
warning: HTTPS connections may not be secure. See https://aka.ms/gcmcore-tlsverify for more information.
fatal: Authentication failed for ‘http://git.code.iiestar.cn/niubi/test.git/’
On adding LDAP user attributes: if anyone knows more approaches, let's learn from each other.