ubuntu22.04服务器docker-compose方式部署ldap服务

一：系统版本

二：部署环境

节点名称

IP

部署组件及版本

配置文件路径

机器CPU

机器内存

机器存储

Ldap

10.10.10.111

self-service-password:latest

phpldapadmin:latest

openldap:latest

openldap:/data/openldap/config

phpldapadmin（只是web管理界面，数据依托openldap）

self-service-password:/data/self-service-password/data

2*16cores

64g

50g 系统

800g 数据盘

三：部署流程

（1）安装docker和docker-compose
apt-get install -y docker 
wget https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64 
mv docker-compose-Linux-x86_64 /usr/bin/docker-compose
（2）提前拉取需要用到的镜像
docker pull osixia/openldap:latest 
docker pull osixia/phpldapadmin:latest 
docker pull tiredofit/self-service-password:latest
（3）准备应用要挂载的配置文件目录
mkdir -p /data/openldap/data 
mkdir -p /data/openldap/config 
mkdir -p /data/self-service-password/data 
mkdir -p /data/self-service-password/logs 
备注：如遇到读取文件权限问题请使用 chmod 755 -R /data/self-service-password/data
（4）所有组件的部署方式全部为docker-compose形式编排部署，docker-compose.yml文件所在路径/app/ldap_docker_compose/，编排内容：
~]# mkdir -p /app/ldap_docker_compose/
~]# cat /app/ldap_docker_compose/docker-compose.yml

version: '3'
services:
  ## 安装openldap
  openldap:
    container_name: openldap
    image: osixia/openldap:latest
    restart: always
    environment:
      TZ: Asia/Shanghai
      LDAP_ORGANISATION: "Manager"
      LDAP_DOMAIN: "westhab.com"
      LDAP_ADMIN_PASSWORD: "admin123456"
      LDAP_CONFIG_PASSWORD: "admin123456"
    volumes:
      - /data/openldap/data:/var/lib/ldap
      - /data/openldap/config:/etc/ldap/slapd.d
    ports:
      - '389:389'
  ## 安装phpldapadmin
  phpldapadmin:
    container_name: phpldapadmin
    image: osixia/phpldapadmin:latest
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: openldap
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "30004:80"
    depends_on:
      - openldap
  ## 安装自助修改密码插件self-service-password
  change-ldap-password:
    container_name: self-service-password
    image: tiredofit/self-service-password:latest
    restart: always
    ports:
      - "8080:80"
    environment:
      - LDAP_SERVER=ldap://10.10.10.111:389
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=cn=admin,dc=westhab,dc=com
      - LDAP_BINDPASS=admin123456
      - LDAP_BASE_SEARCH=dc=westhab,dc=com
      - LDAP_LOGIN_ATTRIBUTE=uid
      - LDAP_FULLNAME_ATTRIBUTE=cn
      # 邮箱配置模块
      - MAIL_FROM=emis@skycloudsys.com
      - MAIL_FROM_NAME=账号自助服务平台
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.qiye.aliyun.com
      - SMTP_USER=emis@skycloudsys.com
      - SMTP_PASS=QUN3ZSQmNzQ1QkJjaQ==
      - SMTP_SECURE_TYPE=tls
      - SMTP_AUTOTLS=false
      - SMTP_AUTH_ON=true
      - NOTIFY_ON_CHANGE=true
    volumes:
      - /etc/localtime:/etc/localtime
      - /data/self-service-password/data:/www/ssp
      - /data/self-service-password/logs:/www/logs
（5）启动服务
#开始部署
~]# docker-compose up -d
#停止运行的容器实例
~]# docker-compose stop
#单独启动容器
~]# docker-compose up -d phpldapadmin
#重启所有容器
~]# docker-compose restart
#查看服务状态
~]# docker-compose ps
(6）查看服务状态

(7) 功能测试

1、ldapadmin服务访问测试：（正常）

2、ldapadmin增删改查功能测试：（正常）

3、selfpasswd（自助密码修改服务）访问测试：（正常）

4、selfpasswd功能测试（原密码修改密码，忘记密码邮箱重置密码）：（正常）

（8）部署过程遇到的问题总结：

问题1：由于使用的阿里云smtp服务密码"ACwe$&745BBci"存在连续特殊字符"$&"，而docker-compose的yaml文件无法对连续的特殊字符做转义，尝试使用把密码以挂载env_file形式去传递到docker内部，但是测试此种方案发现没有生效。

解决办法：尝试对原密码进行base64位加密，然后去修改docker volume的服务器上的本地配置文件做base64的解码，以这种方式去规避连续特殊字符。（修改完之后需要重启docker服务生效 docker-compose restart）

在index.php中的email password 修改原配置为base64_decode($mail_smtp_pass);

在/data/self-service-password/data/conf/config.inc.php中的email password 修改原配置为 $mail_smtp_pass = base64_decode($mail_smtp_pass)；

问题2：发现邮件重置密码时，重置链接不完整，缺少实际的ip或域名信息。

解决办法：在修改docker volume的服务器上的本地配置/data/self-service-password/data/conf/config.inc.php文件补全重置邮件链接的前缀换成域名信息。（修改完之后需要重启docker服务生效 docker-compose restart）

三：服务接入

关于要用到的ldap目录树的解释：

1. 基础 DN（Base DN）：作用：基础 DN 是 LDAP 搜索操作的起始点，指定了搜索的根节点。用途：当执行 LDAP 搜索操作时，基础 DN 指定了搜索的起始位置，搜索将从该位置开始递归地向下搜索整个 LDAP 目录树。示例：基础 DN 可以是整个 LDAP 目录树的根节点，如 dc=example,dc=com，或者是特定组织单位（OU）的 DN。 2. 搜索 DN（Search DN）：作用：搜索 DN 是用于执行 LDAP 搜索操作时的身份验证信息，用于访问 LDAP 目录中的数据。用途：在执行 LDAP 搜索操作时，需要提供搜索 DN 和相应的密码以进行身份验证，以便访问 LDAP 数据。示例：搜索 DN 可以是具有适当权限的用户或服务账户的 DN，用于执行 LDAP 搜索操作。

（1）grafana对接ldap

1.在grafana.ini中启用ldap服务开关
enabled = true
config_file = /etc/grafana/ldap.toml
allow_sign_up = true
# prevent synchronizing ldap users organization roles
skip_org_role_sync = true
2.ldap.toml配置
# To troubleshoot and get more log info enable ldap debug logging in grafana.ini
# [log]
# filters = ldap:debug

[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "10.10.100.111"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
use_ssl = false
# If set to true, use LDAP with STARTTLS instead of LDAPS
start_tls = false
# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_AES_256_GCM_SHA384"])
# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
tls_ciphers = []
# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1, TLS1.2, TLS1.3.
min_tls_version = ""
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"

# Search user bind dn
bind_dn = "cn=admin,dc=westhpc,dc=com"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'admin123456'
# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
# bind_password = '$__env{LDAP_BIND_PASSWORD}'

# Timeout in seconds (applies to each host specified in the 'host' entry (space separated))
timeout = 10

# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
search_filter = "(uid=%s)"

# An array of base dns to search through
search_base_dns = ["dc=westhap,dc=com"]

## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
## Please check grafana LDAP docs for examples
group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
group_search_base_dns = ["dc=westhab,dc=com"]
# group_search_filter_user_attribute = "uid"

# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
member_of = "cn"
email =  "email"

# Map ldap groups to grafana org roles
[[servers.group_mappings]]
group_dn = "cn=admins,ou=groups,dc=grafana,dc=org"
org_role = "Admin"
# To make user an instance admin  (Grafana Admin) uncomment line below
# grafana_admin = true
# The Grafana organization database id, optional, if left out the default org (id 1) will be used
# org_id = 1

[[servers.group_mappings]]
group_dn = "cn=editors,ou=groups,dc=grafana,dc=org"
org_role = "Editor"

[[servers.group_mappings]]
# If you want to match all (or no ldap groups) then you can use wildcard
group_dn = "*"
org_role = "Viewer"