Integrating LDAP into Jenkins: controlling what different user groups can see
1. Install the LDAP server, set the admin username and password, and set the domain
1-1. Install
sudo apt-get install slapd ldap-utils
1-2. Configure
sudo dpkg-reconfigure slapd
a.
A dialog asks for the DNS Domain Name:
The DNS domain name is used to construct the base DN of the LDAP directory.
For example, 'foo.example.org' will create the directory with 'dc=foo, dc=example, dc=org' as base DN.
DNS domain name:
My domain here is 'love3q.tech'.
b.
A dialog asks for the organization name:
Please enter the name of the organization to use in the base DN of your LDAP directory.
Organization name:
Enter an organization name; anything will do.
c.
A dialog asks you to set the password.
Here I set the admin password to 'adminpwd'.
d. Check the initial configuration with slapcat
Use slapcat to dump the initial directory:
$ sudo slapcat |grep -n -e ""
1:dn: dc=love3q,dc=tech
2:objectClass: top
3:objectClass: dcObject
4:objectClass: organization
5:o: peggy
6:dc: love3q
7:structuralObjectClass: organization
8:entryUUID: 8bb9f7da-995b-1039-9c64-b77ca7797a9b
9:creatorsName: cn=admin,dc=love3q,dc=tech
10:createTimestamp: 20191112054641Z
11:entryCSN: 20191112054641.280128Z#000000#000#000000
12:modifiersName: cn=admin,dc=love3q,dc=tech
13:modifyTimestamp: 20191112054641Z
14:
15:dn: cn=admin,dc=love3q,dc=tech
16:objectClass: simpleSecurityObject
17:objectClass: organizationalRole
18:cn: admin
19:description: LDAP administrator
20:userPassword:: e1NTSEF9ZTBiT2NpN3BTOUFPVE51ZXYwVStEQlZ4Y2dyLzR3RXY=
21:structuralObjectClass: organizationalRole
22:entryUUID: 8bbfb224-995b-1039-9c65-b77ca7797a9b
23:creatorsName: cn=admin,dc=love3q,dc=tech
24:createTimestamp: 20191112054641Z
25:entryCSN: 20191112054641.317700Z#000000#000#000000
26:modifiersName: cn=admin,dc=love3q,dc=tech
27:modifyTimestamp: 20191112054641Z
You can see o: peggy, which corresponds to the organization name I entered.
Inspect the LDAP configuration with the ldapadmin helper tool
Install ldapadmin.exe yourself.
Double-click ldapadmin.exe -> Start -> 'New Connection',
and configure it as shown in the figure, where:
Host: the address of the LDAP server, either a hostname or an IP address
Port: 389
Account.username: 'cn=admin,dc=love3q,dc=tech', i.e. the admin cn from the slapcat output
Account.password: the password set when configuring the LDAP server, 'adminpwd' in my case
Now click 'Fetch DNs' and pick 'dc=love3q,dc=tech' from the 'Base' drop-down.
Then click 'Test Connection'; if everything is fine it reports test ok.
Connect!
2. Add groups and users to the LDAP server
2-1. Add ou=user and ou=group to the LDAP server
Write the LDIF file 'ldap_jenkins_ou_people_group.ldif'; it can live anywhere:
dn: ou=user,dc=love3q,dc=tech
objectClass: organizationalUnit
ou: user

dn: ou=group,dc=love3q,dc=tech
objectClass: organizationalUnit
ou: group
Add the new DNs with ldapadd:
$ sudo ldapadd -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_jenkins_ou_people_group.ldif
adding new entry "ou=user,dc=love3q,dc=tech"
adding new entry "ou=group,dc=love3q,dc=tech"
Check what was added with slapcat:
$ sudo slapcat
...(omitted)...
dn: ou=user,dc=love3q,dc=tech
objectClass: organizationalUnit
ou: user
structuralObjectClass: organizationalUnit
entryUUID: a76d11ae-995d-1039-8343-ed16fa7cf653
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112060146Z
entryCSN: 20191112060146.745854Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112060146Z
dn: ou=group,dc=love3q,dc=tech
objectClass: organizationalUnit
ou: group
structuralObjectClass: organizationalUnit
entryUUID: a77558aa-995d-1039-8344-ed16fa7cf653
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112060146Z
entryCSN: 20191112060146.800109Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112060146Z
2-2. Add three groups to the LDAP server
I plan to split all users into three groups: admin, which can do anything in Jenkins; manager, which can configure jobs; and tester, which can run the jobs that managers have configured.
a. Add the group jenkins-admin
Edit the LDIF file 'ldap_jenkins_cn_jenkins.ldif':
dn: cn=jenkins-admin,ou=group,dc=love3q,dc=tech
objectClass: posixGroup
cn: jenkins-admin
gidNumber: 5000
$ sudo ldapadd -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_jenkins_cn_jenkins.ldif
adding new entry "cn=jenkins-admin,ou=group,dc=love3q,dc=tech"
b. Add the group jenkins-manager
Edit the LDIF file 'ldap_jenkins_cn_jenkins.ldif':
dn: cn=jenkins-manager,ou=group,dc=love3q,dc=tech
objectClass: posixGroup
cn: jenkins-manager
gidNumber: 5000
$ sudo ldapadd -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_jenkins_cn_jenkins.ldif
adding new entry "cn=jenkins-manager,ou=group,dc=love3q,dc=tech"
c. Add the group jenkins-tester
Edit the LDIF file 'ldap_jenkins_cn_jenkins.ldif':
dn: cn=jenkins-tester,ou=group,dc=love3q,dc=tech
objectClass: posixGroup
cn: jenkins-tester
gidNumber: 5000
$ sudo ldapadd -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_jenkins_cn_jenkins.ldif
adding new entry "cn=jenkins-tester,ou=group,dc=love3q,dc=tech"
d. View the three newly added groups
$ sudo slapcat
...(omitted)...
dn: cn=jenkins-admin,ou=group,dc=love3q,dc=tech
objectClass: posixGroup
cn: jenkins-admin
gidNumber: 5000
structuralObjectClass: posixGroup
entryUUID: ad54981a-995f-1039-947e-655c7f81cbef
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112061615Z
entryCSN: 20191112061615.645239Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112061615Z
dn: cn=jenkins-manager,ou=group,dc=love3q,dc=tech
objectClass: posixGroup
cn: jenkins-manager
gidNumber: 5000
structuralObjectClass: posixGroup
entryUUID: d99c2370-995f-1039-947f-655c7f81cbef
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112061729Z
entryCSN: 20191112061729.933876Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112061729Z
dn: cn=jenkins-tester,ou=group,dc=love3q,dc=tech
objectClass: posixGroup
cn: jenkins-tester
gidNumber: 5000
structuralObjectClass: posixGroup
entryUUID: ee37ec88-995f-1039-9480-655c7f81cbef
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112061804Z
entryCSN: 20191112061804.509265Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112061804Z
2-3. Add a few users to LDAP
Add the user j_admin_01
Create a user j_admin_01; later it will belong to the group jenkins-admin.
Edit the LDIF file 'ldap_jenkins_uid.ldif':
dn: uid=j_admin_01,ou=user,dc=love3q,dc=tech
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: j_admin_01
sn: jenkins
givenName: j_admin_01
cn: jenkins-user
displayName: j_admin_01
uidNumber: 10000
gidNumber: 5000
userPassword: 123456
gecos: j_admin_01
loginShell: /bin/bash
homeDirectory: /data/vsftpd/j_admin_01
mail: j_admin_01@love3q.tech.com
$ sudo ldapadd -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_jenkins_uid.ldif
adding new entry "uid=j_admin_01,ou=user,dc=love3q,dc=tech"
Add the user j_manager_01
Create a user j_manager_01; later it will belong to the group jenkins-manager.
Edit the LDIF file 'ldap_jenkins_uid.ldif':
dn: uid=j_manager_01,ou=user,dc=love3q,dc=tech
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: j_manager_01
sn: jenkins
givenName: j_manager_01
cn: jenkins-user
displayName: j_manager_01
uidNumber: 10000
gidNumber: 5000
userPassword: 123456
gecos: j_manager_01
loginShell: /bin/bash
homeDirectory: /data/vsftpd/j_manager_01
mail: j_manager_01@love3q.tech.com
$ sudo ldapadd -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_jenkins_uid.ldif
adding new entry "uid=j_manager_01,ou=user,dc=love3q,dc=tech"
Add the user j_tester_01
Create a user j_tester_01; later it will belong to the group jenkins-tester.
Edit the LDIF file 'ldap_jenkins_uid.ldif':
$ cat ldap_jenkins_uid.ldif
dn: uid=j_tester_01,ou=user,dc=love3q,dc=tech
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: j_tester_01
sn: jenkins
givenName: j_tester_01
cn: jenkins-user
displayName: j_tester_01
uidNumber: 10000
gidNumber: 5000
userPassword: 123456
gecos: j_tester_01
loginShell: /bin/bash
homeDirectory: /data/vsftpd/j_tester_01
mail: j_tester_01@love3q.tech.com
$ sudo ldapadd -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_jenkins_uid.ldif
adding new entry "uid=j_tester_01,ou=user,dc=love3q,dc=tech"
View the three newly added users:
$ sudo slapcat
...(omitted)...
dn: uid=j_admin_01,ou=user,dc=love3q,dc=tech
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: j_admin_01
sn: jenkins
givenName: j_admin_01
cn: jenkins-user
displayName: j_admin_01
uidNumber: 10000
gidNumber: 5000
userPassword:: MTIzNDU2
gecos: j_admin_01
loginShell: /bin/bash
homeDirectory: /data/vsftpd/j_admin_01
mail: j_admin_01@love3q.tech.com
structuralObjectClass: inetOrgPerson
entryUUID: 40a1ee96-9961-1039-9482-655c7f81cbef
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112062732Z
entryCSN: 20191112062732.273899Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112062732Z
dn: uid=j_manager_01,ou=user,dc=love3q,dc=tech
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: j_manager_01
sn: jenkins
givenName: j_manager_01
cn: jenkins-user
displayName: j_manager_01
uidNumber: 10000
gidNumber: 5000
userPassword:: MTIzNDU2
gecos: j_manager_01
loginShell: /bin/bash
homeDirectory: /data/vsftpd/j_manager_01
mail: j_manager_01@love3q.tech.com
structuralObjectClass: inetOrgPerson
entryUUID: a5090752-9961-1039-9483-655c7f81cbef
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112063020Z
entryCSN: 20191112063020.721714Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112063020Z
dn: uid=j_tester_01,ou=user,dc=love3q,dc=tech
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: j_tester_01
sn: jenkins
givenName: j_tester_01
cn: jenkins-user
displayName: j_tester_01
uidNumber: 10000
gidNumber: 5000
userPassword:: MTIzNDU2
gecos: j_tester_01
loginShell: /bin/bash
homeDirectory: /data/vsftpd/j_tester_01
mail: j_tester_01@love3q.tech.com
structuralObjectClass: inetOrgPerson
entryUUID: c6b69b76-9961-1039-9484-655c7f81cbef
creatorsName: cn=admin,dc=love3q,dc=tech
createTimestamp: 20191112063117Z
entryCSN: 20191112063117.224092Z#000000#000#000000
modifiersName: cn=admin,dc=love3q,dc=tech
modifyTimestamp: 20191112063117Z
View with ldapadmin.exe
Assign the users to the three groups
Add user j_admin_01 to the jenkins-admin group:
$ cat ldap_modify.ldif
dn: cn=jenkins-admin,ou=group,dc=love3q,dc=tech
changetype: modify
add: memberUid
memberUid: j_admin_01
$ sudo ldapmodify -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_modify.ldif
modifying entry "cn=jenkins-admin,ou=group,dc=love3q,dc=tech"
Add user j_manager_01 to the jenkins-manager group:
$ cat ldap_modify.ldif
dn: cn=jenkins-manager,ou=group,dc=love3q,dc=tech
changetype: modify
add: memberUid
memberUid: j_manager_01
$ sudo ldapmodify -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_modify.ldif
modifying entry "cn=jenkins-manager,ou=group,dc=love3q,dc=tech"
Add user j_tester_01 to the jenkins-tester group:
$ cat ldap_modify.ldif
dn: cn=jenkins-tester,ou=group,dc=love3q,dc=tech
changetype: modify
add: memberUid
memberUid: j_tester_01
$ sudo ldapmodify -x -D 'cn=admin,dc=love3q,dc=tech' -w adminpwd -f ldap_modify.ldif
modifying entry "cn=jenkins-tester,ou=group,dc=love3q,dc=tech"
Checking again shows the new users in the groups:
$ sudo slapcat
...
51:dn: cn=jenkins-admin,ou=group,dc=love3q,dc=tech
52:objectClass: posixGroup
53:cn: jenkins-admin
54:gidNumber: 5000
55:structuralObjectClass: posixGroup
56:entryUUID: ad54981a-995f-1039-947e-655c7f81cbef
57:creatorsName: cn=admin,dc=love3q,dc=tech
58:createTimestamp: 20191112061615Z
59:memberUid: j_admin_01
60:entryCSN: 20191112063608.133792Z#000000#000#000000
61:modifiersName: cn=admin,dc=love3q,dc=tech
62:modifyTimestamp: 20191112063608Z
63:
64:dn: cn=jenkins-manager,ou=group,dc=love3q,dc=tech
65:objectClass: posixGroup
66:cn: jenkins-manager
67:gidNumber: 5000
68:structuralObjectClass: posixGroup
69:entryUUID: d99c2370-995f-1039-947f-655c7f81cbef
70:creatorsName: cn=admin,dc=love3q,dc=tech
71:createTimestamp: 20191112061729Z
72:memberUid: j_manager_01
73:entryCSN: 20191112063656.229771Z#000000#000#000000
74:modifiersName: cn=admin,dc=love3q,dc=tech
75:modifyTimestamp: 20191112063656Z
76:
77:dn: cn=jenkins-tester,ou=group,dc=love3q,dc=tech
78:objectClass: posixGroup
79:cn: jenkins-tester
80:gidNumber: 5000
81:structuralObjectClass: posixGroup
82:entryUUID: ee37ec88-995f-1039-9480-655c7f81cbef
83:creatorsName: cn=admin,dc=love3q,dc=tech
84:createTimestamp: 20191112061804Z
85:memberUid: j_tester_01
86:entryCSN: 20191112063727.008609Z#000000#000#000000
87:modifiersName: cn=admin,dc=love3q,dc=tech
88:modifyTimestamp: 20191112063727Z
The lines
memberUid: j_admin_01
memberUid: j_manager_01
memberUid: j_tester_01
have appeared.
View with ldapadmin.exe
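As an added example, not code from the original post, here is a small Python script that reads a slapcat-style LDIF dump like the ones in 2-2, 2-3 and the membership step above and reports what is worth fixing before Jenkins starts searching ou=user and ou=group: group members that resolve to no user entry, uidNumber/gidNumber values reused across entries (every entry above shares 10000 and 5000), and userPassword values stored in cleartext (the admin entry uses {SSHA}, while the user entries store 123456 verbatim, as the MTIzNDU2 in the dump shows). The sample input is constructed; its DNs follow the post, and j_tester_01 is deliberately left without a user entry.

```python
import base64
import re

# Constructed sample in slapcat layout, modelled on the post's entries (same
# DNs and ids); j_tester_01 is referenced by a group but has no user entry.
SAMPLE_LDIF = """\
dn: uid=j_admin_01,ou=user,dc=love3q,dc=tech
uid: j_admin_01
uidNumber: 10000
userPassword:: MTIzNDU2

dn: cn=jenkins-admin,ou=group,dc=love3q,dc=tech
cn: jenkins-admin
gidNumber: 5000
memberUid: j_admin_01

dn: cn=jenkins-tester,ou=group,dc=love3q,dc=tech
cn: jenkins-tester
gidNumber: 5000
memberUid: j_tester_01
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; 'attr:: v' is base64 (RFC 2849)."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, val = re.match(r"([\w;.-]+)(::?) ?(.*)", line).groups()
            entry.setdefault(attr, []).append(
                base64.b64decode(val).decode() if sep == "::" else val)
        entries.append(entry)
    return entries

def audit(entries):
    """Findings to fix before Jenkins searches ou=user and ou=group."""
    users = [e for e in entries if ",ou=user," in e["dn"][0]]
    groups = [e for e in entries if ",ou=group," in e["dn"][0]]
    uids = {u["uid"][0] for u in users}
    findings = [f"{g['cn'][0]}: memberUid {m} has no user entry"
                for g in groups for m in g.get("memberUid", []) if m not in uids]
    for attr, pool in (("uidNumber", users), ("gidNumber", groups)):
        owners = {}  # POSIX ids are meant to be unique per user / per group
        for e in pool:
            owners.setdefault(e[attr][0], []).append(e["dn"][0])
        findings += [f"{attr} {n} shared by {len(d)} entries" for n, d in owners.items() if len(d) > 1]
    # slapd stores userPassword exactly as given: hash it before ldapadd
    findings += [f"{u['uid'][0]}: userPassword stored in cleartext"
                 for u in users if any(not p.startswith("{") for p in u.get("userPassword", []))]
    return findings
```

Feed it `sudo slapcat` output instead of SAMPLE_LDIF to check a live directory.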
Configure Jenkins LDAP
Back up the configuration
In /var/lib/jenkins/config.xml:
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
Here
<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
<disableSignup>true</disableSignup>
<enableCaptcha>false</enableCaptcha>
</securityRealm>
corresponds to 'Manage Jenkins' -> 'Configure Global Security' -> 'Access Control' -> 'Security Realm' set to 'Jenkins' own user database', with 'Allow users to sign up' unchecked, and
<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
<denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>
corresponds to 'Manage Jenkins' -> 'Configure Global Security' -> 'Access Control' -> 'Authorization' set to 'Logged-in users can do anything' ('any user can do anything, no restrictions').
If, once LDAP is configured, a mistake in that configuration leaves you unable to log in to Jenkins,
edit config.xml:
replace the contents of <securityRealm></securityRealm>
and of <authorizationStrategy></authorizationStrategy>
with the backed-up contents above, then run sudo service jenkins restart.
After the restart Jenkins is back in its non-LDAP state and you can log in with the normal username and password (the account created when Jenkins was installed).
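The recovery step above, as an added Python example that is not part of the original post: it swaps the <securityRealm> and <authorizationStrategy> elements of a config.xml back to the backed-up local-database versions quoted above and leaves everything else in the file untouched. LDAP_CONFIG is a constructed stand-in for a real config.xml (which has many more elements); the realm and strategy class names in it are Jenkins' own. Run the restart yourself after writing the result back.

```python
import xml.etree.ElementTree as ET

# The two blocks the post tells you to back up from /var/lib/jenkins/config.xml.
LOCAL_REALM = """<securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
  <disableSignup>true</disableSignup>
  <enableCaptcha>false</enableCaptcha>
</securityRealm>"""
LOCAL_AUTHZ = """<authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
  <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
</authorizationStrategy>"""

# Constructed stand-in for a config.xml after LDAP was enabled and the
# project matrix strategy chosen; the server value follows the post.
LDAP_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"/>
  <securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap">
    <server>ldap://192.168.150.218:389</server>
  </securityRealm>
  <numExecutors>2</numExecutors>
</hudson>"""

def restore_local_realm(config_xml):
    """Return config_xml with <securityRealm> and <authorizationStrategy>
    replaced by the backed-up local versions, each kept in its original slot."""
    root = ET.fromstring(config_xml)
    for tag, backup in (("securityRealm", LOCAL_REALM), ("authorizationStrategy", LOCAL_AUTHZ)):
        old = root.find(tag)
        if old is None:
            raise ValueError(f"<{tag}> not found under <{root.tag}>")
        new = ET.fromstring(backup)
        new.tail = old.tail  # keep the file's line breaks / indentation
        idx = list(root).index(old)
        root.remove(old)
        root.insert(idx, new)
    return ET.tostring(root, encoding="unicode")

def security_classes(config_xml):
    """Map each security element under the root to its class attribute."""
    root = ET.fromstring(config_xml)
    return {tag: root.find(tag).get("class")
            for tag in ("securityRealm", "authorizationStrategy")}
```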
Enable Jenkins security and configure it by group.
'Manage Jenkins' -> 'Configure Global Security' -> 'Access Control' -> 'Security Realm':
choose 'LDAP' and set
Server: ldap://192.168.150.218:389
User search base: ou=user,dc=love3q,dc=tech
Group search base: ou=group,dc=love3q,dc=tech
Click Test LDAP settings
to check that our configuration works.
Enter a username and password:
user:j_admin_01
password:123456
The test passes.
'Manage Jenkins' -> 'Configure Global Security' -> 'Access Control' -> 'Authorization':
choose 'Project-based Matrix Authorization Strategy'.
The configuration is complete; save it.
Now log out of Jenkins and log in again as j_admin_01, j_tester_01 or j_manager_01: all three can log in, and each of the three kinds of user sees a different page.