Configuring OpenLDAP
If your organization uses LDAP for user authentication, you can integrate Rancher with an OpenLDAP service to provide centralized user authentication.
- When a user attempts to log in to Rancher with an LDAP account, Rancher performs an initial bind to the LDAP server using a service account that has permission to search the directory and read users and groups. (account initialization)
- Rancher then searches the directory for the user with a search filter built from the supplied username and the configured attribute mappings. (user search)
- Once the user is found, a second LDAP bind request is authenticated using the user's DN and the supplied password.
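The three steps above, modelled in Python as an added example that is not part of the Rancher documentation: a service-account bind, a user search whose filter escapes the login name per RFC 4515, and a final bind as the user. The bind DN, search base, attribute names and the in-memory directory are constructed assumptions, so the flow can be checked offline.

```python
import re
from typing import Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a login name like 'alice)(uid=*' cannot
    change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(username, login_attr="uid", object_class="inetOrgPerson"):
    """Filter the configured attribute mapping resolves to (names assumed)."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, login_attr, escape_filter_value(username))

def authenticate(client, bind_dn, bind_pw, search_base, username, password) -> Optional[str]:
    """Three-step login: service-account bind, user search, user bind.
    Returns the user's DN on success and None on any failure."""
    if not client.bind(bind_dn, bind_pw):              # 1. initial bind
        return None
    matches = client.search(search_base, build_user_filter(username))
    if len(matches) != 1:                               # 2. exactly one hit
        return None
    # An empty password would be an unauthenticated bind (RFC 4513 5.1.2),
    # which a server may accept as anonymous: never treat it as a login.
    if not password or not client.bind(matches[0], password):  # 3. user bind
        return None
    return matches[0]

class FakeDirectory:
    """Constructed in-memory stand-in for an OpenLDAP server (offline use)."""
    def __init__(self):
        self.entries = {
            "cn=rancher-bind,ou=services,dc=example,dc=org":
                {"userPassword": "bind-pw"},
            "uid=alice,ou=users,dc=example,dc=org":
                {"objectClass": "inetOrgPerson", "uid": "alice",
                 "userPassword": "alice-pw"},
        }

    def bind(self, dn, pw) -> bool:
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == pw

    def search(self, base, flt) -> list:
        m = re.fullmatch(r"\(&\(objectClass=(\w+)\)\((\w+)=(.*)\)\)", flt)
        if not m:
            return []
        oc, attr, escaped = m.groups()
        return [dn for dn, e in self.entries.items() if dn.endswith(base)
                and e.get("objectClass") == oc
                and escape_filter_value(e.get(attr, "")) == escaped]
```

Against a real server the `FakeDirectory` would be replaced by a client whose `bind` and `search` wrap the LDAP library of your choice; the three-step logic and the escaping stay the same.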
2. Prerequisites
Rancher must be configured with an LDAP bind account (also called a service account) to search and retrieve the LDAP entries related to users and groups. Rather than using an administrator or personal account, it is recommended to create a dedicated account in OpenLDAP that has read-only access to the users and groups under the configured search base (see below).
Using TLS? If the OpenLDAP server uses a self-signed certificate, or one not issued by a recognized certificate authority, make sure you have the CA certificate (concatenated with all intermediate certificates) in PEM format. You must provide this certificate during configuration so that Rancher can verify the certificate chain.
Open the OpenLDAP configuration page
- Log in to the Rancher UI with the system default admin account.
- From the Global view, navigate to the Security > Authentication page.
- Select OpenLDAP; the configuration form is displayed.
In the section titled 1. Configure an OpenLDAP server, fill in the fields with the information specific to your LDAP server. See the table below for details on the value required for each parameter.
If your OpenLDAP directory deviates from the standard OpenLDAP schema, you must complete the Customize Schema section to match it. Note that the attribute mappings configured in this section are used by Rancher to construct search filters and resolve group membership, so always verify that the configuration here matches the schema used in your OpenLDAP directory.
Note:
If you are unfamiliar with the user/group schema used in the OpenLDAP server, consult your LDAP administrator or refer to the section Identify Search Base and Schema using ldapsearch in the Active Directory authentication documentation.
User Schema
The table below details the parameters for the user schema configuration.
Table 2: User schema configuration parameters
Group Schema
The table below details the parameters for the group schema configuration.
Test Authentication
Once you have completed the configuration, proceed by testing the connection to the OpenLDAP server. Authentication with OpenLDAP will be enabled implicitly if the test is successful.
- Enter the username and password of the OpenLDAP account that should be mapped to the local principal account.
- Click Authenticate With OpenLDAP to test the OpenLDAP connection and finalise the setup.
Result: OpenLDAP authentication is configured.
Annex: Troubleshooting
If you are experiencing issues while testing the connection to the OpenLDAP server, first double-check the credentials entered for the service account as well as the search base configuration. You may also inspect the Rancher logs to help pinpoint the cause of the problem; debug logs may contain more detailed information about the error. Please refer to in this documentation.