JumpLdap 安装手册
# 摘要
JumpLdap 是基于JumpServer 二次开发、与 OpenLdap深度集成的开源版本,其不仅是使用OpenLdap进行账号的集中管理,同时其还利用OpenLdap的授权功能,实现了对Linux主机的登录及sudo授权管理操作。
# 文档环境
- 本文档中代码的测试环境
# OpenLdap 安装
JumpLdap 依赖OpenLdap,所以首先需要有一套支持sudo及memberOf的OpenLdap服务器环境。使用新建或现有的OpenLdap服务器,均可以快速完成与JumpLdap的集成,对于使用已经存在的OpenLdap服务器,通过导入模板即可。所有用户无需创建或导入,直接对接OpenLdap服务器。
# 新建OpenLdap服务器
此处使用nginxbar/ldapsso 镜像,docker-compose 脚本如下:
version: '3.3'
services:
  ldapsso:
    hostname: ldapsso
    image: 'nginxbar/ldapsso:0.2'
    container_name: ldapsso
    ports:
      # 389 is plaintext LDAP, 636 is LDAPS. Both are published on every host
      # interface here; restrict them at the host firewall, or prefix an
      # address (e.g. "127.0.0.1:389:389") when only local clients need them.
      - '389:389'
      - '636:636'
      - '8080:8080'
    environment:
      HOSTNAME: localhost
      LOG_LEVEL: '256'
      ADMIN: root
      # Sample value from this manual. The same value is used as BIND_PASSWORD
      # by the JumpLdap core service further down, so change both together.
      CONFIG_PASS: admin
# 导入ldif 文件
对于已经存在的OpenLdap服务器,只需执行这一步即可。 在example目录下提供了users.ldif 文件,默认ldap 域是dc=nginxbar,dc=com,可根据自己的实际情况进行替换。
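# Write the sample directory tree to /tmp/users.ldif.
# The heredoc delimiter is quoted so the shell never expands anything inside
# the LDIF (keeps the file byte-exact if a '$' is ever added).
# Replace dc=nginxbar,dc=com with your own base DN throughout.
# LDIF requires a blank line between entries; without them ldapadd reads the
# whole file as one entry and rejects it.
cat <<'EOF' >/tmp/users.ldif
dn: ou=Employees,dc=nginxbar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Employees

dn: ou=Group,dc=nginxbar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Group

dn: ou=apps,ou=Employees,dc=nginxbar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: apps

dn: ou=Sre,ou=Employees,dc=nginxbar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sre

# Demo account. The userPassword below is a sample hash: generate your own
# with slappasswd (prefer a salted scheme such as {SSHA}) before importing.
dn: uid=sre,ou=Sre,ou=Employees,dc=nginxbar,dc=com
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: person
objectClass: obPerson
gidNumber: 10001
givenName: sre
initials: sre
sn: sre
displayName: sre
uid: sre
uidNumber: 1072
homeDirectory: /home/sre
loginShell: /bin/bash
shadowFlag: 0
shadowMin: 0
shadowMax: 99999
shadowWarning: 0
shadowInactive: 99999
shadowLastChange: 12011
shadowExpire: 99999
cn: sre
userPassword: {SHA}pkKner19T1G/kibOr4kfy7Wymbg=
mail: sre@nginxbar.com

# The naming attribute value must match the RDN (ou=jumpldap); "ou: Group"
# here would be rejected by slapd as a naming violation.
dn: ou=jumpldap,ou=Group,dc=nginxbar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: jumpldap

# Membership of this group is what the JumpLdap SEARCH_FILTER checks.
dn: cn=login_users,ou=jumpldap,ou=Group,dc=nginxbar,dc=com
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=sre,ou=Sre,ou=Employees,dc=nginxbar,dc=com
cn: login_users
description: ai

### sudo
dn: ou=sudoers,dc=nginxbar,dc=com
objectClass: top
objectClass: organizationalUnit
ou: sudoers

dn: cn=defaults,ou=sudoers,dc=nginxbar,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !visiblepw
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: requiretty
sudoOption: secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
EOF

# 导入users.ldif
# ldapi:/// is the local Unix-socket listener, so this runs on the OpenLDAP
# host itself (inside the ldapsso container when using the image above).
# -D needs the full bind DN; presumably LDAP_USER carries the rest of the DN
# (e.g. "root,dc=nginxbar,dc=com") — confirm against the container's ADMIN value.
# -w puts the password on the command line, where it is visible in the process
# list; a password file (-y FILE) avoids that.
ldapadd -v -x -w "$LDAPROOTPSWD" -D "cn=$LDAP_USER" -H ldapi:/// -f /tmp/users.ldif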
# JumpLdap 安装
# 依赖环境安装
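# Host prerequisites (CentOS 7 / yum). Abort on the first failure so a missing
# repository does not silently lead to a half-installed Docker.
set -euo pipefail

# The manual turns the host firewall and SELinux off outright, which is the
# widest possible exposure for a bastion host. Prefer keeping firewalld and
# opening only what this host serves (80 for nginx and 2222 for koko SSH in
# this layout, e.g. `firewall-cmd --permanent --add-port=80/tcp`), and use
# SELINUX=permissive instead of disabled while troubleshooting.
# `|| true`: these fail harmlessly when firewalld is absent or SELinux is
# already disabled.
systemctl disable firewalld || true
systemctl stop firewalld || true
setenforce 0 || true
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

yum -y install epel-release
yum -y install iptables iptables-services net-tools vim yum-utils wget
# Docker CE from the vendor repo; docker-compose comes from EPEL.
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce docker-compose
systemctl enable docker
systemctl start docker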
安装并配置redis
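# Redis on the host, reachable by the JumpLdap containers.
yum install -y redis   # non-interactive, like the other yum steps in this manual
systemctl enable redis
hostip="xxx.xxx.xxx.xxx" # 本机IP — this host's address as seen from the containers
# Rebinding from 127.0.0.1 to the host address exposes Redis to the network,
# and once `bind` names a real address Redis' protected mode no longer applies.
# The packaged config sets no password, so set `requirepass` here and the
# matching REDIS_PASSWORD on the core service, or restrict 6379 at the
# firewall to the Docker bridge.
sed -i "s/bind 127.*/bind $hostip/g" /etc/redis.conf
systemctl start redis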
# Mysql 安装
docker-compose 脚本如下:
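version: '3.3'
services:
  mysql:
    image: 'mysql:5.7'
    restart: always
    container_name: mysql
    hostname: mysql
    environment:
      # Taken from the shell environment or a .env file next to this compose
      # file instead of a clear-text literal in the YAML; compose aborts with
      # the message when it is unset.
      MYSQL_ROOT_PASSWORD: '${MYSQL_ROOT_PASSWORD:?set MYSQL_ROOT_PASSWORD before running docker-compose}'
    # No ports are published: the JumpLdap core reaches this container through
    # external_links on the Docker bridge.
    volumes:
      - '/opt/data/apps/mysql:/var/lib/mysql'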
# 初始化mysql
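-- Application schema for JumpLdap; run as the MySQL root user.
CREATE DATABASE jumpserver DEFAULT CHARSET 'utf8' COLLATE 'utf8_general_ci';
-- Create the account explicitly, then grant: `GRANT ... IDENTIFIED BY` is
-- deprecated in 5.7 and removed in 8.0. Replace the sample password, and
-- narrow the host part ('%' = any host) to the Docker bridge subnet where the
-- network layout allows it.
CREATE USER 'jumpserver'@'%' IDENTIFIED BY 'weakPassword';
GRANT ALL ON jumpserver.* TO 'jumpserver'@'%';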
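#
# 生成随机加密秘钥 — generate SECRET_KEY / BOOTSTRAP_TOKEN once and persist them.
# Reading /dev/urandom directly (no `cat` pipe) and `head -c` bound how much is
# read; the A-Za-z0-9 class keeps the values safe to paste into .env.
[ "$SECRET_KEY" = "" ] && SECRET_KEY=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 50) && echo "SECRET_KEY=$SECRET_KEY" >> ~/.bashrc && echo "$SECRET_KEY"
[ "$BOOTSTRAP_TOKEN" = "" ] && BOOTSTRAP_TOKEN=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16) && echo "BOOTSTRAP_TOKEN=$BOOTSTRAP_TOKEN" >> ~/.bashrc && echo "$BOOTSTRAP_TOKEN"
mkdir -p /opt/data/scripts/jumpldap
# .env is written to the *current* directory, which is where docker-compose
# looks for it — run this from the directory that will hold jumpldap.yaml
# (presumably /opt/data/scripts/jumpldap, created above; confirm).
# printf avoids relying on echo's handling of embedded newlines.
printf 'SECRET_KEY=%s\nBOOTSTRAP_TOKEN=%s\n' "$SECRET_KEY" "$BOOTSTRAP_TOKEN" >.env
chmod 600 .env   # holds the secrets: owner-readable only
# 初始化luna — front-end bundle, pinned to the 1.5.2 release that matches the
# koko/guacamole images used below. No checksum is given here; verify the
# archive against the GitHub release page before extracting.
mkdir -p /opt/data/apps/jumpldap
wget https://github.com/jumpserver/luna/releases/download/1.5.2/luna.tar.gz
tar xf luna.tar.gz -C /opt/data/apps/jumpldap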
jumpldap.yaml
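version: '3.3'
services:
  core:
    image: 'nginxbar/jumpldap:0.1'
    container_name: jumpldap
    restart: always
    tty: true
    environment:
      # Interpolated by compose from the .env generated earlier (it must sit
      # next to this file).
      SECRET_KEY: '${SECRET_KEY}'
      BOOTSTRAP_TOKEN: '${BOOTSTRAP_TOKEN}'
      DB_HOST: mysql
      DB_PORT: '3306'
      # Use the dedicated account created by the GRANT in the MySQL
      # initialisation step; the application only needs the jumpserver schema,
      # so root is more privilege than it should hold.
      DB_USER: jumpserver
      DB_PASSWORD: '<db-password>'   # placeholder — the password from the GRANT
      DB_NAME: jumpserver
      REDIS_HOST: 'xxx.xxx.xxx.xxx'   # the host address redis.conf was bound to
      REDIS_PORT: '6379'
      LDAP_DN: 'dc=nginxbar,dc=com'
      # ldap:// on 389 sends the bind password in clear. The ldapsso container
      # also publishes 636, so prefer ldaps://...:636 once its server
      # certificate is trusted by this container.
      LDAP_SERVER: 'ldap://xxx.xxx.xxx.xxx:389'
      BIND_DN: 'cn=root,dc=nginxbar,dc=com'
      BIND_PASSWORD: 'admin'   # must match CONFIG_PASS of the ldapsso service
      SEARCH_OU: 'ou=Employees,dc=nginxbar,dc=com'
      # AND-filter: the user must exist under SEARCH_OU *and* be a member of
      # login_users. The operator is a bare "&" — a backslash before it (as the
      # rendered manual showed) is not valid LDAP filter syntax.
      SEARCH_FILTER: '(&(cn=%(user)s)(memberof=cn=login_users,ou=jumpldap,ou=Group,dc=nginxbar,dc=com))'
    external_links:
      - 'mysql:mysql'   # mysql runs from its own compose file on the default bridge
    volumes:
      - '/opt/data/apps/jumpldap/core/jumpldap:/opt/jumpserver'
    ports:
      # nginx proxies to 127.0.0.1:8080; publishing as '127.0.0.1:8080:8080'
      # keeps the plain-HTTP API off the other host interfaces.
      - '8080:8080'
  koko:
    image: 'jumpserver/jms_koko:1.5.2'
    container_name: jms_koko
    restart: always
    tty: true
    environment:
      CORE_HOST: 'http://core:8080'
      BOOTSTRAP_TOKEN: '${BOOTSTRAP_TOKEN}'
    links:
      - 'core:core'
    depends_on:
      - core
    volumes:
      - '/opt/data/apps/jumpldap/koko/koko-keys:/opt/koko/data/keys'
    ports:
      - '5000:5000'   # socket.io, proxied by nginx from 127.0.0.1
      - '2222:2222'   # SSH entry point used directly by users
  guacamole:
    image: 'jumpserver/jms_guacamole:1.5.2'
    container_name: jms_guacamole
    restart: always
    tty: true
    environment:
      JUMPSERVER_SERVER: 'http://core:8080'
      BOOTSTRAP_TOKEN: '${BOOTSTRAP_TOKEN}'
      JUMPSERVER_KEY_DIR: /config/guacamole/keys
      GUACAMOLE_HOME: /config/guacamole
      GUACAMOLE_LOG_LEVEL: ERROR
      JUMPSERVER_ENABLE_DRIVE: 'true'   # quoted on purpose: the container expects the string
    links:
      - 'core:core'
    depends_on:
      - core
    volumes:
      - '/opt/data/apps/jumpldap/guacamole/guacamole-keys:/config/guacamole/keys'
    ports:
      - '8081:8081'   # proxied by nginx from 127.0.0.1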
# nginx 安装及配置
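yum install -y nginx
# The heredoc delimiter is quoted: the config uses nginx variables ($uri,
# $host, $remote_addr, $http_upgrade, ...) and an unquoted heredoc lets the
# shell expand them to empty strings, which produces a broken configuration.
cat >/etc/nginx/conf.d/jumpldap.conf <<'EOF'
server {
    listen 80;   # plain HTTP: terminate TLS here (listen 443 ssl) before exposing it to users
    client_max_body_size 8G; # 录像及文件上传大小限制 — recording / file-upload size limit
    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/data/apps/jumpldap/luna/; # luna 路径, 如果修改安装目录, 此处需要修改 — luna path, adjust if the install dir changes
    }
    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/data/apps/jumpldap/core/jumpserver/data/media; # 录像位置, 如果修改安装目录, 此处需要修改 — recordings, adjust if the install dir changes
    }
    location /static {
        root /opt/data/apps/jumpldap/core/jumpserver/apps/; # 静态资源, 如果修改安装目录, 此处需要修改 — static assets, adjust if the install dir changes
    }
    location /socket.io/ {
        proxy_pass http://127.0.0.1:5000/socket.io/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /coco/ {
        proxy_pass http://127.0.0.1:5000/coco/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location /guacamole/ {
        proxy_pass http://127.0.0.1:8081/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        access_log off;
    }
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
systemctl enable nginx
systemctl start nginx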
# OpenLdap客户端 for Centos
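yum install -y wget net-tools
# xxx.xxx.xxx.xxx 为openldap服务器IP — replace with the OpenLDAP server's address
echo "xxx.xxx.xxx.xxx ldap.nginxbar.com" >>/etc/hosts
# 获得ldapsso docker 镜像中客户端脚本 — fetch the client setup script served by
# the ldapsso image. The compose file above publishes 8080, not 8086, so
# confirm which port actually serves it. The download is plain HTTP with no
# signature or checksum, so read /tmp/ldapclient.sh before running it as root
# rather than chaining the download straight into `sh`.
wget http://ldap.nginxbar.com:8086/scripts/ldapclient.sh -O /tmp/ldapclient.sh
# (inspect /tmp/ldapclient.sh here)
sh /tmp/ldapclient.sh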
# 开始使用
- 系统设置-LDAP设置 配置ldap地址及参数
- 资产管理-系统用户 创建系统用户
- 资产管理-资产列表 创建资产
- 授权管理-资产授权 创建授权规则
- 授权管理-资产授权-授权资产 关联系统用户、资产及普通用户
- 用户管理-用户列表 选择用户-授权资产 设置所选用户是否可在对应的资产系统拥有sudo权限
上次更新: 2023/03/21, 13:44:52