Build OpenLDAP
You can obtain a copy of the software by following the instructions on the OpenLDAP Software download page (http://www.openldap.org/software/download/). It is recommended that new users start with the latest release.
gunzip -c openldap-VERSION.tgz | tar xvfB -
cd openldap-VERSION
./configure --prefix=/home/mingjue/openldap2446
make depend
make
make install
make test
mkdir /home/mingjue/openldap2446/openldap-data
Edit the configuration file.
Use your favorite editor to edit the provided slapd.ldif example (usually installed as /home/mingjue/openldap2446/etc/openldap/slapd.ldif) so that it contains an MDB database definition of the form:
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=mingjue,dc=com
olcRootDN: cn=Manager,dc=mingjue,dc=com
olcRootPW: secret
olcDbDirectory: /home/mingjue/openldap2446/openldap-data
olcDbIndex: objectClass eq
Import the configuration database
You are now ready to import your configuration database for use by slapd(8), by running the command:
./sbin/slapadd -n 0 -F ./etc/slapd.d -l ./etc/openldap/slapd.ldif
Start SLAPD.
You are now ready to start the Standalone LDAP Daemon, slapd(8), by running the command:
sudo ./libexec/slapd -F etc/slapd.d
To start it in debug mode instead (runs in the foreground at debug level 1):
sudo ./libexec/slapd -d 1 -F etc/slapd.d/
To check that the server is running and configured correctly, run a search against it with ldapsearch(1):
./bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
Add initial entries to your directory.
Use your favorite editor and create an LDIF file that contains:
dn: dc=mingjue,dc=com
objectclass: dcObject
objectclass: organization
o: mingjue company
dc: mingjue

dn: cn=Manager,dc=mingjue,dc=com
objectclass: organizationalRole
cn: Manager
Now, you may run ldapadd(1) to insert these entries into your directory.
./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f init.ldif
See if it works:
./bin/ldapsearch -x -b 'dc=mingjue,dc=com' '(objectclass=*)'
Add extra schema (cosine and inetOrgPerson are needed for the inetOrgPerson user entries below)
vi /home/mingjue/openldap2446/etc/openldap/slapd.conf
# add the following lines
include /home/mingjue/openldap2446/etc/openldap/schema/cosine.schema
include /home/mingjue/openldap2446/etc/openldap/schema/inetorgperson.schema
Restart slapd.
Note that slapd started with -F alone reads only the slapd.d configuration directory and ignores slapd.conf, so with the cn=config setup above the schema must also be present in cn=config; the same schema directory ships cosine.ldif and inetorgperson.ldif for that purpose.
Add nifi account
vi user.ldif
# LDAP default admin user
dn: cn=admin,dc=mingjue,dc=com
objectclass: top
objectclass: person
cn: admin
sn: admin
userPassword: Mingjueinfo2015

# entry for the user container
dn: ou=people,dc=mingjue,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people

# entry for the NiFi user
# the uid value must match the RDN in the dn, otherwise slapd rejects the add with a naming violation
dn: uid=mjdev,ou=people,dc=mingjue,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: User
sn: User
uid: mjdev
userPassword: Mingjueinfo2015
./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f user.ldif
Configure NiFi
Generate the keystore
keytool -genkey -keyalg RSA -alias nifi -keystore keystore.jks -keypass [password] -storepass [password] -validity 365 -keysize 4096 -dname "CN=[hostname], OU=nifi"
Generate the PKCS12 client file and the corresponding truststore
https://www.jianshu.com/p/393724f02dd5
keytool -genkey -keyalg RSA -alias client -keystore client_keystore.jks -keypass password -storepass password -validity 365 -keysize 4096 -dname "CN=user, OU=nifi"
keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass [client_password] -destkeypass [client_password] -srcalias client -destalias client
keytool -export -keystore client_keystore.jks -alias client -file client.der -storepass password
keytool -import -file client.der -alias client -keystore truststore.jks -storepass [truststore_password] -noprompt
wget https://archive.apache.org/dist/nifi/1.8.0/nifi-toolkit-1.8.0-bin.tar.gz
bin/tls-toolkit.sh standalone -n "172.31.2.171" -C "CN=admin, OU=admin" -o target
vi nifi.properties
nifi.web.http.port: remove the original 8080 so the line becomes nifi.web.http.port=, which prevents users from accessing NiFi over the unencrypted HTTP port
nifi.web.https.host: set to the host name of the machine running NiFi, for example host-01
nifi.web.https.port: we use 8443 as the HTTPS port
nifi.security.keystore: path to the keystore, for example /opt/nifi/secrets/keystore.jks
nifi.security.keystoreType: set to JKS
nifi.security.keystorePasswd: the keystore password
nifi.security.truststore: path to the truststore, for example /opt/nifi/secrets/truststore.jks
nifi.security.truststoreType: set to JKS
nifi.security.truststorePasswd: the truststore password
nifi.remote.input.secure: set to true so that Site-to-Site communication between NiFi instances is also encrypted
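The property list above is easy to get partly wrong (an HTTP port left at 8080 keeps a plaintext listener alive even after HTTPS is configured). The following is an added example, not code from the original note or from Apache NiFi: a small checker that parses a nifi.properties text and reports every setting that deviates from the list above. The two property fragments are constructed; the "before" one mirrors the NiFi defaults, the "after" one uses the host, port and path values from the list, with a placeholder password.

```python
from typing import Dict, List

# Added example (not part of the original note or of NiFi): check a
# nifi.properties text against the hardening settings listed above.

# Keys that must hold exactly this value.
REQUIRED_VALUES = {
    "nifi.web.http.port": "",            # empty: no plaintext HTTP listener
    "nifi.security.keystoreType": "JKS",
    "nifi.security.truststoreType": "JKS",
    "nifi.remote.input.secure": "true",  # encrypted Site-to-Site
}

# Keys that only need to be non-empty (values are deployment specific).
REQUIRED_NONEMPTY = [
    "nifi.web.https.host",
    "nifi.web.https.port",
    "nifi.security.keystore",
    "nifi.security.keystorePasswd",
    "nifi.security.truststore",
    "nifi.security.truststorePasswd",
]


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key=value' lines; blank lines and '#'/'!' comments are skipped.

    nifi.properties uses '=' as the separator, so ':' is not treated as one.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_nifi_properties(text: str) -> List[str]:
    """Return one finding per setting that does not match the list above."""
    props = parse_properties(text)
    findings: List[str] = []
    for key, expected in REQUIRED_VALUES.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"{key}: missing (expected '{expected}')")
        elif actual != expected:
            findings.append(f"{key}: is '{actual}', expected '{expected}'")
    for key in REQUIRED_NONEMPTY:
        if not props.get(key):
            findings.append(f"{key}: must be set")
    return findings


# Constructed fragment mirroring the NiFi defaults (plaintext HTTP on 8080).
BEFORE = """nifi.web.http.port=8080
nifi.web.https.host=
nifi.web.https.port=
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.remote.input.secure=false
"""

# Constructed fragment with the values from the list above; the passwords
# are placeholders.
AFTER = """# hardened settings
nifi.web.http.port=
nifi.web.https.host=host-01
nifi.web.https.port=8443
nifi.security.keystore=/opt/nifi/secrets/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=KEYSTORE_PASSWORD_PLACEHOLDER
nifi.security.truststore=/opt/nifi/secrets/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=TRUSTSTORE_PASSWORD_PLACEHOLDER
nifi.remote.input.secure=true
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_nifi_properties(text) or "OK")
```

Run it against the real file with `check_nifi_properties(open("nifi.properties").read())`; an empty list means every setting from the list above is in place.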