Nifi+OpenLDAP安装配置
2019-05-06 06:51:53    110    0    0
louyj

Build openLDAP

You can obtain a copy of the software by following the instructions on the OpenLDAP Software download page (http://www.openldap.org/software/download/). It is recommended that new users start with the latest release. 

  1. gunzip -c openldap-VERSION.tgz | tar xvfB -
  3. ./configure --prefix=/home/mingjue/openldap2446 
  4. make depend 
  5. make
  6. make install
  7. make test
  9. mkdir /home/mingjue/openldap2446/openldap-data

Edit the configuration file.

Use your favorite editor to edit the provided slapd.ldif example (usually installed as /home/mingjue/openldap2446/etc/openldap/slapd.ldif) to contain a MDB database definition of the form:

  1. dn: olcDatabase=mdb,cn=config 
  2. objectClass: olcDatabaseConfig 
  3. objectClass: olcMdbConfig 
  4. olcDatabase: mdb 
  5. OlcDbMaxSize: 1073741824 
  6. olcSuffix: dc=mingjue,dc=com
  7. olcRootDN: cn=Manager,dc=mingjue,dc=com 
  8. olcRootPW: secret 
  9. olcDbDirectory: /home/mingjue/openldap2446/openldap-data 
  10. olcDbIndex: objectClass eq

Import the configuration database

You are now ready to import your configration database for use by slapd(8), by running the command:

  1. ./sbin/slapadd -n 0 -F ./etc/slapd.d -l ./etc/openldap/slapd.ldif

Start SLAPD.

You are now ready to start the Standalone LDAP Daemon, slapd(8), by running the command:

  1. sudo ./libexec/slapd -F etc/slapd.d

start with debug mode

  1. sudo ./libexec/slapd -d 1 -F etc/slapd.d/

check to see if the server is running and configured correctly, you can run a search against it with ldapsearch(1).

  1. ./bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Add initial entries to your directory.

Use your favorite editor and create an LDIF file that contains:

  1. dn: dc=mingjue,dc=com
  2. objectclass: dcObject
  3. objectclass: organization
  4. o: mingjue company
  5. dc: mingjue
  7. dn: cn=Manager,dc=mingjue,dc=com
  8. objectclass: organizationalRole
  9. cn: Manager

Now, you may run ldapadd(1) to insert these entries into your directory.

  1. ./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f init.ldif

See if it works. 

  1. ./bin/ldapsearch -x -b 'dc=mingjue,dc=com' '(objectclass=*)'

Add extra schema

  1. vi /home/mingjue/openldap2446/etc/openldap/slapd.conf
  2. #add
  3. include         /home/mingjue/openldap2446/etc/openldap/schema/cosine.schema
  4. include         /home/mingjue/openldap2446/etc/openldap/schema/inetorgperson.schema
  6. restart openldap

Add nifi account

  1. vi user.ldif
  3. # LDAP default admin user
  4. dn: cn=admin,dc=mingjue,dc=com
  5. objectclass:top
  6. objectclass:person
  7. cn: admin
  8. sn: admin
  9. userPassword:Mingjueinfo2015
  11. # entry for the user container
  12. dn: ou=people,dc=mingjue,dc=com
  13. objectclass:top
  14. objectclass:organizationalUnit
  15. ou: people
  17. # entry for Nifi user
  18. dn:uid=mjdev,ou=people,dc=mingjue,dc=com
  19. objectclass:top
  20. objectclass:person
  21. objectclass:organizationalPerson
  22. objectclass:inetOrgPerson
  23. cn:User
  24. sn:User
  25. uid:user
  26. userPassword:Mingjueinfo2015
  29. ./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f user.ldif

configure nifi

生成Keystore

  1. keytool -genkey -keyalg RSA -alias nifi -keystore keystore.jks -keypass [password] -storepass [password] -validity 365 -keysize 4096 -dname "CN=[hostname], OU=nifi"

生成PKCS12文件以及对应的Truststore

https://www.jianshu.com/p/393724f02dd5

  1. keytool -genkey -keyalg RSA -alias client -keystore client_keystore.jks -keypass password -storepass password -validity 365 -keysize 4096 -dname "CN=user, OU=nifi"
  4. keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass [client_password] -destkeypass [client_password] -srcalias client -destalias client
  6. keytool -export -keystore client_keystore.jks -alias client -file client.der -storepass password
  8. keytool -import -file client.der -alias client -keystore truststore.jks -storepass [truststore_password] -noprompt
  11. wget https://archive.apache.org/dist/nifi/1.8.0/nifi-toolkit-1.8.0-bin.tar.gz
  12. bin/tls-toolkit.sh standalone -n "172.31.2.171" -C "CN=admin, OU=admin" -o target
  14. vi nifi.properties
  16. nifi.web.http.port:去除原来的8080,使该行变为nifi.web.http.port=,防止用户从非加密的http端口访问
  17. nifi.web.https.host:设为运行Nifi的主机名字,例如host-01
  18. nifi.web.https.port:我们用8443作为https端口
  19. nifi.security.keystorekeystore的路径,例如/opt/nifi/secrets/keystore.jks
  20. nifi.security.keystoreType:设为JKS
  21. nifi.security.keystorePasswdkeystore的密码。
  22. nifi.security.truststoretruststore的路径,例如/opt/nifi/secrets/truststore.jks
  23. nifi.security.truststoreType:设为JKS
  24. nifi.security.truststorePasswdtruststore的密码。
  25. nifi.remote.input.secure:设为true,使得Nifi之间的Site-to-Site通信也用加密的方式。

Pre: Flink kubernates部署

Next: kubernetes部署

110
Sign in to leave a comment.
No Leanote account? Sign up now.
0 comments
Proudly powered by Leanote
Table of content