Nifi+OpenLDAP安装配置

# Build openLDAP
You can obtain a copy of the software by following the instructions on the OpenLDAP Software download page (http://www.openldap.org/software/download/). It is recommended that new users start with the latest release. 
 
    gunzip -c openldap-VERSION.tgz | tar xvfB -
    
    ./configure --prefix=/home/mingjue/openldap2446 
    make depend 
    make
    make install
    make test
    
    mkdir /home/mingjue/openldap2446/openldap-data

#Edit the configuration file.

Use your favorite editor to edit the provided slapd.ldif example (usually installed as /home/mingjue/openldap2446/etc/openldap/slapd.ldif) to contain a MDB database definition of the form:

dn: olcDatabase=mdb,cn=config 
    objectClass: olcDatabaseConfig 
    objectClass: olcMdbConfig 
    olcDatabase: mdb 
    OlcDbMaxSize: 1073741824 
    olcSuffix: dc=mingjue,dc=com
    olcRootDN: cn=Manager,dc=mingjue,dc=com 
    olcRootPW: secret 
    olcDbDirectory: /home/mingjue/openldap2446/openldap-data 
    olcDbIndex: objectClass eq
    
#Import the configuration database

You are now ready to import your configration database for use by slapd(8), by running the command:

./sbin/slapadd -n 0 -F ./etc/slapd.d -l ./etc/openldap/slapd.ldif
    
#Start SLAPD.

You are now ready to start the Standalone LDAP Daemon, slapd(8), by running the command:

sudo ./libexec/slapd -F etc/slapd.d
    
start with debug mode

sudo ./libexec/slapd -d 1 -F etc/slapd.d/
    
check to see if the server is running and configured correctly, you can run a search against it with ldapsearch(1).

./bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

#Add initial entries to your directory.

Use your favorite editor and create an LDIF file that contains:

dn: dc=mingjue,dc=com
    objectclass: dcObject
    objectclass: organization
    o: mingjue company
    dc: mingjue
    
    dn: cn=Manager,dc=mingjue,dc=com
    objectclass: organizationalRole
    cn: Manager
    
Now, you may run ldapadd(1) to insert these entries into your directory.

./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f init.ldif

See if it works.

./bin/ldapsearch -x -b 'dc=mingjue,dc=com' '(objectclass=*)'

#Add extra schema

vi /home/mingjue/openldap2446/etc/openldap/slapd.conf
    #add
    include         /home/mingjue/openldap2446/etc/openldap/schema/cosine.schema
    include         /home/mingjue/openldap2446/etc/openldap/schema/inetorgperson.schema
    
    restart openldap

#Add nifi account

vi user.ldif
    
    # LDAP default admin user
    dn: cn=admin,dc=mingjue,dc=com
    objectclass:top
    objectclass:person
    cn: admin
    sn: admin
    userPassword:Mingjueinfo2015
    
    # entry for the user container
    dn: ou=people,dc=mingjue,dc=com
    objectclass:top
    objectclass:organizationalUnit
    ou: people
    
    # entry for Nifi user
    dn:uid=mjdev,ou=people,dc=mingjue,dc=com
    objectclass:top
    objectclass:person
    objectclass:organizationalPerson
    objectclass:inetOrgPerson
    cn:User
    sn:User
    uid:user
    userPassword:Mingjueinfo2015
    
    
    ./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f user.ldif
    
#configure nifi

生成Keystore

keytool -genkey -keyalg RSA -alias nifi -keystore keystore.jks -keypass [password] -storepass [password] -validity 365 -keysize 4096 -dname "CN=[hostname], OU=nifi"

生成PKCS12文件以及对应的Truststore

https://www.jianshu.com/p/393724f02dd5

keytool -genkey -keyalg RSA -alias client -keystore client_keystore.jks -keypass password -storepass password -validity 365 -keysize 4096 -dname "CN=user, OU=nifi"

keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass [client_password] -destkeypass [client_password] -srcalias client -destalias client

keytool -export -keystore client_keystore.jks -alias client -file client.der -storepass password
    
    keytool -import -file client.der -alias client -keystore truststore.jks -storepass [truststore_password] -noprompt

wget https://archive.apache.org/dist/nifi/1.8.0/nifi-toolkit-1.8.0-bin.tar.gz
    bin/tls-toolkit.sh standalone -n "172.31.2.171" -C "CN=admin, OU=admin" -o target
    
    vi nifi.properties
    
    nifi.web.http.port：去除原来的8080，使该行变为nifi.web.http.port=，防止用户从非加密的http端口访问
    nifi.web.https.host：设为运行Nifi的主机名字，例如host-01
    nifi.web.https.port：我们用8443作为https端口
    nifi.security.keystore：keystore的路径，例如/opt/nifi/secrets/keystore.jks
    nifi.security.keystoreType：设为JKS
    nifi.security.keystorePasswd：keystore的密码。
    nifi.security.truststore：truststore的路径，例如/opt/nifi/secrets/truststore.jks
    nifi.security.truststoreType：设为JKS
    nifi.security.truststorePasswd：truststore的密码。
    nifi.remote.input.secure：设为true，使得Nifi之间的Site-to-Site通信也用加密的方式。

Navigation

Recent Posts

Friend Links