NiFi + OpenLDAP installation and configuration
2019-05-06 06:51:53
louyj

Build OpenLDAP

You can obtain a copy of the software by following the instructions on the OpenLDAP Software download page (http://www.openldap.org/software/download/). It is recommended that new users start with the latest release.

  gunzip -c openldap-VERSION.tgz | tar xvfB -
  ./configure --prefix=/home/mingjue/openldap2446
  make depend
  make
  make install
  make test
  mkdir /home/mingjue/openldap2446/openldap-data

Edit the configuration file.

Use your favorite editor to edit the provided slapd.ldif example (usually installed as /home/mingjue/openldap2446/etc/openldap/slapd.ldif) so that it contains an MDB database definition of the form:

  dn: olcDatabase=mdb,cn=config
  objectClass: olcDatabaseConfig
  objectClass: olcMdbConfig
  olcDatabase: mdb
  olcDbMaxSize: 1073741824
  olcSuffix: dc=mingjue,dc=com
  olcRootDN: cn=Manager,dc=mingjue,dc=com
  olcRootPW: secret
  olcDbDirectory: /home/mingjue/openldap2446/openldap-data
  olcDbIndex: objectClass eq

Import the configuration database

You are now ready to import your configuration database for use by slapd(8), by running the command:

  ./sbin/slapadd -n 0 -F ./etc/slapd.d -l ./etc/openldap/slapd.ldif

Start SLAPD.

You are now ready to start the Standalone LDAP Daemon, slapd(8), by running the command:

  sudo ./libexec/slapd -F etc/slapd.d

Start in debug mode:

  sudo ./libexec/slapd -d 1 -F etc/slapd.d/

To check that the server is running and configured correctly, run a search against it with ldapsearch(1):

  ./bin/ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts

Add initial entries to your directory.

Use your favorite editor and create an LDIF file that contains:

  dn: dc=mingjue,dc=com
  objectclass: dcObject
  objectclass: organization
  o: mingjue company
  dc: mingjue

  dn: cn=Manager,dc=mingjue,dc=com
  objectclass: organizationalRole
  cn: Manager

Now, you may run ldapadd(1) to insert these entries into your directory.

  ./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f init.ldif

See if it works.

  ./bin/ldapsearch -x -b 'dc=mingjue,dc=com' '(objectclass=*)'

Add extra schema

  vi /home/mingjue/openldap2446/etc/openldap/slapd.conf
  # add
  include /home/mingjue/openldap2446/etc/openldap/schema/cosine.schema
  include /home/mingjue/openldap2446/etc/openldap/schema/inetorgperson.schema
  restart openldap

Note that slapd(8) started with -F reads the slapd.d directory and ignores slapd.conf; with the cn=config setup used above, the same schema are loaded by adding their .ldif versions (cosine.ldif and inetorgperson.ldif from the same schema directory) to the configuration database. inetOrgPerson depends on cosine, so cosine must be loaded first.

Add the NiFi account

  vi user.ldif

  # LDAP default admin user
  dn: cn=admin,dc=mingjue,dc=com
  objectclass: top
  objectclass: person
  cn: admin
  sn: admin
  userPassword: Mingjueinfo2015

  # entry for the user container
  dn: ou=people,dc=mingjue,dc=com
  objectclass: top
  objectclass: organizationalUnit
  ou: people

  # entry for the NiFi user
  dn: uid=mjdev,ou=people,dc=mingjue,dc=com
  objectclass: top
  objectclass: person
  objectclass: organizationalPerson
  objectclass: inetOrgPerson
  cn: User
  sn: User
  # the uid value must match the RDN in the dn line above, otherwise slapd rejects the add
  uid: mjdev
  userPassword: Mingjueinfo2015

Then add the entries:

  ./bin/ldapadd -x -D "cn=Manager,dc=mingjue,dc=com" -W -f user.ldif
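The LDIF files above (slapd.ldif, init.ldif and user.ldif) are easy to get subtly wrong in ways that only show up as an ldapadd(1) error or as a weak directory. The checker below is an added example, not code from the original post or from OpenLDAP: it parses the LDIF subset these files use ('attr: value' lines, '#' comments, folded lines, entries separated by an empty line; base64 and URL values are rejected) and reports an RDN value that is missing from the entry's own attributes (slapd refuses such an add with a namingViolation), a userPassword without a {SCHEME} prefix, i.e. stored in cleartext, and an entry that is not preceded by an empty line. The sample LDIF is constructed from user.ldif with uid: user left as in the original so the naming check fires; the {SSHA} value is a placeholder, not a real hash.

```python
"""Added example: a small checker for the LDIF entries used in this setup."""
import re

# Leading "attr=value" component of a DN (escaped commas are not handled).
RDN_RE = re.compile(r"^\s*([A-Za-z][\w.;-]*)\s*=\s*([^,]*)")

# Constructed sample based on user.ldif above. 'uid: user' does not match the
# RDN uid=mjdev on purpose; the {SSHA} value is a placeholder, not a real hash.
SAMPLE_LDIF = """\
# LDAP default admin user
dn: cn=admin,dc=mingjue,dc=com
objectclass: top
objectclass: person
cn: admin
sn: admin
userPassword: Mingjueinfo2015

# entry for the user container
dn: ou=people,dc=mingjue,dc=com
objectclass: top
objectclass: organizationalUnit
ou: people

# entry for the NiFi user
dn: uid=mjdev,ou=people,dc=mingjue,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: User
sn: User
uid: user
userPassword: {SSHA}placeholder-hash-value
"""


def parse_ldif(text):
    """Return a list of {'dn', 'attrs': {name_lower: [values]}, 'separated'} dicts.
    'separated' is True when the entry followed an empty line (or started the file)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current, separated = [], None, True
    for line in unfolded:
        if not line.strip():                        # empty line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            separated = True
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value[:1] in (":", "<"):
            raise ValueError("base64/URL values are not supported: %r" % line)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            if current is not None:                 # dn without an empty line before it
                entries.append(current)
            current = {"dn": value, "attrs": {}, "separated": separated}
            separated = False
        elif current is None:
            raise ValueError("attribute line outside an entry: %r" % line)
        else:
            current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_entries(entries):
    """Return a list of (dn, message) findings."""
    findings = []
    for entry in entries:
        dn, attrs = entry["dn"], entry["attrs"]
        if not entry["separated"]:
            findings.append((dn, "no empty line before this entry; ldapadd(1) needs one between entries"))
        match = RDN_RE.match(dn)
        if not match:
            findings.append((dn, "cannot parse the RDN"))
            continue
        rdn_attr, rdn_value = match.group(1).lower(), match.group(2).strip().lower()
        present = [v.lower() for v in attrs.get(rdn_attr, [])]
        if rdn_value not in present:                # slapd: namingViolation
            findings.append((dn, "naming violation: RDN says %s=%s but the entry's %s values are %s"
                             % (rdn_attr, rdn_value, rdn_attr, present or "absent")))
        for pw in attrs.get("userpassword", []):    # cleartext = no {SCHEME} prefix
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):
                findings.append((dn, "userPassword is cleartext; store the {SSHA} value from slappasswd(8)"))
    return findings


if __name__ == "__main__":
    for dn, msg in check_entries(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s" % (dn, msg))
```

Run against the sample it reports two findings: the admin entry's cleartext password and the mjdev entry's RDN/uid mismatch. Changing uid: user to uid: mjdev removes the second one, which is exactly the fix slapd would otherwise force with a namingViolation at add time.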

Configure NiFi

Generate the keystore

  keytool -genkey -keyalg RSA -alias nifi -keystore keystore.jks -keypass [password] -storepass [password] -validity 365 -keysize 4096 -dname "CN=[hostname], OU=nifi"

Generate the PKCS12 file and the corresponding truststore

https://www.jianshu.com/p/393724f02dd5

  keytool -genkey -keyalg RSA -alias client -keystore client_keystore.jks -keypass password -storepass password -validity 365 -keysize 4096 -dname "CN=user, OU=nifi"
  keytool -importkeystore -srckeystore client_keystore.jks -destkeystore client.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass [client_password] -destkeypass [client_password] -srcalias client -destalias client
  keytool -export -keystore client_keystore.jks -alias client -file client.der -storepass password
  keytool -import -file client.der -alias client -keystore truststore.jks -storepass [truststore_password] -noprompt

With the NiFi toolkit:

  wget https://archive.apache.org/dist/nifi/1.8.0/nifi-toolkit-1.8.0-bin.tar.gz
  bin/tls-toolkit.sh standalone -n "172.31.2.171" -C "CN=admin, OU=admin" -o target

Edit nifi.properties:

  vi nifi.properties

  nifi.web.http.port: remove the original 8080 so that the line reads nifi.web.http.port= ; this stops users from reaching NiFi over the unencrypted HTTP port
  nifi.web.https.host: set to the hostname of the machine running NiFi, for example host-01
  nifi.web.https.port: we use 8443 as the HTTPS port
  nifi.security.keystore: path to the keystore, for example /opt/nifi/secrets/keystore.jks
  nifi.security.keystoreType: set to JKS
  nifi.security.keystorePasswd: the keystore password
  nifi.security.truststore: path to the truststore, for example /opt/nifi/secrets/truststore.jks
  nifi.security.truststoreType: set to JKS
  nifi.security.truststorePasswd: the truststore password
  nifi.remote.input.secure: set to true so that Site-to-Site communication between NiFi instances is encrypted as well
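A quick way to confirm that the nifi.properties edits listed above actually took effect before starting NiFi is to read the file back and check each setting. The script below is an added example, not part of the original post or of Apache NiFi: it parses a Java .properties file (key=value, '#'/'!' comments, no line continuations) and reports every setting that would leave the plain-HTTP listener open, leave the keystore or truststore unconfigured, or leave Site-to-Site traffic unencrypted. BEFORE and AFTER are constructed samples of the relevant keys before and after the edits; the paths and password strings in them are placeholders. It accepts PKCS12 as well as JKS for the store type, which goes slightly beyond the text, where JKS is used.

```python
"""Added example: check the TLS-related settings in nifi.properties."""

# Constructed sample: the relevant keys as they look before editing
# (HTTP listener enabled, no keystore/truststore material).
BEFORE = """\
nifi.web.http.host=
nifi.web.http.port=8080
nifi.web.https.host=
nifi.web.https.port=
nifi.security.keystore=
nifi.security.keystoreType=
nifi.security.keystorePasswd=
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
nifi.remote.input.secure=false
"""

# Constructed sample: the same keys after the edits described in the text
# (passwords are placeholders).
AFTER = """\
nifi.web.http.host=
nifi.web.http.port=
nifi.web.https.host=host-01
nifi.web.https.port=8443
nifi.security.keystore=/opt/nifi/secrets/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=example-keystore-password
nifi.security.truststore=/opt/nifi/secrets/truststore.jks
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=example-truststore-password
nifi.remote.input.secure=true
"""


def parse_properties(text):
    """Parse 'key=value' lines (or 'key:value'); '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def check_nifi_tls(props):
    """Return a list of findings; an empty list means the settings match the text above."""
    get = lambda key: props.get(key, "")
    findings = []
    if get("nifi.web.http.port"):                   # must be cleared, not just changed
        findings.append("nifi.web.http.port=%s: plain-HTTP listener still enabled, clear the value"
                        % get("nifi.web.http.port"))
    if not get("nifi.web.https.host"):
        findings.append("nifi.web.https.host is empty: set it to the host running NiFi")
    if not get("nifi.web.https.port"):
        findings.append("nifi.web.https.port is empty: no HTTPS listener will be opened")
    for store in ("keystore", "truststore"):        # path, type and password must all be set
        if not get("nifi.security." + store):
            findings.append("nifi.security.%s is empty: no %s configured" % (store, store))
        if get("nifi.security.%sType" % store) not in ("JKS", "PKCS12"):
            findings.append("nifi.security.%sType must be JKS (or PKCS12)" % store)
        if not get("nifi.security.%sPasswd" % store):
            findings.append("nifi.security.%sPasswd is empty" % store)
    if get("nifi.remote.input.secure").lower() != "true":
        findings.append("nifi.remote.input.secure is not true: Site-to-Site traffic would be unencrypted")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print("%s: %d finding(s)" % (label, len(check_nifi_tls(parse_properties(text)))))
        for finding in check_nifi_tls(parse_properties(text)):
            print("  " + finding)
```

Point it at the real file with parse_properties(open("nifi.properties").read()); a non-empty result means NiFi would still come up with one of the weak settings the list above tells you to change.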
