LDAP 配置 (AEN 4.1.2)#

Anaconda Enterprise Notebooks 默认情况下会对 AEN 数据库中的账户进行本地认证。要将 AEN 配置为对 LDAP（轻量级目录访问协议）服务器中的账户进行认证，请按照以下说明操作。

有关配置AEN的更多信息，请参阅配置文件的文档。

安装OpenLDAP库¶

系统需要安装OpenLDAP库，并且Anaconda Enterprise Notebooks可以访问这些库。Anaconda Enterprise Notebooks使用OpenLDAP库来建立与您的LDAP服务器的LDAP连接。

CentOS/Red Hat¶

要在CentOS或Red Hat上安装openldap，请运行以下命令：

sudo yum install openldap

Ubuntu/Debian¶

要在Ubuntu或Debian上安装openldap，请遵循官方的 OpenLDAP安装说明： https://wiki.debian.org/LDAP/OpenLDAPSetup

OpenLDAP¶

接下来，编辑 /opt/wakari/wakari-server/etc/wakari/wk-server-config.json 文件。添加如下所示的LDAP设置：

{
    "accounts":"wk_server.plugins.accounts.ldap2",
    "LDAP" : {
        "URI": "ldap://openldap.EXAMPLE.COM",
        "BIND_DN": "cn=Bob Jones,ou=Users,DC=EXAMPLE,DC=COM",
        "BIND_AUTH": "secretpass",
        "USER_SEARCH": {"base": "DC=EXAMPLE,DC=COM",
                        "filter": "(| (& (ou=Payroll)
                                         (uid=%(username)s))
                                      (& (ou=Facilities)
                                         (uid=%(username)s)))"
                        },
        "KEY_MAP": {"email": "mail",
                    "name": "cn"
        }
    }
}

URI¶

The IP address or hostname of your OpenLDAP server. For SSL/TLS, use the ldaps:// prefix and specify a TLS_CACERT as described in the SSL/TLS configuration section below.

BIND_DN¶

The full directory path of the user you want AEN Server to bind as

BIND_AUTH¶

The password of the BIND_DN user

用户搜索¶

base: the level at which you want to start the search
filter: default is to search for the sAMAccountName attribute, and use its value for the AEN Server username field

键映射¶

Maps user attributes in AEN Server to LDAP user attributes (for example, the mail attribute in LDAP maps to the email attribute in AEN Server)

一旦安装了LDAP，LDAP认证就会接管，所以请再次添加您的管理员账户：

/opt/wakari/wakari-server/bin/wk-server-admin superuser --add "jsmith"

Active Directory¶

Microsoft Active Directory 是一个提供目录服务的服务器程序，它使用开放的行业标准轻量级目录访问协议（LDAP）。

要启用Active Directory支持：

编辑/opt/wakari/wakari-server/etc/wakari/wk-server-config.json文件。

添加LDAP设置如下所示：

{
    "accounts":"wk_server.plugins.accounts.ldap2",
    "LDAP" : {
        "URI": "ldap://<ad.EXAMPLE.COM>",
        "BIND_DN": "CN=Bind User,CN=Users,DC=EXAMPLE,DC=COM",
        "BIND_AUTH": "secretpass",
        "USER_SEARCH": {"base": "CN=Users,DC=EXAMPLE,DC=COM",
                        "filter": "sAMAccountName=%(username)s"
        },
        "KEY_MAP": {"email": "mail",
                    "name": "cn"
        }
    }
}

URI¶

The IP address or hostname of your Active Directory server. Replace <ad.EXAMPLE.COM> with the actual URI. For SSL/TLS, use the ldaps:// prefix and specify a TLS_CACERT as described in the SSL/TLS configuration section below.

BIND_DN¶

The full directory path of the user you want AEN Server to bind as.

绑定认证¶

The password of the BIND_DN user

用户搜索¶

base: the level at which you want to start the search
filter: default is to search for the sAMAccountName attribute, and use its value for the AEN Server username field

KEY_MAP¶

Maps user attributes in AEN Server to LDAP user attributes (for example, the mail attribute in LDAP maps to the email attribute in AEN Server)

一旦安装了LDAP，LDAP认证就会接管，所以请再次添加您的管理员账户：

/opt/wakari/wakari-server/bin/wk-server-admin superuser --add "jsmith"

SSL/TLS 配置¶

Anaconda Enterprise Notebooks 使用系统范围的 LDAP 设置，包括 SSL/TLS 支持。

On Red Hat/CentOS systems, these settings are located in /etc/openldap/ldap.conf
On Ubuntu/Debian systems, these settings are located in /etc/ldap/ldap.conf

通常，唯一需要的选项是：

TLS_CACERT /path/to/CA.cert

其中 CA.cert 是用于签署LDAP服务器SSL证书的证书颁发机构。在自签名SSL证书的情况下，这是SSL证书本身的路径。

使用Flask-LDAP检查进行测试配置¶

最后，使用 flask-ldap-login-check 命令测试 LDAP 配置：

/opt/wakari/wakari-server/bin/flask-ldap-login-check \
    wk_server.wsgi:app \
    -u [username] \
    -p [password]

其中 ``username`` 是有效用户的用户名，``password`` 是该用户的 BIND_AUTH 密码。