简体中文版经机器翻译而成,仅供参考。如与英语版出现任何冲突,应以英语版为准。
将Astra配置为使用LDAP服务器
贡献者
建议更改
PDF
您需要选择LDAP服务器并将Astra配置为使用该服务器作为身份验证提供程序。配置任务包括以下步骤。每个步骤都包括一个REST API调用。
第1步:添加CA证书
执行以下REST API调用、将CA证书添加到Astra。
|
此步骤是可选的、只有当您希望Astra和LDAP通过使用LDAPS的安全通道进行通信时、才需要执行此步骤。 |
HTTP方法和端点
此REST API调用使用以下方法和端点。
| HTTP 方法 | 路径 |
|---|---|
发布 |
/accouns/{account_id}/core/v1/certificates |
curl 示例
curl --request POST \
--location "https://astra.example.com/accounts/$ACCOUNT_ID/core/v1/certificates" \
--include \
--header "Content-Type: application/astra-certificate+json" \
--header "Accept: */*" \
--header "Authorization: Bearer $API_TOKEN" \
--data @JSONinputJSON 输入示例
{
"type": "application/astra-certificate",
"version": "1.0",
"certUse": "rootCA",
"cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyVEN",
"isSelfSigned": "true"
}有关输入参数、请注意以下事项:
-
`cert`是一个JSON字符串、其中包含base64编码的PKCS-11格式证书(PEM编码)。
-
如果证书为自签名证书、则应将`isSelfSigned`设置为`true`。默认值为
false。
JSON 输出示例
{
"type": "application/astra-certificate",
"version": "1.0",
"id": "a5212e7e-402b-4cff-bba0-63f3c6505199",
"certUse": "rootCA",
"cert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMyVEN",
"cn": "adldap.example.com",
"expiryTimestamp": "2023-07-08T20:22:07Z",
"isSelfSigned": "true",
"trustState": "trusted",
"trustStateTransitions": [
{
"from": "untrusted",
"to": [
"trusted",
"expired"
]
},
{
"from": "trusted",
"to": [
"untrusted",
"expired"
]
},
{
"from": "expired",
"to": [
"untrusted",
"trusted"
]
}
],
"trustStateDesired": "trusted",
"trustStateDetails": [],
"metadata": {
"creationTimestamp": "2022-07-21T04:16:06Z",
"modificationTimestamp": "2022-07-21T04:16:06Z",
"createdBy": "8a02d2b8-a69d-4064-827f-36851b3e1e6e",
"modifiedBy": "8a02d2b8-a69d-4064-827f-36851b3e1e6e",
"labels": []
}
}
第2步:添加绑定凭据
执行以下REST API调用以添加绑定凭据。
HTTP方法和端点
此REST API调用使用以下方法和端点。
| HTTP 方法 | 路径 |
|---|---|
发布 |
/accouns/{account_id}/core/v1/credentials |
curl 示例
curl --request POST \
--location "https://astra.example.com/accounts/$ACCOUNT_ID/core/v1/credentials" \
--include \
--header "Content-Type: application/astra-certificate+json" \
--header "Accept: */*" \
--header "Authorization: Bearer $API_TOKEN" \
--data @JSONinputJSON 输入示例
{
"name": "ldapBindCredential",
"type": "application/astra-credential",
"version": "1.1",
"keyStore": {
"bindDn": "dWlkPWFkbWluLG91PXN5c3RlbQ==",
"password": "cGFzc3dvcmQ="
}
}有关输入参数、请注意以下事项:
-
`binddn`和`password`是LDAP管理员用户的base64编码绑定凭据、可连接和搜索LDAP目录。`binddn`是LDAP用户的电子邮件地址。
JSON 输出示例
{
"type": "application/astra-credential",
"version": "1.1",
"id": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"name": "ldapBindCredential",
"metadata": {
"creationTimestamp": "2022-07-21T06:53:11Z",
"modificationTimestamp": "2022-07-21T06:53:11Z",
"createdBy": "527329f2-662c-41c0-ada9-2f428f14c137"
}
}
请注意以下响应参数:
-
在后续工作流步骤中使用凭据的`id`。
第3步:检索LDAP设置的UUID
执行以下REST API调用以检索Astra控制中心附带的`Astra.account.ldap`设置的UUID。
|
|
以下cURL示例使用查询参数筛选设置收集。您可以改为删除此筛选器以获取所有设置、然后搜索`Astra.account.ldap`。 |
HTTP方法和端点
此REST API调用使用以下方法和端点。
| HTTP 方法 | 路径 |
|---|---|
获取 |
/accouns/{account_id}/core/v1/settings |
curl 示例
curl --request GET \
--location "https://astra.example.com/accounts/$ACCOUNT_ID/core/v1/settings?filter=name%20eq%20'astra.account.ldap'&include=name,id" \
--include \
--header "Accept: */*" \
--header "Authorization: Bearer $API_TOKEN" \JSON 输出示例
{
"items": [
["astra.account.ldap",
"12072b56-e939-45ec-974d-2dd83b7815df"
]
],
"metadata": {}
}
第4步:更新LDAP设置
执行以下REST API调用以更新LDAP设置并完成配置。使用上一个API调用中的`id`值作为以下URL路径中的`<setting_ID>`值。
|
|
您可以先对特定设置的GET请求进行问题描述 处理、以查看configSchema。此操作将提供有关配置中所需字段的详细信息。 |
HTTP方法和端点
此REST API调用使用以下方法和端点。
| HTTP 方法 | 路径 |
|---|---|
PUT |
/accouns/{account_id}/core/v1/settings/{setting_id} |
curl 示例
curl --request PUT \
--location "https://astra.example.com/accounts/$ACCOUNT_ID/core/v1/settings/<SETTING_ID>" \
--include \
--header "Content-Type: application/astra-setting+json" \
--header "Accept: */*" \
--header "Authorization: Bearer $API_TOKEN" \
--data @JSONinputJSON 输入示例
{
"type": "application/astra-setting",
"version": "1.0",
"desiredConfig": {
"connectionHost": "myldap.example.com",
"credentialId": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"groupBaseDN": "OU=groups,OU=astra,DC=example,DC=com",
"isEnabled": "true",
"port": 686,
"secureMode": "LDAPS",
"userBaseDN": "OU=users,OU=astra,DC=example,dc=com",
"userSearchFilter": "((objectClass=User))",
"vendor": "Active Directory"
}
}有关输入参数、请注意以下事项:
-
isenabled`应设置为`true、否则可能会发生错误。 -
`credentialId`是先前创建的绑定凭据的ID。
-
secureModeshould be set toLDAPorLDAPSbased on your configuration in the earlier stee. -
仅支持使用"Active Directory"作为供应商。
如果调用成功、则返回HTTP 204响应。
第5步:检索LDAP设置
您可以选择执行以下REST API调用来检索LDAP设置并确认更新。
HTTP方法和端点
此REST API调用使用以下方法和端点。
| HTTP 方法 | 路径 |
|---|---|
获取 |
/accouns/{account_id}/core/v1/settings/{setting_id} |
curl 示例
curl --request GET \
--location "'https://astra.example.com/accounts/$ACCOUNT_ID/core/v1/settings/<SETTING_ID>" \
--include \
--header "Accept: */*" \
--header "Authorization: Bearer $API_TOKEN"JSON 输出示例
{
"items": [
{
"type": "application/astra-setting",
"version": "1.0",
"metadata": {
"creationTimestamp": "2022-06-17T21:16:31Z",
"modificationTimestamp": "2022-07-21T07:12:20Z",
"labels": [],
"createdBy": "system",
"modifiedBy": "00000000-0000-0000-0000-000000000000"
},
"id": "12072b56-e939-45ec-974d-2dd83b7815df",
"name": "astra.account.ldap",
"desiredConfig": {
"connectionHost": "10.193.61.88",
"credentialId": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"groupBaseDN": "ou=groups,ou=astra,dc=example,dc=com",
"isEnabled": "true",
"port": 686,
"secureMode": "LDAPS",
"userBaseDN": "ou=users,ou=astra,dc=example,dc=com",
"userSearchFilter": "((objectClass=User))",
"vendor": "Active Directory"
},
"currentConfig": {
"connectionHost": "10.193.160.209",
"credentialId": "3bd9c8a7-f5a4-4c44-b778-90a85fc7d154",
"groupBaseDN": "ou=groups,ou=astra,dc=example,dc=com",
"isEnabled": "true",
"port": 686,
"secureMode": "LDAPS",
"userBaseDN": "ou=users,ou=astra,dc=example,dc=com",
"userSearchFilter": "((objectClass=User))",
"vendor": "Active Directory"
},
"configSchema": {
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "astra.account.ldap",
"type": "object",
"properties": {
"connectionHost": {
"type": "string",
"description": "The hostname or IP address of your LDAP server."
},
"credentialId": {
"type": "string",
"description": "The credential ID for LDAP account."
},
"groupBaseDN": {
"type": "string",
"description": "The base DN of the tree used to start the group search. The system searches the subtree from the specified location."
},
"groupSearchCustomFilter": {
"type": "string",
"description": "Type of search that controls the default group search filter used."
},
"isEnabled": {
"type": "string",
"description": "This property determines if this setting is enabled or not."
},
"port": {
"type": "integer",
"description": "The port on which the LDAP server is running."
},
"secureMode": {
"type": "string",
"description": "The secure mode LDAPS or LDAP."
},
"userBaseDN": {
"type": "string",
"description": "The base DN of the tree used to start the user search. The system searches the subtree from the specified location."
},
"userSearchFilter": {
"type": "string",
"description": "The filter used to search for users according a search criteria."
},
"vendor": {
"type": "string",
"description": "The LDAP provider you are using.",
"enum": ["Active Directory"]
}
},
"additionalProperties": false,
"required": [
"connectionHost",
"secureMode",
"credentialId",
"userBaseDN",
"userSearchFilter",
"groupBaseDN",
"vendor",
"isEnabled"
]
},
"state": "valid",
}
],
"metadata": {}
}
在响应中找到`state`字段、该字段将具有下表中的一个值。
| State | Description |
|---|---|
待定 |
配置过程仍处于活动状态、尚未完成。 |
valid |
已成功完成配置、并且响应中的`currentConfig`匹配`desiredConfig`。 |
error |
LDAP配置过程失败。 |