http,web,Authentication

Using FreeIPA for GitLab authentication

System environment

  • GitLab: gitlab-ce_11.10.7-ce.0_amd64.deb
  • FreeIPA: VERSION: 4.6.90.pre1+git20180411, API_VERSION: 2.229
  • OS: Ubuntu 18.04

Pre-installation preparation

Configure the hostname

Run this step on both nodes, each with its own name.

  • Set the hostname
$ sudo hostnamectl set-hostname ipa.ccav.com  #ipa server
$ sudo hostnamectl set-hostname gitlab.ccav.com  #gitlab server
  • Configure name resolution
$ echo "172.20.0.5 ipa.ccav.com" | sudo tee -a /etc/hosts
$ echo "172.20.0.6 gitlab.ccav.com" | sudo tee -a /etc/hosts

Install and configure rng-tools

  A FreeIPA server performs a large number of cryptographic operations at runtime, so the VM must be able to keep up with them (in practice, supply enough randomness) so that FreeIPA's cryptographic operations do not stall; rng-tools can be installed and configured for this.

$ sudo apt update
$ sudo apt install rng-tools

  After installation, edit /etc/default/rng-tools and add the line HRNGDEVICE=/dev/urandom to set /dev/urandom as the source of random data. Note that this feeds the kernel's own output back into its pool, which keeps the entropy estimate high without adding real entropy; a hardware RNG or a virtio-rng device is preferable where available.

$ sudo vim  /etc/default/rng-tools
...
# for the viapadlock and tpm drivers.
#HRNGDEVICE=/dev/hwrng
#HRNGDEVICE=/dev/null
HRNGDEVICE=/dev/urandom
...
  • Enable and start rng-tools
$ sudo systemctl enable --now rng-tools

At this point the server meets the basic requirements and FreeIPA can be installed.

Install FreeIPA

  • Run the following command to install the FreeIPA packages:
$ sudo apt -y install freeipa-server

  During installation you will be prompted for the Kerberos realm, the hostname of the Kerberos server, and the hostname of the Kerberos administrative server: enter CCAV.COM, ipa.ccav.com and ipa.ccav.com respectively. Errors related to Kerberos and tomcat may appear during this step; they can safely be ignored. Once the packages are installed, run the FreeIPA installer, which prompts for a number of configuration options and sets up FreeIPA:

$ sudo ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: master.example.com.


Server host name [ipa.ccav.com]: ipa.ccav.com

The domain name has been determined based on the host name.

Please confirm the domain name [ccav.com]: ccav.com

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [CCAV.COM]: CCAV.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):


The IPA Master Server will be configured with:
Hostname:       ipa.ccav.com
IP address(es): 172.20.0.5
Domain name:    ccav.com
Realm name:     CCAV.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=CCAV.COM
Subject base: O=CCAV.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
...
==============================================================================
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
  • Configure the firewall
$ sudo ufw enable
$ for i in 22 80 443 389 636 88 464; do sudo ufw allow proto tcp from any to any port $i; done
$ for i in 88 464 123; do sudo ufw allow proto udp from any to any port $i; done

Log in to FreeIPA

  Now that the ports are open in the firewall, verify the FreeIPA server by obtaining a Kerberos ticket for the admin user. The admin account was created for routine administrative work; when prompted for a password, use the one set for the admin user during the configuration step:

$ kinit admin
Password for admin@CCAV.COM:
  • Check Kerberos:
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@CCAV.COM

Valid starting       Expires              Service principal
09/21/2019 00:41:06  09/22/2019 00:41:03  krbtgt/CCAV.COM@CCAV.COM
  • Check whether the user admin exists on the FreeIPA server:
$ ipa user-find admin
--------------
1 user matched
--------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@CCAV.COM
  UID: 1404200000
  GID: 1404200000
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------

  Any IPA task can now be performed from the web dashboard as well as from the command line. To log in to the web dashboard, open https://ipa.ccav.com (the name must resolve); the web login user is admin, with the password provided for the admin user during the configuration step.

Create the gitlab_user group

If you prefer, these operations can also be completed through the web dashboard.

  • Create the gitlab_user group
$ ipa group-add --desc='DevOps' gitlab_user
  • Create the users
$ ipa user-add gitlab --first=Git --last=Lab --password
$ ipa user-add jenkins --first=CI --last=CD --email=master@s4lm0x.com  --shell=/bin/bash --password
  • Add the users to the group
$ ipa group-add-member --users=gitlab,jenkins gitlab_user

  FreeIPA is now installed and initialised; next, install and configure GitLab.

Install GitLab

  • Install

Either of the following two methods works. Download the package and install it directly (wget --content-disposition saves it under the name the server supplies, gitlab-ce_11.10.7-ce.0_amd64.deb):

$ wget --content-disposition https://packages.gitlab.com/gitlab/gitlab-ce/packages/ubuntu/bionic/gitlab-ce_11.10.7-ce.0_amd64.deb/download.deb
$ sudo dpkg -i gitlab-ce_11.10.7-ce.0_amd64.deb

Or add the GitLab package repository and install the pinned version:

$ curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
$ sudo apt install gitlab-ce=11.10.7-ce.0
  • Configure

This uses the gitlab_user group created earlier.

$ sudo vim /etc/gitlab/gitlab.rb
...
external_url 'http://gitlab.ccav.com'
...
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'ipa.ccav.com'
    port: 389
    uid: 'uid'
    # Account GitLab binds as to search the tree. The FreeIPA admin is used here;
    # a dedicated read-only system account is the least-privilege choice.
    bind_dn: 'uid=admin,cn=users,cn=accounts,dc=ccav,dc=com'
    password: 'manunkind'
    # 'plain' sends the bind password and every user's credentials unencrypted
    # on 389; FreeIPA also serves LDAPS on 636 (encryption: 'simple_tls', port: 636).
    encryption: 'plain'
    # FreeIPA is not Active Directory; GitLab documents this flag for AD servers only.
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'cn=users,cn=accounts,dc=ccav,dc=com'
    # Only members of the gitlab_user group created above are allowed to sign in.
    user_filter: '(memberOf=cn=gitlab_user,cn=groups,cn=accounts,dc=ccav,dc=com)'
EOS
...
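As an added example (not from the original post and not GitLab's own code), the following Python reproduces the lookup GitLab performs for a login against the tree configured above: the uid attribute ANDed with user_filter, with the login name escaped per RFC 4515, evaluated offline against constructed directory entries. The DNs come from the configuration; the entries, the toy filter evaluator and the user "intern" (a member of FreeIPA's default ipausers group only) are constructed for illustration.

```python
import re
from typing import Optional

# Values taken from the gitlab.rb block above.
BASE_DN = "cn=users,cn=accounts,dc=ccav,dc=com"
GROUP_DN = "cn=gitlab_user,cn=groups,cn=accounts,dc=ccav,dc=com"
UID_ATTR = "uid"
USER_FILTER = f"(memberOf={GROUP_DN})"

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, so a login name can never alter the structure of the filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a login name before embedding it in a search filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 \\XX escapes (used by the toy evaluator below)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def login_filter(login: str) -> str:
    """Filter GitLab sends to FreeIPA: uid match ANDed with user_filter."""
    return f"(&({UID_ATTR}={escape_filter_value(login)}){USER_FILTER})"

_ITEM = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")

def matches(entry: dict, filt: str) -> bool:
    """Toy evaluator for the (&(a=v)(b=v)...) shape built by login_filter."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&...) filters are supported here")
    attrs = {k.lower(): v for k, v in entry.items()}  # LDAP attribute names are case-insensitive
    return all(unescape_filter_value(raw) in attrs.get(name.lower(), [])
               for name, raw in _ITEM.findall(filt[2:-1]))

# Constructed entries standing in for FreeIPA users; FreeIPA's memberOf plugin
# writes each group's DN onto its members. "intern" was never added to gitlab_user.
DIRECTORY = [
    {"dn": f"uid=gitlab,{BASE_DN}", "uid": ["gitlab"], "memberOf": [GROUP_DN]},
    {"dn": f"uid=jenkins,{BASE_DN}", "uid": ["jenkins"], "memberOf": [GROUP_DN]},
    {"dn": f"uid=intern,{BASE_DN}", "uid": ["intern"],
     "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=ccav,dc=com"]},
]

def allowed_dn(login: str) -> Optional[str]:
    """DN GitLab would bind as for this login; None when no single entry matches."""
    hits = [e["dn"] for e in DIRECTORY if matches(e, login_filter(login))]
    return hits[0] if len(hits) == 1 else None
```

A login containing filter metacharacters such as "*" is escaped to a literal value and therefore matches no entry, which is what GitLab's own escaping guarantees.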
  • Reload the new configuration
$ gitlab-ctl reconfigure
  • Check that the user list can be retrieved

Seeing the users in the gitlab_user group is enough.

$ gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
    DN: uid=s4lm0x,cn=users,cn=accounts,dc=ccav,dc=com     uid: s4lm0x
    DN: uid=gitlab,cn=users,cn=accounts,dc=ccav,dc=com     uid: gitlab
    DN: uid=gitlab1,cn=users,cn=accounts,dc=ccav,dc=com     uid: gitlab1

Checking LDAP ... Finished
  • Restart GitLab
$ gitlab-ctl restart

  After a successful restart the login page appears, and an account from the gitlab_user group created earlier can be used to log in to GitLab.
