88 lines
2.7 KiB
Markdown
88 lines
2.7 KiB
Markdown
|
# 本機 OpenLDAP(k6 / dev)
|
|||
|
|
|
|||
|
|
與 `make k6-up` 一併啟動的測試用 LDAP 目錄。ZITADEL 透過 **LDAP IdP** 連到這台伺服器;Gateway 仍只走 OIDC(`provider=ldap` + `LdapIdPID`)。
|
|||
|
|
|
|||
|
|
## 啟動
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
make k6-up # 含 openldap
|
|||
|
|
make k6-wait # 等 OpenLDAP seed + ZITADEL ready
|
|||
|
|
make ldap-test # 確認 alice / bob 可查
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
`make k6-wait` 會自動執行 `ldap-seed`,把 [bootstrap/10-people.ldif](bootstrap/10-people.ldif) 寫入目錄(可重複執行)。
|
|||
|
|
|
|||
|
|
## 連線資訊
|
|||
|
|
|
|||
|
|
| 項目 | 值 |
|
|||
|
|
|------|-----|
|
|||
|
|
| 主機(本機) | `localhost:389` |
|
|||
|
|
| 主機(ZITADEL 容器內) | `openldap:389` |
|
|||
|
|
| Base DN | `dc=gateway,dc=local` |
|
|||
|
|
| Bind DN | `cn=admin,dc=gateway,dc=local` |
|
|||
|
|
| Bind 密碼 | `admin` |
|
|||
|
|
| Users OU | `ou=people,dc=gateway,dc=local` |
|
|||
|
|
|
|||
|
|
## 測試帳號
|
|||
|
|
|
|||
|
|
| uid | 密碼 | Email |
|
|||
|
|
|-----|------|-------|
|
|||
|
|
| `alice` | `Password1!` | alice@gateway.local |
|
|||
|
|
| `bob` | `Password1!` | bob@gateway.local |
|
|||
|
|
|
|||
|
|
登入 ZITADEL LDAP IdP 時,使用者名稱通常填 **uid**(例如 `alice`),不是 email。
|
|||
|
|
|
|||
|
|
## 在 ZITADEL Console 建立 LDAP IdP
|
|||
|
|
|
|||
|
|
1. 開啟 http://localhost:8080/ui/console(admin:`zitadel-admin@zitadel.localhost` / `Password1!`)
|
|||
|
|
2. **Settings → Identity Providers → New → LDAP**(Generic LDAP)
|
|||
|
|
3. 建議欄位(名稱可自訂):
|
|||
|
|
|
|||
|
|
| 欄位 | 建議值 |
|
|||
|
|
|------|--------|
|
|||
|
|
| Servers | `ldap://openldap:389` |
|
|||
|
|
| StartTLS | 關閉 |
|
|||
|
|
| Bind DN / Username | `cn=admin,dc=gateway,dc=local` |
|
|||
|
|
| Bind password | `admin` |
|
|||
|
|
| User base DN | `ou=people,dc=gateway,dc=local` |
|
|||
|
|
| User object class | `inetOrgPerson` |
|
|||
|
|
| User unique attribute | `uid` |
|
|||
|
|
| User filters / Login filter | `(&(objectClass=inetOrgPerson)(uid=%s))` 或 `(uid=%s)` |
|
|||
|
|
| Email attribute | `mail` |
|
|||
|
|
| Display name attribute | `cn` |
|
|||
|
|
| Username attribute | `uid` |
|
|||
|
|
|
|||
|
|
4. 儲存後複製 **IdP ID**,寫入 Gateway:
|
|||
|
|
|
|||
|
|
```yaml
|
|||
|
|
# etc/gateway.k6.yaml 或 gateway.dev.yaml
|
|||
|
|
Zitadel:
|
|||
|
|
OAuthClientID: "<你的 OIDC app client id>"
|
|||
|
|
OAuthClientSecret: "<secret>"
|
|||
|
|
LdapIdPID: "<zitadel-ldap-idp-id>"
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
5. 重啟 Gateway,前端登入頁點 **使用 LDAP 登入**,以 `alice` / `Password1!` 測試。
|
|||
|
|
|
|||
|
|
## 本機 ldapsearch(選用)
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
make ldap-test
|
|||
|
|
|
|||
|
|
# 或手動(需本機 openldap 客戶端:brew install openldap)
|
|||
|
|
ldapsearch -x -H ldap://localhost:389 \
|
|||
|
|
-D "cn=admin,dc=gateway,dc=local" -w admin \
|
|||
|
|
-b "ou=people,dc=gateway,dc=local" "(uid=alice)" mail cn
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 重設資料
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
make k6-down # 會刪除 openldap volume,下次 k6-up 會重新 bootstrap LDIF
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## 注意
|
|||
|
|
|
|||
|
|
- 僅供本機開發;`admin` / `Password1!` 不可上線。
|
|||
|
|
- 若改過 LDIF,可 `make ldap-seed` 重灌(已存在的 entry 會略過);要完全重建請 `make k6-down` 後再 `make k6-up`。
|