Single sign-on (1) | LDAP protocol


Author: Adon
WeChat official account: IT's Jiege trip (ID: Jake_Internet)

1. Single sign-on

1) Principle
Single sign-on (SSO): in an environment where multiple systems coexist, once a user has logged in to one of them there is no need to log in to the others again; that is, a single login by the user is trusted by all the other systems.

Two points are essential:

Storing trust

Verifying trust

Single sign-on implementation methods:
1.1 Using a cookie as the credential medium
The simplest single sign-on implementation uses a cookie as the medium for storing user credentials. After the user logs in to the parent application, it returns an encrypted cookie. When the user accesses a child application, the request carries this cookie; the child application is authorized to decrypt and verify it, and if verification passes, the current user is logged in. Drawbacks of this method: the cookie is not secure, and password-free login across domains cannot be achieved.

1.2 Implementation through JSONP
JSONP can be used to handle the cross-domain problem.

After the user logs in to the parent application, the cookie matching the session is stored in the client. When the user needs to log in to a child application, the child application is authorized to access the JSONP interface provided by the parent application, and the request carries the cookie for the parent application's domain. The parent application receives the request, verifies the user's login status and returns encrypted information. The child application verifies the user by parsing the returned encrypted information and logs the user in if verification passes.

1.3 Through page redirection
The parent application and the child application communicate by redirecting back and forth, realizing secure transmission of the information.

The parent application provides a GET login interface, which the user reaches through a redirect from the child application. If the user has not logged in yet, a login page is returned and the user enters the account and password to log in. If the user has already logged in, an encrypted Token is generated and the user is redirected to the Token authentication interface provided by the child application. After decrypting and verifying it, the child application logs in the current user.

This method solves the security and cross-domain issues, but it is less convenient than the first two.
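The redirect-and-token exchange of 1.3, as an added example that is not part of the original post: the parent application mints a token only after it has confirmed the session, and the child application's token authentication interface checks it before logging anyone in. It uses an HMAC-signed token carrying audience, expiry and a one-time id (the post says "encrypted Token"; signing is the substitution made here), and SHARED_KEY and the claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Key shared between the parent application (issuer) and the child
# application (verifier). Constructed for this example; in a deployment
# it would be provisioned per child application and rotated.
SHARED_KEY = b"example-shared-key-constructed"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, audience: str, now: int, ttl: int = 60) -> str:
    """Parent app, GET login interface: the session is already confirmed, so
    mint a short-lived token bound to one child app (aud) with a one-time id
    (jti), then redirect the browser to the child's token interface with it."""
    claims = {"sub": user, "aud": audience, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, expected_aud: str, now: int,
                 seen: set) -> Optional[dict]:
    """Child app, token authentication interface: verify the signature before
    trusting any claim, then check audience, expiry and replay (jti already
    redeemed). Returns the claims to log the user in, or None to refuse."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:             # malformed token, base64 or JSON
        return None
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    if claims.get("jti") in seen:  # a redirect token is redeemed only once
        return None
    seen.add(claims["jti"])
    return claims
```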

1.4 Using an independent login system
Generally speaking, large-scale applications separate the authorization logic and the user-information logic into one application, called the user center. The user center does not process business logic; it only handles the management of user information and authorization to third-party applications. When a third-party application needs to log a user in, it forwards the user's login request to the user center for processing; the user center returns credentials after processing, the application verifies those credentials, and logs the user in once they pass.

2. LDAP protocol
2.1 Introduction
Directory service: a special database used to store descriptive, attribute-based, detailed information, which supports filtering; it is dynamic, flexible and easy to extend.

LDAP: A lightweight directory access protocol based on the X.500 standard.

A directory is a database optimized for querying, browsing and searching. It organizes data in a tree structure, similar to a file directory.

Directory databases are different from relational databases. They have excellent read performance but poor write performance, and do not have complex functions such as transaction processing and rollback, and are not suitable for storing frequently modified data.

An LDAP directory service is a system composed of a directory database and a set of access protocols.

LDAP is an open internet standard that supports cross-platform internet protocols.

LDAP: Lightweight Directory Access Protocol; LDAP itself is only an access protocol.

Application: LDAP is used to build a unified account management and authentication platform, on which the SSO single sign-on mechanism is implemented.

2.2 Features
Based on TCP/IP

Stores data in a tree structure

Fast reads, slow writes

Uses the client-server model: the server stores the data and the client manipulates it

Cross-platform, simple to maintain

Supports SSL/TLS encryption

The protocol is open

2.3 Basic model
Directory tree concepts
1. Directory tree: in a directory service system, the entire set of directory information can be represented as a directory information tree, and each node in the tree is an entry;

2. Entry: each entry is a record, and each entry has its own unique distinguished name (DN);

3. Object class: a set of attributes corresponding to a certain type of entity. Object classes can be inherited, so the required attributes of the parent class are inherited as well;

4. Attribute: information describing one aspect of an entry. An attribute consists of an attribute type and one or more attribute values; attributes are divided into required attributes and optional attributes;

Keyword and meaning:

RDN (Relative DN): relative distinguished name, similar to a relative path in a file system; it is the part of a DN that is independent of the directory tree structure, such as "uid=tom" or "cn=example".

Information model: in the LDAP information tree, the basic data unit is the entry; each entry is composed of attributes, and the attribute values are stored in the attributes;

Naming model: the way entries are located in LDAP. Every entry in LDAP has its own DN, which is the unique name of the entry in the entire tree; just as in a file system, the file name together with its path is the DN;

Functional model: LDAP has four kinds of operations, ten in total: query operations, such as search and compare; update operations, such as add entry, delete entry, modify entry and modify entry name (modify DN); authentication operations, such as bind; and other operations, such as abandon and extended operations. Extended operations include password modify and StartTLS;

Security model: LDAP's security model is mainly implemented through identity authentication, secure channels and access control;

Information organization
Directory entries are organized in a hierarchical tree structure that reflects geographic and organizational boundaries.

Trees can be organized according to Internet domain names, which allows DNS to be used to locate directory services.

The top level is the root, the "baseDN", such as "dc=example,dc=com" or "o=example.org".
OU (Organizational Unit) indicates the internal organization of the company, such as departments; it can also indicate equipment, personnel, etc.

OpenLDAP
OpenLDAP is a concrete implementation of the LDAPv3 protocol that can provide directory services on multiple platforms. Its daemon is slapd.

Installation
Environment:
CentOS 7
OpenLDAP 2.4.44

Use yum to install the OpenLDAP server, client and related components (requires the EPEL repository)

# sudo yum install -y epel-release
# sudo yum install -y openldap openldap-servers openldap-clients openldap-servers-sql openldap-devel migrationtools compat-openldap

Check the version number after installation

# slapd -V

Create an administrator password: use the slappasswd command to generate the hashed value


# slappasswd -s you_passwd

Modify the OpenLDAP configuration; the configuration database is stored under /etc/openldap/slapd.d

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif

# paste the slappasswd output here
olcRootPW: {SSHA}xxxxxx
# change dc to your own domain name
olcSuffix: dc=example,dc=com
# admin is the administrator account
olcRootDN: cn=admin,dc=example,dc=com

# vim /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif
# change the dc information to your own domain name
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=hzins,dc=com" read by * none
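As an added example (not the post's own code): the {SSHA} format that slappasswd -s produces and that slapd checks on a simple bind as olcRootDN, plus the LDIF that applies the same olcSuffix, olcRootDN and olcRootPW changes through ldapmodify -Y EXTERNAL -H ldapi:/// instead of editing the files under slapd.d by hand. The function names are constructed; the fixed salt appears only in the tests.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build the {SSHA} value slappasswd -s emits:
    "{SSHA}" + base64( SHA1(password || salt) || salt ). The salt is random
    unless one is given (a fixed salt is used only for the tests)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """What slapd does for a simple bind as olcRootDN: split the stored value
    into digest and salt, recompute the digest, compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

def rootdb_ldif(suffix: str, root_dn: str, root_pw_hash: str,
                db_dn: str = "olcDatabase={2}hdb,cn=config") -> str:
    """LDIF for `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif` that makes
    the same three changes as the hand-edited olcDatabase={2}hdb.ldif, through
    the running slapd so the cn=config database stays consistent."""
    return "\n".join([
        f"dn: {db_dn}",
        "changetype: modify",
        "replace: olcSuffix",
        f"olcSuffix: {suffix}",
        "-",
        "replace: olcRootDN",
        f"olcRootDN: {root_dn}",
        "-",
        "replace: olcRootPW",
        f"olcRootPW: {root_pw_hash}",
        "",
    ])
```

Note that {SSHA} is salted SHA-1; it is the format to recognise in olcRootPW, and stronger schemes are available through OpenLDAP's contrib password modules.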

Verify that the configuration file is correct

# slaptest -u

Start the service; OpenLDAP listens on port 389

# systemctl enable slapd
# systemctl start slapd
# firewall-cmd --add-service=ldap --permanent
# firewall-cmd --add-port=389/tcp --permanent

OpenLDAP's database is BerkeleyDB; copy the example DB configuration file into the data directory and fix the permissions

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown ldap:ldap -R /var/lib/ldap
# chmod 700 -R /var/lib/ldap

Import the basic schemas

# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

Modify the migrate_common.ph file; its settings are used when generating the LDIF files

# vim /usr/share/migrationtools/migrate_common.ph
$DEFAULT_MAIL_DOMAIN = "example.com"; # around line 71
$DEFAULT_BASE = "dc=example,dc=com";
$EXTENDED_SCHEMA = 1;

Use the migrate_base.pl script to generate base.ldif, then load the file into the OpenLDAP database

# /usr/share/migrationtools/migrate_base.pl > /root/base.ldif
# ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f /root/base.ldif

Enabling logging in OpenLDAP

1) First create the log file and adjust its permissions, then modify rsyslog.conf

# mkdir -p /var/log/slapd
# chown ldap:ldap /var/log/slapd
# touch /var/log/slapd/slapd.log
# chown ldap:ldap /var/log/slapd/slapd.log
# vim /etc/rsyslog.conf
local4.*       /var/log/slapd/slapd.log
# systemctl restart rsyslog

2) Modify the configuration database (cn=config)

# vim log.ldif
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: 32
# ldapmodify -Y EXTERNAL -H ldapi:/// -f log.ldif

3) Configure log rotation

# vim /etc/logrotate.d/ldap
/var/log/slapd/slapd.log {
    prerotate
        /usr/bin/chattr -a /var/log/slapd/slapd.log
    endscript
    compress
    delaycompress
    notifempty
    rotate 100
    size 10M
    postrotate
        /usr/bin/chattr +a /var/log/slapd/slapd.log
    endscript
}

Management
Web management: phpLDAPadmin
Tool management: LdapAdmin, Apache Directory Studio


Source: blog.51cto.com/15067236/2606457