Article author: Liu Hanhua, senior operation and maintenance engineer of Beitchat

What is LDAP? The Lightweight Directory Access Protocol, usually abbreviated as LDAP, is a protocol for accessing a central directory of users, groups and other objects.

With LDAP we can:

1. All relevant systems authenticate against one directory

2. Unified user identity and security management

3. One account and password for all systems

At the same time, our rollout had to be done without disrupting anyone's work.

The following is an introduction to our implementation steps:

Step 1. Select an LDAP service scheme

OpenLDAP, or an Active Directory (AD) domain controller?

1. OpenLDAP is a free and open-source implementation of LDAP. However, we found its configuration and use not mature enough for us, and putting it into production would have been very risky

2. The time available for the LDAP rollout was limited, so the mature AD domain controller was chosen as the directory that services connect to

Here are my reasons for choosing the domain controller:

1. The domain controller provides convenient and unified management

2. Mature security policies

3. A good redundancy and backup mechanism, supporting master/slave redundancy and backup snapshots

Step 2. Organize and refine the LDAP access scheme of each system for the domain controller

In a word, SSO, SVN, Confluence wiki, Squid, VPN, Maven, Git, Zabbix and so on all had to obtain their users and groups from LDAP while keeping their original permissions unchanged;

During testing we used a separate deployment so that online users were not affected.

LDAP access modes for different systems

The OSS backend system is integrated through Java code, which is not described here.

Here are just a few of the LDAP access configurations we use:

Confluence wiki LDAP access configuration, as shown in the following example

Apache LDAP support for SVN authentication

LDAP support for Git

Configuration file: /etc/gitlab/gitlab.rb

PPTP VPN supports LDAP

Squid proxy supports LDAP

Step 3. The domain controller's AD records all employee accounts, passwords and related information

1. Import the user list in batches and initialize user passwords

A. Process the account data provided by HR

B. Convert it into a file that can be imported from the command line

The domain controller supports importing such a file with the csvde -f command
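As an added example (not the article's own script), the conversion from an HR list to a csvde import file in PowerShell; the domain name, OU, input columns and sample rows are constructed assumptions. It also shows the caveat that csvde cannot set passwords, so accounts are imported disabled and initialized afterwards.

```powershell
# Added example: turn an HR-provided user list into a csvde import file.
# Assumptions (constructed): target domain, OU and the HR column names.
$DomainDn  = 'DC=example,DC=com'
$UpnSuffix = 'example.com'
$TargetOu  = "OU=Staff,$DomainDn"

# Constructed sample of what HR hands over (in practice: Import-Csv hr.csv)
$hrRows = @(
    [pscustomobject]@{ EmployeeId = '1001'; Name = 'Zhang San'; Login = 'zhang.san'; Dept = 'Ops' }
    [pscustomobject]@{ EmployeeId = '1002'; Name = 'Li Si';     Login = 'Li Si';     Dept = 'Dev' }
)

function ConvertTo-CsvdeRow {
    param([Parameter(Mandatory)] $Row)
    # sAMAccountName: at most 20 characters, no spaces or separators
    $sam = ($Row.Login -replace '[^a-zA-Z0-9._-]', '').ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    # Escape characters that are special inside an RDN (RFC 4514)
    $cn = $Row.Name -replace '([,+"\\<>;=])', '\$1'
    [pscustomobject]@{
        DN                 = "CN=$cn,$TargetOu"
        objectClass        = 'user'
        sAMAccountName     = $sam
        userPrincipalName  = "$sam@$UpnSuffix"
        displayName        = $Row.Name
        employeeID         = $Row.EmployeeId
        department         = $Row.Dept
        # 514 = NORMAL_ACCOUNT + ACCOUNTDISABLE. csvde cannot write unicodePwd,
        # so every account stays disabled until a password is set over LDAPS.
        userAccountControl = 514
    }
}

$rows = $hrRows | ForEach-Object { ConvertTo-CsvdeRow $_ }

# A duplicate login would make csvde abort half-way through the import: fail early
$dups = $rows | Group-Object sAMAccountName | Where-Object Count -gt 1
if ($dups) { throw "Duplicate sAMAccountName: $($dups.Name -join ', ')" }

$rows | Export-Csv -Path .\users-import.csv -NoTypeInformation -Encoding Unicode

# On the domain controller, as a domain administrator:
#   csvde -i -u -f users-import.csv -k
# Then initialize each password and enable the account (ActiveDirectory module):
#   Set-ADAccountPassword -Identity <sam> -Reset -NewPassword (Read-Host -AsSecureString)
#   Set-ADUser -Identity <sam> -ChangePasswordAtLogon $true
#   Enable-ADAccount -Identity <sam>
```

Forcing a password change at first logon means the initial password handed out through HR is only ever valid once.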

Step 4. Keep working through the list of systems until all of them are connected.

Below is the schedule of the implementation process

Two key points of the implementation process:

1. Confluence wiki and the other systems have many users, so which switch-over policy should be used?

A. Users notice nothing: a dual-track system, where new accounts are connected to LDAP while the original accounts remain unchanged

B. Switch all users to LDAP accounts at one time

Users can then test and verify the unified LDAP access management

Finally: we chose strategy B

2. Check and test every function during SSO integration

A. To avoid a bad user experience at go-live, we listed and tested all possible problems in a centralized manner to make sure nothing was missed

Looking back at the whole implementation process, there were many risks and hidden dangers. Here are the valuable parts of the implementation, summarized and shared with you:

1. A tabulated overall implementation schedule, so that the LDAP rollout has a unified plan and is managed as one

2. Is the technical fallback plan sufficient? This is the key to a successful rollout, since an unexpected problem can block the entire implementation

3. A "gray release" strategy is used during the rollout: first implement it for a small group, then for everyone, which limits the scope of any bad experience and lets more people have a better experience

4. Go live and issue notices

A. If the content of the notice is not clear or easy to understand, a large number of users will contact you or ask for help at the same time after go-live

B. How the notice is presented determines the impression and perception in everyone's mind; good writing adds the finishing touch

The before and after process renderings are as follows:

Before the process



Optimized process