My latest and most complete articles are on Pumpkin Slow Talk (www.pkslow.com); you are welcome to visit.
1 Introduction
Two earlier articles covered integrating Spring Cloud Data Flow with UAA; both schemes kept user information in a database. In many enterprises, however, accounts are managed in Active Directory (AD), so this article explains how to integrate Data Flow with LDAP.
Spring Cloud Data Flow
Initial experience of Spring Cloud Data Flow, running in Local mode
Deploy Spring Cloud Data Flow on Kubernetes and run another task
Operating Spring Cloud Data Flow from the Shell to make CI/CD easier
Reading the source code finally solved the problem of Data Flow deploying applications to K8s
Spring Cloud Data Flow integrates Cloudfoundry UAA services for permission control
Spring Cloud Data Flow integrates UAA using an external database and API interface
2 Start the LDAP server
2.1 Starting the Server
We use Apache Directory Server (ApacheDS), Apache's open source directory framework, as the LDAP server, and add the following dependencies:
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
        <version>2.1.0.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.apache.directory.server</groupId>
        <artifactId>apacheds-protocol-ldap</artifactId>
        <version>1.5.5</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-ldap</artifactId>
    </dependency>
</dependencies>
The Spring Boot startup class is as follows:
import java.io.File;
import java.nio.file.Files;
import java.util.UUID;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.ldap.server.ApacheDSContainer;

@SpringBootApplication
public class LdapServer {

    public static void main(String[] args) throws Throwable {
        SpringApplication.run(LdapServer.class, args);
    }

    @Bean
    public ApacheDSContainer apacheDSContainer() throws Exception {
        // Embedded ApacheDS rooted at dc=springframework,dc=org, seeded from the LDIF file on the classpath
        final File temporaryFolder = Files.createTempDirectory("ldap_server").toFile();
        final String ldapFileName = "testUsers.ldif";
        ApacheDSContainer apacheDSContainer = new ApacheDSContainer("dc=springframework,dc=org", "classpath:" + ldapFileName);
        apacheDSContainer.setPort(40000);
        // A fresh working directory on every start, so stale partition data is never reused
        final File workingDir = new File(temporaryFolder, UUID.randomUUID().toString());
        apacheDSContainer.setWorkingDirectory(workingDir);
        return apacheDSContainer;
    }
}
The server listens on port 40000 and loads its user configuration from the LDIF file testUsers.ldif, which holds the AD account and group information used in this test. dc=springframework,dc=org is the root of the directory and the starting point of the configuration tree.
testUsers.ldif is fairly long; it can be found at github.com/LarryDpk/pk… .
2.2 Connecting to the Server
Once the LDAP server is running, you can browse and manage it with the Apache Directory Studio client tool, as shown below:
3 UAA configuration
The UAA server needs the connection details of the LDAP service; they are configured in the uaa.yml file.
spring_profiles: default,postgresql,ldap
ldap:
  profile:
    file: ldap/ldap-search-and-bind.xml
  base:
    url: 'ldap://localhost:40000/'
    userDn: 'uid=leah,ou=people,dc=springframework,dc=org'
    password: 'leahberlin'
    searchBase: 'ou=otherpeople,dc=springframework,dc=org'
    searchFilter: 'uid={0}'
    referral: follow
  groups:
    file: 'ldap/ldap-groups-map-to-scopes.xml'
    searchBase: 'ou=groups,dc=springframework,dc=org'
    searchSubtree: true
    groupSearchFilter: member={0}
    maxSearchDepth: 10
    autoAdd: true
The ldap profile must be added to spring_profiles to enable this feature.
The configuration takes effect after the UAA server is restarted. UAA can now obtain a user's AD groups from the login, but an AD group is not a UAA group, so a mapping between the two has to be established. That is:
AD group –> UAA group –> Data Flow Role
The second half of this mapping was explained in the earlier article; the first half can be configured with uaac or the REST API as follows:
uaac group map "cn=view,ou=groups,dc=springframework,dc=org" --name="dataflow.view" --origin=ldap
uaac group map "cn=create,ou=groups,dc=springframework,dc=org" --name="dataflow.create" --origin=ldap
uaac group map "cn=manage,ou=groups,dc=springframework,dc=org" --name="dataflow.manage" --origin=ldap
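To make concrete what the uaa.yml settings in section 3 and the three uaac group map commands above actually drive, here is a small Python model of UAA's search-and-bind login followed by group-to-scope mapping. It is an example added for this article, not UAA's, Spring's or the post's own code: the in-memory DIRECTORY, the search/bind helpers and the UAA_LDAP dictionary are constructed stand-ins for a real LDAP server and for the ldap-search-and-bind.xml and ldap-groups-map-to-scopes.xml profiles, and it ignores referral and searchSubtree. It shows three things worth checking in a real deployment: the user's password is proven by binding as the DN the search returned, never by the service account; the login name is RFC 4515-escaped before it replaces {0}, so a wildcard cannot widen the search; and nested groups are resolved only up to maxSearchDepth.

```python
import re

# Constructed in-memory directory for this example (not the post's testUsers.ldif);
# the DNs follow the post's dc=springframework,dc=org tree.
DIRECTORY = {
    "uid=leah,ou=people,dc=springframework,dc=org":
        {"uid": ["leah"], "userPassword": ["leahberlin"]},
    "uid=marlene,ou=otherpeople,dc=springframework,dc=org":
        {"uid": ["marlene"], "userPassword": ["supersecret"]},
    "cn=create,ou=groups,dc=springframework,dc=org":
        {"member": ["uid=marlene,ou=otherpeople,dc=springframework,dc=org"]},
    "cn=view,ou=groups,dc=springframework,dc=org":  # nested: create is a member of view
        {"member": ["cn=create,ou=groups,dc=springframework,dc=org"]},
}

# Mirrors the ldap.base / ldap.groups keys of uaa.yml (assumed structure of the model)
UAA_LDAP = {
    "userDn": "uid=leah,ou=people,dc=springframework,dc=org",
    "password": "leahberlin",
    "searchBase": "ou=otherpeople,dc=springframework,dc=org",
    "searchFilter": "uid={0}",
    "groupSearchBase": "ou=groups,dc=springframework,dc=org",
    "groupSearchFilter": "member={0}",
    "maxSearchDepth": 10,
}

# What the three `uaac group map ... --origin=ldap` commands register: AD group DN -> UAA scope
GROUP_MAP = {
    "cn=view,ou=groups,dc=springframework,dc=org": "dataflow.view",
    "cn=create,ou=groups,dc=springframework,dc=org": "dataflow.create",
    "cn=manage,ou=groups,dc=springframework,dc=org": "dataflow.manage",
}

def escape_filter_value(value):
    """RFC 4515 escaping for anything substituted into a filter's {0} placeholder."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _filter_to_regex(value):
    """LDAP filter semantics: an unescaped '*' is a wildcard, '\\xx' is a literal character."""
    pieces = []
    for piece in value.split("*"):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$")

def search(base, filter_expr):
    """DNs below `base` whose attribute satisfies a simple 'attr=value' filter (subtree scope)."""
    attr, _, value = filter_expr.partition("=")
    pattern = _filter_to_regex(value)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith("," + base):
            continue
        if any(pattern.match(v) for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits

def bind(dn, password):
    """Simple bind: succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])

def search_and_bind(username, password, cfg=UAA_LDAP):
    """The ldap-search-and-bind flow; returns the user's DN on success, else None."""
    if not bind(cfg["userDn"], cfg["password"]):
        raise RuntimeError("service account bind failed: check ldap.base.userDn/password")
    # {0} receives the *escaped* login name, so a wildcard cannot be injected into the filter
    flt = cfg["searchFilter"].replace("{0}", escape_filter_value(username))
    found = search(cfg["searchBase"], flt)
    if len(found) != 1:  # zero or ambiguous matches both fail closed
        return None
    # the password is proven by binding as the found DN, not by reading userPassword
    return found[0] if bind(found[0], password) else None

def groups_of(dn, cfg=UAA_LDAP, depth=None):
    """Direct and nested groups of `dn` via groupSearchFilter, bounded by maxSearchDepth."""
    depth = cfg["maxSearchDepth"] if depth is None else depth
    seen, frontier = set(), [dn]
    for _ in range(depth):
        found = {g for m in frontier for g in search(
            cfg["groupSearchBase"], cfg["groupSearchFilter"].replace("{0}", escape_filter_value(m)))}
        frontier = sorted(found - seen)
        seen |= found
        if not frontier:
            break
    return sorted(seen)

def scopes_for(username, password, cfg=UAA_LDAP, depth=None):
    """Login, then translate the user's AD groups to UAA scopes; None if login fails."""
    dn = search_and_bind(username, password, cfg)
    if dn is None:
        return None
    return sorted(GROUP_MAP[g] for g in groups_of(dn, cfg, depth) if g in GROUP_MAP)

if __name__ == "__main__":
    print(scopes_for("marlene", "supersecret"))  # ['dataflow.create', 'dataflow.view']
```

Run directly, it prints Marlene's scopes. With depth=1 only the direct group cn=create is found, so the nested dataflow.view scope disappears; a login name of * fails because the escaped filter uid=\2a matches only a literal asterisk; and Leah, the service account, lives under ou=people rather than the configured searchBase ou=otherpeople, so she cannot log in through this path even with the right password.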
4 Login test
Logging in as the user Marlene/Supersecret, which we configured directly in the LDIF file, looks like this:
We can still log in with accounts stored in the database (such as Larry/Larry) as well; the two sources coexist, which is very convenient.
5 Conclusion
This article explained the integration of Data Flow with LDAP; with that, the authentication side of Spring Cloud Data Flow is fairly complete.
Please check the code: github.com/LarryDpk/pk…
Reference Documents:
security-ldap-uaa-example
This section describes the concepts and working principles of OpenLDAP
You are welcome to follow the WeChat public account "Pumpkin Slow Talk", which will keep being updated for you...
Read more and share more; write more and organize more.