Enabling external authentication

Edge for Private Cloud v. 4.17.01

This section describes how to obtain, install and configure the components required to integrate an external LDAP service with Apigee Edge for user authentication.

Prerequisites

  • You must have Apigee Edge for Private Cloud 4.17.01 installed.
  • You must have global system administrator credentials for Apigee Edge for Private Cloud to perform this installation.
  • You need to know the installation root directory of Apigee Edge for Private Cloud. The default root directory is /opt.
  • You must add the Edge global system administrator credentials to the external LDAP. Remember that, by default, the system administrator credentials are stored in the Edge internal LDAP. Once you switch to the external LDAP, your system administrator credentials are authenticated against that LDAP instead. You must therefore provision the credentials in the external system before you enable external authentication in Edge.

    For example, if you configured and installed Apigee Edge for Private Cloud with the following global system administrator credentials:

    Username: edgeuser@mydomain.com
    Password: Secret123

    then the user edgeuser@mydomain.com with the password Secret123 must also exist in the external LDAP.
  • If you are running a cluster of management servers, note that you must perform all the steps in this document on each management server.

Configuring external authentication

The main activity is configuring the management-server.properties file. This includes stopping and starting the Edge management server, deciding whether to use direct or indirect binding, encrypting sensitive credentials, and other related tasks.

  1. Important: Decide now whether you intend to use the indirect or the direct binding authentication method. This decision affects some aspects of the configuration. See External authentication.
  2. Important: You must perform these configuration steps on every Apigee Edge management server (if you are running more than one).
  3. Open /opt/apigee/customer/application/management-server.properties in a text editor. If the file does not exist, create it.
  4. Add the following line. Note: make sure there is no trailing whitespace at the end of the line.

    conf_security_authentication.user.store=externalized.authentication

    This line adds the external authentication feature to your Edge for Private Cloud installation.
  5. To simplify this step, we have created two heavily commented sample configurations, one for direct binding authentication and one for indirect binding authentication. See the sample for the binding you want to use and complete the configuration:

    Direct binding configuration example
    Indirect binding configuration example
  6. Restart the management server:
    > /opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
  7. Verify that the server is running:
    > /opt/apigee/apigee-service/bin/apigee-all status
  8. Important: Additional configuration is required in the following cases: (a) if you want users to log in with a username that is not an email address, in which case your system administrator user must also authenticate with a username; (b) if the password of the system administrator user account in the external LDAP differs from the password you configured when you first installed Apigee Edge for Private Cloud, in which case that password must also be used for authentication. See Configuration required for different sysadmin credentials.

Direct binding configuration example

## The first property is always required to enable the external authorization feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identify the type of binding:
# Set to "true" for direct binding
# Set to "false" for indirect binding. 
conf_security_externalized.authentication.bind.direct.type=true

## The next seven properties are needed regardless of direct or indirect binding. You need to configure these per your external authentication installation. 
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## The server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be provided by your external LDAP administrator, and may have more or fewer dc elements depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example if you are binding against an email address, this would typically be in the userPrincipalName property in your external LDAP instance. Alternatively if you are binding against the user’s ID, this would typically be in the sAMAccountName property:
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## The LDAP attribute where the user email value is stored. For direct binding, set it to userPrincipalName.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## ONLY needed for DIRECT binding.
## The direct.bind.user.directDN property defines the string that is used for the bind against the external authentication service. Ensure it is set as follows:
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}

Indirect binding configuration example

## Required to enable the external authorization feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identifies the type of binding:
# Set to "true" for direct binding
# Set to "false" for indirect binding. 
conf_security_externalized.authentication.bind.direct.type=false

## The next seven properties are needed regardless of direct or indirect binding. You need to configure these per your external LDAP installation. 
## The IP or domain for your external LDAP instance. 
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Replace with your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## Set the server timeout in milliseconds. 
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be provided by your external LDAP administrator, and may have more or fewer dc elements depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally. 
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example if you are binding against an email address, this would typically be in the userPrincipalName property in your external LDAP instance. Alternatively if you are binding against the user’s ID, this would typically be in the sAMAccountName property. See also "Configuration required for different sysadmin credentials".
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## Used by Apigee to perform the Authorization step and currently, Apigee only supports email address for Authorization. Make sure to set it to the attribute in your external LDAP that stores the user’s email address. Typically this will be in the userPrincipalName property. 
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## The external LDAP username (for a user with search privileges on the external LDAP) and password and whether the password is encrypted. You must also set the attribute externalized.authentication.bind.direct.type to false.
## The password attribute can be encrypted or in plain text. See "Indirect binding only: Encrypting the external LDAP user’s password" for encryption instructions. Set the password.encrypted attribute to "true" if the password is encrypted. Set it to "false" if the password is in plain text.
conf_security_externalized.authentication.indirect.bind.server.admin.dn=myExtLdapUsername
conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword
conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true
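Before restarting the management server (step 6 above), it helps to check that the property file is consistent with the chosen binding type. The following script is an added example and is not part of Apigee's documentation or product; it checks the keys shown in the two configuration examples above, flags the trailing whitespace the procedure warns about, and verifies that the direct-binding or indirect-binding properties match bind.direct.type. The sample configuration embedded in it (ldap.example.com, dc=example,dc=com) is constructed for illustration.

```python
# Added example, not Apigee's own code: a pre-restart consistency check for the external-
# authentication keys in management-server.properties (trailing whitespace, binding requirements).
P = "conf_security_externalized.authentication."
REQUIRED = ("implementation.class", "server.url", "server.version",  # keys the page's examples
            "server.conn.timeout", "user.store.baseDN", "user.store.search.query",  # require for
            "user.store.user.attribute", "user.store.user.email.attribute")  # both binding types
INTERNAL_QUERY = "(&(${userAttribute}=${userId}))"  # internal search string, must not be changed

def parse_properties(text):
    # Returns ({key: value}, [problems]); '#' comment lines and blank lines are skipped.
    props, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw != raw.rstrip():  # the page warns that trailing whitespace corrupts the value
            problems.append(f"line {n}: trailing whitespace after the value")
        key, _, value = raw.strip().partition("=")
        props[key.strip()] = value.strip()
    return props, problems

def check_external_auth(text):
    """Return the list of problems found; an empty list means the settings are consistent."""
    props, problems = parse_properties(text)
    if props.get("conf_security_authentication.user.store") != "externalized.authentication":
        problems.append("conf_security_authentication.user.store must be externalized.authentication")
    problems += [f"missing {P}{k}" for k in REQUIRED if not props.get(P + k)]
    if props.get(P + "user.store.search.query", INTERNAL_QUERY) != INTERNAL_QUERY:
        problems.append("user.store.search.query must keep its internal value")
    bind = props.get(P + "bind.direct.type")
    if bind == "true" and props.get(P + "direct.bind.user.directDN") != "${userDN}":
        problems.append("direct binding requires direct.bind.user.directDN=${userDN}")
    elif bind == "false":  # indirect binding needs a search account, its password and the flag
        for k in ("indirect.bind.server.admin.dn", "indirect.bind.server.admin.password"):
            if not props.get(P + k):
                problems.append(f"indirect binding requires {P}{k}")
        if props.get(P + "indirect.bind.server.admin.password.encrypted") not in ("true", "false"):
            problems.append("indirect.bind.server.admin.password.encrypted must be true or false")
    elif bind != "true":
        problems.append("bind.direct.type must be exactly true or false")
    return problems

# Constructed sample (not a real deployment): direct binding with one defect, a trailing space after 50000.
SAMPLE_DIRECT = "conf_security_authentication.user.store=externalized.authentication\n" + "".join(
    f"{P}{kv}\n" for kv in (
        "implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl", "bind.direct.type=true",
        "server.url=ldap://ldap.example.com:389", "server.version=3", "server.conn.timeout=50000 ",
        "user.store.baseDN=dc=example,dc=com", "user.store.search.query=(&(${userAttribute}=${userId}))",
        "user.store.user.attribute=userPrincipalName", "user.store.user.email.attribute=userPrincipalName",
        "direct.bind.user.directDN=${userDN}"))
```

Running check_external_auth on the sample reports the trailing space on line 6; switching bind.direct.type to false without adding the indirect.bind.server.admin.* properties reports the three missing indirect-binding settings.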

Testing the installation

  1. Verify that the server is running:
    > /opt/apigee/apigee-service/bin/apigee-all status
  2. Run this command, supplying a set of Apigee Edge global system administrator credentials. The API call being tested can only be executed by an Edge system administrator.

    Important: The same credentials must exist in the external LDAP account. If they do not, add them now. Note that the username is usually an email address; however, this depends on how you configured external authentication, as described earlier in this document.
    > curl -v http://<management server IP address>:8080/v1/o -u <system administrator username>

    For example:
    > curl -v http://192.168.52.100:8080/v1/o -u jdoe@mydomain.com
  3. Enter your password when prompted.

    If the command returns a 200 status and a list of organizations, the configuration is correct. This command verifies that API calls to the Edge management server are successfully authenticated through the external LDAP system.