Edge for Private Cloud v4.18.05
This section describes how to obtain, install, and configure the components required to integrate an LDAP service into Apigee Edge for user authentication.
Prerequisites
- You must have Apigee Edge for Private Cloud 4.18.05 installed.
- You must have Apigee Edge for Private Cloud global system administrator credentials to perform this installation.
- You need to know the root directory of your Apigee Edge for Private Cloud installation. The default root directory is /opt.
- You must add the Edge global system administrator credentials to the external LDAP. Note that by default the sysadmin credentials are stored in the Edge internal LDAP. Once you switch to the external LDAP, your sysadmin credentials are authenticated against the external LDAP instead. Therefore, you must provision the credentials in the external system before you enable external authentication in Edge.
  For example, if you configured and installed Apigee Edge for Private Cloud with the following global system administrator credentials:
  username: edgeuser@mydomain.com
  password: Secret123
  then the user edgeuser@mydomain.com with password Secret123 must also exist in the external LDAP.
- Note that if you are running a cluster of Management Servers, you must perform all the steps in this document for each Management Server.
Configure external authentication
The main activity you will perform is configuring the management-server.properties
file. This activity includes stopping and starting the Edge Management Server, deciding whether to use direct or indirect binding, encrypting sensitive credentials, and other related tasks.
- Important: Decide now whether you will use indirect or direct binding authentication. This decision affects some aspects of the configuration. See External authentication.
- Important: You must perform these configuration steps on each Apigee Edge Management Server (if you run more than one).
- Open /opt/apigee/customer/application/management-server.properties in a text editor. If the file does not exist, create it.
- Add the following line:
conf_security_authentication.user.store=externalized.authentication
This line adds the external authentication feature to your Edge for Private Cloud installation.
- To simplify this step, we have created two clearly annotated sample configurations: one for direct binding and one for indirect binding authentication. See the example below for the binding you want to use and complete the configuration.
- Restart the Management Server:
/opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
- Verify that the server is running:
/opt/apigee/apigee-service/bin/apigee-all status
- Important: You must perform additional configuration in either of the following cases (or both):
  - If you plan to let users log in with usernames that are not email addresses. In that case, your sysadmin user must also authenticate with a username.
  and/or
  - If the sysadmin user's account password in the external LDAP differs from the password you configured when you first installed Apigee Edge for Private Cloud. See Configuration required for different sysadmin credentials.
Direct binding configuration example
## The first property is always required to enable the external authorization feature.
## Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identify the type of binding:
## Set to "true" for direct binding
## Set to "false" for indirect binding.
conf_security_externalized.authentication.bind.direct.type=true

## The next seven properties are needed regardless of direct or indirect binding. You need to
## configure these per your external authentication installation.

## The IP or domain for your external LDAP instance.
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## The server timeout in milliseconds.
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be
## provided by your external LDAP administrator, and may have more or fewer dc elements depending
## on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally.
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For
## example if you are binding against an email address in Microsoft Active Directory, this would be
## the userPrincipalName property in your external LDAP instance. Alternatively if you are binding
## against the user's ID, this would typically be in the sAMAccountName property:
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## The LDAP attribute where the user email value is stored. For direct binding with AD, set it to
## userPrincipalName.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## ONLY needed for DIRECT binding.
## The direct.bind.user.directDN property defines the string that is used for the bind against the
## external authentication service. Ensure it is set as follows:
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}
Indirect binding configuration example
## Required to enable the external authorization feature. Do not change it.
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl

## Identifies the type of binding:
## Set to "true" for direct binding
## Set to "false" for indirect binding.
conf_security_externalized.authentication.bind.direct.type=false

## The next seven properties are needed regardless of direct or indirect binding. You need to
## configure these per your external LDAP installation.

## The IP or domain for your external LDAP instance.
conf_security_externalized.authentication.server.url=ldap://localhost:389

## Replace with your external LDAP server version.
conf_security_externalized.authentication.server.version=3

## Set the server timeout in milliseconds.
conf_security_externalized.authentication.server.conn.timeout=50000

## Change these baseDN values to match your external LDAP service. This attribute value will be
## provided by your external LDAP administrator, and may have more or fewer dc elements
## depending on your setup.
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com

## Do not change this search string. It is used internally.
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))

## Identifies the external LDAP property you want to bind against for Authentication. For example
## if you are binding against an email address, this would typically be in the
## userPrincipalName property in your external LDAP instance. Alternatively if you are binding
## against the user's ID, this would typically be in the sAMAccountName property.
## See also "Configuration required for different sysadmin credentials".
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName

## Used by Apigee to perform the Authorization step and currently, Apigee only supports email
## address for Authorization. Make sure to set it to the attribute in your external LDAP that
## stores the user's email address. Typically this will be in the userPrincipalName property.
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName

## The external LDAP username (for a user with search privileges on the external LDAP) and
## password and whether the password is encrypted. You must also set the attribute
## externalized.authentication.bind.direct.type to false.
## The password attribute can be encrypted or in plain text. See
## "Indirect binding only: Encrypting the external LDAP user's password"
## for encryption instructions. Set the password.encrypted attribute to "true" if the password is
## encrypted. Set it to "false" if the password is in plain text.
conf_security_externalized.authentication.indirect.bind.server.admin.dn=myExtLdapUsername
conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword
conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true
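The two sample configurations share the same required properties and differ only in the binding-specific ones, and the search query template is expanded with the user-supplied ID at login time. The following Python script is an added example, not Apigee code: it parses a management-server.properties fragment, checks that the required properties are present and that the binding-specific properties agree with bind.direct.type, and renders the filter that the unchanged search.query template produces for a given user ID. The two embedded property fragments are constructed from the samples above with the comments stripped. Whether the Management Server escapes the substituted ${userId} itself is not stated on this page, so the script applies RFC 4515 filter escaping as the reference for what a safe substitution must look like.

```python
"""Checker for the external-auth fragment of management-server.properties.

Added example, not Apigee code. DIRECT_SAMPLE and INDIRECT_SAMPLE are
constructed from the page's two sample configurations. Assumption: the
Management Server substitutes ${userAttribute} and ${userId} into
user.store.search.query verbatim; the RFC 4515 escaping applied here shows
what a safely substituted filter looks like.
"""
from __future__ import annotations

PREFIX = "conf_security_externalized.authentication."
ENABLE_KEY = "conf_security_authentication.user.store"

# Required regardless of binding type: implementation class, binding flag,
# and the seven server/user-store properties the page lists.
COMMON_KEYS = (
    "implementation.class", "bind.direct.type", "server.url", "server.version",
    "server.conn.timeout", "user.store.baseDN", "user.store.search.query",
    "user.store.user.attribute", "user.store.user.email.attribute",
)
INDIRECT_KEYS = (
    "indirect.bind.server.admin.dn",
    "indirect.bind.server.admin.password",
    "indirect.bind.server.admin.password.encrypted",
)


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comment lines, key=value."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate(props: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems: list[str] = []
    if props.get(ENABLE_KEY) != "externalized.authentication":
        problems.append(f"{ENABLE_KEY} must be externalized.authentication")
    problems += [f"missing {PREFIX}{k}" for k in COMMON_KEYS if PREFIX + k not in props]
    if props.get(PREFIX + "implementation.class") != "com.apigee.rbac.impl.LdapAuthenticatorImpl":
        problems.append("implementation.class must be com.apigee.rbac.impl.LdapAuthenticatorImpl")
    direct = props.get(PREFIX + "bind.direct.type")
    if direct == "true":
        if props.get(PREFIX + "direct.bind.user.directDN") != "${userDN}":
            problems.append("direct binding requires direct.bind.user.directDN=${userDN}")
        problems += [f"{k} set but binding is direct" for k in INDIRECT_KEYS if PREFIX + k in props]
    elif direct == "false":
        problems += [f"indirect binding requires {k}" for k in INDIRECT_KEYS if PREFIX + k not in props]
        if props.get(PREFIX + "indirect.bind.server.admin.password.encrypted") not in ("true", "false"):
            problems.append("admin.password.encrypted must be true or false")
    else:
        problems.append("bind.direct.type must be true or false")
    return problems


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def render_search_filter(props: dict[str, str], user_id: str) -> str:
    """Expand the search.query template: attribute name from user.store.user.attribute,
    user-supplied ID escaped before substitution (assumed safe expansion)."""
    template = props[PREFIX + "user.store.search.query"]
    attr = props[PREFIX + "user.store.user.attribute"]
    return template.replace("${userAttribute}", attr).replace("${userId}", escape_filter_value(user_id))


# Constructed from the page's samples with comments removed; not a real deployment.
DIRECT_SAMPLE = """
conf_security_authentication.user.store=externalized.authentication
conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl
conf_security_externalized.authentication.bind.direct.type=true
conf_security_externalized.authentication.server.url=ldap://localhost:389
conf_security_externalized.authentication.server.version=3
conf_security_externalized.authentication.server.conn.timeout=50000
conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com
conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId}))
conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName
conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName
conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}
"""

# Same fragment with the binding flag flipped and the indirect-only properties swapped in.
INDIRECT_SAMPLE = DIRECT_SAMPLE.replace("bind.direct.type=true", "bind.direct.type=false").replace(
    "direct.bind.user.directDN=${userDN}",
    "indirect.bind.server.admin.dn=myExtLdapUsername\n"
    "conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword\n"
    "conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true")


if __name__ == "__main__":
    for name, text in (("direct", DIRECT_SAMPLE), ("indirect", INDIRECT_SAMPLE)):
        print(name, "problems:", validate(parse_properties(text)) or "none")
    props = parse_properties(DIRECT_SAMPLE)
    print(render_search_filter(props, "jdoe@mydomain.com"))
    print(render_search_filter(props, "*)(objectClass=*"))  # hostile ID, neutralised by escaping
```

Two caveats worth keeping in mind when running this against a real file: the ldap:// URL in both samples is a cleartext connection, so the bind credentials cross the network unprotected unless the directory is reached over a trusted path, and with indirect binding an admin.password.encrypted=false entry leaves the search account's password readable by anyone who can read management-server.properties.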
Test the installation
- Verify that the server is running:
/opt/apigee/apigee-service/bin/apigee-all status
- Execute this command, providing a set of Apigee Edge global system administrator credentials. The API call being tested can be executed only by an Edge sysadmin:
curl -v http://management-server-IP:8080/v1/o -u sysadmin_username
For example:
curl -v http://192.168.52.100:8080/v1/o -u jdoe@mydomain.com
- Enter your password when prompted.
If the command returns a 200 status and a list of organizations, the configuration is correct. This command verifies that the API call to the Edge Management Server was successfully authenticated through the external LDAP system.
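The curl check above is worth scripting when you run a Management Server cluster, since every server must be verified. Below is an added Python example, not Apigee tooling, that sends the same GET /v1/o with HTTP Basic credentials and reports the status for each base URL, treating 200 with an organization list as success and 401 as an authentication failure. The sysadmin credentials jdoe@mydomain.com / Secret123 and the server addresses are assumptions, and the embedded HTTP server is a constructed stand-in that only imitates the 200/401 behaviour of /v1/o so the script runs offline. As with the curl example, the request goes over plain http://, so the Basic credentials travel in cleartext and the check belongs on a trusted network.

```python
"""Scripted version of the "Test the installation" check: GET /v1/o on each
Management Server with sysadmin Basic credentials and require HTTP 200.

Added example, not Apigee tooling. The credentials and URLs are assumptions.
_FakeManagementServer is a constructed stand-in that only imitates the
200/401 behaviour of /v1/o so the script runs offline.
"""
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def check_management_server(base_url, username, password, timeout=10):
    """Return (http_status, orgs); orgs is the decoded organization list on 200, else None."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/v1/o",
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:  # 401 = sysadmin not authenticated via external LDAP
        return err.code, None


def check_cluster(base_urls, username, password):
    """Every Management Server in a cluster must authenticate the sysadmin; map URL -> status."""
    return {url: check_management_server(url, username, password)[0] for url in base_urls}


# ---- constructed stand-in for a Management Server (not Apigee code) ----------
_EXPECTED_AUTH = "Basic " + base64.b64encode(b"jdoe@mydomain.com:Secret123").decode()
_ORGS = ["myorg"]  # assumed organization list the sysadmin would see


class _FakeManagementServer(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/v1/o":
            self.send_error(404)
            return
        if self.headers.get("Authorization") != _EXPECTED_AUTH:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="apigee"')
            self.end_headers()
            return
        body = json.dumps(_ORGS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_fake_server():
    """Start the stand-in on an ephemeral loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeManagementServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, url = start_fake_server()
    print(check_management_server(url, "jdoe@mydomain.com", "Secret123"))  # (200, ['myorg'])
    print(check_management_server(url, "jdoe@mydomain.com", "wrong"))      # (401, None)
    print(check_cluster([url], "jdoe@mydomain.com", "Secret123"))
    srv.shutdown()
```

Against real servers, replace the stand-in URL with http://management-server-IP:8080 for each Management Server; a 401 for the correct external-LDAP password on any one of them means that server's management-server.properties has not picked up the external authentication configuration or has not been restarted.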