Private Cloud v4.19.01 版
本節說明如何取得、安裝及設定 將 LDAP 服務整合至 Apigee Edge,以便進行使用者驗證。
必要條件
- 您必須安裝適用於 Private Cloud 4.18.05 的 Apigee Edge。
- 您必須具備 Apigee Edge 的全域系統管理員憑證,才能 才能執行這個安裝作業
- 您必須知道適用於 Private Cloud 安裝的 Apigee Edge 根目錄。
預設根目錄為
/opt
。 - 您必須將 Edge 全域系統管理員憑證新增到
外部 LDAP。請記住,sysadmin 憑證預設會儲存在 Edge 中
內部 LDAP。切換到「外部」 LDAP 後,您的 sysadmin 憑證
就會改為進行驗證因此,您必須將憑證佈建至
然後在 Edge 中啟用外部驗證。
舉例來說,如果您為私有雲的私有雲設定了並安裝 Apigee Edge 系統管理員憑證用途:
username: edgeuser@mydomain.com password: Secret123
接著,使用者
edgeuser@mydomain.com
和密碼Secret123
也必須出現在外部 LDAP 中。 - 請注意,如果您正在執行管理伺服器叢集,則必須執行所有步驟 。
設定外部驗證
您要執行的主要活動是設定 management-server.properties
檔案。
這類活動包括停止及啟動 Edge Management Server,決定您是否要
想要使用直接或間接繫結、加密機密憑證,
機器學習程式庫提供一系列預先編寫的程式碼
可用來執行機器學習工作
- 重要事項:請立即決定要使用間接或直接 繫結驗證方法。這項決定會影響設定的某些層面。詳情請見 外部驗證。
- 重要事項:您必須在每項 Apigee Edge 管理上進行這些設定步驟 伺服器 (如果您執行不只一個伺服器)。
- 開啟「
/opt/apigee/customer/application/management-server.properties
」 。如果檔案不存在,請建立一個。 - 新增下列程式碼:
conf_security_authentication.user.store=externalized.authentication
這行程式碼會將外部驗證功能新增至 Private Cloud 的 Edge 安裝。
- 為簡化這個步驟,我們建立了兩組有評價良好的設定範例 -- 一個用於直接繫結驗證,另一個用於間接繫結驗證。請見下列範例 要使用的繫結,然後完成設定:
- 重新啟動管理伺服器:
/opt/apigee/apigee-service/bin/apigee-service edge-management-server restart
- 驗證伺服器是否正在執行:
/opt/apigee/apigee-service/bin/apigee-all status
- 重要事項:您必須完成下列其中一項設定 (或兩者皆設定)
下列情況:
- 如果您希望使用者使用
而不是電子郵件地址在這種情況下,您的 sysadmin 使用者也必須以
使用者名稱。
和/或
- 如果外部平台 sysadmin 使用者帳戶的密碼 LDAP 與您首次安裝 Apigee Edge 時設定的密碼不同 私有雲。請參閱不同的 sysadmin 憑證需要設定。
- 如果您希望使用者使用
而不是電子郵件地址在這種情況下,您的 sysadmin 使用者也必須以
使用者名稱。
直接繫結 設定範例
## The first property is always required to enable the external authorization feature. ## Do not change it. conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl ## Identify the type of binding: ## Set to "true" for direct binding ## Set to "false" for indirect binding. conf_security_externalized.authentication.bind.direct.type=true ## The next seven properties are needed regardless of direct or indirect binding. You need to ## configure these per your external authentication installation. ## The IP or domain for your external LDAP instance. conf_security_externalized.authentication.server.url=ldap://localhost:389 ## Your external LDAP server version. conf_security_externalized.authentication.server.version=3 ## The server timeout in milliseconds. conf_security_externalized.authentication.server.conn.timeout=50000 ## Change these baseDN values to match your external LDAP service. This attribute value will be ## provided by your external LDAP administrator, and may have more or fewer dc elements depending ## on your setup. conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com ## Do not change this search string. It is used internally. conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId})) ## Identifies the external LDAP property you want to bind against for Authentication. For ## example if you are binding against an email address in Microsoft Active Directory, this would be ## the userPrincipalName property in your external LDAP instance. Alternatively if you are binding ## against the user's ID, this would typically be in the sAMAccountName property: conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName ## The LDAP attribute where the user email value is stored. For direct binding with AD, set it to ## userPrincipalName. conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName ## ONLY needed for DIRECT binding. ## The direct.bind.user.directDN property defines the string that is used for the bind against the ## external authentication service. Ensure it is set as follows: conf_security_externalized.authentication.direct.bind.user.directDN=${userDN}
間接繫結設定範例
## Required to enable the external authorization feature. Do not change it. conf_security_externalized.authentication.implementation.class=com.apigee.rbac.impl.LdapAuthenticatorImpl ## Identifies the type of binding: ## Set to "true" for direct binding ## Set to "false" for indirect binding. conf_security_externalized.authentication.bind.direct.type=false ## The next seven properties are needed regardless of direct or indirect binding. You need to ## configure these per your external LDAP installation. ## The IP or domain for your external LDAP instance. conf_security_externalized.authentication.server.url=ldap://localhost:389 ## Replace with your external LDAP server version. conf_security_externalized.authentication.server.version=3 ## Set the server timeout in milliseconds. conf_security_externalized.authentication.server.conn.timeout=50000 ## Change these baseDN values to match your external LDAP service. This attribute value will be # provided by your external LDAP administrator, and may have more or fewer dc elements # depending on your setup. conf_security_externalized.authentication.user.store.baseDN=dc=apigee,dc=com ## Do not change this search string. It is used internally. conf_security_externalized.authentication.user.store.search.query=(&(${userAttribute}=${userId})) ## Identifies the external LDAP property you want to bind against for Authentication. For example ## if you are binding against an email address, this would typically be in the ## userPrincipalName property in your external LDAP instance. Alternatively if you are binding ## against the user's ID, this would typically be in the sAMAccountName property. ## See also "Configuration required for different sysadmin credentials". conf_security_externalized.authentication.user.store.user.attribute=userPrincipalName ## Used by Apigee to perform the Authorization step and currently, Apigee only supports email ## address for Authorization. Make sure to set it to the attribute in your external LDAP that ## stores the user's email address. Typically this will be in the userPrincipalName property. conf_security_externalized.authentication.user.store.user.email.attribute=userPrincipalName ## The external LDAP username (for a user with search privileges on the external LDAP) and ## password and whether the password is encrypted. You must also set the attribute ## externalized.authentication.bind.direct.type to false. ## The password attribute can be encrypted or in plain text. See ## "Indirect binding only: Encrypting the external LDAP user's password" ## for encryption instructions. Set the password.encrypted attribute to "true" if the password is ## encrypted. Set it to "false" if the password is in plain text. conf_security_externalized.authentication.indirect.bind.server.admin.dn=myExtLdapUsername conf_security_externalized.authentication.indirect.bind.server.admin.password=myExtLdapPassword conf_security_externalized.authentication.indirect.bind.server.admin.password.encrypted=true
測試安裝
- 驗證伺服器是否正在執行:
/opt/apigee/apigee-service/bin/apigee-all status
- 執行這個指令,提供一組 Apigee Edge 全域系統管理員
憑證。即將測試的 API 呼叫只能透過 Edge 執行
sysadmin.
curl -v http://management-server-IP:8080/v1/o -u sysadmin_username
例如:
curl -v http://192.168.52.100:8080/v1/o -u jdoe@mydomain.com
- 在系統提示時輸入密碼。
如果指令傳回 200 狀態和機構清單,表示設定正確無誤。 這個指令會驗證對 Edge Management Server 的 API 呼叫是否成功 經外部 LDAP 系統驗證