Enabling SSL/TLS Encrypted Communication in OpenLDAP

1. Preface

Why OpenLDAP traffic needs encryption

By default OpenLDAP uses simple authentication: every access to slapd sends the password in cleartext over an unencrypted channel. To protect this information it has to be encrypted in transit, and SSL/TLS (Secure Sockets Layer / Transport Layer Security; today's deployments speak TLS, the successor of SSL) is the standard solution.

It relies on X.509 certificates: data in a standard format, digitally signed by a trusted third party, the Certificate Authority (CA). A valid signature means the signed data has not been tampered with; if the signed data is altered, the signature no longer verifies.

A brief overview of how SSL/TLS encryption works

SSL/TLS is an encryption scheme built on a PKI, combining certificate-based authentication, key exchange, asymmetric encryption and symmetric encryption. It relies on a CA as an authority trusted by both server and client: issuing and validating certificates depends on the CA, and the certificates it issues are assumed to be trustworthy, with genuine and valid contents, so that client and server can use them to set up secure, encrypted communication.

The certificates authenticate the server (and, where client certificates are used, the client as well) and provide the public keys used for the asymmetric key exchange. Once the key exchange is complete, the resulting session key encrypts the traffic symmetrically; the exact algorithms are negotiated between client and server. Because the two sides run different TLS libraries with different configurations, their supported cipher suites do not fully overlap: during the handshake each side announces the suites it supports in order of preference, the first mutually supported suite is chosen, and if there is none the negotiation fails and the connection is closed.

2. Generating your own certificates

2.1 Set up your own CA

2.1.1 Generate the CA's private key

[root@localhost openldap]# cd /etc/pki/CA
[root@localhost CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
............+++
....................+++
e is 65537 (0x10001)

2.1.2 Issue the CA's self-signed certificate

[root@localhost CA]# openssl  req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:sys.com
Organizational Unit Name (eg, section) []:Devops
Common Name (eg, your name or your server's hostname) []:ldap.sys.com
Email Address []:ldap@sys.com

The fields can be filled in as you like, but the default policy in openssl.cnf (policy_match) requires countryName, stateOrProvinceName and organizationName of every request the CA signs to match the CA's own values, so the LDAP server's request in section 2.2 must reuse them. Note that this CA is given the server's hostname as its CN; giving the CA a distinct CN makes the chain easier to read and avoids confusing the CA certificate with the server certificate.

2.1.3 Create the index.txt and serial files

index.txt is the CA database in which openssl ca records every certificate it issues; serial holds the serial number (in hex) that the next issued certificate will receive. Both can be initialized by hand and are used to keep track of the issued certificates.

[root@localhost CA]# touch serial index.txt
[root@localhost CA]# echo "01" > serial

2.1.4 Inspect the CA certificate with openssl

[root@localhost CA]# openssl x509 -noout -text -in /etc/pki/CA/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:9d:0e:5e:77:51:2c:38
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=BeiJing, L=BeiJing, O=sys.com, OU=Devops, CN=ldap.sys.com/emailAddress=ldap@sys.com
Validity
Not Before: Aug 17 09:07:28 2022 GMT
Not After : Aug 14 09:07:28 2032 GMT
Subject: C=CN, ST=BeiJing, L=BeiJing, O=sys.com, OU=Devops, CN=ldap.sys.com/emailAddress=ldap@sys.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a6:08:87:0e:0b:cb:85:8b:ef:03:1e:c9:5c:ed:
eb:b3:02:77:dd:4d:ad:4b:b5:ca:b3:7c:8c:03:12:
63:c5:8c:89:1e:a4:15:c9:4c:c1:68:e0:8c:74:3d:
9b:2b:a2:8e:cf:ad:3c:40:42:e7:ff:e8:27:b7:98:
73:99:2d:33:b6:c9:39:ce:62:07:cd:ae:65:ea:c2:
7a:0a:eb:84:ff:42:db:56:da:e1:6a:ef:fb:fc:29:
75:73:1d:00:15:e5:04:f2:fe:d4:4e:f5:00:08:29:
b8:f9:89:41:7d:c8:a5:61:ef:10:8f:5d:29:ce:d3:
d6:c2:d9:33:4c:ab:e1:d5:49:90:51:b7:3f:a4:6f:
7b:6c:2d:1a:8e:8f:73:a6:af:c7:7d:c4:58:7d:36:
d4:e7:eb:4c:1a:ba:23:9d:ac:6b:30:54:ba:0a:fb:
13:1b:27:7a:a7:f5:ad:3f:e6:be:8b:f7:a3:52:a5:
05:23:42:24:56:ba:7d:80:ce:81:fb:00:05:89:19:
31:f1:19:66:a7:a8:57:98:5b:5d:b6:9e:4c:bf:a3:
15:25:1c:e9:76:cd:84:48:50:0b:e8:f8:cf:df:cb:
1e:69:aa:7e:51:73:f6:e8:59:3c:bb:d4:0d:a1:a7:
22:3f:54:b2:ae:7c:ea:33:d3:75:64:94:52:aa:2e:
b5:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
15:E1:DF:F5:24:B8:F2:AD:C2:93:0B:92:48:E6:EC:A8:D5:25:88:B8
X509v3 Authority Key Identifier:
keyid:15:E1:DF:F5:24:B8:F2:AD:C2:93:0B:92:48:E6:EC:A8:D5:25:88:B8

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
01:2e:84:f1:ee:ce:99:b1:77:1b:f3:b4:ab:21:80:8a:8a:04:
16:23:f9:48:85:d5:db:bf:d1:00:d8:2f:7f:2c:b8:e5:1e:6b:
0f:f7:10:41:b2:a4:75:84:bf:0b:b6:eb:97:3e:06:07:30:f6:
c7:f2:6f:9c:ed:9a:0e:70:fd:14:cc:a4:34:b9:ef:a8:69:a7:
c4:f3:ff:00:b2:2d:c6:ac:3a:35:86:58:25:2a:be:0c:4f:20:
52:91:98:f3:06:33:79:ce:c7:cb:8c:a2:a3:ca:6d:2a:60:94:
1d:97:38:d1:f5:55:f6:db:30:ff:67:85:c7:0e:7f:08:eb:88:
e0:30:b1:f9:6e:01:a8:fa:16:53:53:12:62:af:ca:35:cf:85:
e2:be:7c:39:70:57:7b:06:19:4a:aa:8a:12:8a:e7:3f:a9:dd:
11:f4:45:96:6f:1c:82:90:62:bb:24:57:a5:cc:a8:99:96:80:
8c:48:75:34:94:05:e2:42:9c:64:81:11:d9:f2:1c:c7:c2:4c:
fa:ad:16:23:7d:ba:a0:26:fc:b5:df:df:5d:34:6d:1c:39:61:
e2:45:e2:0d:00:22:a2:89:72:d2:25:e0:b0:c0:25:70:8f:bf:
e3:4c:a9:bd:a5:60:67:d6:d3:77:a2:aa:6e:92:2f:cb:17:fb:
a4:ef:b2:d3

2.2 Generate the LDAP server certificate

2.2.1 Prepare the LDAP certificate directory

[root@localhost CA]# mkdir /etc/openldap/ssl
[root@localhost CA]# cd /etc/openldap/ssl

Generate the server private key

[root@localhost ssl]# openssl genrsa -out ldapkey.pem 2048
Generating RSA private key, 2048 bit long modulus
....................................+++
......................................................+++
e is 65537 (0x10001)

The server now creates a certificate signing request (CSR) for the CA. The C, ST and O fields must match the CA's values, otherwise openssl ca rejects the request under the default policy (see 2.1.2). The -days option used in the original command has no effect on a CSR: validity is set when the CA signs the request in the next step.

[root@localhost ssl]# openssl req -new -key ldapkey.pem -out ldap.csr

2.2.2 Sign the LDAP certificate

The CA checks the request and, if it passes, issues the certificate. Note that the certificate produced this way carries neither a subjectAltName nor an extendedKeyUsage extension; OpenLDAP clients fall back to matching the CN against the hostname, but stricter clients and newer TLS libraries expect the hostname in a SAN.

[root@localhost ssl]# openssl ca -in ldap.csr -out ldapcert.pem -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 17 09:26:34 2022 GMT
Not After : Aug 14 09:26:34 2032 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = sys.com
organizationalUnitName = Devops
commonName = ldap.sys.com
emailAddress = ldap@sys.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AD:14:68:D1:B3:1D:4E:34:5A:EA:B0:F5:78:74:C8:51:0B:D8:83:E7
X509v3 Authority Key Identifier:
keyid:15:E1:DF:F5:24:B8:F2:AD:C2:93:0B:92:48:E6:EC:A8:D5:25:88:B8

Certificate is to be certified until Aug 14 09:26:34 2032 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2.2.3 Verify the certificate

Once the certificate is issued, openssl verify checks that the server certificate chains to the CA:

[root@localhost ssl]# openssl verify -CAfile /etc/pki/CA/cacert.pem /etc/openldap/ssl/ldapcert.pem
/etc/openldap/ssl/ldapcert.pem: OK

2.2.4 Gather the certificate files

Enabling TLS in slapd needs cacert.pem, ldapcert.pem and ldapkey.pem. The private key should be readable only by the account slapd runs as (user ldap on CentOS); a world-readable key lets anyone on the host impersonate the server and decrypt its traffic.

[root@localhost ssl]# cp /etc/pki/CA/cacert.pem /etc/openldap/ssl/
[root@localhost ssl]# ls /etc/openldap/ssl/
cacert.pem ldapcert.pem ldap.csr ldapkey.pem
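Section 2 above builds the CA and the server certificate interactively. The script below is an added example, not part of the original post, that performs the same steps non-interactively and fixes three things a reviewer would flag in the interactive run: the CA and the server certificate share the CN ldap.sys.com, the server certificate has neither a subjectAltName nor an extendedKeyUsage, and the private keys are created with the default umask. The work directory, the CA name and the host name are illustrative assumptions; openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: section 2 done non-interactively, with
# three changes a reviewer would ask for. The CA gets its own CN instead of the server's
# hostname; the server certificate gets a subjectAltName and serverAuth extendedKeyUsage
# (the interactive run above produced neither); and private keys are created 0600.
# Assumptions: openssl on PATH; directory, CA name and host name are illustrative.
set -eu

# make_ldap_pki DIR HOST -> writes DIR/{cakey,cacert,ldapkey,ldapcert}.pem
make_ldap_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    (
        cd "$dir"
        umask 077                       # keys written by genrsa come out as 0600

        # 1. CA key and self-signed CA certificate. The extensions mark it as a CA
        #    that may only sign certificates and CRLs (2.1.2 gave it no keyUsage).
        cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
        openssl genrsa -out cakey.pem 2048 2>/dev/null
        openssl req -new -x509 -sha256 -days 3650 -key cakey.pem -out cacert.pem \
            -config ca.cnf -subj "/C=CN/ST=BeiJing/O=sys.com/OU=Devops/CN=sys.com internal CA"

        # 2. Server key and CSR. No -days here: that option only applies to -x509 output.
        openssl genrsa -out ldapkey.pem 2048 2>/dev/null
        openssl req -new -key ldapkey.pem -out ldap.csr \
            -subj "/C=CN/ST=BeiJing/O=sys.com/OU=Devops/CN=$host"

        # 3. Sign with a server profile: end entity, TLS server, SAN = host name.
        #    -CAcreateserial keeps the serial in cacert.srl, replacing the manual
        #    serial/index.txt bookkeeping that openssl ca needs.
        cat > server.ext <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
        openssl x509 -req -sha256 -days 3650 -in ldap.csr -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -extfile server.ext -out ldapcert.pem 2>/dev/null
        chmod 644 cacert.pem ldapcert.pem   # certificates are public; the keys stay 0600
    )
}

# verify_ldap_pki DIR HOST -> 0 if ldapcert.pem chains to cacert.pem, is valid as a TLS
# server certificate and names HOST in its subjectAltName; non-zero otherwise.
verify_ldap_pki() {
    openssl verify -CAfile "$1/cacert.pem" -purpose sslserver "$1/ldapcert.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$1/ldapcert.pem" -noout -text | grep -q "DNS:$2"
}
```

Run it as `make_ldap_pki /etc/openldap/ssl ldap.sys.com && verify_ldap_pki /etc/openldap/ssl ldap.sys.com`; the three files the rest of the article expects (cacert.pem, ldapcert.pem, ldapkey.pem) end up in that directory with the key readable only by root, so the only remaining step is to chown the key to the slapd user. verify_ldap_pki fails for a certificate signed by a different CA or issued for a different host name, which is the behaviour a properly configured client (TLS_REQCERT demand) will also show.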

3. Enabling TLS in OpenLDAP

3.1 Self-hosted OpenLDAP

Here I use an OpenLDAP 2.4.44 instance I deployed by hand earlier. Enabling TLS does not require regenerating any data; the TLS settings are simply added to the running configuration.

3.1.1 Create the LDIF file with the TLS settings

The three file attributes are changed with replace:, which also works when they are already set; add: would fail with "attribute exists" if olcTLSVerifyClient were already present. olcTLSVerifyClient: never means the server does not request a client certificate, so clients authenticate with a simple bind inside the encrypted channel.

[root@localhost schema]# vim enable_tls.ldif
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/ssl/cacert.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/ssl/ldapcert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/ssl/ldapkey.pem
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never

3.1.2 Load the TLS configuration

## SASL EXTERNAL over the ldapi:/// socket authenticates as root through peer credentials,
## which is what the default cn=config ACL grants write access to. The -D/-w simple-bind
## options of the original command are not used when -Y is given (the output below shows the
## SASL identity that was actually used) and would only leave the admin password in the shell history.
[root@localhost schema]# ldapmodify -Y EXTERNAL -H ldapi:/// -f enable_tls.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=config"

3.1.3 Listen only on the LDAPS port

Removing ldap:/// disables port 389 entirely, so clients can neither connect in cleartext nor use StartTLS. If you prefer to keep port 389 for StartTLS, enforce encryption on it with olcSecurity (for example olcSecurity: ssf=128) so that cleartext binds are refused.

[root@localhost schema]# vim /etc/sysconfig/slapd
SLAPD_URLS="ldapi:/// ldaps:///"

3.1.4 Restart slapd

[root@localhost schema]# systemctl restart slapd
[root@localhost schema]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 957/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1152/master
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 5650/slapd

Port 636 is now listening. (The ldapi:/// Unix socket is not shown: netstat -t lists only TCP sockets.)

3.1.5 Test the connection

## The ldap command-line tools must be told what to do with the server certificate. The line
## below makes them accept a certificate they cannot verify: acceptable for a first smoke
## test, but it disables server authentication, so any certificate, including one presented
## by a man-in-the-middle, is accepted. For real use put the CA in the client configuration
## instead ("TLS_CACERT /etc/openldap/ssl/cacert.pem"), keep the default "TLS_REQCERT demand",
## and connect to the name in the certificate (ldap.sys.com) rather than to the IP address.
[root@localhost schema]# echo "TLS_REQCERT allow" >> /etc/openldap/ldap.conf

## Check whether anonymous access is possible (to turn it off, see my other post
## "OpenLDAP: disabling anonymous access")
[root@localhost schema]# ldapwhoami -v -x -Z
ldap_initialize( <DEFAULT> )
anonymous
Result: Success (0)

## Test an authenticated bind over LDAPS
[root@localhost schema]# ldapwhoami -D "cn=admin,dc=sys,dc=com" -w Abc.123456 -H ldaps://192.168.126.145:636 -v
ldap_initialize( ldaps://192.168.126.145:636/??base )
dn:cn=admin,dc=sys,dc=com
Result: Success (0)
[root@localhost schema]#

The bind succeeds, so the configuration works. You can also check that the certificate presented on the socket validates against the CA. Note that s_client by itself only verifies the chain; to also check that the certificate name matches the host, add -verify_hostname ldap.sys.com (recent OpenSSL versions) and connect using that name.

[root@localhost schema]# openssl s_client -connect 192.168.126.145:636 -showcerts -state -CAfile /etc/openldap/ssl/cacert.pem
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 C = CN, ST = BeiJing, L = BeiJing, O = sys.com, OU = Devops, CN = ldap.sys.com, emailAddress = ldap@sys.com
verify return:1
depth=0 C = CN, ST = BeiJing, O = sys.com, OU = Devops, CN = ldap.sys.com, emailAddress = ldap@sys.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=CN/ST=BeiJing/O=sys.com/OU=Devops/CN=ldap.sys.com/emailAddress=ldap@sys.com
i:/C=CN/ST=BeiJing/L=BeiJing/O=sys.com/OU=Devops/CN=ldap.sys.com/emailAddress=ldap@sys.com
-----BEGIN CERTIFICATE-----
(server certificate body omitted)
-----END CERTIFICATE-----
1 s:/C=CN/ST=BeiJing/L=BeiJing/O=sys.com/OU=Devops/CN=ldap.sys.com/emailAddress=ldap@sys.com
i:/C=CN/ST=BeiJing/L=BeiJing/O=sys.com/OU=Devops/CN=ldap.sys.com/emailAddress=ldap@sys.com
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgIJAJmdDl53USw4MA0GCSqGSIb3DQEBCwUAMIGIMQswCQYD
VQQGEwJDTjEQMA4GA1UECAwHQmVpSmluZzEQMA4GA1UEBwwHQmVpSmluZzEQMA4G
A1UECgwHc3lzLmNvbTEPMA0GA1UECwwGRGV2b3BzMRUwEwYDVQQDDAxsZGFwLnN5
cy5jb20xGzAZBgkqhkiG9w0BCQEWDGxkYXBAc3lzLmNvbTAeFw0yMjA4MTcwOTA3
MjhaFw0zMjA4MTQwOTA3MjhaMIGIMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVp
SmluZzEQMA4GA1UEBwwHQmVpSmluZzEQMA4GA1UECgwHc3lzLmNvbTEPMA0GA1UE
CwwGRGV2b3BzMRUwEwYDVQQDDAxsZGFwLnN5cy5jb20xGzAZBgkqhkiG9w0BCQEW
DGxkYXBAc3lzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKYI
hw4Ly4WL7wMeyVzt67MCd91NrUu1yrN8jAMSY8WMiR6kFclMwWjgjHQ9myuijs+t
PEBC5//oJ7eYc5ktM7bJOc5iB82uZerCegrrhP9C21ba4Wrv+/wpdXMdABXlBPL+
1E71AAgpuPmJQX3IpWHvEI9dKc7T1sLZM0yr4dVJkFG3P6Rve2wtGo6Pc6avx33E
WH021OfrTBq6I52sazBUugr7Exsneqf1rT/mvov3o1KlBSNCJFa6fYDOgfsABYkZ
MfEZZqeoV5hbXbaeTL+jFSUc6XbNhEhQC+j4z9/LHmmqflFz9uhZPLvUDaGnIj9U
sq586jPTdWSUUqoutTMCAwEAAaNQME4wHQYDVR0OBBYEFBXh3/UkuPKtwpMLkkjm
7KjVJYi4MB8GA1UdIwQYMBaAFBXh3/UkuPKtwpMLkkjm7KjVJYi4MAwGA1UdEwQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAEuhPHuzpmxdxvztKshgIqKBBYj+UiF
1du/0QDYL38suOUeaw/3EEGypHWEvwu265c+Bgcw9sfyb5ztmg5w/RTMpDS576hp
p8Tz/wCyLcasOjWGWCUqvgxPIFKRmPMGM3nOx8uMoqPKbSpglB2XONH1VfbbMP9n
hccOfwjriOAwsfluAaj6FlNTEmKvyjXPheK+fDlwV3sGGUqqihKK5z+p3RH0RZZv
HIKQYrskV6XMqJmWgIxIdTSUBeJCnGSBEdnyHMfCTPqtFiN9uqAm/LXf3100bRw5
YeJF4g0AIqKJctIl4LDAJXCPv+NMqb2lYGfW03eiqm6SL8sX+6TvstM=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/ST=BeiJing/O=sys.com/OU=Devops/CN=ldap.sys.com/emailAddress=ldap@sys.com
issuer=/C=CN/ST=BeiJing/L=BeiJing/O=sys.com/OU=Devops/CN=ldap.sys.com/emailAddress=ldap@sys.com
---
No client certificate CA names sent
---
SSL handshake has read 2334 bytes and written 607 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: 47754753CC89AABE4A33D4E89C6C382C3557F074D1F20EE69C5E07CE3284F7B2
Session-ID-ctx:
Master-Key: F115E963EF46F2C6608D0DF61CD676404B54B400E081A56E3C49CC2C8C73D74F59F6D524F5B96AD94F8497737848C71E
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e8 74 39 03 64 ab 5b 66-f8 bc 5c e6 1e cc 55 de .t9.d.[f..\...U.
0010 - 99 de 08 3c da ef 99 3f-a9 52 13 e6 34 57 ec a5 ...<...?.R..4W..
0020 - 4f 49 54 77 df 89 66 93-b1 d6 9f f0 76 39 1b 15 OITw..f.....v9..
0030 - fc 16 a3 fd 23 ad 7f 6d-a7 dc b4 01 89 3c 9e f4 ....#..m.....<..
0040 - 0a cd d0 80 fe 90 b5 ff-42 03 31 f2 93 5a f7 af ........B.1..Z..
0050 - 92 be 04 5e 22 16 3a 0d-36 46 7c 53 c1 6a f3 71 ...^".:.6F|S.j.q
0060 - e8 00 3c 01 0a d4 0f 23-6d 27 23 fd fc 91 25 a1 ..<....#m'#...%.
0070 - 15 d5 da ce 95 f3 bb 74-e1 60 6a 3d 7e a9 81 e3 .......t.`j=~...
0080 - 5d 6c 2e 5d bb 9e 89 26-23 ab 08 99 66 ee 82 f7 ]l.]...&#...f...
0090 - 37 2f 1c 0b b1 88 47 6f-45 2e ac ca 11 c2 7e 98 7/....GoE.....~.

Start Time: 1660732009
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
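The transcript above answers three questions only implicitly: did certificate verification succeed, is the protocol TLS 1.2 or newer, and does the negotiated cipher suite provide forward secrecy. The function below is an added example, not part of the original post, that audits s_client output for exactly those points; it also illustrates the negotiation described in section 1, since the "Cipher" line is the outcome of that preference matching. It flags the suite negotiated above, AES256-GCM-SHA384: that is a static-RSA suite, so the server's private key decrypts every recorded session and a later key compromise exposes past traffic. The host, port and CA path in the probe wrapper are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: an audit of "openssl s_client" output such
# as the transcript above. It makes explicit what the transcript only implies: whether the
# certificate verified, whether the protocol is TLS 1.2 or newer, and whether the negotiated
# cipher suite uses an ephemeral key exchange. Host, port and CA path in probe_ldaps are
# illustrative assumptions.

# audit_tls_output < s_client-output -> one line per check; returns the number of failures
audit_tls_output() {
    _out=$(cat)
    _fail=0

    case "$_out" in
        *"Verify return code: 0 (ok)"*) echo "verify:   ok" ;;
        *) echo "verify:   FAILED (chain not trusted or name mismatch)"; _fail=$((_fail + 1)) ;;
    esac

    _proto=$(printf '%s\n' "$_out" | sed -n 's/^ *Protocol *: *//p' | head -n 1 | tr -d ' \r')
    case "$_proto" in
        TLSv1.2|TLSv1.3) echo "protocol: $_proto ok" ;;
        *) echo "protocol: ${_proto:-unknown} FAILED (require TLS 1.2 or newer)"; _fail=$((_fail + 1)) ;;
    esac

    # The "New, TLSv1/SSLv3, Cipher is ..." line is skipped; the "Cipher :" line of the
    # SSL-Session block is used. ECDHE/DHE suites and all TLS 1.3 suites use ephemeral keys;
    # plain "AES256-GCM-SHA384" (TLS_RSA_WITH_...) encrypts the session key to the server's
    # long-term RSA key and therefore has no forward secrecy.
    _cipher=$(printf '%s\n' "$_out" | sed -n 's/^ *Cipher *: *//p' | head -n 1 | tr -d ' \r')
    case "$_cipher" in
        ECDHE-*|DHE-*|TLS_AES_*|TLS_CHACHA20_*)
            echo "cipher:   $_cipher ok (ephemeral key exchange)" ;;
        *)  echo "cipher:   ${_cipher:-unknown} FAILED (no forward secrecy)"; _fail=$((_fail + 1)) ;;
    esac
    return $_fail
}

# probe_ldaps HOST PORT CAFILE -> live handshake against an LDAPS port, then the audit above.
# -verify_hostname adds the name check that s_client skips by default (recent OpenSSL).
probe_ldaps() {
    openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" -CAfile "$3" \
        </dev/null 2>/dev/null | audit_tls_output
}
```

`probe_ldaps ldap.sys.com 636 /etc/openldap/ssl/cacert.pem` exits with the number of failed checks, so it can gate a deployment pipeline. On the server side the offered suites are controlled with olcTLSCipherSuite; the syntax of that string depends on the TLS library slapd was linked against (OpenSSL, GnuTLS or NSS), so consult slapd-config(5) for your build before restricting it to ECDHE suites.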

3.2 OpenLDAP in a container

To save resources, many services are now deployed as containers, and OpenLDAP is no exception. This example uses version 2.6.3 with the bitnami/openldap image, which at the time of writing is the OpenLDAP image that is still being updated regularly.

OpenLDAP 2.5 added many new features, such as multi-factor authentication and password-expiry warnings; see the official website for details.

3.2.1 Create the OpenLDAP PVCs

[ec2-user@localhost ldap2.6]$ vim openldap-pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openldap-data-pvc
  namespace: monitor
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openldap-config-pvc
  namespace: monitor
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: nfs

[ec2-user@localhost ldap2.6]$ kubectl apply -f openldap-pvc.yaml

Note: set storageClassName to the storage class available in your environment. The Deployment below mounts only openldap-data-pvc; the bitnami image keeps both data and configuration under /bitnami/openldap, so openldap-config-pvc is not used.

3.2.2 Import the OpenLDAP certificates

Load the generated OpenLDAP certificates into a Kubernetes Secret:

[ec2-user@localhost ssl]$ kubectl create secret generic openldap-certs -nmonitor --from-file=./cacert.pem --from-file=./ldapcert.pem --from-file=./ldapkey.pem
secret/openldap-certs created
[ec2-user@localhost ssl]$ kubectl get secret -nmonitor |grep openldap
openldap-certs Opaque 3 12s

3.2.3 Create the OpenLDAP Deployment

Two things to change before using this beyond a lab: LDAP_ADMIN_PASSWORD is set as a literal value, so anyone allowed to read the Deployment object (kubectl get deploy -o yaml) sees the admin password; store it in a Secret and reference it with valueFrom.secretKeyRef instead. BITNAMI_DEBUG=true makes the container log verbosely and should be turned off once it starts cleanly.

[ec2-user@localhost ldap2.6]$ vim openldap-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    app.kubernetes.io/alias-name: LDAP
    app.kubernetes.io/description: authentication center
  labels:
    app: openldap
  name: openldap
  namespace: monitor
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: openldap
  strategy:
    type: Recreate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: openldap
    spec:
      containers:
      - env:
        - name: LDAP_ROOT
          value: dc=sys,dc=com
        - name: LDAP_ADMIN_USERNAME
          value: admin
        - name: LDAP_ADMIN_PASSWORD
          value: 6&g0hbSRZJovaqjsA
        - name: LDAP_TLS_CERT_FILE
          value: /opt/bitnami/openldap/certs/ldapcert.pem
        - name: LDAP_TLS_KEY_FILE
          value: /opt/bitnami/openldap/certs/ldapkey.pem
        - name: LDAP_TLS_CA_FILE
          value: /opt/bitnami/openldap/certs/cacert.pem
        - name: LDAP_ENABLE_TLS
          value: "yes"
        - name: BITNAMI_DEBUG
          value: "true"
        image: bitnami/openldap:2.6.3
        imagePullPolicy: IfNotPresent
        name: openldap
        ports:
        - containerPort: 1389
          name: tcp-389
          protocol: TCP
        - containerPort: 1636
          name: tcp-636
          protocol: TCP
        resources:
          limits:
            cpu: 500m
            memory: 500Mi
          requests:
            cpu: 100m
            memory: 64Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /bitnami/openldap/
          name: ldap-data-pvc
        - mountPath: /opt/bitnami/openldap/certs
          name: ldap-certs
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
      - name: ldap-data-pvc
        persistentVolumeClaim:
          claimName: openldap-data-pvc
      - name: ldap-certs
        secret:
          defaultMode: 420
          secretName: openldap-certs

[ec2-user@localhost ldap2.6]$ kubectl apply -f openldap-deployment.yaml

3.2.4 Create the OpenLDAP Service

The Service exposes both the plain LDAP port (1389) and the LDAPS port (1636) through a LoadBalancer, that is, to the network. Anyone reaching 1389 can bind in cleartext, which undoes the point of this article; unless TLS is enforced on that port, expose only tcp-636.

[ec2-user@localhost ldap2.6]$ cat openldap-svc.yaml
apiVersion: v1
kind: Service
metadata:
  name: openldap-svc
  namespace: monitor
  labels:
    app: openldap-svc
spec:
  ports:
  - name: tcp-389
    nodePort: 30402
    port: 1389
    protocol: TCP
    targetPort: 1389
  - name: tcp-636
    nodePort: 30381
    port: 1636
    protocol: TCP
    targetPort: 1636
  selector:
    app: openldap
  type: LoadBalancer

[ec2-user@localhost ldap2.6]$ kubectl apply -f openldap-svc.yaml

3.2.5 Test the connection

Here I connect with LdapAdmin.

[Figure 1]

[Figure 2]
