# /etc/openldap/slapd.conf
#
# Static slapd configuration; it is converted into the cn=config tree with
# slaptest (see the conversion commands further down the page). It holds the
# rootpw hash, so it is kept 0640 ldap:ldap.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Root DSE and cn=Subschema are world-readable: clients discover naming
# contexts and schema here before they bind.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# All entries below the suffix. cn=manager,dc=example,dc=com is the read-only
# service account the applications bind with (Redmine, nginx, ownCloud on this
# page); it is an ordinary entry, not the rootdn.
#   self write      - a user may modify every attribute of their own entry,
#                     not only userPassword. NOTE(review): acceptable for the
#                     web-application logins used here; if these entries ever
#                     feed NSS/PAM, restrict self write with an attrs= clause so
#                     uidNumber/gidNumber cannot be self-assigned.
#   anonymous auth  - unauthenticated clients may bind, not read.
#   (implicit)      - everyone else gets nothing.
access to dn.regex=".+,dc=example,dc=com$"
    by self write
    by dn.exact="cn=manager,dc=example,dc=com" read
    by anonymous auth

# Everything else (notably the suffix entry itself, which the regex above
# does not match): self write, bind for anonymous, nothing for the rest.
access to * by self write by anonymous auth by * none

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# 0 = no logging. The author's (stripped) note lists 1/2 for debugging and
# 256 (stats: connections, operations, results) or 2048 as alternatives.
# NOTE(review): with 0 there is no record of failed binds; 256 is the usual
# production value when an audit trail is wanted.
loglevel 0

modulepath /usr/lib64/openldap/openldap

# Certificate and key for the ldaps:// listener (see OPTS in /etc/conf.d/slapd).
# Only the server identity is set; TLSProtocolMin / TLSCipherSuite are left
# at the library defaults.
TLSCertificateFile /etc/ssl/openldap/server.pem
TLSCertificateKeyFile /etc/ssl/openldap/server.key

###
database hdb

# Data directory: must exist, mode 700, owned by ldap:ldap.
directory /var/lib/openldap-data

# Naming context served by this database.
suffix "dc=example,dc=com"

# DN (Distinguished Name) of the directory superuser; it is not subject to
# the ACLs above. Use it for administration only, not for application binds.
rootdn "cn=admin,dc=example,dc=com"

# Hash produced by slappasswd -s [password]; the value below is the hash of
# the example password "passwd" used throughout this page.
rootpw {SSHA}70m8+2axDu++Adp6EOLPVpISPxbMVPFv

# memberof overlay: maintains the operational memberOf attribute on user
# entries from groupOfUniqueNames/uniqueMember membership, so Redmine and
# ownCloud can filter on memberOf=.
moduleload memberof.la
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true

# refint overlay: when an entry is renamed or deleted, the uniqueMember
# values that pointed at it are updated or removed in the groups.
moduleload refint.la
overlay refint
refint_attributes uniqueMember

# Placeholder value written when the last uniqueMember of a group would be
# removed (the attribute is mandatory for groupOfUniqueNames).
refint_nothing "cn=admin,dc=example,dc=com"

# Equality indexes for the attributes the applications search on.
index objectClass eq
index uid,uidNumber,gidNumber,memberUid eq
###
# cn=config database. Administrative (manage) access is granted only to the
# local root user connecting over the ldapi:// socket with SASL EXTERNAL, where
# the identity comes from the Unix socket peer credentials; everyone else gets
# nothing.
# Ex: ldapadd/ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f [config_update].ldif
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none
# One-time conversion of the static slapd.conf into the cn=config directory,
# then ownership and permission tightening: the config file holds the rootpw
# hash, so only root and the ldap user may read it.
mkdir -p /etc/openldap/slapd.d
# slaptest validates slapd.conf and, with -F, writes it out as slapd.d.
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap:ldap /etc/openldap/slapd.d /var/lib/openldap-data /etc/openldap/slapd.conf
chmod 750 /etc/openldap/slapd.d && chmod 640 /etc/openldap/slapd.conf
# /etc/conf.d/slapd
# Either start from the static config file ...
#OPTS_CONF="-f /etc/openldap/slapd.conf"
# ... or from the cn=config directory generated by slaptest (used here).
OPTS_CONF="-F /etc/openldap/slapd.d"
# Listeners: LDAPS on the external address, plain LDAP on loopback only, and
# the ldapi Unix socket (path percent-encoded, %2f = "/") that root uses for
# SASL EXTERNAL access to cn=config.
OPTS="${OPTS_CONF} -h 'ldaps://[_IP]:636 ldap://127.0.0.1:389 ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
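# Restore entries from backup.ldif with a simple bind (-x) as the rootdn.
# -W prompts for the password instead of taking it on the command line,
# where shell history and process listings would expose it.
ldapadd -x -D 'cn=admin,dc=example,dc=com' -W -f backup.ldif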
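# Generate the {SSHA} hash for rootpw. Without -s slappasswd prompts (twice)
# for the secret, so it never lands in shell history or process listings.
slappasswd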
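# Verify that the memberof overlay populated memberOf for a user. -x selects
# a simple bind (as the ldapadd example on this page does); -W prompts for the
# cn=manager password instead of exposing it on the command line.
ldapsearch -x -D 'cn=manager,dc=example,dc=com' -W -b 'ou=people,dc=example,dc=com' '(uid=example)' memberOf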
… dn: uid=example,ou=people,dc=example,dc=com memberOf: cn=developers,ou=groups,dc=example,dc=com # search result search: 2 result: 0 Success …
# /var/www/redmine.example.com/docker-compose.yml
redmine:
  image: quay.io/sameersbn/redmine:3.2.0-2
  # restart: always
  environment:
    - TZ=Europe/Moscow
    # Run Redmine with the uid:gid of the host's nginx user so files on the
    # bind-mounted volumes below are shared with nginx and the Git post-update
    # hook without permission conflicts.
    - USERMAP_UID=[NGINX_UID]
    - USERMAP_GID=[NGINX_GID]
    - DB_TYPE=postgres
    # PostgreSQL runs on the host. The author's (stripped) note mentions the
    # Docker bridge address 172.17.0.1; the host's own IP is used instead,
    # presumably because that is the address PostgreSQL listens on — verify
    # against listen_addresses / pg_hba.conf.
    - DB_HOST=10.0.10.10
    - DB_USER=redmine
    - DB_PASS=[]
    - DB_NAME=redmine_production
    # Redmine sits behind the host nginx; these presumably tell it the
    # external scheme and port for the URLs it generates.
    - REDMINE_HTTPS=true
    - REDMINE_PORT=10083
    - SMTP_ENABLED=true
    # Disables TLS certificate verification towards the MTA. NOTE(review):
    # tolerable only because the MTA is the host itself, reached over the
    # Docker bridge; for any remote MTA keep verification enabled.
    - SMTP_OPENSSL_VERIFY_MODE=none
    # The MTA has to accept mail from the Docker bridge network 172.17.0.0/16.
    - SMTP_HOST=[_IP]
    - SMTP_PORT=25
    - IMAP_ENABLED=false
  ports:
    # Published on loopback only; the host nginx proxies to it.
    - "127.0.0.1:10083:80"
  volumes:
    - /var/www/redmine.example.com/data:/home/redmine/data
    # Redmine's logs, kept on the host.
    - /var/www/redmine.example.com/logs:/var/log/redmine
# Start (or recreate) the Redmine container from the compose file above,
# detached from the terminal.
docker-compose --file /var/www/redmine.example.com/docker-compose.yml up -d
Name *: Example.com LDAP Host *: [_IP] Port *: 636; LDAPS: x Account: cn=manager,dc=example,dc=com Password: passwd Base DN *: ou=people,dc=example,dc=com LDAP filter: (&(objectClass=person)(memberOf=cn=developers,ou=groups,dc=example,dc=com)) Timeout (in seconds): On-the-fly user creation: x Login attribute *: uid Firstname attribute: givenName Lastname attribute: sn Email attribute: mail
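#!/bin/bash
# /var/git/create_repo.sh
#
# Creates a new bare Git repository under LOCAL_GIT_DIR, installs the Redmine
# post-update hook into it and hands the whole tree to nginx:nginx.
#
# Usage:  create_repo.sh <repo_name>
# Exit:   0 on success, 1 on a fatal error, E_OPTERROR (65) on wrong usage.
set -e
set -u

LOCAL_GIT_DIR="/var/git"
SCRIPT_NAME=$(basename "$0")
E_OPTERROR=65

# Prints the usage text and exits with E_OPTERROR.
function usage() {
    echo "USAGE:"
    echo " $SCRIPT_NAME [repo_name]"
    echo "OPTIONS:"
    echo " repo_name - name of the new Git repository."
    exit $E_OPTERROR
}

# Prints $1 to stderr and exits with status 1.
function fatal_error() {
    echo "$1" >&2
    exit 1
}

if [ $# -ne 1 ]; then
    echo "Wrong number of arguments specified."
    usage
fi

REPO_NAME=$1

# The name becomes a directory under LOCAL_GIT_DIR (and a URL path segment in
# nginx), so accept only plain names: letters, digits, '.', '_' and '-', not
# starting with '.'. This rules out "..", paths with slashes and hidden
# entries before anything is created or chown'ed.
case "${REPO_NAME}" in
    ""|.*|*/*|*[![:alnum:]._-]*)
        fatal_error "Error: invalid repository name '${REPO_NAME}' (allowed: [A-Za-z0-9._-], not starting with '.')."
        ;;
esac

cd "${LOCAL_GIT_DIR}"
# -e rather than -d: a stray file of that name would also make mkdir fail.
if [ -e "${REPO_NAME}" ]; then
    fatal_error "Error: the repository already exists!"
fi

# Create the bare repository; the subshell keeps the script's cwd unchanged
# (a failure inside it still aborts the script because of set -e).
mkdir "${REPO_NAME}"
(
    cd "${REPO_NAME}"
    git --bare init
    # Writes info/refs and objects/info/packs, used by clients that fetch
    # objects as static files.
    git update-server-info -f
)

# Install the hook that mirrors every push into Redmine's git directory.
cp ./post-update "${REPO_NAME}/hooks/"
chmod 755 "${REPO_NAME}/hooks/post-update"
chown -R nginx:nginx "${REPO_NAME}"

echo "Git repository successfully created."
exit 0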
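#!/bin/bash
# /var/git/migrate_repo.sh
#
# Attaches an existing bare repository under LOCAL_GIT_DIR to Redmine:
# installs the post-update hook into it and creates the mirror clone that
# Redmine reads from under REDMINE_GIT_DIR.
#
# Usage:  migrate_repo.sh <repo_name>
# Exit:   0 on success, 1 on a fatal error, E_OPTERROR (65) on wrong usage.
set -e
set -u

LOCAL_GIT_DIR="/var/git"
REDMINE_GIT_DIR="/var/www/redmine.example.com/data/git"
SCRIPT_NAME=$(basename "$0")
E_OPTERROR=65

# Prints the usage text and exits with E_OPTERROR.
function usage() {
    echo "USAGE:"
    echo " $SCRIPT_NAME [repo_name]"
    echo "OPTIONS:"
    echo " repo_name - name of the existing Git repository."
    exit $E_OPTERROR
}

# Prints $1 to stderr and exits with status 1.
function fatal_error() {
    echo "$1" >&2
    exit 1
}

if [ $# -ne 1 ]; then
    echo "Wrong number of arguments specified."
    usage
fi

REPO_NAME=$1

# The name is used as a directory name in two places, so accept only plain
# names: letters, digits, '.', '_' and '-', not starting with '.'. This rules
# out "..", paths with slashes and hidden entries.
case "${REPO_NAME}" in
    ""|.*|*/*|*[![:alnum:]._-]*)
        fatal_error "Error: invalid repository name '${REPO_NAME}' (allowed: [A-Za-z0-9._-], not starting with '.')."
        ;;
esac

SRC_REPO="${LOCAL_GIT_DIR}/${REPO_NAME}"
DST_REPO="${REDMINE_GIT_DIR}/${REPO_NAME}"

if [ ! -d "${SRC_REPO}" ]; then
    fatal_error "Error: the repository does not exists!"
fi

# An existing hook means the repository was migrated already (or is set up
# by hand); do not overwrite it silently.
if [ -f "${SRC_REPO}/hooks/post-update" ]; then
    fatal_error "Error: post-update hook already exists! The repository already migrated or should be migrated manually."
fi

# -e rather than -d: a stray file of that name would also make the clone fail.
if [ -e "${DST_REPO}" ]; then
    fatal_error "Error: redmine already contains the repository with the same name!"
fi

# Install the hook (create_repo.sh does the same for new repositories).
cp "${LOCAL_GIT_DIR}/post-update" "${SRC_REPO}/hooks/"
chown nginx:nginx "${SRC_REPO}/hooks/post-update"
chmod 755 "${SRC_REPO}/hooks/post-update"

# Create the mirror Redmine reads from. The post-update hook later runs
# `git fetch` in this clone, presumably as the nginx user that fcgiwrap runs
# as, so the clone gets the same owner as the repositories created by
# create_repo.sh.
git clone --mirror "${SRC_REPO}" "${DST_REPO}"
chown -R nginx:nginx "${DST_REPO}"

echo "Git repository successfully migrated."
exit 0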
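#!/bin/bash
# /var/git/post-update
#
# Git post-update hook: after every `git push` into a repository under
# /var/git, refresh (or create) the mirror clone that Redmine reads from.
# Git runs it with the pushed bare repository as the current directory.
# Best effort by design: if REDMINE_GIT_DIR does not exist the hook does
# nothing, and the push itself is never affected by its exit status.
REDMINE_GIT_DIR="/var/www/redmine.example.com/data/git"
REPO_PATH=${PWD}
REPO_NAME=$(basename "${REPO_PATH}")
LOG_FILE="/var/log/nginx/git_hooks_log"

# Appends a timestamped line ($1) to LOG_FILE.
function log_message() {
    echo "$(date '+%d-%m-%y %H:%M:%S')" "$1" >>"${LOG_FILE}"
}

if [ -d "${REDMINE_GIT_DIR}" ]; then
    # Without this guard a failed cd would run the clone below inside the
    # pushed repository itself.
    cd "${REDMINE_GIT_DIR}" || { log_message "ERROR: cannot enter ${REDMINE_GIT_DIR}"; exit 1; }
    if [ -d "${REPO_NAME}" ]; then
        # Mirror exists: fetch all refs and prune the ones deleted upstream.
        cd "${REPO_NAME}" || { log_message "ERROR: cannot enter ${PWD}/${REPO_NAME}"; exit 1; }
        log_message "UPDATED: ${PWD}"
        exec git fetch -q --all -p &>>"${LOG_FILE}"
    else
        # First push of a repository created with create_repo.sh: make the mirror.
        log_message "NEW: ${REPO_PATH} : ${REPO_NAME} : ${PWD}"
        exec git clone -q --mirror "${REPO_PATH}" "${REPO_NAME}" &>>"${LOG_FILE}"
    fi
fi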
--- nginx-1.8.0.ebuild 2015-08-05 14:31:19.000000000 +0300
+++ nginx-1.8.0.ebuild.new 2015-08-07 08:19:35.899578187 +0300
@@ -126,6 +126,12 @@
 HTTP_MOGILEFS_MODULE_URI="http://www.grid.net.ru/nginx/download/nginx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}.tar.gz"
 HTTP_MOGILEFS_MODULE_WD="${WORKDIR}/nginx_mogilefs_module-${HTTP_MOGILEFS_MODULE_PV}"
 
+# http_auth_ldap (https://github.com/kvspb/nginx-auth-ldap, ??? license)
+HTTP_AUTH_LDAP_MODULE_PV="master"
+HTTP_AUTH_LDAP_MODULE_P="ngx_http_auth_ldap-${HTTP_AUTH_LDAP_MODULE_PV}"
+HTTP_AUTH_LDAP_MODULE_URI="https://github.com/kvspb/nginx-auth-ldap/archive/${HTTP_AUTH_LDAP_MODULE_PV}.tar.gz"
+HTTP_AUTH_LDAP_MODULE_WD="${WORKDIR}/nginx-auth-ldap-${HTTP_AUTH_LDAP_MODULE_PV}"
+
 inherit eutils ssl-cert toolchain-funcs perl-module flag-o-matic user systemd versionator multilib
 
 DESCRIPTION="Robust, small and high performance http and reverse proxy server"
@@ -148,7 +154,8 @@
 nginx_modules_http_security? ( ${HTTP_SECURITY_MODULE_URI} -> ${HTTP_SECURITY_MODULE_P}.tar.gz )
 nginx_modules_http_push_stream? ( ${HTTP_PUSH_STREAM_MODULE_URI} -> ${HTTP_PUSH_STREAM_MODULE_P}.tar.gz )
 nginx_modules_http_sticky? ( ${HTTP_STICKY_MODULE_URI} -> ${HTTP_STICKY_MODULE_P}.tar.bz2 )
- nginx_modules_http_mogilefs? ( ${HTTP_MOGILEFS_MODULE_URI} -> ${HTTP_MOGILEFS_MODULE_P}.tar.gz )"
+ nginx_modules_http_mogilefs? ( ${HTTP_MOGILEFS_MODULE_URI} -> ${HTTP_MOGILEFS_MODULE_P}.tar.gz )
+ nginx_modules_http_auth_ldap? ( ${HTTP_AUTH_LDAP_MODULE_URI} -> ${HTTP_AUTH_LDAP_MODULE_P}.tar.gz )"
 
 LICENSE="BSD-2 BSD SSLeay MIT GPL-2 GPL-2+
 nginx_modules_http_security? ( Apache-2.0 )
@@ -180,7 +187,8 @@
 http_push_stream
 http_sticky
 http_ajp
- http_mogilefs"
+ http_mogilefs
+ http_auth_ldap"
 
 IUSE="aio debug +http +http-cache ipv6 libatomic luajit +pcre pcre-jit rtmp selinux ssl userland_GNU vim-syntax"
 
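Review bot: `HTTP_AUTH_LDAP_MODULE_PV="master"` in the first hunk fetches an unpinned GitHub branch archive, so the module source can change under the same distfile name and the build is neither reproducible nor verifiable against a stable Manifest digest; pin it to a release tag or commit, e.g. `HTTP_AUTH_LDAP_MODULE_PV="<tag-or-commit placeholder>"`, and derive the URI from that. The added comment still carries the `??? license` placeholder, and the visible start of the LICENSE string in the second hunk adds no `nginx_modules_http_auth_ldap? ( … )` entry to match the SRC_URI and NGINX_MODULES_OPT additions; whether it is appended further down the string is outside the hunk. The CDEPEND and configure hunks on the next line are consistent with these three.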
@@ -220,7 +228,8 @@
 nginx_modules_http_auth_pam? ( virtual/pam )
 nginx_modules_http_metrics? ( dev-libs/yajl )
 nginx_modules_http_dav_ext? ( dev-libs/expat )
- nginx_modules_http_security? ( >=dev-libs/libxml2-2.7.8 dev-libs/apr-util www-servers/apache )"
+ nginx_modules_http_security? ( >=dev-libs/libxml2-2.7.8 dev-libs/apr-util www-servers/apache )
+ nginx_modules_http_auth_ldap? ( net-nds/openldap )"
 RDEPEND="${CDEPEND}
 selinux? ( sec-policy/selinux-nginx )
 "
@@ -440,6 +449,11 @@
 myconf+=" --add-module=${HTTP_MOGILEFS_MODULE_WD}"
 fi
 
+ if use nginx_modules_http_auth_ldap; then
+ http_enabled=1
+ myconf+=" --add-module=${HTTP_AUTH_LDAP_MODULE_WD}"
+ fi
+
 if use http || use http-cache; then
 http_enabled=1
 fi
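# /etc/nginx/conf.d/git.example.com.ssl.conf
#
# Git over HTTPS with LDAP authentication. fcgiwrap (run as nginx:nginx per
# this page) executes git-http-backend; a repository is usable only by the
# LDAP login mapped to it below.

# fcgiwrap listens on a Unix socket.
upstream fastcgi-server {
    server unix:/run/fcgiwrap.sock-1;
}

ldap_server ldap_git_users {
    # ldap[s]://hostname:port/base_dn?attributes?scope?filter
    # Plain ldap:// is acceptable here only because slapd's ldap listener is
    # bound to loopback (see OPTS in /etc/conf.d/slapd).
    url "ldap://127.0.0.1:389/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)";
    # Read-only service account used to look users up. Its password sits in
    # clear text in this file: keep the file readable by root and nginx only.
    binddn "cn=manager,dc=example,dc=com";
    binddn_passwd passwd;
    # Group membership is checked through the group's uniqueMember values,
    # which hold the user's full DN.
    group_attribute uniqueMember;
    group_attribute_is_dn on;
    # satisfy any;
    require group "cn=developers,ou=groups,dc=example,dc=com";
}

# Repository -> LDAP login allowed to use it. $repo is the named capture of
# the location regexes below; $repo_login is compared with $remote_user after
# authentication. Unlisted repositories map to "" and therefore match nobody.
map $repo $repo_login {
    default "";
    "example.com" "example";
}

# Plain HTTP: redirect everything to HTTPS.
server {
    listen [_IP]:80;
    server_name git.example.com;
    return 301 https://git.example.com$request_uri;
}

# HTTPS
server {
    listen [_IP]:443 ssl;
    add_header Strict-Transport-Security max-age=2592000;
    server_name git.example.com;
    charset utf-8;

    ssl_certificate /etc/ssl/nginx/git.example.com.pem;
    ssl_certificate_key /etc/ssl/nginx/git.example.com.key;
    # TLS 1.0 and 1.1 are deprecated, so only TLS 1.2 is offered (TLSv1.3
    # needs a newer nginx than the 1.8.0 built on this page).
    ssl_protocols TLSv1.2;

    access_log /var/log/nginx/nginx_git.example.com-ssl_access_log main;
    error_log /var/log/nginx/nginx_git.example.com-ssl_error_log info;

    # The default document root is an empty directory: anything not explicitly
    # granted below ends in a 404 instead of exposing /var/git.
    root /var/git/empty;

    # Loose objects and packfiles are served as static files straight from the
    # repository, but only to the login mapped to that repository.
    location ~ "^/(?<repo>[^/]+)/objects/([0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(pack|idx))$" {
        auth_ldap "git::repository";
        auth_ldap_servers ldap_git_users;
        # Switch to the real root only when the authenticated user owns $repo;
        # otherwise the request is served from /var/git/empty (404).
        if ($remote_user = $repo_login) {
            root /var/git;
        }
    }

    # The rest of the smart HTTP protocol goes through git-http-backend.
    location ~ "^/(?<repo>[^/]+)/(HEAD|info/refs|objects/info/[^/]+|git-(upload|receive)-pack)$" {
        auth_ldap "git::repository";
        auth_ldap_servers ldap_git_users;
        fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
        fastcgi_param PATH_INFO $uri;
        fastcgi_param GIT_HTTP_EXPORT_ALL "";
        fastcgi_param GIT_PROJECT_ROOT /var/git;
        # git-http-backend accepts receive-pack (push) only when REMOTE_USER is set.
        fastcgi_param REMOTE_USER $remote_user;
        include fastcgi_params;
        # Same ownership check as above; a non-owner gets no fastcgi_pass and
        # is served from the empty root (404).
        if ($remote_user = $repo_login) {
            fastcgi_pass fastcgi-server;
        }
    }

    # Everything else.
    location / {
        return 404;
    }
}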
SERVER: 127.0.0.1; Port: 389 DN: cn=manager,dc=example,dc=com PASS: passwd BASEDN: ou=people,dc=example,dc=com
Group Display Name Field: cn Base Group Tree: ou=groups,dc=example,dc=com Group-Member association: uniqueMember
Users: (&(objectClass=person)(memberOf=cn=developers,ou=groups,dc=example,dc=com)) Login Attributes: (&(objectClass=person)(memberOf=cn=developers,ou=groups,dc=example,dc=com)(uid=%uid)) Groups: , ownCloud .
# davfs2 configuration (presumably ~/.davfs2/davfs2.conf; the page does not
# name the file): do not send WebDAV LOCK/UNLOCK requests to the server.
use_locks 0
# davfs2 credentials (format suggests ~/.davfs2/secrets — confirm):
# mount point, user name, password. mount.davfs rejects a secrets file that
# other users can read, so keep it mode 0600.
/home/<user>/workspace/example/cloud example "passwd"
# /etc/fstab: the ownCloud WebDAV share mounted with davfs2. "user" lets the
# unprivileged user mount it, "noauto" keeps it out of the boot-time mounts.
https://cloud.example.com/remote.php/webdav /home/<user>/workspace/example/cloud davfs user,noauto 0 0
# ~/.bashrc
# `wo`: mount the ownCloud share if it is not mounted yet, copy the deployed
# settings_local.py into the source tree (-u: only when the cloud copy is
# newer), activate the project's virtualenv and cd into the sources. The steps
# are chained with && so the first failure stops the sequence; as an alias it
# runs in the interactive shell, so the activate and cd take effect there.
alias wo=" \
mkdir -p ~/workspace/example/cloud && \
(mountpoint -q ~/workspace/example/cloud || mount ~/workspace/example/cloud) && \
cp -u ~/workspace/example/cloud/deploy/settings_local.py ~/workspace/example/src/project/settings_local.py && \
source ~/VEnvs/example/bin/activate && \
cd ~/workspace/example/src \
"
Source: https://habr.com/ru/post/274187/