AskOverflow.Dev


ALex_hha's questions

ALex_hha
Asked: 2019-02-09 07:12:52 +0800 CST

ldapsearch can't use ldap.google.com through stunnel

  • 2

Can't get it to work. I have to use stunnel to integrate Jenkins with the Google LDAP service. Without stunnel it works fine

$ LDAPTLS_CERT=/etc/stunnel/gldap.crt LDAPTLS_KEY=/etc/stunnel/gldap.key \
ldapsearch -H ldaps://ldap.google.com -b "dc=example,dc=com" uid=alex mail

SASL/EXTERNAL authentication started
SASL username: st=California,c=US,ou=GSuite,cn=LDAP Client,l=Mountain View,o=Google Inc.
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=alex
# requesting: mail 
#

# alex, Users, example.com
dn: uid=alex,ou=Users,dc=example,dc=com
mail: [email protected]

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

I've tried both - ubuntu-16.04 and 18.04. The stunnel config is very simple, based on the official docs

# cat /etc/stunnel/ldap.conf 
debug = 7
output = /tmp/stunnel-gldap.log

[ldap]
client = yes
accept = 127.0.0.1:389
connect = ldap.google.com:636
cert = /etc/stunnel/gldap.crt
key = /etc/stunnel/gldap.key

But it doesn't work through stunnel

$ ldapsearch -H ldap://127.0.0.1 -b "dc=example,dc=com" uid=alex
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available:

Tunnel log

2019.02.08 17:00:24 LOG7[main]: Service [ldap] accepted (FD=3) from 127.0.0.1:42296
2019.02.08 17:00:24 LOG7[0]: Service [ldap] started
2019.02.08 17:00:24 LOG5[0]: Service [ldap] accepted connection from 127.0.0.1:42296
2019.02.08 17:00:24 LOG6[0]: s_connect: connecting 216.239.32.58:636
2019.02.08 17:00:24 LOG7[0]: s_connect: s_poll_wait 216.239.32.58:636: waiting 10 seconds
2019.02.08 17:00:24 LOG5[0]: s_connect: connected 216.239.32.58:636
2019.02.08 17:00:24 LOG5[0]: Service [ldap] connected remote server from 192.168.3.13:59504
2019.02.08 17:00:24 LOG7[0]: Remote descriptor (FD=9) initialized
2019.02.08 17:00:24 LOG6[0]: SNI: sending servername: ldap.google.com
2019.02.08 17:00:24 LOG7[0]: SSL state (connect): before/connect initialization
2019.02.08 17:00:24 LOG7[0]: SSL state (connect): SSLv2/v3 write client hello A
2019.02.08 17:00:24 LOG6[0]: Certificate verification disabled
2019.02.08 17:00:24 LOG6[0]: Certificate verification disabled
2019.02.08 17:00:24 LOG7[0]:      1 client connect(s) requested
2019.02.08 17:00:24 LOG7[0]:      1 client connect(s) succeeded
2019.02.08 17:00:24 LOG7[0]:      0 client renegotiation(s) requested
2019.02.08 17:00:24 LOG7[0]:      0 session reuse(s)
2019.02.08 17:00:24 LOG6[0]: SSL connected: new session negotiated
2019.02.08 17:00:24 LOG7[0]: Peer certificate was cached (3201 bytes)
2019.02.08 17:00:24 LOG6[0]: Negotiated TLSv1.2 ciphersuite ECDHE-RSA-AES128-GCM-SHA256 (128-bit encryption)
2019.02.08 17:00:24 LOG7[0]: Compression: null, expansion: null
2019.02.08 17:00:25 LOG6[0]: Read socket closed (readsocket)
2019.02.08 17:00:25 LOG7[0]: Sending close_notify alert
2019.02.08 17:00:25 LOG7[0]: SSL alert (write): warning: close notify
2019.02.08 17:00:25 LOG6[0]: SSL_shutdown successfully sent close_notify alert
2019.02.08 17:00:25 LOG6[0]: SSL socket closed (SSL_read)
2019.02.08 17:00:25 LOG7[0]: Sent socket write shutdown
2019.02.08 17:00:25 LOG5[0]: Connection closed: 71 byte(s) sent to SSL, 71 byte(s) sent to socket
2019.02.08 17:00:25 LOG7[0]: Remote descriptor (FD=9) closed
2019.02.08 17:00:25 LOG7[0]: Local descriptor (FD=3) closed
2019.02.08 17:00:25 LOG7[0]: Service [ldap] finished (0 left)

I also tried ldapsearch with debug output

$ ldapsearch -d5 -H ldap://127.0.0.1 -b "dc=example,dc=com" uid=alex
ldap_url_parse_ext(ldap://127.0.0.1)
ldap_create
ldap_url_parse_ext(ldap://127.0.0.1:389/??base)
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: supportedSASLMechanisms
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect: 
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 4
ldap_result ld 0x56265b1fd400 msgid 1
wait4msg ld 0x56265b1fd400 msgid 1 (infinite timeout)
wait4msg continue ld 0x56265b1fd400 msgid 1 all 1
** ld 0x56265b1fd400 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Feb  8 17:02:39 2019


** ld 0x56265b1fd400 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x56265b1fd400 request count 1 (abandoned 0)
** ld 0x56265b1fd400 Response Queue:
   Empty
  ld 0x56265b1fd400 response count 0
ldap_chkResponseList ld 0x56265b1fd400 msgid 1 all 1
ldap_chkResponseList returns ld 0x56265b1fd400 NULL
ldap_int_select
read1msg: ld 0x56265b1fd400 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 55 contents:
read1msg: ld 0x56265b1fd400 msgid 1 message type search-entry
wait4msg continue ld 0x56265b1fd400 msgid 1 all 1
** ld 0x56265b1fd400 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Feb  8 17:02:39 2019


** ld 0x56265b1fd400 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x56265b1fd400 request count 1 (abandoned 0)
** ld 0x56265b1fd400 Response Queue:
 * msgid 1,  type 100
  ld 0x56265b1fd400 response count 1
ldap_chkResponseList ld 0x56265b1fd400 msgid 1 all 1
ldap_chkResponseList returns ld 0x56265b1fd400 NULL
ldap_int_select
read1msg: ld 0x56265b1fd400 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x56265b1fd400 msgid 1 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x56265b1fd400 0 new referrals
read1msg:  mark request completed, ld 0x56265b1fd400 msgid 1
request done: ld 0x56265b1fd400 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
adding response ld 0x56265b1fd400 msgid 1 type 101:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_get_values
ber_scanf fmt ({x{{a) ber:
ber_scanf fmt ([v]) ber:
ldap_msgfree
ldap_sasl_interactive_bind: server supports: EXTERNAL PLAIN
ldap_int_sasl_bind: EXTERNAL PLAIN
ldap_int_sasl_open: host=ws-alex
SASL/EXTERNAL authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available: 
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed

The same happens with Jenkins when I try to use stunnel.

Login
Authentication: failed for user "uid=alex,ou=Users,dc=example,dc=com"

Lookup
User lookup: user "uid=alex,ou=Users,dc=example,dc=com" does not exist.
Does looking up user details require a Manager Dn and password?
Are the user search base and user search filter settings correct?

LDAP Group lookup: could not verify.
Please try with a user that is a member of at least one LDAP group.

Lockout
The user "uid=alex,ou=Users,dc=example,dc=com" will be unable to login with the supplied password.
If this is your own account this would mean you would be locked out!
Are you sure you want to save this configuration?

What am I missing? Or maybe there is another workaround?

Thanks in advance

Update 1

I was able to use ldapsearch successfully with the following command (had to use a bind_dn user)

$ ldapsearch -x -D "BIND_USER" -w 123456789 -H ldap://127.0.0.1 -b "dc=example,dc=com" uid=alex
ldap_bind: Success (0)
    additional info: Valid access code
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: uid=alex
# requesting: ALL
#

# alex, Users, example.com
dn: uid=alex,ou=Users,dc=example,dc=com

But Jenkins still doesn't work

ldap
  • 1 answer
  • 3254 Views
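Two things in the post are worth pulling out. First, the tunnel log says "Certificate verification disabled" twice: the posted stunnel.conf has no verify, CAfile or checkHost option, so stunnel accepts whatever certificate answers on ldap.google.com:636, and everything sent through the plaintext side (in Update 1 that includes the bind password) would reach an impersonating server. Second, SASL/EXTERNAL derives the client identity from the LDAP client's own TLS session; through the tunnel libldap talks plain ldap:// to 127.0.0.1 (SSF 0, no client certificate of its own), so EXTERNAL cannot be used and a simple bind (-x -D) is the workable path, as Update 1 shows. The following is an added example, not code from the post or from the stunnel project: a small linter that parses an stunnel client configuration and reports missing peer verification. POSTED_CONF is the configuration from the post; HARDENED_CONF is a constructed variant of it; option names are those of the stunnel 5.x manual and the CA bundle path is the Debian/Ubuntu default (an assumption for other distributions).

```python
"""Lint an stunnel client service for TLS peer verification.

Added illustration; not code from the post or from stunnel itself.
POSTED_CONF is the configuration from the post, HARDENED_CONF a constructed
variant.  Option names follow the stunnel 5.x manual (verifyChain, CAfile,
checkHost); the CA bundle path is the Debian/Ubuntu default (assumption).
"""
import configparser
import ipaddress

POSTED_CONF = """\
debug = 7
output = /tmp/stunnel-gldap.log

[ldap]
client = yes
accept = 127.0.0.1:389
connect = ldap.google.com:636
cert = /etc/stunnel/gldap.crt
key = /etc/stunnel/gldap.key
"""

# Same service, but the server certificate is actually checked: the chain is
# verified against the system CA bundle and the leaf must match the SNI name.
HARDENED_CONF = POSTED_CONF + """\
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
"""


def parse_stunnel(text):
    """stunnel.conf is INI-like: global options come before the first [service].
    configparser lower-cases option names, matching stunnel's case-insensitive
    option handling."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("[__global__]\n" + text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "__global__"}


def _is_loopback(accept):
    """accept may be 'port', 'host:port' or '[v6]:port'; a bare port binds all interfaces."""
    host = accept.rsplit(":", 1)[0] if ":" in accept else "0.0.0.0"
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host == "localhost"


def audit_client_service(name, opts):
    """Return a list of findings for one client-mode service; [] means clean."""
    findings = []
    if opts.get("client", "no").lower() != "yes":
        return findings  # server-mode services are out of scope here
    legacy_verify = opts.get("verify", "0")
    chain_checked = opts.get("verifychain", "no").lower() == "yes" or legacy_verify in ("2", "3")
    if not chain_checked:
        findings.append(f"[{name}]: server certificate chain is not verified "
                        "(set verifyChain = yes, or verify = 2 on older stunnel)")
    if "cafile" not in opts and "capath" not in opts:
        findings.append(f"[{name}]: no CAfile/CApath, so there is no trust anchor to verify against")
    if "checkhost" not in opts and "checkip" not in opts:
        findings.append(f"[{name}]: no checkHost/checkIP, any certificate from the trusted CAs is accepted")
    if "accept" in opts and not _is_loopback(opts["accept"]):
        findings.append(f"[{name}]: plaintext listener {opts['accept']} is not loopback-only")
    return findings


def audit(text):
    """Audit every service in a config; maps service name -> list of findings."""
    return {name: audit_client_service(name, opts) for name, opts in parse_stunnel(text).items()}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

With the hardened settings a wrong certificate makes stunnel log a verification failure and drop the connection instead of the "Certificate verification disabled" lines above; the plaintext listener should stay on 127.0.0.1 as in the post, since anything that can reach it speaks to Google LDAP with the tunnel's client certificate.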
ALex_hha
Asked: 2017-02-21 12:11:47 +0800 CST

How to grant a specific IAM user access to SQS

  • 4

I need to create a very simple IAM policy and apply it to a specific queue. I need to grant access to the queue (it should be full access) to one specific IAM user only.

Because at the moment, by default, all IAM users with the AmazonSQSFullAccess / AdministratorAccess policies can send/read messages to the queue.

I tried the following policies without success

Policy 1

{
  "Version": "2012-10-17",
  "Id": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue/SQSDefaultPolicy",
  "Statement": [
    {
      "Sid": "Sid1487598389851",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue",
      "Condition": {
        "ArnNotEquals": {
          "aws:SourceArn": "arn:aws:iam::930XXXXXX332:user/test-sqs"
        }
      }
    },
    {
      "Sid": "Sid1487599825058",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::930XXXXXX332:user/test-sqs"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:us-east-1:930XXXXXX332:task-queue"
    }
  ]
}

Policy 2 (the same as above, but I tried a different condition)

"Condition": {
        "NotPrincipal": { 
             "AWS": "arn:aws:iam::930XXXXXX332:user/test-sqs" 
        }
  }

In other words - I need to get something like the following

Allow: user1, user2
Deny: *

Is that possible?

At the moment I have to list every user explicitly in the Deny effect. This is very inconvenient

amazon-web-services
  • 2 answers
  • 5734 Views
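The "Allow: user1, user2 / Deny: *" shape is expressible in a queue policy because an explicit Deny overrides any Allow, including the Allow a user gets from AmazonSQSFullAccess or AdministratorAccess in the same account. Two details decide whether it works: NotPrincipal is a statement-level element, not a Condition operator, and the condition key that names the caller is aws:PrincipalArn (aws:SourceArn describes an AWS resource making a service-to-service call, not the IAM user). The AWS documentation also recommends listing the account root ARN next to the user whenever NotPrincipal is combined with Deny. The following added example is not AWS code and not the poster's policy: it writes both working forms of the policy and runs them through a deliberately small model of IAM evaluation (explicit Deny beats Allow; Principal/NotPrincipal matched against the caller ARN; ArnEquals/ArnNotEquals against aws:PrincipalArn). Identity policies, SCPs, session principals and wildcard ARNs are out of scope of the model; ACCOUNT keeps the redaction from the post.

```python
"""Model the 'allow one IAM user, deny everyone else' SQS queue policy.

Added illustration; not AWS code and not the poster's policy.  Only the parts
of IAM evaluation needed here are modelled: explicit Deny beats Allow,
Principal/NotPrincipal are statement-level elements matched against the
caller ARN, and ArnEquals/ArnNotEquals are evaluated against aws:PrincipalArn.
"""
import fnmatch

ACCOUNT = "930XXXXXX332"  # redacted account id, as in the post
QUEUE = f"arn:aws:sqs:us-east-1:{ACCOUNT}:task-queue"
TEST_SQS = f"arn:aws:iam::{ACCOUNT}:user/test-sqs"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"

# Form 1: NotPrincipal on the Deny statement.  AWS documents listing the
# account root alongside the user whenever NotPrincipal is combined with Deny.
NOTPRINCIPAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowTestSqs", "Effect": "Allow",
         "Principal": {"AWS": TEST_SQS},
         "Action": "SQS:*", "Resource": QUEUE},
        {"Sid": "DenyEveryoneElse", "Effect": "Deny",
         "NotPrincipal": {"AWS": [TEST_SQS, ROOT]},
         "Action": "SQS:*", "Resource": QUEUE},
    ],
}

# Form 2: Deny to Principal "*" unless the caller's own ARN matches.
# aws:PrincipalArn is the caller; aws:SourceArn would not identify the user.
CONDITION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        NOTPRINCIPAL_POLICY["Statement"][0],
        {"Sid": "DenyUnlessTestSqs", "Effect": "Deny", "Principal": "*",
         "Action": "SQS:*", "Resource": QUEUE,
         "Condition": {"ArnNotEquals": {"aws:PrincipalArn": TEST_SQS}}},
    ],
}

_POSITIVE = ("ArnEquals", "ArnLike")
_NEGATIVE = ("ArnNotEquals", "ArnNotLike")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_set(spec):
    """None stands for the wildcard principal '*'."""
    return None if spec == "*" else set(_as_list(spec.get("AWS", [])))


def _principal_matches(stmt, caller):
    if "Principal" in stmt:
        allowed = _principal_set(stmt["Principal"])
        return allowed is None or caller in allowed
    if "NotPrincipal" in stmt:
        excluded = _principal_set(stmt["NotPrincipal"])
        return excluded is not None and caller not in excluded
    return False


def _condition_matches(cond, ctx):
    """All operators in a Condition block must hold; ctx always carries the keys used."""
    for op, pairs in cond.items():
        if op not in _POSITIVE + _NEGATIVE:
            raise NotImplementedError(op)
        for key, wanted in pairs.items():
            hit = any(fnmatch.fnmatchcase(ctx[key], w) for w in _as_list(wanted))
            if (op in _POSITIVE and not hit) or (op in _NEGATIVE and hit):
                return False
    return True


def evaluate(policy, caller_arn, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    ctx = {"aws:PrincipalArn": caller_arn}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue  # action names are matched case-insensitively
        if resource not in _as_list(stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    admin = f"arn:aws:iam::{ACCOUNT}:user/admin-with-AmazonSQSFullAccess"
    for pol in (NOTPRINCIPAL_POLICY, CONDITION_POLICY):
        print(pol["Statement"][1]["Sid"],
              evaluate(pol, TEST_SQS, "sqs:SendMessage", QUEUE),
              evaluate(pol, admin, "sqs:ReceiveMessage", QUEUE))
```

Both forms give test-sqs "Allow" and every other principal in the account an explicit "Deny" on the queue, which is what the Deny: * line in the post asks for; the IAM policy simulator in the console is the place to confirm the real service agrees before saving a policy that can lock out the account's administrators.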
ALex_hha
Asked: 2013-04-24 11:53:33 +0800 CST

Squid: can't connect to a peer with tcp_outgoing_address

  • 1

I have a problem configuring two squid servers. I have the following scheme -

(network diagram from the original post; image not included)

The main idea is to download all files from rackspace and amazon through the parent squid and keep them all in its cache.

PBR (iptables + ip route) is configured on the main_squid server. All packets go out through the same link the request came in on

# ip ru sh
0:      from all lookup local
1000:   from all fwmark 0x3e8 lookup ISP1
2000:   from all fwmark 0x7d0 lookup ISP2
3011:   from all fwmark 0xbc3 lookup ISP3
32762:  from xxx.xxx.xxx.62 lookup ISP1
32763:  from yyy.yyy.yyy.239 lookup ISP2
32764:  from zzz.zzz.zzz.10 lookup ISP3
32766:  from all lookup main
32767:  from all lookup default

main_squid squid.conf

http_port 192.168.210.1:3128 transparent

cache_peer 192.168.220.2 sibling 3128 3130
dead_peer_timeout 5 seconds

acl AMAZON dstdom_regex -i (.*)s3\.amazonaws\.com
cache_peer_access 192.168.220.2 allow AMAZON

acl RACKSPACE dstdom_regex -i (.*)rackcdn\.com
cache_peer_access 192.168.220.2 allow RACKSPACE

url_rewrite_program /usr/bin/squidguard
url_rewrite_children 32

cache_dir null /tmp
cache_store_log none
cache deny all

acl local_net src 192.168.0.0/16
http_access allow local_net

parent_squid squid.conf

http_port 192.168.220.2:3128
acl main_squid src 192.168.220.1

http_access allow main_squid
http_access allow manager localhost
http_access allow manager main_squid

icp_access allow main_squid

cache_mem 30 GB
maximum_object_size_in_memory 128 MB
cache_dir aufs /squid 400000 16 256
minimum_object_size 16384 KB
maximum_object_size 1024 MB
cache_swap_low 93
cache_swap_high 98

acl PSD urlpath_regex -i \.psd$
cache allow PSD

acl ZIP urlpath_regex -i \.zip$
cache allow ZIP

acl OTHER url_regex -i ^http://*
cache deny OTHER

refresh_pattern \.psd$ 2592000 100 2592000 override-lastmod override-expire ignore-reload ignore-no-cache
refresh_pattern \.zip$ 2592000 100 2592000 override-lastmod override-expire ignore-reload ignore-no-cache

Everything works fine until I uncomment the following line on main_squid

tcp_outgoing_address yyy.yyy.yyy.239

When I try to download any zip file from amazon I see the following message in cache.log

2013/04/22 01:00:41| TCP connection to 192.168.220.2/3128 failed

If I run tcpdump on yyy.yyy.yyy.239, I see main_squid trying to connect to the parent through the external interface, without success.

So my question: how can I configure main_squid so that it can connect to the parent even with the tcp_outgoing_address option configured?

P.S.

# squid -v
Squid Cache: Version 2.6.STABLE21
configure options:  '--host=x86_64-unknown-linux-gnu'
'--build=x86_64-unknown-linux-gnu' '--program-prefix=' '--prefix=/usr'
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--sysconfdir=/etc' '--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--exec_prefix=/usr' '--bindir=/usr/sbin'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share' '--sysconfdir=/etc/squid' '--enable-arp-acl'
'--enable-epoll' '--enable-snmp' '--enable-removal-policies=heap,lru'
'--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-ssl'
'--with-openssl=/usr/kerberos' '--enable-delay-pools'
'--enable-linux-netfilter' '--with-pthreads'
'--enable-ntlm-auth-helpers=SMB,fakeauth'
'--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-digest-auth-helpers=password'
'--with-winbind-auth-challenge' '--enable-useragent-log'
'--enable-referer-log' '--disable-dependency-tracking'
'--enable-cachemgr-hostname=localhost' '--enable-underscores'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL'
'--enable-cache-digests' '--enable-ident-lookups'
'--enable-follow-x-forwarded-for' '--enable-wccpv2'
'--enable-fd-config' '--with-maxfd=16384'
'build_alias=x86_64-unknown-linux-gnu'
'host_alias=x86_64-unknown-linux-gnu' 'CFLAGS=-D_FORTIFY_SOURCE=2
-fPIE -Os -g -pipe -fsigned-char' 'LDFLAGS=-pie'

Any help would be appreciated

linux
  • 2 answers
  • 5505 Views
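The tcpdump observation in the post follows directly from the ip rule output shown there. With tcp_outgoing_address set, Squid binds the outgoing socket to yyy.yyy.yyy.239 before connecting, so the route lookup for 192.168.220.2 matches rule 32763 (from yyy.yyy.yyy.239 lookup ISP2) and ISP2's default route sends the connection out the external interface; without tcp_outgoing_address the socket is unbound at lookup time, only the "from all" rules can match, and main's LAN route wins. Two fixes follow: add the LAN route to the ISP table (ip route add 192.168.220.0/24 dev <lan-if> table ISP2), or keep peer traffic unbound by giving tcp_outgoing_address an ACL, which squid 2.6 supports (acl to_peer dst 192.168.220.2 followed by tcp_outgoing_address yyy.yyy.yyy.239 !to_peer). The following is an added example, not code from the post or from Squid: a small tracer that applies the kernel's rule walk to the posted ip ru sh output. The redacted ISP addresses are replaced by RFC 5737 documentation addresses, the routing tables themselves are constructed (the post does not show them; interface names and the /24 on the LAN are assumptions), and Squid's own connect() is taken to carry no fwmark since the iptables marks in the post apply to forwarded client traffic (also an assumption).

```python
"""Trace a Linux policy-routing decision for a locally originated connect().

Added illustration; not code from the post or from Squid.  RULES_TEXT is the
'ip ru sh' output from the post with redacted ISP addresses replaced by
RFC 5737 documentation addresses; TABLES is a constructed set of routing
tables consistent with that setup (interface names and the LAN /24 assumed).
"""
import ipaddress
import re

RULES_TEXT = """\
0:      from all lookup local
1000:   from all fwmark 0x3e8 lookup ISP1
2000:   from all fwmark 0x7d0 lookup ISP2
3011:   from all fwmark 0xbc3 lookup ISP3
32762:  from 203.0.113.62 lookup ISP1
32763:  from 198.51.100.239 lookup ISP2
32764:  from 192.0.2.10 lookup ISP3
32766:  from all lookup main
32767:  from all lookup default
"""

# Each ISP table knows only its own link and a default route through that ISP;
# only 'main' has the route to the LAN where parent_squid (192.168.220.2) sits.
TABLES = {
    "local": [],
    "ISP1": ["203.0.113.0/24 dev eth1", "default via 203.0.113.1 dev eth1"],
    "ISP2": ["198.51.100.0/24 dev eth2", "default via 198.51.100.1 dev eth2"],
    "ISP3": ["192.0.2.0/24 dev eth3", "default via 192.0.2.1 dev eth3"],
    "main": ["192.168.210.0/24 dev eth0", "192.168.220.0/24 dev eth4",
             "default via 203.0.113.1 dev eth1"],
    "default": [],
}

RULE_RE = re.compile(r"^\s*(\d+):\s+from (\S+)(?: fwmark (0x[0-9a-fA-F]+))? lookup (\S+)")


def parse_rules(text):
    """Parse 'ip rule show' lines into dicts, lowest priority number first."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        prio, src, mark, table = m.groups()
        rules.append({
            "prio": int(prio),
            "from": None if src == "all" else ipaddress.ip_network(src),
            "fwmark": int(mark, 16) if mark else None,
            "table": table,
        })
    return sorted(rules, key=lambda r: r["prio"])


def lookup_route(table, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    best = None
    for route in table:
        prefix = route.split()[0]
        net = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def resolve(rules, tables, dst, src=None, fwmark=None):
    """Walk the rules in order and return (table, route) for the first hit.

    A 'from X' rule matches only when the socket is already bound to an
    address in X (tcp_outgoing_address binds before connecting); an unbound
    socket has src=None and only 'from all' rules can match.  When the
    selected table has no route for dst, the kernel moves on to the next rule."""
    dst_ip = ipaddress.ip_address(dst)
    src_ip = ipaddress.ip_address(src) if src else None
    for r in rules:
        if r["from"] is not None and (src_ip is None or src_ip not in r["from"]):
            continue
        if r["fwmark"] is not None and r["fwmark"] != fwmark:
            continue
        route = lookup_route(tables.get(r["table"], []), dst_ip)
        if route is not None:
            return r["table"], route
    return None, None


def with_route(tables, table, route):
    """Copy of tables with one extra route, e.g. the LAN added to the ISP2 table."""
    fixed = {k: list(v) for k, v in tables.items()}
    fixed[table].append(route)
    return fixed


RULES = parse_rules(RULES_TEXT)
PEER = "192.168.220.2"
OUTGOING = "198.51.100.239"  # stands in for yyy.yyy.yyy.239 from the post

if __name__ == "__main__":
    print("unbound socket         ->", resolve(RULES, TABLES, PEER))
    print("bound to ISP2 address  ->", resolve(RULES, TABLES, PEER, src=OUTGOING))
    fixed = with_route(TABLES, "ISP2", "192.168.220.0/24 dev eth4")
    print("ISP2 table + LAN route ->", resolve(RULES, fixed, PEER, src=OUTGOING))
```

Running it reproduces the failure (the bound socket resolves to ISP2's default route) and shows that adding the LAN prefix to ISP2 repairs the lookup while leaving the ISP-specific rules for marked client traffic untouched.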
ALex_hha
Asked: 2013-01-31 11:16:50 +0800 CST

Caching a large amount of data

  • 3

We need to cache all psd/zip files from our Amazon S3 storage. The cache volume is between 150-200 GB (we need to keep files for at least 2 months). Right now we use a transparent squid proxy without any caching.

So my question is: is it possible to configure the "main" squid so that all requests to s3.amazonaws.com are proxied to a parent squid? On the parent squid we only need to cache all zip and psd files from s3.amazonaws.com. If there is no such file in the cache, the parent squid downloads it and puts the "new" file into the cache.

How does squid handle 1-2 GB files? Are there any limits?

The main justification for this setup is that all psd/zip files from Amazon storage get delivered to local clients at the full speed of the local cache. Because different employees work with the same files at the same time, we spend a lot of time downloading those files for each employee

Can this problem be solved in a different way?

linux
  • 1 answer
  • 1411 Views


© 2023 AskOverflow.DEV All Rights Reserve