forked from docs/doc-exports
Reviewed-by: Pruthi, Vineet <vineet.pruthi@t-systems.com> Reviewed-by: Rechenburg, Matthias <matthias.rechenburg@t-systems.com> Co-authored-by: Yang, Tong <yangtong2@huawei.com> Co-committed-by: Yang, Tong <yangtong2@huawei.com>
<a name="admin_guide_000274"></a>
<h1 class="topictitle1">Configuring a Trusted IP Address to Access LDAP</h1>
<div id="body1530067731235"><div class="section" id="admin_guide_000274__sa6e92d3e96a449ceb538d27eb5a7209f"><h4 class="sectiontitle">Scenario</h4><p id="admin_guide_000274__en-us_topic_0046736701_p57482668">By default, the LDAP service deployed in the OMS and cluster can be accessed by any IP address. To enable the LDAP service to be accessed by only trusted IP addresses, you can configure the INPUT policy in the iptables filtering list.</p>
</div>
<div class="section" id="admin_guide_000274__sa494c29a5201459eb81d0c35196c86ea"><h4 class="sectiontitle">Impact on the System</h4><p id="admin_guide_000274__en-us_topic_0046736701_p25584516">After the configuration, the LDAP service can no longer be accessed from IP addresses that are not configured as trusted. Before a cluster expansion, the IP addresses of the nodes to be added must first be configured as trusted IP addresses.</p>
</div>
<div class="section" id="admin_guide_000274__s054c83a4f74c4d36a38c0b5cf96a62ac"><h4 class="sectiontitle">Prerequisites</h4><ul id="admin_guide_000274__en-us_topic_0046736701_ul59079892"><li id="admin_guide_000274__en-us_topic_0046736701_li61956985">You have collected the management plane IP addresses and service plane IP addresses of all nodes in the cluster and all floating IP addresses.</li><li id="admin_guide_000274__en-us_topic_0046736701_li20741957">You have obtained the <strong id="admin_guide_000274__b2043619184615">root</strong> user account for all nodes in the cluster.</li></ul>
</div>
<div class="section" id="admin_guide_000274__saeab6358042e4f05986a84acf19d9630"><h4 class="sectiontitle">Procedure</h4><p class="tableheading" id="admin_guide_000274__en-us_topic_0046736701_p2376958"><strong id="admin_guide_000274__b21154500195011">Configuring trusted IP addresses for the LDAP service on the OMS</strong></p>
<ol id="admin_guide_000274__ol25142301195029"><li id="admin_guide_000274__li48156443195016"><span>Confirm the management node IP address. For details, see <a href="admin_guide_000005.html">Logging In to the Management Node</a>.</span></li><li id="admin_guide_000274__li8357850195016"><span>Log in to <span id="admin_guide_000274__text67509419010">MRS</span> Manager. For details, see <a href="admin_guide_000004.html">Logging In to MRS Manager</a>.</span></li><li id="admin_guide_000274__li8111794195016"><span>Choose <span class="menucascade" id="admin_guide_000274__menucascade531519219713"><b><span class="uicontrol" id="admin_guide_000274__uicontrol83151213720">System</span></b> > <b><span class="uicontrol" id="admin_guide_000274__uicontrol777935673">OMS</span></b></span> and choose <span class="menucascade" id="admin_guide_000274__menucascade0164539179"><b><span class="uicontrol" id="admin_guide_000274__uicontrol1316412399711">oldap</span></b> > <b><span class="uicontrol" id="admin_guide_000274__uicontrol141032411074">Modify Configuration</span></b></span> to view the OMS LDAP port number, that is, the value of <strong id="admin_guide_000274__b2040018715311">LDAP Listening Port</strong>. The default port number is <strong id="admin_guide_000274__b942451350115223">21750</strong>.</span></li><li id="admin_guide_000274__li5897282195016"><span>Log in to the active management node as user <strong id="admin_guide_000274__b993892575416">root</strong> using the IP address of the active management node.</span></li><li id="admin_guide_000274__li727167195016"><a name="admin_guide_000274__li727167195016"></a><a name="li727167195016"></a><span>Run the following command to check the INPUT policy in the iptables filtering list:</span><p><p class="litext" id="admin_guide_000274__p7917818195016"><strong id="admin_guide_000274__b53075540195016">iptables -L</strong></p>
<p class="litext" id="admin_guide_000274__p4151499195016">For example, if no rule is configured, the INPUT policy is displayed as follows:</p>
<pre class="screen" id="admin_guide_000274__screen37363498195016">Chain INPUT (policy ACCEPT)
target prot opt source destination </pre>
</p></li><li id="admin_guide_000274__li54403823195016"><span>Run the following command to configure all IP addresses used by the cluster as trusted IP addresses. Each IP address must be added with a separate command.</span><p><p class="litext" id="admin_guide_000274__p35633985195016"><strong id="admin_guide_000274__b6544507195016">iptables -A INPUT -s </strong><em id="admin_guide_000274__i1053782105919">Trusted IP address </em><strong id="admin_guide_000274__b6216636195016">-p tcp --dport </strong><em id="admin_guide_000274__i199211216185911">Port number </em><strong id="admin_guide_000274__b33785493195016">-j ACCEPT</strong></p>
<p class="litext" id="admin_guide_000274__p52270411195016">For example, to configure <strong id="admin_guide_000274__b108820291303">10.0.0.1</strong> as a trusted IP address and enable it to access port <strong id="admin_guide_000274__b1829113113113">21750</strong>, you need to run the following command:</p>
<p class="litext" id="admin_guide_000274__p6044869195016"><strong id="admin_guide_000274__b671652195016">iptables -A INPUT -s 10.0.0.1 -p tcp --dport 21750 -j ACCEPT</strong></p>
</p></li><li id="admin_guide_000274__li66459090195016"><span>Run the following command to append a rule that drops access to the LDAP port from all other IP addresses. Because the INPUT chain is evaluated from top to bottom, the ACCEPT rules added in the previous step take precedence, so the trusted IP addresses are not affected by this rule.</span><p><p class="litext" id="admin_guide_000274__p58547551195016"><strong id="admin_guide_000274__b19872363195016">iptables -A INPUT -p tcp --dport </strong><em id="admin_guide_000274__i779111915210">Port number </em><strong id="admin_guide_000274__b66157607195016">-j DROP</strong></p>
<p class="litext" id="admin_guide_000274__p57165918195016">For example, to block access to port <strong id="admin_guide_000274__b1884992214514">21750</strong> from all other IP addresses, run the following command:</p>
<p class="litext" id="admin_guide_000274__p67036666195016"><strong id="admin_guide_000274__b44731220195016">iptables -A INPUT -p tcp --dport 21750 -j DROP</strong></p>
</p></li><li id="admin_guide_000274__li17775546195016"><span>Run the following command to view the modified INPUT policy in the iptables filtering list:</span><p><p class="litext" id="admin_guide_000274__p14477184195016"><strong id="admin_guide_000274__b61260899195016">iptables -L</strong></p>
<p class="litext" id="admin_guide_000274__p63185792195016">For example, after a trusted IP address is configured, the INPUT policy is displayed as follows:</p>
<pre class="screen" id="admin_guide_000274__screen31801222195016">Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.0.0.1 anywhere tcp dpt:21750
DROP tcp -- anywhere anywhere tcp dpt:21750 </pre>
</p></li><li id="admin_guide_000274__li57263011195016"><span>Run the following command to view the rules and rule numbers in the iptables filtering list:</span><p><p class="litext" id="admin_guide_000274__p30533112195016"><strong id="admin_guide_000274__b25762189195016">iptables -L -n --line-numbers</strong></p>
<pre class="screen" id="admin_guide_000274__screen6362556195016">Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21750 </pre>
</p></li><li id="admin_guide_000274__li28581039195016"><a name="admin_guide_000274__li28581039195016"></a><a name="li28581039195016"></a><span>Run the following command to delete a rule from the iptables filtering list based on site requirements:</span><p><p class="litext" id="admin_guide_000274__p3021749195016"><strong id="admin_guide_000274__b45605052195016">iptables -D INPUT </strong><em id="admin_guide_000274__i142141840161217">Number of the rule to be deleted</em></p>
<p class="litext" id="admin_guide_000274__p27195742195016">For example, to delete rule 1, run the following command:</p>
<p class="litext" id="admin_guide_000274__p55371454195016"><strong id="admin_guide_000274__b43435086195016">iptables -D INPUT 1</strong></p>
</p></li><li id="admin_guide_000274__li18033643195016"><span>Log in to the standby management node as user <strong id="admin_guide_000274__b1994724969115223">root</strong> using the standby IP address. Repeat <a href="#admin_guide_000274__li727167195016">5</a> to <a href="#admin_guide_000274__li28581039195016">10</a>.</span></li></ol>
<p class="tableheading" id="admin_guide_000274__p61456230195033"><strong id="admin_guide_000274__b1029092913145">Configuring trusted IP addresses for the LDAP service in the cluster</strong></p>
<ol start="12" id="admin_guide_000274__ol27562636195042"><li id="admin_guide_000274__li28085065195016"><span>Log in to <span id="admin_guide_000274__text3680834122412">MRS</span> Manager.</span></li><li id="admin_guide_000274__li51438998195016"><span>Click <strong id="admin_guide_000274__b1383125619140">Cluster</strong>, click the name of the desired cluster, and choose <strong id="admin_guide_000274__b1443118300152">Service</strong> > <strong id="admin_guide_000274__b10402113319159">LdapServer</strong>. On the displayed page, click <strong id="admin_guide_000274__b322515171620">Instance</strong> to view the nodes on which the LdapServer instances are deployed.</span></li><li id="admin_guide_000274__li60297803195016"><span>Go to the <strong id="admin_guide_000274__b1431715011164">Configurations</strong> page and view the LDAP port number of the cluster, that is, the value of <strong id="admin_guide_000274__b161677820252">LDAP_SERVER_PORT</strong>. The default value is <strong id="admin_guide_000274__b1309967979115223">21780</strong>.</span></li><li id="admin_guide_000274__li5809322195016"><span>Log in to the LDAP node as user <strong id="admin_guide_000274__b537635317265">root</strong> using the LDAP service IP address.</span></li><li id="admin_guide_000274__li41253757195016"><a name="admin_guide_000274__li41253757195016"></a><a name="li41253757195016"></a><span>Run the following command to view the INPUT policy in the iptables filtering list:</span><p><p class="litext" id="admin_guide_000274__p793037195016"><strong id="admin_guide_000274__b52283898195016">iptables -L</strong></p>
<p class="litext" id="admin_guide_000274__p7137341195016">For example, if no rule is configured, the INPUT policy is displayed as follows:</p>
<pre class="screen" id="admin_guide_000274__screen64236074195016">Chain INPUT (policy ACCEPT)
target prot opt source destination </pre>
</p></li><li id="admin_guide_000274__li50503607195016"><span>Run the following command to configure all IP addresses used by the cluster as trusted IP addresses. Each IP address must be added with a separate command.</span><p><p class="litext" id="admin_guide_000274__p13979760195016"><strong id="admin_guide_000274__b1469912508274">iptables -A INPUT -s </strong><em id="admin_guide_000274__i10699115011279">Trusted IP address </em><strong id="admin_guide_000274__b9700250202717">-p tcp --dport </strong><em id="admin_guide_000274__i570017506278">Port number </em><strong id="admin_guide_000274__b137004500275">-j ACCEPT</strong></p>
<p class="litext" id="admin_guide_000274__p58708984195016">For example, to configure <strong id="admin_guide_000274__b12156752142814">10.0.0.1</strong> as a trusted IP address and enable it to access port <strong id="admin_guide_000274__b1815645222814">21780</strong>, you need to run the following command:</p>
<p class="litext" id="admin_guide_000274__p57807295195016"><strong id="admin_guide_000274__b58618815195016">iptables -A INPUT -s 10.0.0.1 -p tcp --dport 21780 -j ACCEPT</strong></p>
</p></li><li id="admin_guide_000274__li25265865195016"><span>Run the following command to append a rule that drops access to the LDAP port from all other IP addresses. Because the INPUT chain is evaluated from top to bottom, the ACCEPT rules added in the previous step take precedence, so the trusted IP addresses are not affected by this rule.</span><p><p class="litext" id="admin_guide_000274__p37705919195016"><strong id="admin_guide_000274__b3448152412292">iptables -A INPUT -p tcp --dport </strong><em id="admin_guide_000274__i1144992419295">Port number </em><strong id="admin_guide_000274__b64501124192915">-j DROP</strong></p>
<p class="litext" id="admin_guide_000274__p3808956195016">For example, to block access to port <strong id="admin_guide_000274__b83217296297">21780</strong> from all other IP addresses, run the following command:</p>
<p class="litext" id="admin_guide_000274__p40090020195016"><strong id="admin_guide_000274__b34280608195016">iptables -A INPUT -p tcp --dport 21780 -j DROP</strong></p>
</p></li><li id="admin_guide_000274__li26961352195016"><span>Run the following command to view the modified INPUT policy in the iptables filtering list:</span><p><p class="litext" id="admin_guide_000274__p33269219195016"><strong id="admin_guide_000274__b26066201195016">iptables -L</strong></p>
<p class="litext" id="admin_guide_000274__p30987522195016">For example, after a trusted IP address is configured, the INPUT policy is displayed as follows:</p>
<pre class="screen" id="admin_guide_000274__screen10452246195016">Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 10.0.0.1 anywhere tcp dpt:21780
DROP tcp -- anywhere anywhere tcp dpt:21780 </pre>
</p></li><li id="admin_guide_000274__li61574664195016"><span>Run the following command to view the rules and rule numbers in the iptables filtering list:</span><p><p class="litext" id="admin_guide_000274__p36385874195016"><strong id="admin_guide_000274__b41325577195016">iptables -L -n --line-numbers</strong></p>
<pre class="screen" id="admin_guide_000274__screen59037412195016">Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21780 </pre>
</p></li><li id="admin_guide_000274__li48007687195016"><a name="admin_guide_000274__li48007687195016"></a><a name="li48007687195016"></a><span>Run the following command to delete a rule from the iptables filtering list based on site requirements:</span><p><p class="litext" id="admin_guide_000274__p59209588195016"><strong id="admin_guide_000274__b165691831183010">iptables -D INPUT </strong><em id="admin_guide_000274__i15569133163019">Number of the rule to be deleted</em></p>
<p class="litext" id="admin_guide_000274__p63124251195016">For example, to delete rule 1, run the following command:</p>
<p class="litext" id="admin_guide_000274__p12790727195016"><strong id="admin_guide_000274__b31247353195016">iptables -D INPUT 1</strong></p>
</p></li><li id="admin_guide_000274__li33885805195016"><span>Log in to the LDAP node as user <strong id="admin_guide_000274__b662844713303">root</strong> using the IP address of another LDAP service, and repeat <a href="#admin_guide_000274__li41253757195016">16</a> to <a href="#admin_guide_000274__li48007687195016">21</a>.</span></li></ol>
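<p class="litext">The following shell script is an added example, not code from the MRS guide: for one LDAP port and a list of trusted IP addresses it prints the ACCEPT and DROP rules in the order the two procedures above require (OMS steps 5 to 10, cluster steps 16 to 21), checks a numbered listing for ACCEPT rules that sit below the DROP rule and therefore never match, and prints the command that inserts a new trusted IP address above the DROP rule when a node is added during an expansion. The listing it inspects is constructed in the format of <strong>iptables -L INPUT -n --line-numbers</strong>, and the script itself never runs iptables.</p>

```shell
#!/bin/sh
# Added example, not from the MRS guide. Prints iptables commands and inspects
# a listing; it never runs iptables, so no root is needed.
# Constructed listing in "iptables -L INPUT -n --line-numbers" format: rule 3
# was appended (-A) after the DROP and is therefore never reached.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  tcp  --  10.0.0.1   0.0.0.0/0    tcp dpt:21750
2    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:21750
3    ACCEPT  tcp  --  10.0.0.2   0.0.0.0/0    tcp dpt:21750'

# Print the rules for PORT and the trusted IPs that follow it in the order the
# guide requires: every ACCEPT first, the catch-all DROP last. The -C check
# keeps a re-run from appending duplicate rules.
ldap_rule_commands() {
    port=$1; shift
    for ip in "$@"; do
        printf 'iptables -C INPUT -s %s -p tcp --dport %s -j ACCEPT 2>/dev/null || ' "$ip" "$port"
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$ip" "$port"
    done
    printf 'iptables -C INPUT -p tcp --dport %s -j DROP 2>/dev/null || ' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Read a numbered INPUT listing on stdin. The chain is evaluated top-down, so
# an ACCEPT placed after the DROP for PORT is dead; print the numbers of such
# shadowed rules, or "ok" when the order is sound.
check_ldap_rule_order() {
    awk -v target="dpt:$1" '
        $1 ~ /^[0-9]+$/ && $NF == target {
            if ($2 == "DROP" && drop == "") drop = $1
            else if ($2 == "ACCEPT" && drop != "") dead = dead " " $1
        }
        END { if (dead == "") print "ok"; else print "shadowed:" dead }'
}

# Expansion case from "Impact on the System": print the command that inserts a
# new trusted IP above the existing DROP rule (its number is read from the
# listing on stdin); fall back to -A when no DROP for PORT exists yet.
insert_trusted_ip_command() {
    port=$1; ip=$2
    drop=$(awk -v target="dpt:$port" \
        '$1 ~ /^[0-9]+$/ && $2 == "DROP" && $NF == target { print $1; exit }')
    if [ -n "$drop" ]; then
        printf 'iptables -I INPUT %s -s %s -p tcp --dport %s -j ACCEPT\n' "$drop" "$ip" "$port"
    else
        printf 'iptables -A INPUT -s %s -p tcp --dport %s -j ACCEPT\n' "$ip" "$port"
    fi
}
```

Run it as <strong>printf '%s\n' "$SAMPLE_LISTING" | check_ldap_rule_order 21750</strong> to see the shadowed rule reported; feed it the real listing from the management or LDAP node to check a live configuration.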
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="admin_guide_000271.html">Security Hardening</a></div>
</div>
</div>