OpenLDAP self-service password change and reset: Self Service Password
Self Service Password is a PHP application that lets users change their password in an LDAP directory.
It works with standard LDAPv3 directories (OpenLDAP, OpenDS, ApacheDS, 389 DS, RHDS, Sun/Oracle DSEE, Novell, etc.) as well as with Active Directory.
It has the following features:
- Samba mode: changes the Samba password as well
- Active Directory mode
- Local password policy:
  - minimum/maximum length
  - forbidden characters
  - minimum counts of upper-case, lower-case, digit or special characters
  - check against reusing the old password
  - complexity (number of different character classes)
- Help messages
- Reset by security questions
- Reset by mail (a token is sent by e-mail)
- Reset by SMS (through an external Email2SMS service)
- CAPTCHA (Google API)
- Mail notification after a password change
Official documentation: https://ltb-project.org/documentation/self-service-password
1. Environment
- CentOS 7.7 64-bit
- OpenLDAP 2.4.44
- Self Service Password v1.3 (the version installed here)
2. Configure the yum repository file:
# vi /etc/yum.repos.d/ltb-project.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
3. Update the system packages (optional)
yum update  # this step is optional; a full update touches every installed package, so proceed with care!!!
4. Import the repository signing key (gpgcheck=1 above means yum will refuse unsigned or wrongly signed packages without it):
# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project
5. Install self-service-password
# yum install self-service-password
As shown in the figure below, this installs self-service-password v1.3 together with the dependencies it needs, such as apache (httpd) and php.
6. List the files and directories installed by self-service-password
# rpm -ql self-service-password
As shown in the figure below, the installation directory is /usr/share/self-service-password, and config.inc.php (in its conf/ subdirectory) is the SSP configuration file.
7. Modify the Apache configuration
The Apache configuration file is /etc/httpd/conf.d/self-service-password.conf.
Only ServerName needs to be changed to your own domain name; the rest can stay as shipped. Two points worth noting: the VirtualHost below serves plain HTTP, and users submit their current and new passwords through this form, so terminate TLS in front of it (an SSL-enabled VirtualHost or a reverse proxy) before exposing it outside a lab; and the second <Directory> block, which denies web access to the scripts/ directory, must be kept.
# vi /etc/httpd/conf.d/self-service-password.conf
<VirtualHost *>
ServerName ssp.example.com
DocumentRoot /usr/share/self-service-password
DirectoryIndex index.php
AddDefaultCharset UTF-8
<Directory /usr/share/self-service-password>
AllowOverride None
<IfVersion >= 2.3>
Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Allow from all
</IfVersion>
</Directory>
<Directory /usr/share/self-service-password/scripts>
AllowOverride None
<IfVersion >= 2.3>
Require all denied
</IfVersion>
<IfVersion < 2.3>
Order Deny,Allow
Deny from all
</IfVersion>
</Directory>
LogLevel warn
ErrorLog /var/log/httpd/ssp_error_log
CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>
8. Modify the Self-Service-Password configuration
The Self-Service-Password configuration file is /usr/share/self-service-password/conf/config.inc.php.
Official reference: https://ltb-project.org/documentation/self-service-password/1.3/start
This file stores the LDAP bind password and the SMTP password in cleartext, so keep it readable by the httpd user only.
# vi /usr/share/self-service-password/conf/config.inc.php
### LDAP settings (lines 37-44 of the file). The values below bind as the directory admin over unencrypted ldap:// with StartTLS disabled; for anything beyond a test setup, use a dedicated service account that is granted only the rights SSP needs (read users, write userPassword) instead of cn=admin, and set $ldap_starttls = true or use an ldaps:// URL so that the bind credentials and the new passwords are not sent to 192.168.1.71 in cleartext.
# LDAP
$ldap_url = "ldap://192.168.1.71:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=example,dc=com";
$ldap_bindpw = "123456";
$ldap_base = "dc=example,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
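The {login} placeholder in $ldap_filter is replaced with whatever the user types into the login field, so the substitution has to escape LDAP filter metacharacters (RFC 4515); otherwise a login of `*` turns the lookup into a match-everything query and `alice)(|(uid=*` rewrites the filter's structure. The Python below is an added example, not SSP's own code: it contrasts a naive substitution with an escaped one. The template string (the PHP value after $ldap_login_attribute has been interpolated) and the sample logins are constructed, and whether the SSP version you install escapes {login} itself is something to verify in its source rather than assume.

```python
# Added example (not SSP project code): substituting {login} into the
# $ldap_filter template with and without RFC 4515 escaping.

# Template as PHP sees it after interpolating $ldap_login_attribute = "uid"
# (constructed to match the config.inc.php values above).
LDAP_FILTER_TEMPLATE = "(&(objectClass=person)(uid={login}))"

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(login: str, template: str = LDAP_FILTER_TEMPLATE) -> str:
    """Naive substitution: user input becomes part of the filter syntax."""
    return template.replace("{login}", login)


def build_login_filter(login: str, template: str = LDAP_FILTER_TEMPLATE) -> str:
    """Escaped substitution: the login can only ever match as a literal value."""
    return template.replace("{login}", escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample logins: a normal one, a wildcard, and a filter injection.
    for login in ("alice", "*", "alice)(|(uid=*"):
        print("unsafe:", build_login_filter_unsafe(login))
        print("safe:  ", build_login_filter(login))
```

Run it and compare the two lines for each login: the unsafe form of `*` is a valid filter that matches every person entry, while the escaped form only matches a uid whose literal value is an asterisk.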
### Token keyphrase: set it to a random string of at least 8 characters (the comment in the file asks for something long and random; the output of openssl rand -base64 32 is a suitable source). Reset tokens and SMS codes are encrypted with it, so anyone who can read this value can forge them.
# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "secret";
For example, replace the default secret with a value such as nweVIywxtPJF1DW5ZYng.
### Mail settings (lines 179-211). With PHPMailer, $mail_smtp_secure = 'tls' means STARTTLS on the plain port (25 or 587, as used below); for implicit TLS on port 465 set it to 'ssl'. The SMTP account password ends up in this file, so use a mailbox dedicated to SSP rather than a personal one.
## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "monitor@xxx.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
#$mail_debug_format = 'error_log';
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'monitor@xxx.com';
$mail_smtp_pass = 'MailPassword123';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
### Display language, menu visibility, logo and background image
# Display help messages
$show_help = true;
# Default language
$lang = "cn"; ### default is en; set to cn for a Chinese interface
# List of authorized languages. If empty, all language are allowed.
# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array();
# Display menu on top
$show_menu = true; ### true shows the top menu, false hides it
# Logo
$logo = "images/ltb-logo.png";
# Background image
$background_image = "images/unsplash-space.jpeg";
### Enable or disable the security-question and SMS reset methods (lines 155 and 214). Both are enabled by default; set them to false to hide them. Reset by question is the weakest of the three reset methods, since answers are often guessable or discoverable, and reset by SMS only works once an external Email2SMS gateway is configured, so disable any method you do not intend to operate.
$use_questions = true;
$use_sms = true;
### Password complexity settings; these can also be left unchanged. The values shipped here are permissive (6-character minimum, two character classes, no per-class minimums), so tighten them for production. This local policy is checked by SSP before the directory's own password policy is consulted, and $use_pwnedpasswords = true adds a check against the Have I Been Pwned leaked-password set.
# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 6;
# Maximal length
$pwd_max_length = 16;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 0;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 2;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "onerror";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";
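To see what the policy fragment above actually accepts and rejects, here is an added example, not code from SSP or from this page, that re-implements the local policy in Python with the values copied from the fragment, plus the k-anonymity lookup that $use_pwnedpasswords enables (only the first five hex characters of the SHA-1 hash leave the host, and the returned suffixes are compared locally). The rule labels returned by check_password are assumed names chosen for this example, and the range response body is constructed so the code runs offline.

```python
# Added example (not SSP project code): a Python re-implementation of the
# local password policy from config.inc.php, plus the k-anonymity lookup that
# $use_pwnedpasswords enables. Rule labels are assumed names, not SSP's.
import hashlib
import re

# Policy values copied from the config.inc.php fragment above.
POLICY = {
    "pwd_min_length": 6,
    "pwd_max_length": 16,
    "pwd_min_lower": 0,
    "pwd_min_upper": 0,
    "pwd_min_digit": 0,
    "pwd_min_special": 0,
    "pwd_special_chars": "^a-zA-Z0-9",  # body of a regex character class
    "pwd_forbidden_chars": "",
    "pwd_no_reuse": True,
    "pwd_diff_login": True,
    "pwd_complexity": 2,
}


def check_password(new_pw, login, old_pw, policy=POLICY):
    """Return the list of violated rules; an empty list means accepted."""
    errors = []
    n_lower = len(re.findall(r"[a-z]", new_pw))
    n_upper = len(re.findall(r"[A-Z]", new_pw))
    n_digit = len(re.findall(r"[0-9]", new_pw))
    n_special = len(re.findall("[" + policy["pwd_special_chars"] + "]", new_pw))

    if len(new_pw) < policy["pwd_min_length"]:
        errors.append("tooshort")
    if policy["pwd_max_length"] and len(new_pw) > policy["pwd_max_length"]:
        errors.append("toobig")
    if n_lower < policy["pwd_min_lower"]:
        errors.append("minlower")
    if n_upper < policy["pwd_min_upper"]:
        errors.append("minupper")
    if n_digit < policy["pwd_min_digit"]:
        errors.append("mindigit")
    if n_special < policy["pwd_min_special"]:
        errors.append("minspecial")
    forbidden = policy["pwd_forbidden_chars"]
    if forbidden and any(ch in forbidden for ch in new_pw):
        errors.append("forbiddenchars")
    if policy["pwd_no_reuse"] and new_pw == old_pw:
        errors.append("sameasold")
    if policy["pwd_diff_login"] and new_pw == login:
        errors.append("sameaslogin")
    # Complexity = number of distinct character classes present.
    classes = sum(1 for n in (n_lower, n_upper, n_digit, n_special) if n > 0)
    if classes < policy["pwd_complexity"]:
        errors.append("notcomplex")
    return errors


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the body of GET /range/<first 5 hex chars> on the
# Pwned Passwords v2 API: one "<remaining 35 hex chars>:<count>" line per hit.
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed, unrelated suffix
    _sha1_hex("password")[5:] + ":3861493",    # constructed count for "password"
])


def pwned_count(password, range_body):
    """k-anonymity lookup: only SHA-1(password)[:5] would be sent to the API;
    the full hash suffix is compared locally against the returned lines."""
    digest = _sha1_hex(password)
    suffix = digest[5:]
    for line in range_body.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print(check_password("Abcdef1", "alice", "OldPass1"))   # []
    print(check_password("abcdefgh", "alice", "OldPass1"))  # ['notcomplex']
    print(pwned_count("password", SAMPLE_RANGE_BODY))       # 3861493
```

Passing a copy of POLICY with tightened values (for example pwd_min_special=1 or a non-empty pwd_forbidden_chars) to check_password shows how much each setting narrows what the shipped policy lets through.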
9. Start, restart and check the Apache service (systemctl enable httpd additionally makes it start at boot)
systemctl start httpd
systemctl restart httpd
systemctl status httpd
10. Open the SSP site
As shown in the figure below, Self Service Password lets users change their password directly, and recover it by answering security questions, by mail, or by SMS.
Article link:
/archives/openldap-ssp
Copyright notice:
Unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. When reposting, please credit
阳光•雨!