Self Service Password是一个PHP应用程序,允许用户在LDAP目录中更改其密码。

该应用程序可以在标准LDAPv3目录(OpenLDAP,OpenDS,ApacheDS,389 DS,RHDS, Sun Oracle DSEE,Novell等)以及Active Directory上。

它具有以下功能:

  • Samba模式更改Samba密码
  • 活动目录模式
  • 本地密码策略:
    • 最小/最大长度
    • 禁止字符
    • 大写,小写,数字或特殊字符计数器
    • 重用旧密码检查
    • 复杂度(不同类别的字符)
  • 帮助信息
  • 按问题重置
  • 通过邮件重置(通过邮件发送令牌)
  • 通过短信重置(通过外部电子邮件2短信服务)
  • 验证码(Google API)
  • 更改密码后的邮件通知

参考官方文档:https://ltb-project.org/documentation/self-service-password

1、环境介绍

  • CentOS 7.7 64位
  • OpenLDAP 2.4.44
  • Self Service Password v1.3(本此安装版本)

2、配置yum源文件:

# vi /etc/yum.repos.d/ltb-project.repo

[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

3、更新yum源(可选)

yum update   #该操作步骤可选,请谨慎操作!!!

4、导入库密钥:

# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

5、安装self-service-password

# yum install self-service-password

如下图所示:本次安装self-service-password v1.3版本,以及所需要安装apache和php等相关依赖包。
image-e60cb99ebaa143cea31baed13a6cc755

6、查看self-service-password安装文件及目录

# rpm -ql self-service-password

如下图所示:由此可以看出self-service-password安装目录是:/usr/share/self-service-password,其中config.inc.php是self-service-password的配置文件。
image-09aaf4fcb7774879a955b0e63883a70c

7、修改Apache配置

Apache配置文件所在路径是:/etc/httpd/conf.d/self-service-password.conf
只需要修改其中ServerName为自己所用域名即可,其他配置无需修改。

# vi /etc/httpd/conf.d/self-service-password.conf
<VirtualHost *>
        ServerName ssp.example.com

        DocumentRoot /usr/share/self-service-password
        DirectoryIndex index.php

        AddDefaultCharset UTF-8

        <Directory /usr/share/self-service-password>
            AllowOverride None
            <IfVersion >= 2.3>
                Require all granted
            </IfVersion>
            <IfVersion < 2.3>
                Order Deny,Allow
                Allow from all
            </IfVersion>
        </Directory>

        <Directory /usr/share/self-service-password/scripts>
            AllowOverride None
            <IfVersion >= 2.3>
                Require all denied
            </IfVersion>
            <IfVersion < 2.3>
                Order Deny,Allow
                Deny from all
            </IfVersion>
        </Directory>

        LogLevel warn
        ErrorLog /var/log/httpd/ssp_error_log
        CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>

8、修改Self-Service-Password配置

Self-Service-Password配置文件所在路径是:/usr/share/self-service-password/conf/config.inc.php

官方参考文档:https://ltb-project.org/documentation/self-service-password/1.3/start

# vi /usr/share/self-service-password/conf/config.inc.php
###配置LDAP相关信息及修改37-44行内容
# LDAP
$ldap_url = "ldap://192.168.1.71:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=example,dc=com";
$ldap_bindpw = "123456";
$ldap_base = "dc=example,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

###配置Tokens密钥为随时字符不少于8位
# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "secret"; 比如:将默认secret修改为:nweVIywxtPJF1DW5ZYng
###配置邮件服务信息及修改179-211行内容
## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "monitor@xxx.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
#$mail_debug_format = 'error_log';
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'monitor@xxx.com';
$mail_smtp_pass = 'MailPassword123';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
###配置显示语言、是否显示菜单、logo及背景图片
# Display help messages
$show_help = true;

# Default language
$lang = "cn";   ###默认是:en,修改为中文显示:cn

# List of authorized languages. If empty, all language are allowed.
# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array();

# Display menu on top
$show_menu = true;   ###true显示菜单项,false不显示菜单项

# Logo
$logo = "images/ltb-logo.png";

# Background image
$background_image = "images/unsplash-space.jpeg";
###配置是否启用问题及短信服务及修改155行与214行,默认为显示,修改为false即不显示。
$use_questions = true; 
$use_sms = true; 
###配置密码的复杂度,此处也可不进行修改。
# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 6;  
# Maximal length
$pwd_max_length = 16;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 0;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 2;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "onerror";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";

9、启动、重启apache服务命令

systemctl start httpd
systemctl restart httpd
systemctl status httpd

10、打开SSP网址

如下图所示,我们可以使用Self Service Password可以直接修改密码,也可以通过“回答问题”、“邮件”及“短信”方式找回密码。
image-f9535ada0e8440ce9f355eec877b8cfa

文章作者: 阳光•雨
本文链接:
版权声明: 本站所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 阳光•雨
LDAP 自助修改或重置密码服务Self Service Password
喜欢就支持一下吧