
Self Service Password: a self-service portal for domain accounts

Author: 王忘傑

Project website:

https://www.ltb-project.org/documentation/self-service-password.html

GitHub:

https://github.com/ltb-project/self-service-password

Documentation:

https://self-service-password.readthedocs.io/en/latest/

This guide performs the installation on Oracle Linux 8.

Installation:

1. Install php-Smarty

https://pkgs.org/download/php-Smarty

Download latest remi-release rpm from
http://rpms.remirepo.net/enterprise/8/remi/x86_64/

Install remi-release rpm:
rpm -Uvh remi-release*rpm

Install php-Smarty rpm package:
dnf --enablerepo=remi install php-Smarty

2. Install self-service-password

Configure the yum repository:
/etc/yum.repos.d/ltb-project.repo

[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Then update:
yum update

Import repository key:
rpm --import https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project

You are now ready to install:
yum install self-service-password

3. Install openldap

yum install -y openldap

4. Export the certificate from the AD domain

Self Service Password must connect to the domain controller over LDAPS, so the certificate has to be loaded on the SSP host.

Add Roles and Features: Active Directory Certificate Services

Certification Authority Web Enrollment

Configure Certificate Services

Certification Authority

Enable AD Certificate Services

Refresh policy

Export the certificate

Personal certificates

Export

Convert the certificate (DER to PEM) and append it to the trust file used by OpenLDAP:

openssl x509 -inform der -in ad01.cer -out ad01.pem
cat ad01.pem >> /etc/openldap/certs/ldaps.pem

OpenLDAP configuration file

/etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/certs/ldaps.pem
TLS_REQCERT allow

With TLS_REQCERT allow, the server certificate is requested but the session continues even if it is missing or cannot be verified against TLS_CACERT; TLS_REQCERT demand makes the connection fail in that case.

5. Self Service Password configuration file

A separate local configuration file has to be created:

cd /usr/share/self-service-password/conf/
cp config.inc.php config.inc.local.php

My config.inc.local.php, showing mainly the changed parts, with comments:

<?php
$debug = false; // debug mode off

# LDAP
$ldap_url = "ldaps://ad1.90apt.com:636"; // AD server
$ldap_starttls = false;
$ldap_binddn = "CN=wangwangjie,CN=Users,DC=90apt,DC=com";  // domain admin account used for the bind
$ldap_bindpw = "passwd@123";  // password of the bind account above

$ldap_base = "OU=王工有限公司,OU=使用者OU,DC=90apt,DC=com";  // OU scope the application covers
$ldap_login_attribute = "sAMAccountName";  // login attribute
$ldap_fullname_attribute = "cn";  // full-name attribute
// Required for AD: match user objects by sAMAccountName and exclude disabled accounts
// (userAccountControl bit 2 = ACCOUNTDISABLE, tested with the bitwise-AND matching rule)
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;


$ad_mode = true;  // enable AD mode
$ad_options=[];
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;  // force-unlock the account when the password is changed
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;  // allow users with an expired password to change it


# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 8;  // minimum password length
# Maximal length
$pwd_max_length = 0;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 0;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";  // special characters, as a regex character class: anything non-alphanumeric
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;  // do not allow reusing the current password
# Check that password is different than login
$pwd_diff_login = true; // password must differ from the login
# Check new passwords differs from old one - minimum characters count
$pwd_diff_last_min_chars = 0;
# Forbidden words which must not appear in the password
$pwd_forbidden_words = array();
# Forbidden ldap fields
# Respective values of the user's entry must not appear in the password
# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
$pwd_forbidden_ldap_fields = array();
# Complexity: number of different class of character required
$pwd_complexity = 3;  // number of different character classes required
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always";  // show the constraint message
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";  // show it above the form

# disallow use of the only special character as defined in `$pwd_special_chars` at the beginning and end
$pwd_no_special_at_ends = false;

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";  // whose privileges perform the change



## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attributes = array( "userPrincipalName","mail", "gosaMailAlternateAddress", "proxyAddresses" );  // mail attributes
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true;  // take the mail address directly from the domain controller
# Who the email should come from
$mail_from = "[email protected]";
$mail_from_name = "域賬号自助改密解鎖服務";
$mail_signature = "本郵件為通過密碼自助修改LDAP賬号密碼,無需回複,如有重置密碼遇到問題可以聯系運維同學";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.90apt.com';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = 'passwd@123';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;

## SMS
# Use sms
$use_sms = true;
# SMS method (mail, api)
$sms_method = "api";
$sms_api_lib = "lib/smsapi.inc.php";  // self-written SMS API, based on the SMS provider's documentation
# GSM number attribute
$sms_attributes = array( "mobile", "pager", "ipPhone", "homephone" );
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address. {sms_attribute} will be replaced by real sms number
$smsmailto = "{sms_attribute}@service.provider.com";
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} {smstoken}";
# Remove non digit characters from GSM number
$sms_sanitize_number = false;
# Truncate GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;
# Max attempts allowed for SMS token
$max_attempts = 5;

# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "90apt";  // keyphrase

# Display menu on top
$show_menu = true;  // show the menu

# Logo
$logo = "images/logo.png";  // logo

# Background image
$background_image = "images/90apt.png";  // background
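As an added example (not the project's own code and not part of the original post), the following PHP is a simplified stand-alone re-implementation of the local password policy that the settings above switch on, so the combined effect of $pwd_min_length = 8, $pwd_complexity = 3, $pwd_special_chars = "^a-zA-Z0-9", $pwd_no_reuse and $pwd_diff_login can be tried on sample passwords before the portal is exposed; check_local_policy() and the sample inputs are mine.

```php
<?php
// Added example: re-implements the local policy checks enabled in the config
// above so they can be exercised offline. Keys mirror the config.inc.local.php
// variable names; check_local_policy() is not a Self Service Password function.
$policy = array(
    'pwd_min_length'    => 8,
    'pwd_special_chars' => '^a-zA-Z0-9', // regex class body: anything non-alphanumeric
    'pwd_complexity'    => 3,            // classes needed out of lower/upper/digit/special
    'pwd_no_reuse'      => true,
    'pwd_diff_login'    => true,
);

// Returns the violated rules; an empty array means the password passes.
function check_local_policy(array $p, string $new, string $old, string $login): array
{
    $errors = array();
    if (mb_strlen($new) < $p['pwd_min_length']) {
        $errors[] = 'tooshort';
    }
    // Count character classes; the special class is [<pwd_special_chars>], here [^a-zA-Z0-9].
    $classes  = preg_match('/[a-z]/', $new) + preg_match('/[A-Z]/', $new)
              + preg_match('/[0-9]/', $new)
              + preg_match('/[' . $p['pwd_special_chars'] . ']/', $new);
    if ($classes < $p['pwd_complexity']) {
        $errors[] = 'notcomplex';
    }
    if ($p['pwd_no_reuse'] && $new === $old) {
        $errors[] = 'sameasold';
    }
    if ($p['pwd_diff_login'] && strtolower($new) === strtolower($login)) {
        $errors[] = 'sameaslogin';
    }
    return $errors;
}

// Constructed sample inputs; 'wangwangjie' is the login used in the config above.
$cases = array(
    array('Summer2024!', 'Winter2023!'), // passes: 11 chars, 4 classes
    array('summer2024',  'Winter2023!'), // fails: lower + digit = only 2 classes
    array('Ab1!',        'Winter2023!'), // fails: 4 classes but shorter than 8
    array('Winter2023!', 'Winter2023!'), // fails: identical to the current password
);
foreach ($cases as [$new, $old]) {
    $result = check_local_policy($policy, $new, $old, 'wangwangjie');
    printf("%-12s -> %s\n", $new, $result ? implode(',', $result) : 'ok');
}
```

Run it with php from the command line; the directory password policy of the domain still applies on top of these checks, since the local policy is evaluated first.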