项目官网:
https://www.ltb-project.org/documentation/self-service-password.html
github:
https://github.com/ltb-project/self-service-password
文档:
https://self-service-password.readthedocs.io/en/latest/
本文采用oracle linux8系统安装
安装:
1、安装php-smarty
https://pkgs.org/download/php-Smarty
Download latest remi-release rpm from
http://rpms.remirepo.net/enterprise/8/remi/x86_64/
Install remi-release rpm:
rpm -Uvh remi-release*rpm
Install php-Smarty rpm package:
dnf --enablerepo=remi install php-Smarty 2、安装self-service-password
Configure the yum repository:
/etc/yum.repos.d/ltb-project.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
Then update:
yum update
Import repository key:
rpm --import https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project
You are now ready to install:
yum install self-service-password 3、安装openldap
yum install -y openldap 4、AD域导出证书
Self Service Password必须以LDAPS方式连接域控,因此需要加载证书
添加角色和功能-AD证书服务
证书颁发机构web注册
配置证书服务
证书颁发机构
开启AD域证书服务
刷新策略
导出证书
个人证书
导出
转换证书
openssl x509 -inform der -in ad01.cer -out ad01.pem
cat ad01.pem >> /etc/openldap/certs/ldaps.pem openldap配置文件
/etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/certs/ldaps.pem
TLS_REQCERT allow 5、Self Service Password配置文件
需生成独立配置文件
cd /usr/share/self-service-password/conf/
cp config.inc.php config.inc.local.php 我的配置文件config.inc.local.php,主要放上改动的部分和注释
<?php
$debug = false; //debug模式关闭
# LDAP
$ldap_url = "ldaps://ad1.90apt.com:636"; //AD服务器
$ldap_starttls = false;
$ldap_binddn = "CN=wangwangjie,CN=Users,DC=90apt,DC=com"; //使用的域控管理员用户
$ldap_bindpw = "passwd@123"; //上面域控管理员密码
$ldap_base = "OU=王工有限公司,OU=用户OU,DC=90apt,DC=com"; //应用的OU范围
$ldap_login_attribute = "sAMAccountName"; //登陆属性
$ldap_fullname_attribute = "cn"; //全名属性
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; //AD需要这么配置
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;
$ad_mode = true; //启用AD模式
$ad_options=[];
# Force account unlock when password is changed
$ad_options['force_unlock'] = true; //更改密码时强制解锁账户
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true; //允许过期的用户修改密码
# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 8; //最短密码位数
# Maximal length
$pwd_max_length = 0;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 0;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9"; //特殊字符
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true; //不使用重复密码
# Check that password is different than login
$pwd_diff_login = true; //密码不能与账号相同
# Check new passwords differs from old one - minimum characters count
$pwd_diff_last_min_chars = 0;
# Forbidden words which must not appear in the password
$pwd_forbidden_words = array();
# Forbidden ldap fields
# Respective values of the user's entry must not appear in the password
# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
$pwd_forbidden_ldap_fields = array();
# Complexity: number of different class of character required
$pwd_complexity = 3; //需要不同类别的字符
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always"; //显示约束信息
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above"; //在表格上显示
# disallow use of the only special character as defined in `$pwd_special_chars` at the beginning and end
$pwd_no_special_at_ends = false;
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager"; //谁的权限修改
## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";
## Mail
# LDAP mail attribute
$mail_attributes = array( "userPrincipalName","mail", "gosaMailAlternateAddress", "proxyAddresses" ); //邮箱形式
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true; //直接从域控获取邮箱
# Who the email should come from
$mail_from = "[email protected]";
$mail_from_name = "域账号自助改密解锁服务";
$mail_signature = "本邮件为通过密码自助修改LDAP账号密码,无需回复,如有重置密码遇到问题可以联系运维同学";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.90apt.com';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = 'passwd@123';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
## SMS
# Use sms
$use_sms = true;
# SMS method (mail, api)
$sms_method = "api";
$sms_api_lib = "lib/smsapi.inc.php"; //自编写短信api,从短信平台的帮助文档里找
# GSM number attribute
$sms_attributes = array( "mobile", "pager", "ipPhone", "homephone" );
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address. {sms_attribute} will be replaced by real sms number
$smsmailto = "{sms_attribute}@service.provider.com";
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} {smstoken}";
# Remove non digit characters from GSM number
$sms_sanitize_number = false;
# Truncate GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;
# Max attempts allowed for SMS token
$max_attempts = 5;
# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "90apt"; //关键词
# Display menu on top
$show_menu = true; //显示菜单
# Logo
$logo = "images/logo.png"; //logo
# Background image
$background_image = "images/90apt.png"; //壁纸