Overview
Once an LDAP service is deployed, users occasionally forget their password or need it reset. A password self-service portal lets them do this on their own instead of going through an administrator.
Service architecture
httpd + php
Installed and deployed with docker
Download the package from the official site: https://ltb-project.org/download
The official site has no docker image that I could find, so I built one myself (Dockerfile below).
Configuration
Only the non-comment lines are shown. This is the service configuration, i.e. the PHP config file; the trailing `# ...` remarks are my annotations.
grep -v "^#" config.inc.php
<?php
$use_sms = false;
$ldap_url = "ldap://ldap-host:389"; # the host is the network alias the LDAP container gets when this container is started
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=asdf,dc=def";
$ldap_bindpw = "xxxxxxxx";
$ldap_base = "dc=asdf,dc=def";
$ldap_login_attribute = "cn";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";
$hash = "clear";
$hash_options['crypt_salt_prefix'] = "$6$";
$pwd_min_length = 8; # at least 8 characters
$pwd_max_length = 0;
$use_pwnedpasswords = false;
$pwd_min_lower = 0;
$pwd_min_upper = 0;
$pwd_min_digit = 0;
$pwd_min_special = 0;
$pwd_special_chars = "^a-zA-Z0-9@#$%&*()_+!~`?/\|{}[]=-";
$pwd_no_reuse = true;
$pwd_diff_login = true;
$pwd_complexity = 3; # at least 3 of the 4 character classes (lower, upper, digit, special)
$pwd_show_policy = "always";
$pwd_show_policy_pos = "above";
$who_change_password = "user";
$use_change = true;
$use_questions = false;
$answer_objectClass = "user";
$answer_attribute = "info";
$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";
$mail_attribute = "mail";
$mail_from = "kzf@qq.com";
$mail_from_name = " LDAP Password Service";
$notify_on_change = true;
$mail_address_use_ldap = true; # keep this true: the reset link goes to the mail address stored on the user's LDAP entry, so a user cannot type in an arbitrary address and reset someone else's password
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'kzf@qq.com';
$mail_smtp_pass = 'Jkjhsdfkahsk';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl'; # 'ssl' is implicit TLS, which is what port 465 speaks; 'tls' means STARTTLS (the port 587 mode) and mail will not go out with it on 465
$mail_contenttype = 'text/plain';
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
$show_help = true;
$lang = "zh-CN";
$show_menu = true;
$logo = "images/ltb-logo.png";
$background_image = "images/unsplash-space.jpeg";
$debug = true;
$keyphrase = "jhfs"; # the default is "secret"; it must be changed to something else
$login_forbidden_chars = "*()&|";
$default_action = "change";
$messages['changehelpextramessage'] = ">>If your account is locked, use one of the other methods in the navigation bar to unlock it and reset the password.<br />Send link by mail: make sure you have asked an administrator to set your mail address.";
$obscure_failure_messages = array("mailnomatch");
?>

A few of these settings deserve a second look before the service is exposed to users. $hash = "clear" makes SSP send the new password to the directory in plaintext and leaves hashing to the server, so check what actually ends up in userPassword after a reset. ldap:// together with $ldap_starttls = false means the bind password and every new password cross the network unencrypted; that is only acceptable while both containers sit on an isolated docker network. $debug = true should be off in production. $keyphrase is the key used to encrypt reset tokens when $crypt_tokens = true, so it should be a long random string, not a four-letter word. Binding as cn=admin gives the web application full rights over the directory; a dedicated service account whose write access is limited to userPassword is the least-privilege choice. Finally, SSP uses $pwd_special_chars as a regular-expression character class, and a class starting with ^ counts everything not listed as special: adding common punctuation after ^a-zA-Z0-9 therefore stops those very symbols from counting towards $pwd_complexity, which is probably not what was intended (the shipped default is just "^a-zA-Z0-9").
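To make the password policy in this config concrete, here is the check in working form. This is an added example written for this page, not code from the LTB project; it assumes SSP treats $pwd_special_chars as a regex character class and starts from SSP's default "^a-zA-Z0-9", and the function name, POLICY dict and error-code strings are illustrative names chosen here. The last case shows what happens when punctuation is listed after the ^ as in the config above (shortened to "@#" to keep the regex simple).

```python
"""Password-policy check modelled on the config.inc.php above (added example).

Mirrors the page's values: minimum 8 characters, at least 3 of the 4 character
classes, no reuse of the old password, must differ from the login.
"""
import re

# Values copied from the config above; special chars use SSP's shipped default.
POLICY = {
    "pwd_min_length": 8,
    "pwd_max_length": 0,            # 0 = no upper bound
    "pwd_min_lower": 0,
    "pwd_min_upper": 0,
    "pwd_min_digit": 0,
    "pwd_min_special": 0,
    "pwd_special_chars": "^a-zA-Z0-9",  # negated class: anything non-alphanumeric
    "pwd_no_reuse": True,
    "pwd_diff_login": True,
    "pwd_complexity": 3,
}

# Same policy but with punctuation listed after the ^, as the page's config does.
# In a negated class those symbols are then NOT special any more.
PAGE_LIKE_POLICY = dict(POLICY, pwd_special_chars="^a-zA-Z0-9@#")


def check_password(new, old, login, policy=POLICY):
    """Return a list of error codes (illustrative names); empty list = accepted."""
    errors = []
    if len(new) < policy["pwd_min_length"]:
        errors.append("tooshort")
    if policy["pwd_max_length"] and len(new) > policy["pwd_max_length"]:
        errors.append("toobig")
    if policy["pwd_no_reuse"] and new == old:
        errors.append("sameasold")
    if policy["pwd_diff_login"] and new == login:
        errors.append("sameaslogin")

    # Count characters per class; the special class comes straight from the policy string.
    counts = {
        "lower": len(re.findall("[a-z]", new)),
        "upper": len(re.findall("[A-Z]", new)),
        "digit": len(re.findall("[0-9]", new)),
        "special": len(re.findall("[" + policy["pwd_special_chars"] + "]", new)),
    }
    for cls, n in counts.items():
        if n < policy["pwd_min_" + cls]:
            errors.append("min" + cls)

    # $pwd_complexity: number of distinct classes that must be present.
    complexity = sum(1 for n in counts.values() if n > 0)
    if complexity < policy["pwd_complexity"]:
        errors.append("notcomplex")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs: (new password, old password, login, policy)
    cases = [
        ("Ldap-Pass1", "old", "alice", POLICY),
        ("password", "old", "alice", POLICY),
        ("Passw0rd", "Passw0rd", "alice", POLICY),
        ("alice", "old", "alice", POLICY),
        ("passw0rd@", "old", "alice", POLICY),
        ("passw0rd@", "old", "alice", PAGE_LIKE_POLICY),
    ]
    for new, old, login, pol in cases:
        print(f"{new!r:14} -> {check_password(new, old, login, pol) or 'OK'}")
```

The interesting line is the last one: "passw0rd@" passes under the shipped special-character definition (lower + digit + special = 3 classes) but is rejected as not complex enough once "@" is excluded from the special class by being listed after the ^.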
httpd
cat self-service-password.conf
NameVirtualHost *:80   # ignored by httpd 2.4 (what CentOS 7 ships); it only produces a startup warning
<VirtualHost *:80>
    ServerName changepasswd.xxxxx.net
    DocumentRoot /usr/share/self-service-password
    DirectoryIndex index.php
    AddDefaultCharset UTF-8
    <Directory "/usr/share/self-service-password">
        AllowOverride None
        Require all granted
    </Directory>
    LogLevel warn
    ErrorLog /var/log/httpd/ssp_error_log
    CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>

This vhost speaks plain HTTP only. Old and new passwords are submitted through it and the reset links carry the token, so terminate TLS in front of the container (a reverse proxy on changepasswd.xxxxx.net) before exposing it beyond the docker host.
Start script
#!/bin/bash
# Throw away any previous instance; the errors are harmless if none exists
docker stop self-service-passwd
docker rm self-service-passwd
docker run -itd -p 8080:80 \
  --link openldap:ldap-host --net assembly_deploy_ldap \
  -v $(pwd)/config.inc.php:/usr/share/self-service-password/conf/config.inc.php \
  --name self-service-passwd \
  docker-self-service-password-kzf:v0.0.1
Note: the bind-mount path must be exactly right. If it is not, the container silently runs with the default config.inc.php that the package installs under conf/ in the service directory, i.e. with the default keyphrase and without your LDAP and mail settings.
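A small offline audit of a config.inc.php, added here as an example and not part of the LTB project. It parses the flat `$name = value;` lines and flags the settings discussed above: debug left on, a default or short keyphrase, clear-text hashing, an unencrypted ldap:// connection, reset mail sent to a user-supplied address, unencrypted tokens, and binding as the directory administrator. The sample config embedded below is constructed to mirror this page's values; parse_php_config and audit_ssp_config are names chosen for this example.

```python
"""Audit an SSP config.inc.php for risky settings (added example, not LTB code)."""
import re
import sys

# Matches flat assignments like  $debug = true;  or  $hash = "clear"; # comment
_ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.*?)\s*;")


def parse_php_config(text):
    """Minimal parser for flat PHP assignments: strings, booleans and integers.
    Arrays and entries like $hash_options['x'] are skipped; enough for an audit."""
    cfg = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            cfg[name] = raw == "true"
        elif raw.lstrip("-").isdigit():
            cfg[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            cfg[name] = raw[1:-1]
        else:
            cfg[name] = raw            # PHP_EOL, array(...) etc. kept verbatim
    return cfg


def audit_ssp_config(cfg):
    """Return (setting, reason) pairs for settings a reviewer would flag."""
    findings = []
    if cfg.get("debug") is True:
        findings.append(("debug", "debug output is enabled"))
    keyphrase = str(cfg.get("keyphrase", ""))
    if keyphrase == "secret" or len(keyphrase) < 16:
        findings.append(("keyphrase", "token encryption key is the default or too short"))
    if cfg.get("hash") == "clear":
        findings.append(("hash", "plaintext is sent to the directory; confirm the server hashes userPassword"))
    if str(cfg.get("ldap_url", "")).startswith("ldap://") and not cfg.get("ldap_starttls", False):
        findings.append(("ldap_url", "bind password and new passwords cross the network unencrypted"))
    if cfg.get("use_tokens") and not cfg.get("mail_address_use_ldap", False):
        findings.append(("mail_address_use_ldap", "users may choose where the reset link is sent"))
    if cfg.get("use_tokens") and not cfg.get("crypt_tokens", False):
        findings.append(("crypt_tokens", "reset tokens are not encrypted"))
    if str(cfg.get("ldap_binddn", "")).lower().startswith("cn=admin"):
        findings.append(("ldap_binddn", "web application binds as the directory administrator"))
    return findings


# Constructed sample mirroring the settings on this page (not a real deployment).
SAMPLE_CONFIG = """<?php
$ldap_url = "ldap://ldap-host:389"; # network alias of the LDAP container
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=asdf,dc=def";
$ldap_bindpw = "xxxxxxxx";
$hash = "clear";
$hash_options['crypt_salt_prefix'] = "$6$";
$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";
$mail_address_use_ldap = true;
$mail_newline = PHP_EOL;
$debug = true;
$keyphrase = "jhfs";
?>"""


def audit_sample():
    """Audit the constructed sample; used by the demo below."""
    return audit_ssp_config(parse_php_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    # With a file on stdin audit that; otherwise audit the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    for setting, reason in audit_ssp_config(parse_php_config(text)):
        print(f"{setting}: {reason}")
```

Point it at the file the container is really using rather than the copy on the host, which also verifies that the bind-mount worked: `docker exec self-service-passwd cat /usr/share/self-service-password/conf/config.inc.php | python3 audit.py`. If the output mentions the default keyphrase "secret", the mount path in the start script is wrong.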
Dockerfile
FROM centos:7
ADD self-service-password-1.3-1.el7.noarch.rpm /home
RUN yum localinstall /home/self-service-password-1.3-1.el7.noarch.rpm -y
RUN yum install epel-release httpd -y
ADD self-service-password.conf /etc/httpd/conf.d/
# The package reads its configuration from conf/ under the install directory
# (the same path the start script bind-mounts), not from the web root.
ADD config.inc.php /usr/share/self-service-password/conf/
CMD /usr/sbin/httpd -D FOREGROUND

Two things changed from my first attempt: the `RUN cd /home` line was dropped because each RUN is its own layer and the cd has no effect, and the config is now copied into conf/ instead of the document root, where it was never read. Keep in mind that baking config.inc.php into the image stores the LDAP bind password and SMTP password in an image layer; the bind-mount in the start script is the cleaner way to supply it.
Usage
Password self-service
Change password: if you still know your current password, enter the old password and choose a new one (this is $default_action = "change" above).
Mail
Reset by mail: if the password has been forgotten, use this entry. The service sends a reset link to the mail address stored on the user's LDAP entry; following the link sets a new password without asking for the old one. With the config above the link is valid for $token_lifetime seconds (3600) and the token it carries is encrypted with $keyphrase. Note that the field expects the LDAP username, not an address: because $mail_address_use_ldap = true, the mail attribute must be filled in when the account is created, otherwise no mail is ever sent (and, thanks to $obscure_failure_messages, the page does not reveal why).