Self Service Password (SSP)
Install SSP; its dependencies include php5, php5-ldap and php5-mcrypt.
Enable the mcrypt extension: sudo php5enmod mcrypt
Part 1: Apache
Install Apache and enable the SSL module: sudo a2enmod ssl
Add the following to /etc/apache2/apache2.conf (note that Options Indexes turns on directory listings for any directory without an index file; drop Indexes unless you actually need it):
<Directory /usr/share/self-service-password>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
Create /etc/apache2/sites-available/self-service-password.conf with the following content:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /usr/share/self-service-password
SSLEngine on
SSLCertificateFile /home/chen/ssp.crt
SSLCertificateKeyFile /home/chen/ssp.key
SSLCACertificateFile /home/chen/ca.crt
</VirtualHost>
</IfModule>
Enable the site: sudo a2ensite self-service-password
To force users onto HTTPS, first run sudo a2enmod rewrite, then add the rules below. mod_rewrite rules placed in the main server context (/etc/apache2/apache2.conf) are not inherited by virtual hosts, so if a port 80 VirtualHost such as the stock 000-default serves the site, put the rules inside that VirtualHost instead (or set RewriteOptions Inherit). The [R=301,L] flags make the rule an explicit permanent redirect rather than an internal rewrite:
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Part 2: LDAP
Edit /usr/share/self-service-password/conf/config.inc.php:
# LDAP
$ldap_url = "ldaps://dc1.abc.local";
$ldap_binddn = "cn=administrator,cn=users,dc=abc,dc=local";
$ldap_bindpw = 'XXXXXX';
$ldap_base = "ou=vb-user,dc=abc,dc=local";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
... (omitted) ...
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";
Notes on these settings: the filter matches users by sAMAccountName and excludes disabled accounts (the 1.2.840.113556.1.4.803 matching rule is a bitwise AND on userAccountControl, and bit 2 is ACCOUNTDISABLE). ldaps:// is not optional here: Active Directory only accepts writes to unicodePwd over an encrypted connection. With $who_change_password = "manager", the bind DN performs the password reset, so it needs the "Reset Password" right on the target OU; binding as the domain administrator works but grants far more than that, so a dedicated service account delegated only that right on ou=vb-user is the better choice. The bind password sits in clear text in config.inc.php, so restrict the file to the web server user.
Edit /etc/ldap/ldap.conf so the OpenLDAP client library used by PHP's ldap extension trusts the CA that issued the domain controller's certificate; without this the ldaps:// bind fails on certificate verification:
TLS_CACERT /home/chen/ca.crt   # path to the CA certificate
If something goes wrong, check the log files under /var/log/apache2.
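The following is an added example for the LDAP section; it is not code from the SSP project or from the original notes. It writes out in plain Python the three Active Directory details the config.inc.php snippet relies on, so they can be checked offline without a domain controller: substituting {login} into $ldap_filter with RFC 4515 escaping, what the userAccountControl:1.2.840.113556.1.4.803:=2 clause tests, and how a password is encoded for unicodePwd when $ad_mode = true, together with the modify operations a "manager" reset and a "user" change send (plus the lockoutTime / pwdLastSet writes behind force_unlock and force_pwd_change). The logins, passwords and userAccountControl values used are constructed sample data.

```python
from typing import List, Optional, Tuple

# The filter from the config.inc.php snippet above
LDAP_FILTER = ("(&(objectClass=user)(sAMAccountName={login})"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# userAccountControl bits referred to here (values as documented by AD)
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: the characters that would change
    the filter's structure become \\XX hex escapes (the same set PHP's
    ldap_escape(..., LDAP_ESCAPE_FILTER) handles)."""
    return "".join("\\%02x" % ord(c) if c in '\\*()\x00' else c for c in value)


def build_filter(login: str, template: str = LDAP_FILTER) -> str:
    """Substitute {login} into the configured filter, escaping the value first so
    a login such as "*)(objectClass=*" cannot widen the search."""
    return template.replace("{login}", escape_filter_value(login))


def bit_and_matches(attribute_value: int, operand: int) -> bool:
    """Matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND):
    true when every bit of the operand is set in the attribute."""
    return attribute_value & operand == operand


def bit_or_matches(attribute_value: int, operand: int) -> bool:
    """Matching rule 1.2.840.113556.1.4.804 (LDAP_MATCHING_RULE_BIT_OR):
    true when any bit of the operand is set in the attribute."""
    return attribute_value & operand != 0


def passes_enabled_clause(user_account_control: int) -> bool:
    """The (!(userAccountControl:1.2.840.113556.1.4.803:=2)) clause: the bit
    test is negated, so only accounts without ACCOUNTDISABLE match."""
    return not bit_and_matches(user_account_control, ACCOUNTDISABLE)


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password wrapped in double quotes and
    encoded as UTF-16LE without a BOM, and only over an encrypted connection
    (hence ldaps:// in $ldap_url)."""
    return ('"' + password + '"').encode("utf-16-le")


Modification = Tuple[str, str, List[bytes]]


def password_modify_ops(new_password: str, old_password: Optional[str] = None,
                        force_unlock: bool = False,
                        force_pwd_change: bool = False) -> List[Modification]:
    """Build the LDAP modify list as (operation, attribute, values) tuples.

    No old password ($who_change_password = "manager"): the bind DN resets the
    password with a single replace of unicodePwd. This needs the Reset Password
    right, and AD does not apply the old-password check, minimum age or history
    to an administrative reset.
    Old password given ($who_change_password = "user"): the user changes their
    own password with a delete of the old value plus an add of the new one in
    the same modify, and AD enforces the old password and the domain policy.
    force_unlock and force_pwd_change are lockoutTime=0 and pwdLastSet=0, which
    is how AD exposes "unlock" and "must change password at next logon".
    """
    if old_password is None:
        ops: List[Modification] = [
            ("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]
    else:
        ops = [("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
               ("add", "unicodePwd", [encode_unicode_pwd(new_password)])]
    if force_unlock:
        ops.append(("replace", "lockoutTime", [b"0"]))
    if force_pwd_change:
        ops.append(("replace", "pwdLastSet", [b"0"]))
    return ops


if __name__ == "__main__":
    # Constructed sample: an enabled account whose password never expires
    sample_uac = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    print(build_filter("j.smith"))
    print(build_filter("*)(objectClass=*"))
    print("enabled account passes:", passes_enabled_clause(sample_uac))
    print("disabled account passes:", passes_enabled_clause(sample_uac | ACCOUNTDISABLE))
    print(encode_unicode_pwd("Pa"))
    for op in password_modify_ops("N3w-Passw0rd", force_unlock=True):
        print(op)
```

Running the script prints the substituted filter for a normal login and for a hostile one (the latter stays a single sAMAccountName equality match), the outcome of the enabled-account clause for the constructed userAccountControl values, the raw unicodePwd bytes, and the modify list a "manager" reset with force_unlock produces.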
Part 3: Mail
Install sendmail, then edit /usr/share/self-service-password/conf/config.inc.php:
## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Who the email should come from
$mail_from = "VBPR@abc.cn";
# Notify users anytime their password is changed
$notify_on_change = false;
Setting $notify_on_change = true is worth considering: a user who receives a notification for a change they did not make is an early signal that the account has been taken over.
Self Service Password: http://ltb-project.org/wiki/start
Chinese language pack: http://tools.ltb-project.org/issues/632
PWM: https://github.com/jrivard/pwm