LDAP self-service password change

Description

Once an LDAP service is deployed, users occasionally forget their password or need it reset. A self-service password tool lets each user handle that on their own.

Service architecture

httpd + php

Deployed with docker

Download the package from the project site: https://ltb-project.org/download

No docker image was found on the project site, so I built one myself.

Configuration

Note: only the non-comment lines are shown. The listing below is the service configuration, which is also the PHP configuration.

grep -v "^#" config.inc.php
<?php

$use_sms= false;

$ldap_url = "ldap://ldap-host:389";         # the host is the docker network alias that links to the LDAP container at docker run time
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=asdf,dc=def";
$ldap_bindpw = "xxxxxxxx";
$ldap_base = "dc=asdf,dc=def";
$ldap_login_attribute = "cn";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";


$hash = "clear";

$hash_options['crypt_salt_prefix'] = "$6$";

$pwd_min_length = 8;               # minimum password length of 8
$pwd_max_length = 0;
$use_pwnedpasswords = false;
$pwd_min_lower = 0;
$pwd_min_upper = 0;
$pwd_min_digit = 0;
$pwd_min_special = 0;
$pwd_special_chars = "^a-zA-Z0-9@#$%&*()_+!~`?/\|{}[]=-";
$pwd_no_reuse = true;
$pwd_diff_login = true;
$pwd_complexity = 3;          # password must contain at least 3 character classes
$pwd_show_policy = "always";
$pwd_show_policy_pos = "above";

$who_change_password = "user";

$use_change = true;

$use_questions = false;

$answer_objectClass = "user";
$answer_attribute = "info";

$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";

$mail_attribute = "mail";
$mail_from = "kzf@qq.com";
$mail_from_name = " LDAP Password Service";
$notify_on_change = true;
$mail_address_use_ldap = true;       # keep this true: the reset mail then goes to the address stored on the user's LDAP entry, so a user cannot type an arbitrary address when resetting and change someone else's password
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'kzf@qq.com';
$mail_smtp_pass = 'Jkjhsdfkahsk';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';            # note: ssl, not tls; with tls on this port the mail cannot be sent
$mail_contenttype = 'text/plain';
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

$show_help = true;

$lang ="zh-CN";

$show_menu = true;

$logo = "images/ltb-logo.png";

$background_image = "images/unsplash-space.jpeg";

$debug = true;

$keyphrase = "jhfs";               # the default is secret; it must be changed to a different string

$login_forbidden_chars = "*()&|";

$default_action = "change";

$messages['changehelpextramessage'] = ">>帐户被锁定请使用导航栏中的其他方式解锁账户并重置密码。<br />通过邮件发送链接:请确认您已联系管理员设置邮箱。";
$obscure_failure_messages = array("mailnomatch");
?>
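Several of the settings above carry the security weight of this deployment: $keyphrase (reset tokens depend on it), $mail_address_use_ldap (who receives the reset link), $debug, the plain ldap:// URL with StartTLS off, and the SMTP password sitting in the file. The following script is an added example for this post, not code from the Self Service Password project: it reads the simple `$name = value;` assignments out of a config.inc.php and reports the settings a reviewer would flag. The function names, the 16-character keyphrase threshold and the SAMPLE_CONFIG text (the post's settings with secrets replaced by placeholders) are my own constructions.

```python
"""Lint an LTB Self Service Password config.inc.php for risky settings.

Added example for this post; it is not code from the Self Service Password
project. It reads only simple top-level `$name = value;` assignments, which
is all the listing above uses; array entries such as
$hash_options['crypt_salt_prefix'] are skipped.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# One assignment per line; a trailing '#' comment is dropped because the lazy
# group stops at the first ';'.
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*;", re.MULTILINE)

MIN_KEYPHRASE_LEN = 16  # assumed threshold, not an SSP requirement

# Constructed sample mirroring the post's settings, secrets replaced by placeholders.
SAMPLE_CONFIG = r"""<?php
$ldap_url = "ldap://ldap-host:389";   # docker network alias of the LDAP container
$ldap_starttls = false;
$ldap_bindpw = "PLACEHOLDER";
$ldap_login_attribute = "cn";
$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";
$hash_options['crypt_salt_prefix'] = "$6$";
$pwd_min_length = 8;
$use_pwnedpasswords = false;
$mail_address_use_ldap = true;
$mail_smtp_pass = 'PLACEHOLDER';
$debug = true;
$keyphrase = "secret";
?>
"""


def _decode(raw: str):
    """Turn a PHP literal into a Python value; other expressions stay as text."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def parse_config(text: str) -> dict:
    """Return {setting: value} for every simple assignment in the file."""
    return {name: _decode(raw) for name, raw in ASSIGN_RE.findall(text)}


def lint_config(text: str) -> list[tuple[str, str]]:
    """Return (setting, problem) pairs a reviewer would raise."""
    cfg = parse_config(text)
    findings = []
    key = cfg.get("keyphrase")
    if key in (None, "", "secret"):
        findings.append(("keyphrase", "default 'secret' or unset; reset tokens depend on it"))
    elif len(str(key)) < MIN_KEYPHRASE_LEN:
        findings.append(("keyphrase", f"shorter than {MIN_KEYPHRASE_LEN} chars; use a long random string"))
    if cfg.get("debug") is True:
        findings.append(("debug", "true exposes internal details to users; set false in production"))
    if cfg.get("mail_address_use_ldap") is not True:
        findings.append(("mail_address_use_ldap",
                         "not true; a requester could type any address and receive another user's reset link"))
    url = cfg.get("ldap_url")
    if isinstance(url, str) and url.startswith("ldap://") and cfg.get("ldap_starttls") is not True:
        findings.append(("ldap_url", "plain ldap:// without StartTLS; bind and user passwords cross the network unencrypted"))
    min_len = cfg.get("pwd_min_length")
    if not isinstance(min_len, int) or min_len < 8:
        findings.append(("pwd_min_length", "below 8 or unset"))
    if cfg.get("use_pwnedpasswords") is not True:
        findings.append(("use_pwnedpasswords", "disabled; passwords from known breaches are accepted"))
    if cfg.get("mail_smtp_pass"):
        findings.append(("mail_smtp_pass", "SMTP credential lives in this file; keep it readable by the httpd user only"))
    return findings


def lint_file(path: str | Path) -> list[tuple[str, str]]:
    """Lint the file the startup script bind-mounts into the container.

    A missing host path is an error, not an empty result: `docker run -v` would
    create a directory at that spot instead, and SSP would silently fall back
    to the config.inc.php packaged in the image.
    """
    p = Path(path)
    if not p.is_file():
        raise FileNotFoundError(f"{p}: not found; the bind mount would not carry this config")
    return lint_config(p.read_text(encoding="utf-8"))


if __name__ == "__main__":
    results = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint_config(SAMPLE_CONFIG)
    for setting, problem in results:
        print(f"{setting}: {problem}")
```

Run it as `python lint_ssp_config.py config.inc.php` before starting the container; with no argument it lints the embedded sample, which reproduces the post's weak spots (default keyphrase, debug on, plain ldap://, breach check off, SMTP password in the file) while passing on $mail_address_use_ldap and the 8-character minimum.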

httpd virtual host

cat self-service-password.conf
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName changepasswd.xxxxx.net
    DocumentRoot /usr/share/self-service-password
    DirectoryIndex index.php
    AddDefaultCharset UTF-8
    <Directory "/usr/share/self-service-password">
        AllowOverride None
        Require all granted
    </Directory>
    LogLevel warn
    ErrorLog /var/log/httpd/ssp_error_log
    CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>

Startup script

#!/bin/bash
# Recreate the container so that changes to config.inc.php are picked up.

docker stop self-service-passwd

docker rm self-service-passwd

# ldap-host is the network alias the config's $ldap_url points at;
# the bind mount replaces the config.inc.php baked into the image.
docker run -itd -p 8080:80 \
  --link openldap:ldap-host --net assembly_deploy_ldap \
  -v "$(pwd)/config.inc.php":/usr/share/self-service-password/conf/config.inc.php \
  --name self-service-passwd \
  docker-self-service-password-kzf:v0.0.1

Note: the mount path must be correct; otherwise the service falls back to the default config.inc.php that ships under the service directory.

Dockerfile

FROM centos:7

# RPM downloaded from https://ltb-project.org/download
ADD self-service-password-1.3-1.el7.noarch.rpm /home

RUN yum localinstall /home/self-service-password-1.3-1.el7.noarch.rpm -y

RUN yum install epel-release httpd -y

ADD self-service-password.conf /etc/httpd/conf.d/

# SSP reads conf/config.inc.php, so the copy goes into conf/ (the original
# placed it one level up, where it was never read); the startup script
# bind-mounts the live config over this file anyway.
ADD config.inc.php /usr/share/self-service-password/conf/

CMD /usr/sbin/httpd -D FOREGROUND

Usage

Self-service password change

If you know your current password, enter the old password to set a new one.

Email

If you have forgotten your password, click here and the service sends a reset link to the mailbox bound to your LDAP account; opening the link lets you reset the password directly, without entering the old one. Note that the field takes the LDAP username, so the user's email must be set when the account is created, otherwise no mail will arrive.
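The email flow above rests on three settings from the configuration: $mail_address_use_ldap (the recipient is read from the directory, never typed by the requester), $token_lifetime (the link stops working after 3600 seconds) and $keyphrase (only the server holding it can mint a valid link, which is why the default "secret" must be replaced). The script below is an added example for this post that models those properties; it is not Self Service Password's own token code, whose format and encryption differ. HMAC-SHA256 over a JSON payload, the names issue_token, verify_token and request_reset, and the SAMPLE_DIRECTORY stand-in for LDAP are all my own assumptions.

```python
"""Illustrative model of a time-limited, keyphrase-bound password-reset token.

Added example for this post; NOT Self Service Password's own token code. It
shows the property the settings $use_tokens, $crypt_tokens, $token_lifetime
and $keyphrase rely on: only a holder of the keyphrase can mint a token that
verifies, and a token stops working once its lifetime has passed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_LIFETIME = 3600                      # seconds, same value as $token_lifetime
TAG_LEN = hashlib.sha256().digest_size     # 32-byte HMAC tag appended to the payload

# Constructed stand-in for the LDAP directory: login -> mail attribute (None = unset).
SAMPLE_DIRECTORY = {"alice": "alice@example.com", "bob": None}


def issue_token(login: str, keyphrase: str, now: float | None = None,
                lifetime: int = TOKEN_LIFETIME) -> str:
    """Mint a token for `login` that expires `lifetime` seconds after `now`."""
    now = time.time() if now is None else now
    payload = {"login": login, "exp": int(now) + lifetime, "nonce": secrets.token_hex(8)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(keyphrase.encode(), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def verify_token(token: str, keyphrase: str, now: float | None = None) -> str | None:
    """Return the login the token was issued for, or None if it is forged, tampered or expired."""
    try:
        blob = base64.urlsafe_b64decode(token.encode())
    except ValueError:                      # bad base64 / padding
        return None
    if len(blob) <= TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(keyphrase.encode(), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare; wrong keyphrase fails here
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None                          # expired
    return payload.get("login")


def request_reset(login: str, directory: dict, keyphrase: str,
                  now: float | None = None) -> tuple[str, str] | None:
    """Model the page's email step: (recipient, token), or None when the user has no mail attribute.

    The recipient comes from the directory, never from the requester, which is
    what $mail_address_use_ldap = true enforces; a user without a mail
    attribute simply gets no message, as the post warns.
    """
    mail = directory.get(login)
    if not mail:
        return None
    return mail, issue_token(login, keyphrase, now)


if __name__ == "__main__":
    key = "replace-with-a-long-random-keyphrase"
    sent = request_reset("alice", SAMPLE_DIRECTORY, key)
    print("mail to", sent[0], "->", verify_token(sent[1], key))
    print("bob (no mail attribute):", request_reset("bob", SAMPLE_DIRECTORY, key))
```

The `now` parameter exists so expiry can be exercised deterministically; in a real service both sides use the clock. The nonce keeps two tokens for the same user distinct, and the HMAC covers the whole payload, so changing the login or the expiry inside a token invalidates it.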

Posted 2021-01-08 18:15 by fanggege