Configuring self-service-password for password changes against Windows Active Directory
Part 1: Our on-premises file sharing is built on Windows AD
For the Windows AD deployment procedure, see: https://www.cnblogs.com/cf-cf/p/12027495.html
Windows here must be deployed with LDAP over SSL, because self-service-password requires that password changes for Windows AD users go over SSL.
Part 2: Installing self-service-password
Here we install via yum; for other installation methods, see the official site.
Official site: https://ltb-project.org/start
Official yum installation instructions: https://ltb-project.org/documentation/self-service-password/1.3/install_rpm
CentOS 7 ships PHP 5.4 by default, which is too old, so we add a PHP repository; this installs php72 automatically.
Add the php72 yum repository:
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
Then install it:
yum install self-service-password
rpm -ql self-service-password
Part 3: Editing the configuration file
The configuration file needs to be modified; its path is:
/usr/share/self-service-password/conf/config.inc.php
The main changes are as follows:
# LDAP
$ldap_url = "ldaps://dc1.example.com:636";
$ldap_starttls = false;
$ldap_binddn = "cn=Administrator,cn=Users,dc=example,dc=com";
$ldap_bindpw = "xxxx";
$ldap_base = "ou=People,dc=example,dc=com";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
Windows AD settings:
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;
Mail parameters:
$mail_from = "abc@example.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'abc@example.com';
$mail_smtp_pass = 'SPZhBboW7YA3nZs6';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
#$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
$keyphrase = "aixbx";
Configure ldap.conf:
/etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#BASE dc=aixbx,dc=cn
#URI ldaps://dc1.aixbx.cn
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/ca.cer

# Turning this off breaks GSSAPI used with krb5 when rdns = false
#SASL_NOCANON on
TLS_REQCERT allow
TLS_CIPHER_SUITE TLSv1+RSA
Then restart httpd.
Part 4: Installing and configuring XAMPP on Windows
To save a server, I decided to install it directly on Windows.
When installing XAMPP, select the mail-sending component; the other components need not be installed, only PHP and Apache.
1. Enable the ldap extension in the PHP configuration file:
extension=ldap
XAMPP is installed on drive D.
Here I simply deleted the files in XAMPP's htdocs directory, downloaded the self-service-password source, and copied it into that directory.
Then just access port 80.
2. The complete self-service-password configuration file:
<?php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================

#==============================================================================
# Configuration
#==============================================================================

# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = false;

# LDAP
$ldap_url = "ldaps://192.168.5.207:636";
$ldap_starttls = false;
$ldap_binddn = "cn=Administrator,cn=Users,dc=example,dc=cn";
$ldap_bindpw = "xxxxx";
$ldap_base = "ou=People,dc=example,dc=cn";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
#$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;

# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;
# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;

# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;
$shadow_options['update_shadowExpire'] = false;
# Default to -1, never expire
$shadow_options['shadow_expire_days'] = -1;

# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";

# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";

# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 7;
# Maximal length
$pwd_max_length = 20;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 0;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 3;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";

## Standard change
# Use standard change form?
$use_change = true;

## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;
# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";
# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "user";
# Notify users anytime their sshPublicKey is changed
## Requires mail configuration below
$notify_on_sshkey_change = false;

## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = false;
# Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
# Crypt answers inside the directory
$crypt_answers = true;
# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "abc@example.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = 'D:\xampp\sendmail\sendmail.exe';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'abc@example.com';
$mail_smtp_pass = 'SPZhBboW7YsA3nZs6';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
#$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

## SMS
# Use sms
$use_sms = true;
# SMS method (mail, api)
$sms_method = "mail";
$sms_api_lib = "lib/smsapi.inc.php";
# GSM number attribute
$sms_attribute = "mobile";
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address
$smsmailto = "{sms_attribute}@service.provider.com";
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} 
{smstoken}";
# Remove non digit characters from GSM number
$sms_sanitize_number = false;
# Truncate GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;
# Max attempts allowed for SMS token
$max_attempts = 3;

# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "abcdef";

# Reset URL (if behind a reverse proxy)
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];

# Display help messages
$show_help = true;

# Default language
$lang = "en";

# List of authorized languages. If empty, all language are allowed.
# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array();

# Display menu on top
$show_menu = true;

# Logo
$logo = "images/ltb-logo.png";

# Background image
$background_image = "images/unsplash-space.jpeg";

# Where to log password resets - Make sure apache has write permission
# By default, they are logged in Apache log
#$reset_request_log = "/var/log/self-service-password";

# Invalid characters in login
# Set at least "*()&|" to prevent LDAP injection
# If empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|";

## CAPTCHA
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
$use_recaptcha = false;
# Go on the site to get public and private key
$recaptcha_publickey = "";
$recaptcha_privatekey = "";
# Customization (see https://developers.google.com/recaptcha/docs/display)
$recaptcha_theme = "light";
$recaptcha_type = "image";
$recaptcha_size = "normal";
# reCAPTCHA request method, null for default, Fully Qualified Class Name to override
# Useful when allow_url_fopen=0 ex. $recaptcha_request_method = '\ReCaptcha\RequestMethod\CurlPost';
$recaptcha_request_method = null;

## Default action
# change
# sendtoken
# sendsms
$default_action = "change";

## Extra messages
# They can also be defined in lang/ files
#$messages['passwordchangedextramessage'] = NULL;
#$messages['changehelpextramessage'] = NULL;

# Launch a posthook script after successful password change
#$posthook = "/usr/share/self-service-password/posthook.sh";
#$display_posthook_error = true;

# Hide some messages to not disclose sensitive information
# These messages will be replaced by badcredentials error
#$obscure_failure_messages = array("mailnomatch");

# Allow to override current settings with local configuration
if (file_exists (__DIR__ . '/config.inc.local.php')) {
    require __DIR__ . '/config.inc.local.php';
}
Then create the directory C:\OpenLDAP\sysconf,
and create the ldap.conf configuration file in it:
#TLS_CACERTDIR C:\OpenLDAP\certs
#TLS_CACERT C:\OpenLDAP\certs\client.crt
TLS_REQCERT never
#TLS_CIPHER_SUITE TLSv1+RSA
I exported the certificate here, but no matter how I wrote the configuration it did not work; presumably Windows cannot read the certificate correctly, so I use never here and skip verification entirely, since the server is on the internal network anyway.
Then restart Apache.
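As an added example (not from the original post or the LTB project), the following PHP CLI script checks the LDAPS connection from Parts 3 and 4 with certificate verification demanded, so a TLS_REQCERT allow/never fallback can be avoided once the CA file loads, and it builds the config's $ldap_filter for a login with the same forbidden-character rule plus LDAP escaping. The DC address, CA file path, bind DN, bind password and the sample login "jdoe" are placeholders.

```php
<?php
// Added example, not from the original post or the LTB project.
// Connects over LDAPS with certificate verification DEMANDED (instead of
// TLS_REQCERT allow/never) and runs the AD user filter from config.inc.php.
// All connection values below are placeholders for your own environment.
const LDAP_URL = 'ldaps://dc1.example.com:636';
const CA_FILE  = '/etc/openldap/certs/ca.cer';   // exported DC/CA certificate, PEM format
const BIND_DN  = 'cn=Administrator,cn=Users,dc=example,dc=com';
const BIND_PW  = 'CHANGE-ME';                      // placeholder
const BASE_DN  = 'ou=People,dc=example,dc=com';
// Same filter as $ldap_filter: matches only enabled accounts
// (1.2.840.113556.1.4.803 is the AD bitwise-AND matching rule; bit 2 = ACCOUNTDISABLE).
const FILTER   = '(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
const LOGIN_FORBIDDEN = '*()&|';                   // mirrors $login_forbidden_chars

// Substitute {login} into the filter: reject metacharacters, then escape what is left.
function buildFilter(string $login): string
{
    if ($login === '' || strpbrk($login, LOGIN_FORBIDDEN) !== false) {
        throw new InvalidArgumentException('login contains forbidden characters');
    }
    return str_replace('{login}', ldap_escape($login, '', LDAP_ESCAPE_FILTER), FILTER);
}

// Open the connection with strict TLS; the global options must be set before the first bind.
function connectStrict()
{
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, CA_FILE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $ds = ldap_connect(LDAP_URL);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise break the search
    if (!@ldap_bind($ds, BIND_DN, BIND_PW)) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        // A certificate problem surfaces here, e.g. "unable to get local issuer certificate"
        throw new RuntimeException('bind failed: ' . ldap_error($ds) . ' / ' . $diag);
    }
    return $ds;
}

// Look up one login the way self-service-password does and return its DN, or null.
function findUserDn($ds, string $login)
{
    $res = ldap_search($ds, BASE_DN, buildFilter($login), ['sAMAccountName', 'cn']);
    $entries = ldap_get_entries($ds, $res);
    return $entries['count'] === 1 ? $entries[0]['dn'] : null;
}

$ds = connectStrict();
var_dump(findUserDn($ds, $argv[1] ?? 'jdoe'));   // "jdoe" is a constructed sample login
```

If the exported .cer is DER-encoded rather than Base-64, convert it first with `openssl x509 -inform der -in ca.cer -out ca.pem`, because OpenLDAP's TLS_CACERT only reads PEM. Setting the CA file from PHP as above also removes the dependency on C:\OpenLDAP\sysconf\ldap.conf on the XAMPP host.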