OpenLDAP:使用Self Service Password管理用户密码

卸载旧版本(如果安装过旧版本的话)

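# Remove previously installed Docker packages; yum skips any name that is not installed.
# The last name was misspelled ("dockesr-engine"), so an existing docker-engine package
# would have been left in place.
yum remove docker docker-common docker-selinux docker-engine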

安装需要的软件包:yum-utils 提供 yum-config-manager 功能,另外两个是 devicemapper 驱动依赖的

yum install -y yum-utils device-mapper-persistent-data lvm2

设置yum源

yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

安装docker

# Without -y, yum asks for confirmation and, on first use of the docker-ce repo,
# asks whether to import the repository signing key. Compare the fingerprint it shows
# with the one in Docker's official installation documentation before accepting.
yum install docker-ce

更换docker源(可选。镜像站会代替 Docker Hub 向本机提供镜像内容,请只配置自己信任的镜像站)

vi /etc/docker/daemon.json

{
    "registry-mirrors": ["https://hub.fast360.xyz"]
}

sudo systemctl daemon-reload 
sudo systemctl restart docker

 

拉取镜像

# No tag is given, so this fetches whatever "latest" currently resolves to, served through
# the registry mirror configured in /etc/docker/daemon.json above.
# Record the digest of the pulled image (docker images --digests) and reuse it for later
# deployments so the password-handling service does not change unnoticed.
docker pull grams/ltb-self-service-password

编辑配置文件

vi /root/config.inc.php

<?php
#==============================================================================

# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

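#==============================================================================
# Configuration
#==============================================================================
# This file holds the LDAP bind password, the SMTP password and the token
# keyphrase in clear text. Treat it as a secret.

# LDAP
# NOTE(review): ldap:// with StartTLS disabled sends the bind DN password and every
# new user password to the directory unencrypted. Once the LDAP server has a
# certificate, switch to ldaps:// or set $ldap_starttls = true.
$ldap_url = "ldap://x.x.x.x:389";
$ldap_starttls = false;
# NOTE(review): cn=admin looks like the directory administrator. A dedicated service
# account limited to searching users and writing their password attribute reduces the
# impact if this file or the container is exposed. Confirm the rights required.
$ldap_binddn = "cn=admin,dc=xxx,dc=com";
$ldap_bindpw = "xxx";
$ldap_base = "dc=xxx,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
# {login} is replaced by the submitted login; see $login_forbidden_chars below.
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = false;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = false;

# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;
# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;

# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;

# Hash mechanism for password:
# SSHA
# SHA
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
# Changed from "SHA" to "SSHA": unsalted SHA gives identical passwords identical
# stored values and makes precomputed lookups practical. SSHA adds a per-password salt.
# CRYPT with the "$6$" prefix below is stronger still, if the LDAP server supports
# crypt-based verification. Confirm before switching.
$hash = "SSHA";

# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";

# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 8;
# Maximal length
# NOTE(review): a cap of 12 characters rejects passphrases and most generated
# passwords. Consider raising this limit.
$pwd_max_length = 12;
# Minimal lower characters
$pwd_min_lower = 1;
# Minimal upper characters
$pwd_min_upper = 1;
# Minimal digit characters
$pwd_min_digit = 1;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 0;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "never";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "user";

## Standard change
# Use standard change form?
$use_change = true;

## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = false;

# Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";

# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Who the email should come from
$mail_from = "xxx@xx.com";
$mail_from_name = "Self Service Password";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'xx@xx.com';
$mail_smtp_pass = 'xxx';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
# Use 'ssl' or 'tls' depending on what the SMTP server expects
$mail_smtp_secure = 'ssl';
$mail_contenttype = 'text/plain';
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

## SMS
# Use sms
$use_sms = false;
# GSM number attribute
$sms_attribute = "mobile";
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address
$smsmailto = "{sms_attribute}@service.provider.com";
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} {smstoken}";

# SMS token length
$sms_token_length = 6;

# Max attempts allowed for SMS token
$max_attempts = 3;

# Reset URL (if behind a reverse proxy)
# NOTE(review): the X-Forwarded-* headers are taken from the incoming request. Enable
# this line only behind a proxy that always overwrites them, or set a fixed URL, so the
# host in mailed reset links cannot be influenced by the requester.
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];

# Display help messages
$show_help = true;

# Language
$lang = "en";

# Display menu on top
$show_menu = true;

# Logo
$logo = "images/ltb-logo.png";

# Background image
$background_image = "images/unsplash-space.jpeg";

# Debug mode
$debug = false;

# Encryption, decryption keyphrase
# NOTE(review): "secret" is the value shipped in the sample configuration, so it is
# public. With $crypt_tokens = true, reset tokens are protected only by this value.
# Replace it with a long random string unique to this deployment before going live
# (for example the output of `openssl rand -base64 32`).
$keyphrase = "secret";

# Where to log password resets - Make sure apache has write permission
# By default, they are logged in Apache log
#$reset_request_log = "/var/log/self-service-password";

# Invalid characters in login
# Set at least "*()&|" to prevent LDAP injection
# If empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|";

## CAPTCHA
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
$use_recaptcha = false;
# Go on the site to get public and private key
$recaptcha_publickey = "";
$recaptcha_privatekey = "";
# Customization (see https://developers.google.com/recaptcha/docs/display)
$recaptcha_theme = "light";
$recaptcha_type = "image";
$recaptcha_size = "normal";

## Default action
# change
# sendtoken
# sendsms
$default_action = "change";

## Extra messages
# They can also be defined in lang/ files
#$messages['passwordchangedextramessage'] = NULL;
#$messages['changehelpextramessage'] = NULL;

# Launch a posthook script after successful password change
#$posthook = "/usr/share/self-service-password/posthook.sh";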

?>

启动docker

# Start the Self Service Password container with the edited configuration mounted in.
# - "~" expands to the invoking user's home directory, so the mount matches the
#   /root/config.inc.php edited above only when this is run as root.
# - The mounted file contains the LDAP bind password, SMTP password and token keyphrase.
# - "-p 8000:80" publishes plain HTTP on every host interface, and users' current and new
#   passwords pass through this port. Put a TLS-terminating reverse proxy in front of it,
#   and consider binding to loopback only (-p 127.0.0.1:8000:80) so the proxy is the sole
#   entry point.
docker run -p 8000:80 -d \
-v ~/config.inc.php:/usr/share/self-service-password/conf/config.inc.php \
--name ldap-ssp \
grams/ltb-self-service-password

 
