OpenLDAP: configuring self-service password changes for users

Once OpenLDAP is used as the login backend for Jira, a wiki and similar tools, ordinary users will need to change their own passwords. To support this, the OpenLDAP access configuration must grant each user write access to their own password, and nothing more.

1. Grant users the right to change only their own password

```
[admin@localhost openldap]$ cat updatepass.ldif
# target the entry under cn=config that holds your database's ACLs;
# the index and backend name ({1}mdb here) must be adjusted to match your server
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn="cn=setpasswd,dc=sys,dc=com" write
  by dn.children="cn=setpasswd,dc=sys,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to *
  by dn="cn=setpasswd,dc=sys,dc=com" write
  by dn.children="cn=setpasswd,dc=sys,dc=com" write
  by * read

[admin@localhost openldap]$ ../../bin/ldapmodify -h 127.0.0.1 -x -D cn=admin,dc=sys,dc=com -w Abc.123456 -f updatepass.ldif
```

Rule {0} is evaluated first, so it alone decides access to userPassword: the cn=setpasswd service account (and any entry below it) may write it, an unauthenticated client may only use it to bind (auth), each user may write their own entry's password (self), and everyone else gets nothing, which also keeps the password hashes unreadable. Rule {1} leaves every other attribute world-readable. Because olcAccess lives in the cn=config database, the identity passed to ldapmodify must be allowed to write there (typically the cn=config rootdn, or `ldapmodify -Y EXTERNAL -H ldapi:///` run as root).
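To see what this ACL actually grants, here is an added example (not from the page or from OpenLDAP) that models slapd's evaluation of these two rules offline; the user DNs in it are constructed, and the code only simulates the rule order, it does not talk to a directory.

```python
"""Offline model of the two olcAccess rules in updatepass.ldif.
Added example; it is neither the page's code nor OpenLDAP's. It reproduces
the evaluation order slapd uses: the first <to> clause whose attrs match is
selected, and inside it the first <by> clause that matches the requester
decides; an unmatched <to> clause ends with an implicit "by * none"."""

# Access levels in increasing order of privilege, as slapd defines them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SERVICE_DN = "cn=setpasswd,dc=sys,dc=com"   # service account DN from the page

# (attribute the <to> clause covers, or None for "to *", ordered <by> clauses)
RULES = [
    ("userPassword", [("dn", "write"), ("dn.children", "write"),
                      ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    (None, [("dn", "write"), ("dn.children", "write"), ("*", "read")]),
]

def is_child_of(dn, parent):
    """dn.children matches entries strictly below parent, at any depth."""
    return dn.lower() != parent.lower() and dn.lower().endswith("," + parent.lower())

def who_matches(who, requester, target):
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who == "dn":            # by dn="..." is an exact match
        return requester.lower() == SERVICE_DN.lower()
    if who == "dn.children":
        return is_child_of(requester, SERVICE_DN)
    if who == "self":          # the requester is the entry being accessed
        return requester.lower() == target.lower()
    raise ValueError("unknown <by> selector: " + who)

def granted_level(requester, target, attr):
    """Access level slapd would grant on attr of the entry target."""
    for attr_filter, by_clauses in RULES:
        if attr_filter is not None and attr_filter.lower() != attr.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target):
                return level
        return "none"          # implicit "by * none" closes every <to> clause
    return "none"

def allowed(requester, target, attr, needed):
    """True if the granted level is at least what the operation needs."""
    return LEVELS.index(granted_level(requester, target, attr)) >= LEVELS.index(needed)
```

Running it confirms the intended outcome: a user can write only their own userPassword, other users cannot even read it, and anonymous clients get exactly the auth level a bind needs.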

2. Deploy the web front end

Deploying from source (nginx + PHP 7)

2.1 Install PHP 7

Install the build dependencies

```
[admin@localhost downloads]$ sudo yum install -y gcc gcc-c++  make zlib zlib-devel pcre pcre-devel  libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 krb5-devel openssl openssl-devel openldap openldap-devel nss_ldap openldap-clients openldap-servers
```

Download and unpack PHP 7

```
[admin@localhost downloads]$ wget https://www.php.net/distributions/php-7.2.34.tar.gz
[admin@localhost downloads]$ tar xf php-7.2.34.tar.gz
```

Pre-build configuration

In the unpacked source tree, find php.ini-production, copy it into the PHP install prefix (the commands below use /work/admin/php) and rename it to php.ini.

```
[admin@localhost downloads]$ cd php-7.2.34
[admin@localhost php-7.2.34]$ mkdir /work/admin/php
[admin@localhost php-7.2.34]$ cp php.ini-production /work/admin/php/php.ini

[Optional] Have PHP print error messages on the page (handy while setting up; keep it Off on a production host, since error output can reveal paths and configuration)
[admin@localhost php-7.2.34]$ vim /work/admin/php/php.ini
display_errors = On
```

Build and install

```
[admin@localhost php-7.2.34]$ ./configure \
--prefix=/work/admin/php \
--exec-prefix=/work/admin/php \
--bindir=/work/admin/php/bin \
--sbindir=/work/admin/php/sbin \
--includedir=/work/admin/php/include \
--libdir=/work/admin/php/lib/php \
--mandir=/work/admin/php/php/man \
--with-config-file-path=/work/admin/php/etc \
--with-openssl \
--enable-mbstring \
--enable-fpm

[admin@localhost php-7.2.34]$ make
[admin@localhost php-7.2.34]$ make install
```

Copy the PHP configuration files

```
[admin@localhost php-7.2.34]$ cp /work/admin/php/etc/php-fpm.conf.default /work/admin/php/etc/php-fpm.conf
[admin@localhost php-7.2.34]$ cp /work/admin/php/etc/php-fpm.d/www.conf.default /work/admin/php/etc/php-fpm.d/www.conf
/work/admin/php/etc/php-fpm.conf
[admin@localhost php-7.2.34]$ mv /work/admin/php/php.ini /work/admin/php/etc/php.ini
```

2.2 Install the php-ldap module

Make sure the dependency packages are installed

```
[admin@localhost php-7.2.34]$ sudo yum install -y openldap
[admin@localhost php-7.2.34]$ sudo yum install -y openldap-devel
```

Copy the library files

```
[admin@localhost php-7.2.34]$ sudo cp -frp /usr/lib64/libldap* /usr/lib/
```

Build and install the php-ldap module. Use the ext/ldap directory of the same PHP source tree that was built above: the extension's API version has to match the installed PHP.

```
[admin@localhost php-7.2.34]$ cd /usr/local/src/php-7.0.21/ext/ldap/  (path of the unpacked source tree)
[admin@localhost ldap]$ /work/admin/php/bin/phpize         (PHP install path)
Configuring for:
PHP Api Version: 20170718
Zend Module Api No: 20170718
Zend Extension Api No: 320170718
```

On CentOS, running phpize to build a PHP extension may fail with:

```
Cannot find autoconf. Please check your autoconf installation and the
$PHP_AUTOCONF environment variable. Then, rerun this script.
```

The error means that a tool called autoconf could not be found; install it with yum:

```
yum install -y autoconf
```

```
[admin@localhost ldap]$ ./configure --with-php-config=/work/admin/php/bin/php-config  (PHP install path)
[admin@localhost ldap]$ make
[admin@localhost ldap]$ make install
```

Edit php.ini to load the ldap module

```
[admin@localhost ldap]$ vim /work/admin/php/etc/php.ini
extension=ldap.so
```

After editing, run ./php/bin/php -m and check that ldap is listed among the loaded modules.

2.3 Install nginx

```
[admin@localhost downloads]$ wget http://nginx.org/download/nginx-1.15.4.tar.gz
[admin@localhost downloads]$ tar xf nginx-1.15.4.tar.gz
[admin@localhost downloads]$ cd nginx-1.15.4
[admin@localhost nginx-1.15.4]$ ./configure --prefix=/work/admin/nginx
[admin@localhost nginx-1.15.4]$ make
[admin@localhost nginx-1.15.4]$ make install
```

2.4 Install the self-service-password service

Configure the Self Service Password yum repository. The file below sets gpgcheck=0, which disables package signature verification; once the LTB key named in gpgkey has been imported, set gpgcheck=1 so that the packages are verified before installation.

```
[admin@localhost downloads]$ cat /etc/yum.repos.d/self-service-password.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
```

Install it with the following command

```
[admin@localhost downloads]$ sudo yum -y install self-service-password
```

Installing Self Service Password also pulls in Apache, PHP 5.4 and related dependencies. Since PHP 7 and nginx were installed manually above, PHP 5.4 and Apache can be removed.

2.5 Edit the configuration

Edit the Self Service Password configuration

The main parts to change are the following

```
[admin@localhost ~]$ grep -vE '^#|^$' /usr/share/self-service-password/conf/config.inc.php

# LDAP section
$ldap_url = "ldap://192.168.48.136:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=sys,dc=com";
$ldap_bindpw = "Abc.123456";
$ldap_base = "dc=sys,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

# Mail section
## Mail
$mail_attribute = "mail";
$mail_address_use_ldap = false;
$mail_from = "dogotsn@duojia369.com";
$mail_from_name = "企业账号密码重置";
$mail_signature = "LDAP系统后台";
$notify_on_change = true;
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'dogotsn@duojia369.com';
$mail_smtp_pass = '********';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = false;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;


$keyphrase = "11111111"; # change this to anything other than the default value "secret", otherwise an error is raised

# Password complexity policy
# Minimum length
$pwd_min_length = 8;
# Maximum length
$pwd_max_length = 28;
# Minimum number of lowercase characters
$pwd_min_lower = 1;
# Minimum number of uppercase characters
$pwd_min_upper = 1;
# Minimum number of digits
$pwd_min_digit = 1;
# Minimum number of special characters, i.e. anything other than digits and letters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
```
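As an added example (not Self Service Password's own code), the following mirrors the local policy above so that the effect of each $pwd_* value, in particular the "^a-zA-Z0-9" character class, can be checked offline; the sample passwords it is tested with are constructed.

```python
"""Local password-policy check mirroring the $pwd_* settings above.
Added example, not Self Service Password's own code; the rule values are the
page's. $pwd_special_chars is the body of a PCRE character class, so
"^a-zA-Z0-9" counts every character that is not an ASCII letter or digit as
special."""
import re

POLICY = {                      # values from the page's config.inc.php
    "min_length": 8, "max_length": 28,
    "min_lower": 1, "min_upper": 1, "min_digit": 1, "min_special": 0,
    "special_chars": "^a-zA-Z0-9",
}

def check_password(pw, policy=POLICY):
    """Return the names of the violated rules; an empty list means the password passes."""
    counts = {
        "min_lower": len(re.findall(r"[a-z]", pw)),
        "min_upper": len(re.findall(r"[A-Z]", pw)),
        "min_digit": len(re.findall(r"[0-9]", pw)),
        # build the class exactly as PHP does: "[" . $pwd_special_chars . "]"
        "min_special": len(re.findall("[" + policy["special_chars"] + "]", pw)),
    }
    failed = []
    if len(pw) < policy["min_length"]:
        failed.append("min_length")
    if policy["max_length"] and len(pw) > policy["max_length"]:
        failed.append("max_length")
    failed += [rule for rule, n in counts.items() if n < policy[rule]]
    return failed
```

This local policy runs before the directory's own password policy, so a password that passes here can still be refused by slapd.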

Edit the nginx configuration. Note that the `location ~ \.php$` block hands every path ending in .php to php-fpm; adding `try_files $uri =404;` inside it makes nginx refuse requests for scripts that do not exist on disk instead of forwarding them.

```nginx
server {
    listen 8080;
    server_name dogo_ldap.dogotsn.com;

    root /usr/share/self-service-password;
    index index.php;
    access_log logs/ldappass.log;

    location / {
        root /usr/share/self-service-password;
        index index.html index.htm index.php;
    }

    error_page 404 /404.html;
    location = /404.html {
        root html;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

Start the services

Start php-fpm

```
[admin@localhost ~]$ /work/admin/php/sbin/php-fpm 
[03-Nov-2020 09:15:36] NOTICE: [pool www] 'user' directive is ignored when FPM is not running as root
[03-Nov-2020 09:15:36] NOTICE: [pool www] 'group' directive is ignored when FPM is not running as root
```

Start nginx

```
/work/admin/nginx/sbin/nginx
```

Deploying with Docker

```
[admin@localhost ~]$ cat docker-compose.yml

version: '2'
services:
  ssp-app:
    image: registry.cn-hangzhou.aliyuncs.com/eryajf/self-service-password
    container_name: ssp-app
    volumes:
      - ./data/:/www/ssp
      - ./logs/:/www/logs
    ports:
      - 8888:80
    environment:
      - VIRTUAL_HOST=http://10.3.0.42
      - VIRTUAL_NETWORK=nginx-proxy
      - LETSENCRYPT_HOST=10.3.0.42
      - LETSENCRYPT_EMAIL=Linuxlql@163.com
      - LDAP_SERVER=ldap://10.3.0.42:389
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=cn=admin,dc=eryajf,dc=net
      - LDAP_BINDPASS=eryajf@456
      - LDAP_BASE_SEARCH=ou=People,dc=eryajf,dc=net
      - LDAP_LOGIN_ATTRIBUTE=uid
      - LDAP_FULLNAME_ATTRIBUTE=cn
      # Active Directory mode
      # true: use unicodePwd as password field
      # false: LDAPv3 standard behavior
      - ADMODE=false
      # Force account unlock when password is changed
      - AD_OPT_FORCE_UNLOCK=false
      # Force user change password at next login
      - AD_OPT_FORCE_PWD_CHANGE=false
      # Allow user with expired password to change password
      - AD_OPT_CHANGE_EXPIRED_PASSWORD=false
      # Samba mode
      # true: update sambaNTpassword and sambaPwdLastSet attributes too
      # false: just update the password
      - SAMBA_MODE=false
      # Shadow options - require shadowAccount objectClass
      # Update shadowLastChange
      - SHADOW_OPT_UPDATE_SHADOWLASTCHANGE=false
      # Hash mechanism for password:
      # SSHA
      # SHA
      # SMD5
      # MD5
      # CRYPT
      # clear (the default)
      # auto (will check the hash of current password)
      # This option is not used with ad_mode = true
      - PASSWORD_HASH=SHA
      # Local password policy
      # This is applied before directory password policy
      # Minimal length
      - PASSWORD_MIN_LENGTH=6
      # Maximal length
      - PASSWORD_MAX_LENGTH=30
      # Minimal lower characters
      - PASSWORD_MIN_LOWERCASE=2
      # Minimal upper characters
      - PASSWORD_MIN_UPPERCASE=1
      # Minimal digit characters
      - PASSWORD_MIN_DIGIT=1
      # Minimal special characters
      - PASSWORD_MIN_SPECIAL=0
      # Dont reuse the same password as currently
      - PASSWORD_NO_REUSE=true
      # Show policy constraints message:
      # always
      # never
      # onerror
      - PASSWORD_SHOW_POLICY=never
      # Position of password policy constraints message:
      # above - the form
      # below - the form
      - PASSWORD_SHOW_POLICY_POSITION=above
      # Who changes the password?
      # Also applicable for question/answer save
      # user: the user itself
      # manager: the above binddn
      - WHO_CAN_CHANGE_PASSWORD=user
      ## Questions/answers
      # Use questions/answers?
      # true (default)
      # false
      - QUESTIONS_ENABLED=false
      ## Mail
      # LDAP mail attribute
      - LDAP_MAIL_ATTRIBUTE=mail
      # Who the email should come from
      - MAIL_FROM=Linuxlql@163.com
      - MAIL_FROM_NAME=Password Reset
      # Notify users anytime their password is changed
      - NOTIFY_ON_CHANGE=true
      # PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.163.com
      - SMTP_AUTH_ON=true
      - SMTP_USER=Linuxlql@163.com
      - SMTP_PASS=xxxxxx # this is the mailbox authorization code; anyone who has set up mail before will know what I mean
      - SMTP_PORT=25
      - SMTP_SECURE_TYPE=tls
      - SMTP_AUTOTLS=false
      ## SMS
      # Use sms (NOT WORKING YET)
      - USE_SMS=false
      # Reset URL (if behind a reverse proxy)
      - IS_BEHIND_PROXY=true
      # Display help messages
      - SHOW_HELP=true
      # Language
      - LANG=en
      # Debug mode
      - DEBUG_MODE=false
      # Encryption, decryption keyphrase
      - SECRETEKEY=secretkey
      ## CAPTCHA
      # Use Google reCAPTCHA (http://www.google.com/recaptcha)
      - USE_RECAPTCHA=false
      # Go on the site to get public and private key
      - RECAPTCHA_PUB_KEY=akjsdnkajnd
      - RECAPTCHA_PRIV_KEY=aksdjnakjdnsa
      ## Default action
      # change
      # sendtoken
      # sendsms
      - DEFAULT_ACTION=change
    networks:
      - proxy-tier
    restart: always
networks:
  proxy-tier:
    external:
      name: nginx-proxy
```

Either of the two installation methods works; choose whichever you prefer. Personally I find that the source build, carried out step by step, gives a better understanding of how the pieces fit together.

Once everything is configured, visiting port 8080 shows the following page:

[Image 1]
