php 修改域密码,Self Service Password AD域密码自助重置服务配置指引
Self Service Password AD域密码自助重置服务配置指引
一、安装Self Service Password
1、到官网获取安装包或安装方法
2、dev为开发者版本,stable为最新稳定版,建议使用stable版本,稳定最重要。
3、选择RPM包安装
4、安装官方指引,配置yum源并安装
#配置yum源
[root@localhost ~]# vim /etc/yum.repos.d/ltb-project.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
#导入GPG私钥
[root@localhost ~]# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project
#安装self-service-password
[root@localhost ~]# yum install -y self-service-password
二、配置self-service-password
1、修改/usr/share/self-service-password/conf/config.inc.php的配置(具体参数配置,可到官网查看配置文档)
[root@localhost ~]# vim /usr/share/self-service-password/conf/config.inc.php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================
#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================
#==============================================================================
# Configuration
#==============================================================================
# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = true; //打开调试模式,便于调试
# LDAP
$ldap_url = "ldaps://xxxxxxxxxx:636"; //配置LDAPS 636端口加密
$ldap_starttls = false;
$ldap_binddn = "cn=xxxx,cn=xxx,dc=xxx,dc=xxx,dc=xxx"; //连接LDAP服务器的账号的DN,该账号要有修改AD域用户账号权限
$ldap_bindpw = "xxxxxx"; //连接LDAP服务器账号的密码
$ldap_base = "dc=xxx,dc=xxx,dc=xxx"; // 检索OU范围
$ldap_login_attribute = "cn"; //检索AD域用户cn属性的用户名
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true; //启用Active Directory模式
# Force account unlock when password is changed
$ad_options['force_unlock'] = true; //强制解锁:当密码更改将解锁锁定帐户
# Force user change password at next login
$ad_options['force_pwd_change'] = false; //强制用户在下次登录时更改密码
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true; //允许用户更改密码,如果密码过期
# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;
# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;
# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;
$shadow_options['update_shadowExpire'] = false;
# Default to -1, never expire
$shadow_options['shadow_expire_days'] = -1;
# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";
# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";
# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 6; //定义最短密码位数
# Maximal length
$pwd_max_length = 14; //定义最长密码位数
# Minimal lower characters
$pwd_min_lower = 0; //定义密码应包含多少位小写字母
# Minimal upper characters
$pwd_min_upper = 0; //定义密码应包含多少位大写字母
# Minimal digit characters
$pwd_min_digit = 0; //定义密码应包含多少位数字
# Minimal special characters
$pwd_min_special = 0; //定义密码应包含多少位特殊字符
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9"; //定义密码正则表达式
# Forbidden characters
#$pwd_forbidden_chars = "@%"; //定义密码禁止的特殊字符
# Don't reuse the same password as currently
$pwd_no_reuse = true; //是否禁止使用重复密码
# Check that password is different than login
$pwd_diff_login = true; //检查密码是否与登录密码不同
# Complexity: number of different class of character required
$pwd_complexity = 3; //定义密码应包含多少种组合
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always"; //是否显示密码更改策略
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above"; //定义密码更改策略显示位置
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "xxxxxxx"; //定义使用什么账户来修改密码
## Standard change
# Use standard change form?
$use_change = true; //启用密码更改功能
## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;
# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";
# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "xxxxxxx"; //定义使用什么账户来修改sshPublicKey属性
# Notify users anytime their sshPublicKey is changed
## Requires mail configuration below
$notify_on_sshkey_change = false;
## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = false; //启用问题答案修改密码功能
# Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
# Crypt answers inside the directory
$crypt_answers = true;
# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
## Token
# Use tokens?
# true (default)
# false
$use_tokens = true; //启用邮件修改密码功能
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";
# LDAP mail attribute
$mail_attribute = "mail"; //对比LDAP的mail属性
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "xxxxxx@xxxx.com"; //发件人
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true; //当用户的密码被更改时通知他们
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp'; //smtp协议
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'xxxxxxxxx'; //发送服务器
$mail_smtp_auth = true;
$mail_smtp_user = 'xxxx@xxx.com'; //发件邮箱账号
$mail_smtp_pass = 'xxxxx'; //发件邮箱密码
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "xxxx"; 修改keyphrase,任意字符串,与默认配置内容不一致即可
三、安装和配置openldap
1、安装openldap
[root@localhost ~]# yum install -y openldap
2、从域内的CA服务器内申请CA证书,格式:DER编码二进制 X.509 或 Base64 编码 X.509(操作 略)
3、将证书从.cer 转成.pem 格式,并导入openldap
[root@localhost ~]# openssl x509 -inform der -in xxx.cer -out xxx.pem
[root@localhost ~]# cat xxx.pem >>/etc/openldap/certs/xxx.pem
4、修改ldap.conf配置
[root@localhost ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/xxxx.pem //配置openldap中证书的路径
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
四、最后测试
1、重启httpd服务,并设置开机自启
[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd
2、验证
五、一般问题
1、无法连接LDAP
①检查配置的LDAP账号是否有权限、账号密码是否正确;②AD域636端口是否打开;③证书是否有效,颁发者是否被信任;④openldap配置是否正确
2、提示修改成功后,AD域用户密码并没有修改
①、检查是否配置ldaps 636而非 ldap 389;②检查配置文件 $who_change_password 和$who_change_sshkey 这两个参数;
3、找不到错误日志
①日志功能是否打开;②错误日志一般在httpd或apache日志的错误日志下,取决于你用那个软件来提供web服务;
php 修改域密码,Self Service Password AD域密码自助重置服务配置指引相关推荐
- Windows AD域功能介绍、Windows AD域方案介绍
Windows AD域功能介绍.Windows AD域方案介绍 功能一.AD域管理 https://www.manageengine.cn/products/ad-manager/ 1.AD域管理 通 ...
- ad域服务器用户登录限制,AD域监控用户登录, 活动目录监控用户, AD登录历史审核...
实时监控用户登录操作 用户登录到其域计算机是在任何企业都会发生的日常活动.一开始,这看起来可能是一个简单的Active Directory事件,但分配有不同角色的管理员可将这个宝贵的数据用于各种审核. ...
- win10ad域 用户和计算机,Windows AD域通过GPO设置客户端电脑本地管理员账号密
0x01 介绍 在实际生产环境中,由于Windows AD域的限制,桌面对客户端电脑进行软件安装或其他系统配置时,均需要管理员权限,而网内客户端众多,不同客户端电脑密码可能都是不同的,也经常忘记本地管 ...
- 域服务器禁止复制文件,ad域可以禁止拷贝数据库
ad域可以禁止拷贝数据库 内容精选 换一换 华为云帮助中心,为用户提供产品简介.价格说明.购买指南.用户指南.API参考.最佳实践.常见问题.视频帮助等技术文档,帮助您快速上手使用华为云服务. 文档数 ...
- Centos 7加入Windows AD域及搭建基于Windows AD域(即ldap)认证的samba共享
在我的windows server系列的文章中已经搭建好了windows AD域,现在要求Centos 7服务器加入AD域并实现基于AD认证的samba共享. 物理环境: Windows Server ...
- 域控服务器迁移步骤,AD域控制器迁移方法
AD域控制器迁移方法 1:新DC安装系统,配置IP DNS指向老DC (新DC可以加入现有域,也可以不加). 2:提升新DC为辅助域控制器后重启. 3:重启完成后,安装DNS服务.然后等老DC的DNS ...
- ad域 禁用账号_通过AD域控平台统一批量管理公司电脑的桌面
一.说明: 最近我们公司流行一种特别强大的风气,走进职场办公区后,给人一种特别不好的影响,就是每个工位上的电脑屏上显示着五花八门的图案.壁纸,于是信息部领导发话了,要求职场办公电脑必须统一管理桌面壁纸 ...
- 域策略怎么分发计算机软件,AD域中如何布置软件自动分发
本篇文章介绍了如何使用组策略自动将程序分发到客户端计算机或用户.您可以通过以下方法使用组策略分发计算机程序: • 分配软件 您可以将程序分发分配到用户或计算机.如果将程序分配给一个用户,在该用户登录到 ...
- 记一次AD域域管理员密码更改导致某系统群集管理器故障排查解决过程
环境描述 某公司有一套系统,2台Windows2003系统,采用自带的群集管理器功能实现双机热备功能,正常情况下,服务器10.1.1.1承载中间件应用服务,服务器10.1.1.2承载数据库服务,仅当其 ...
最新文章
- with语句和上下文管理器
- opencv 斑马线,条纹检测
- 利用curl命令测试服务端
- linux shell脚本的执行方式与区别
- 基于visual Studio2013解决C语言竞赛题之1083人机博弈
- 从内部重启python脚本
- CentOS上完全卸载gitlab
- 对.Net 垃圾回收的C#编程相关方面(Finalize 和Dispose(bool disposing)和 Dispose())的一些理解体会...
- 伯努利分布方差_学计量经济学,你应该知道的六种6个概率分布
- 【GNN】图神经网络综述
- 使用gson和fastjson来解析json
- k2pbreed刷高恪教程_斐讯K2刷高恪固件教程,通过breed刷入,详细图文教程
- ICIP2019论文合集
- 有了这款神器,什么吃灰文件都统统现形~极速搜索工具Everthing
- java 获取本机ip地址吗_java 获取本机ip地址
- 正则表达式(以校验qq是否合法等为例)
- freeswitch呼叫中心之freeswitch集成百度MRCP智能语音
- vivo是安卓手机吗_vivo新机Y73s评测:谁说买手机一定要买旗舰机?_安卓手机
- 周末参加“北京干部管理职业技术学院”关于高职课程改革的专家讨论会
- springboot实战派PDF文档
热门文章
- matlab 数值范围,matlab中怎么样表示自变量的取值范围
- 锐捷云课堂计算机教室,锐捷云课堂2.0 计算机教学的专属云
- 如何用 Sprite Kit 和 Swift 制作一个逃逸游戏-第一部分
- 单片机 STM32F103C8T6 cubeMX HAL库 从环境到开发 正点原子工程移植 freeRTOS
- spring redis cluster Lettuce 拓扑刷新
- 文章7:多功能智能跟随行李箱控制系统设计 | 本科毕业设计 - 【模块器件选型、清单、资料】
- Windows系统下在Anaconda中使用bash
- 找数据分析工作,为什么简历投出去没动静?
- 文法G[E]: E→E+T|T ,T→T*F|F ,F→i|(E) 求FIRST集,FOLLOW集
- 小米手机利用MIUI手机管家“自动任务”实现“自动打卡”