Self Service Password: configuration guide for an AD domain password self-service reset service

I. Install Self Service Password

1. Get the package, or the installation instructions, from the project website.

2. "dev" is the development branch and "stable" the latest stable release; use stable, since stability matters most here.

3. Choose the RPM package installation.

4. Following the official instructions, configure the yum repository and install:

# Configure the yum repository
[root@localhost ~]# vim /etc/yum.repos.d/ltb-project.repo

[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

# Import the project's GPG public key (gpgcheck=1 above makes yum verify the package signature against it)
[root@localhost ~]# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

# Install self-service-password
[root@localhost ~]# yum install -y self-service-password

II. Configure self-service-password

1. Edit the settings in /usr/share/self-service-password/conf/config.inc.php (the full parameter reference is in the configuration documentation on the project website). The header of that file says it should not be modified directly: put the changed values in config.inc.local.php in the same directory, which overrides config.inc.php and keeps the bind password and keyphrase out of the package-managed file, where a package upgrade would overwrite them. The settings that matter for an AD deployment are commented below.

[root@localhost ~]# vim /usr/share/self-service-password/conf/config.inc.php

#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================

#==============================================================================
# Configuration
#==============================================================================

# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = true; // debug on while setting up; set it back to false in production, otherwise errors are displayed in the browser

# LDAP
$ldap_url = "ldaps://xxxxxxxxxx:636"; // LDAPS on port 636; AD only accepts a unicodePwd change over an encrypted connection
$ldap_starttls = false;
$ldap_binddn = "cn=xxxx,cn=xxx,dc=xxx,dc=xxx,dc=xxx"; // DN of the account used to connect; it needs the right to reset the passwords of the AD users in scope, and nothing more
$ldap_bindpw = "xxxxxx"; // password of that account
$ldap_base = "dc=xxx,dc=xxx,dc=xxx"; // search base (the OU scope in which users are looked up)
$ldap_login_attribute = "cn"; // attribute read back as the user's login; the filter below matches on sAMAccountName, and the AD example in the project documentation sets this to sAMAccountName as well, since cn is the display name and may differ from it
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; // find the user by sAMAccountName and exclude disabled accounts (bit 2 of userAccountControl, tested with the LDAP_MATCHING_RULE_BIT_AND rule)

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true; // enable Active Directory mode

# Force account unlock when password is changed
$ad_options['force_unlock'] = true; // unlock a locked-out account when its password is changed

# Force user change password at next login
$ad_options['force_pwd_change'] = false; // do not force a password change at next logon

# Allow user with expired password to change password
$ad_options['change_expired_password'] = true; // let users whose password has expired change it

# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;

# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;

# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;
$shadow_options['update_shadowExpire'] = false;

# Default to -1, never expire
$shadow_options['shadow_expire_days'] = -1;

# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";

# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";

# Local password policy
# This is applied before directory password policy
# (the domain password policy on the DC is still enforced after it; keep the local one at least as strict, so users get a clear message from the form instead of a rejection from the DC)

# Minimal length
$pwd_min_length = 6; // minimum password length

# Maximal length
$pwd_max_length = 14; // maximum password length

# Minimal lower characters
$pwd_min_lower = 0; // minimum number of lowercase letters

# Minimal upper characters
$pwd_min_upper = 0; // minimum number of uppercase letters

# Minimal digit characters
$pwd_min_digit = 0; // minimum number of digits

# Minimal special characters
$pwd_min_special = 0; // minimum number of special characters

# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9"; // character class that counts as "special" (here: anything that is not a letter or digit); this is not a full password regex

# Forbidden characters
#$pwd_forbidden_chars = "@%"; // characters not allowed in passwords

# Don't reuse the same password as currently
$pwd_no_reuse = true; // reject the current password as the new one

# Check that password is different than login
$pwd_diff_login = true; // reject a password identical to the login name

# Complexity: number of different class of character required
$pwd_complexity = 3; // number of different character classes the password must contain

# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;

# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always"; // whether to display the password policy on the form

# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above"; // where the policy message is displayed

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "xxxxxxx"; // which bind performs the change: "user" (bind as the user) or "manager" (bind as $ldap_binddn above); a placeholder like this is not a valid value

## Standard change
# Use standard change form?
$use_change = true; // enable the password change form

## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;

# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";

# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "xxxxxxx"; // which bind modifies the sshPublicKey attribute: "user" or "manager"

# Notify users anytime their sshPublicKey is changed
## Requires mail configuration below
$notify_on_sshkey_change = false;

## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = false; // the question/answer reset flow is disabled here (set true to enable it)

# Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";

# Crypt answers inside the directory
$crypt_answers = true;

# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true; // enable password reset by a token sent by e-mail

# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;

# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attribute = "mail"; // LDAP attribute holding the user's e-mail address (where the token is sent)

# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;

# Who the email should come from
$mail_from = "xxxxxx@xxxx.com"; // sender address
$mail_from_name = "Self Service Password";
$mail_signature = "";

# Notify users anytime their password is changed
$notify_on_change = true; // notify users when their password is changed

# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp'; // send over SMTP
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'xxxxxxxxx'; // outgoing mail server
$mail_smtp_auth = true;
$mail_smtp_user = 'xxxx@xxx.com'; // sending mailbox account
$mail_smtp_pass = 'xxxxx'; // sending mailbox password
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls'; // STARTTLS on the SMTP connection
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "xxxx"; // replace with a long random string that differs from the packaged default; it is what protects the reset tokens
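As an added example (a shell script written for this page, not code from the page or from the LTB project), the AD-relevant settings above collected into the config.inc.local.php override that the config.inc.php header asks for, instead of edits to the packaged file. The domain controller name, service account DN, search base, mail server and mailbox are placeholders; the keyphrase is generated rather than typed; the bind password is taken from the environment so it never sits in the file template or shell history; and the file is created with umask 027 (mode 0640) because it contains that password and the keyphrase. The "apache" group is the httpd group on CentOS and is also an assumption.

```shell
#!/bin/sh
# Added example, not code from the page or from the LTB project: generate
# /usr/share/self-service-password/conf/config.inc.local.php with the AD
# settings discussed above instead of editing the packaged config.inc.php.
# Host names, DNs, OUs and mailbox names below are placeholders (assumptions).
set -eu

# Keyphrase for encrypting reset tokens ($crypt_tokens = true): 32 random
# bytes, hex encoded (64 characters), so it never matches the packaged default.
gen_keyphrase() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# write_ssp_local_config DEST KEYPHRASE BINDPW
# Only settings that differ from config.inc.php need to be here; everything
# else keeps the packaged default. The bind password is written in a PHP
# single-quoted string, so it must not contain ' or \ (checked).
write_ssp_local_config() {
    dest=$1; keyphrase=$2; bindpw=$3
    case $bindpw in
        *\'*|*\\*) echo "bind password must not contain ' or \\" >&2; return 1 ;;
    esac
    (
        umask 027   # file holds the bind password and keyphrase: 0640
        {
            cat <<'EOF'
<?php
# Local overrides for LTB Self Service Password (placeholder values, adjust to your domain)
$debug = false;                                   # true only while troubleshooting
$ldap_url = "ldaps://dc01.example.com:636";       # LDAPS: AD refuses unicodePwd changes over cleartext LDAP
$ldap_starttls = false;
$ldap_binddn = "CN=svc-ssp,OU=Service Accounts,DC=example,DC=com";
$ldap_base = "OU=Users,DC=example,DC=com";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
$ad_mode = true;
$ad_options['force_unlock'] = true;
$ad_options['force_pwd_change'] = false;
$ad_options['change_expired_password'] = true;
$who_change_password = "manager";                 # bind as $ldap_binddn ("user" binds as the user instead)
$pwd_min_length = 8;                              # front-end policy only; the domain policy on the DC still applies
$pwd_max_length = 64;
$pwd_complexity = 3;
$use_questions = false;
$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";
$mail_attribute = "mail";
$mail_from = "ssp@example.com";
$mail_protocol = 'smtp';
$mail_smtp_host = 'smtp.example.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'ssp@example.com';
$mail_smtp_pass = 'change-me';                    # fill in the mailbox password by hand
$mail_smtp_port = 25;
$mail_smtp_secure = 'tls';
$notify_on_change = true;
EOF
            printf "\$ldap_bindpw = '%s';\n" "$bindpw"
            printf '$keyphrase = "%s";\n' "$keyphrase"
        } > "$dest"
    )
}

# check_local_config FILE: refuse a file that is world-readable or that does
# not carry a generated keyphrase; run php -l when PHP is installed.
check_local_config() {
    f=$1
    [ -z "$(find "$f" -perm -o+r)" ] || { echo "$f is world-readable" >&2; return 1; }
    grep -q '^\$keyphrase = "[0-9a-f]\{64\}";' "$f" || { echo "keyphrase missing or not generated" >&2; return 1; }
    if command -v php >/dev/null 2>&1; then
        php -l "$f" >/dev/null
    fi
}

# Usage (on the SSP host, as root):
#   SSP_BIND_PASSWORD='...' sh ssp-local-config.sh /usr/share/self-service-password/conf/config.inc.local.php
if [ "$#" -eq 1 ]; then
    write_ssp_local_config "$1" "$(gen_keyphrase)" "${SSP_BIND_PASSWORD:?set SSP_BIND_PASSWORD}"
    chown root:apache "$1"   # apache: httpd group on CentOS (assumption)
    check_local_config "$1"
fi
```

Run it once, then restart httpd. $debug is written as false; flip it to true only while diagnosing a problem and back again afterwards, since with true errors are shown in the browser. check_local_config refuses a world-readable file or a keyphrase that is not the generated 64-hex-character value, and runs php -l when PHP is on the path.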

III. Install and configure OpenLDAP

1. Install openldap

[root@localhost ~]# yum install -y openldap

2. Obtain the CA certificate from the domain's CA server, in DER-encoded binary X.509 or Base64-encoded X.509 format (steps omitted). This is the certificate of the CA that issued the domain controller's LDAPS certificate; it is what the client verifies the server against.

3. Convert the certificate from .cer to .pem and install it for OpenLDAP (a Base64 export is already PEM and only needs to be copied)

[root@localhost ~]# openssl x509 -inform der -in xxx.cer -out xxx.pem

[root@localhost ~]# cat xxx.pem >>/etc/openldap/certs/xxx.pem

4. Edit ldap.conf. The PHP LDAP extension is built on the OpenLDAP client library, which reads this file, so the CA configured here is what lets the ldaps:// connection from self-service-password verify the domain controller's certificate. (ldap.conf only accepts comments on lines of their own, beginning with #.)

[root@localhost ~]# vim /etc/openldap/ldap.conf

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/certs
# Path of the CA certificate installed in step 3
TLS_CACERT /etc/openldap/certs/xxxx.pem

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

IV. Final test

1. Restart httpd and enable it at boot

[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd

2. Verify
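The verification step is left empty on the page. As an added example (a shell script written for this page, not from the LTB project), the two checks worth running before users are pointed at the form: that the LDAPS certificate presented by the domain controller verifies against the CA exported in part III, and that the service account can bind over LDAPS and find a user with the same filter self-service-password uses. It assumes openssl and ldapsearch (package openldap-clients) on the SSP host; host name, DN, search base and login are placeholders. The login is escaped per RFC 4515 before it is placed in the filter, which is what stops a value such as a*b(c) from turning into a wildcard search.

```shell
#!/bin/sh
# Added example, not code from the page or from the LTB project: checks the
# LDAPS path that self-service-password will use, with the CA exported in
# part III. Assumes openssl and ldapsearch (package openldap-clients) are
# installed; host, DN, search base and login values are placeholders.
set -eu

# Escape a value for an LDAP search filter (RFC 4515), so a login such as
# "a*b(c)" cannot change the meaning of the filter. Backslash goes first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter self-service-password uses ($ldap_filter above) for one login,
# excluding disabled accounts (userAccountControl bit 2).
ssp_user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' \
        "$(ldap_filter_escape "$1")"
}

# Reads openssl s_client output on stdin; succeeds only if the server
# certificate chain verified. Kept separate so it can be tested offline.
tls_chain_verified() {
    grep -q '^ *Verify return code: 0 (ok)'
}

# check_ldaps HOST PORT CAFILE: TLS handshake with the DC, verified against
# the domain CA. Without -verify_return_error s_client carries on after a
# failed verification, so the "Verify return code" line is what counts.
check_ldaps() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null 2>/dev/null | tls_chain_verified
}

# check_bind HOST PORT BINDDN PASSFILE BASE LOGIN: simple bind as the service
# account over LDAPS (ldapsearch trusts TLS_CACERT from /etc/openldap/ldap.conf,
# the same file the PHP LDAP extension relies on) and look up the user a reset
# would act on. PASSFILE holds the password with no trailing newline.
check_bind() {
    ldapsearch -x -LLL -H "ldaps://$1:$2" -D "$3" -y "$4" -b "$5" \
        "$(ssp_user_filter "$6")" dn | grep -q '^dn: '
}

# Usage: sh ssp-check.sh dc01.example.com 636 /etc/openldap/certs/xxx.pem \
#   "CN=svc-ssp,OU=Service Accounts,DC=example,DC=com" /root/ssp.pw \
#   "DC=example,DC=com" jdoe
if [ "$#" -eq 7 ]; then
    if check_ldaps "$1" "$2" "$3"; then
        echo "LDAPS certificate chain verified against $3"
    else
        echo "LDAPS chain NOT trusted: check the exported CA and TLS_CACERT in /etc/openldap/ldap.conf" >&2
        exit 1
    fi
    if check_bind "$1" "$2" "$4" "$5" "$6" "$7"; then
        echo "bind as $4 and lookup of $7 OK"
    else
        echo "bind or lookup failed: check the service account DN/password, its rights and the search base" >&2
        exit 1
    fi
fi
```

If the chain check fails, the symptom is item 1 of part V (cannot connect to LDAP). If the bind succeeds but a password change is later reported as successful without taking effect, item 2 of part V applies (ldaps:// on 636, and $who_change_password).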

V. Common problems

1. Cannot connect to LDAP
(1) Check that the configured LDAP account has the required rights and that its DN and password are correct; (2) check that port 636 is open on the domain controller; (3) check that the certificate is valid and that its issuer is trusted (the CA installed in part III); (4) check the OpenLDAP configuration (ldap.conf).

2. The form reports success, but the AD user's password has not changed
(1) Check that the URL is ldaps:// on 636 and not ldap:// on 389: AD only accepts a unicodePwd change over an encrypted connection; (2) check the $who_change_password and $who_change_sshkey parameters in the configuration file (they must be "user" or "manager").

3. Cannot find the error log
(1) Check that logging is enabled ($debug); (2) errors are normally written to the error log of httpd/Apache, or of whichever web server is serving the application.
