Self Service Password: configuring self-service password reset for an AD domain


1. Install Self Service Password

1) Get the package or the install instructions from the official site

https://ltb-project.org/start

2) dev is the development branch and stable the latest stable release; use stable, stability matters most.

3) Choose the RPM package install

4) Following the official instructions, configure the yum repository and install the package

# configure the yum repository
[root@localhost ~]# vim /etc/yum.repos.d/ltb-project.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
# import the LTB project GPG public key (it is a public key, not a private one); rpm --import
# registers it in the rpm database, which is what gpgcheck=1 consults before installing a signed package
[root@localhost ~]# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project
# install self-service-password
[root@localhost ~]# yum install -y self-service-password

2. Configure self-service-password

1) Edit the settings in /usr/share/self-service-password/conf/config.inc.php (the full parameter reference is in the configuration documentation on the official site). Note the file's own header below: the shipped defaults are meant to stay untouched, with your overrides placed in config.inc.local.php in the same directory, so that a package upgrade does not revert them. The settings changed for this deployment are annotated with // comments.

[root@localhost ~]# vim /usr/share/self-service-password/conf/config.inc.php
<?php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================

#==============================================================================
# Configuration
#==============================================================================

# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = true;  // debug mode on while setting up; switch to false in production, as the comment above says

# LDAP

$ldap_url = "ldaps://xxxxxxxxxx:636";  // LDAPS on port 636: AD only accepts unicodePwd writes over an encrypted connection
$ldap_starttls = false;
$ldap_binddn = "cn=xxxx,cn=xxx,dc=xxx,dc=xxx,dc=xxx";  // DN of the account SSP binds as; it must be allowed to reset passwords on the target AD users
$ldap_bindpw = "xxxxxx";  // password of the bind account (keep this file readable by the web server only)
$ldap_base = "dc=xxx,dc=xxx,dc=xxx"; // search base: the OU scope in which users are looked up
$ldap_login_attribute = "cn";  // attribute used as the user's login name
$ldap_fullname_attribute = "cn"; 
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";  // match the typed login on sAMAccountName and exclude disabled accounts (userAccountControl bit 2)

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;  // enable Active Directory mode (password is written to unicodePwd)
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;  // unlock a locked-out account when its password is changed
# Force user change password at next login
$ad_options['force_pwd_change'] = false;  // force the user to change the password again at next logon
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;  // allow users whose password has already expired to change it

# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;
# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;

# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;
$shadow_options['update_shadowExpire'] = false;

# Default to -1, never expire
$shadow_options['shadow_expire_days'] = -1;

# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";

# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";

# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 6;  // minimum password length
# Maximal length
$pwd_max_length = 14;  // maximum password length; 14 is very restrictive, AD accepts far longer passwords
# Minimal lower characters
$pwd_min_lower = 0;  // minimum number of lower-case letters
# Minimal upper characters
$pwd_min_upper = 0;  // minimum number of upper-case letters
# Minimal digit characters
$pwd_min_digit = 0;  // minimum number of digits
# Minimal special characters
$pwd_min_special = 0; // minimum number of special characters
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";   // regex character class defining "special": anything that is not a letter or digit
# Forbidden characters
#$pwd_forbidden_chars = "@%";  // characters that may not appear in a password
# Don't reuse the same password as currently
$pwd_no_reuse = true;  // forbid re-using the current password
# Check that password is different than login
$pwd_diff_login = true;  // reject a password identical to the login name
# Complexity: number of different class of character required
$pwd_complexity = 3;   // number of different character classes the password must contain
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false; 
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always";  // whether to show the password policy on the form
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";  // where the policy message is shown

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "xxxxxxx";  // which identity performs the change: "user" (the user themself) or "manager" (the bind DN above)

## Standard change
# Use standard change form?
$use_change = true;  //啓用密碼更改功能

## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;

# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";

# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "xxxxxxx"; // which identity modifies the sshPublicKey attribute: "user" or "manager"

# Notify users anytime their sshPublicKey is changed
## Requires mail configuration below
$notify_on_sshkey_change = false;

## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = false;  // reset by secret question/answer is disabled here

# Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";

# Crypt answers inside the directory
$crypt_answers = true;

# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;  // reset by a token sent by e-mail is enabled
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attribute = "mail"; // LDAP attribute holding the user's e-mail address
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "xxxxxx@xxxx.com";  // sender address
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;  // e-mail users whenever their password is changed
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail'; 
$mail_protocol = 'smtp';  // send via SMTP
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'xxxxxxxxx';  // outbound mail server
$mail_smtp_auth = true;
$mail_smtp_user = 'xxxx@xxx.com';  // sending mailbox account
$mail_smtp_pass = 'xxxxx';  // sending mailbox password
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "xxxx";  // change this to a long random string of your own; it must differ from the shipped default because it encrypts the reset tokens
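To see how the $pwd_* settings above combine, here is an added shell implementation of the local policy check. It is an illustration written for this page, not SSP's own PHP code; it assumes the documented meaning of each setting (length bounds, per-class minimums, $pwd_complexity as the number of distinct character classes present, $pwd_diff_login), counts lengths in bytes, and the sample passwords and the login name jdoe are constructed.

```shell
#!/bin/sh
# Local password policy evaluator (added example, not LTB Self Service Password code).
# Policy values are shell variables; the defaults below are the page's settings.
# Lengths are counted in bytes, so a multi-byte character counts more than once.
export LC_ALL=C
: "${PWD_MIN_LENGTH:=6}"  "${PWD_MAX_LENGTH:=14}"
: "${PWD_MIN_LOWER:=0}"   "${PWD_MIN_UPPER:=0}"
: "${PWD_MIN_DIGIT:=0}"   "${PWD_MIN_SPECIAL:=0}"
: "${PWD_COMPLEXITY:=3}"  "${PWD_DIFF_LOGIN:=true}"

# count_in_set <string> <tr set>: number of characters that fall in the set
count_in_set() {
  printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# "special" follows $pwd_special_chars = "^a-zA-Z0-9": anything that is not a letter or digit
count_special() {
  printf '%s' "$1" | tr -d 'a-zA-Z0-9' | wc -c | tr -d ' '
}

# ssp_policy_check <password> <login>
# Prints "OK" or a space-separated list of the violated rules; always returns 0.
ssp_policy_check() {
  pw=$1; login=$2; v=""
  len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
  lower=$(count_in_set "$pw" 'a-z')
  upper=$(count_in_set "$pw" 'A-Z')
  digit=$(count_in_set "$pw" '0-9')
  special=$(count_special "$pw")
  classes=0
  for n in "$lower" "$upper" "$digit" "$special"; do
    if [ "$n" -gt 0 ]; then classes=$((classes + 1)); fi
  done
  if [ "$len" -lt "$PWD_MIN_LENGTH" ];      then v="$v min_length"; fi
  if [ "$len" -gt "$PWD_MAX_LENGTH" ];      then v="$v max_length"; fi
  if [ "$lower" -lt "$PWD_MIN_LOWER" ];     then v="$v min_lower"; fi
  if [ "$upper" -lt "$PWD_MIN_UPPER" ];     then v="$v min_upper"; fi
  if [ "$digit" -lt "$PWD_MIN_DIGIT" ];     then v="$v min_digit"; fi
  if [ "$special" -lt "$PWD_MIN_SPECIAL" ]; then v="$v min_special"; fi
  if [ "$classes" -lt "$PWD_COMPLEXITY" ];  then v="$v complexity"; fi
  if [ "$PWD_DIFF_LOGIN" = true ] && [ "$pw" = "$login" ]; then v="$v same_as_login"; fi
  if [ -z "$v" ]; then echo OK; else echo "${v# }"; fi
}

# Demo with constructed passwords: the page's policy, then a passphrase-friendly one.
ssp_policy_check 'Summer2019!' 'jdoe'                     # OK: 4 classes, 11 bytes
ssp_policy_check 'correct horse battery staple' 'jdoe'    # max_length complexity: 28 bytes, 2 classes
PWD_MAX_LENGTH=64 PWD_MIN_LENGTH=12
ssp_policy_check 'correct horse battery staple' 'jdoe'    # complexity: still only lower-case plus space
```

The second run shows why $pwd_max_length = 14 and $pwd_complexity = 3 together rule out long passphrases; raising the maximum and lowering the class count (or relying on $use_pwnedpasswords) is the usual trade-off.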

3. Install and configure the OpenLDAP client

1) Install openldap

[root@localhost ~]# yum install -y openldap

2) Request the CA certificate from the domain's CA server, in either "DER encoded binary X.509" or "Base64 encoded X.509" format (steps omitted)

3) Convert the certificate from .cer to .pem and add it to OpenLDAP's certificate directory

# for a DER export; a Base64 export is already PEM and only needs its Windows CRLF line endings removed
[root@localhost ~]# openssl x509 -inform der -in xxx.cer -out xxx.pem
[root@localhost ~]# cat xxx.pem >>/etc/openldap/certs/xxx.pem

4) Edit ldap.conf (PHP's ldap extension uses libldap, which reads this file, so this is where the LDAPS trust SSP relies on is configured)

[root@localhost ~]# vim /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR   /etc/openldap/certs
# path of the domain CA certificate converted above (comments in ldap.conf are whole lines starting with #, not //)
TLS_CACERT      /etc/openldap/certs/xxxx.pem
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
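As an added example (not LTB-project code), the following shell script handles both export formats named in step 2, which the single openssl command above does not, and then checks the trust path the way SSP will use it. dc01.example.com, the file names, the bind DN and the search base are placeholders, and the bytes used by the self-check are constructed, not a real certificate.

```shell
#!/bin/sh
# Bring an AD CS certificate export into /etc/openldap/certs and check the trust path.
# Added example, not LTB-project code. AD CS exports the CA certificate either as
# "DER encoded binary X.509" or as "Base64 encoded X.509" (PEM armor with CRLF line
# endings); "openssl x509 -inform der" only accepts the first, so detect the format.
export LC_ALL=C

# cer_format <file>: prints "pem" for a Base64 export, "der" otherwise
cer_format() {
  if head -c 11 "$1" | grep -q -- '-----BEGIN'; then echo pem; else echo der; fi
}

# cer_to_pem <in.cer> <out.pem>: produce PEM whichever way the CA exported it
cer_to_pem() {
  case "$(cer_format "$1")" in
    pem) tr -d '\r' < "$1" > "$2" ;;             # strip the Windows CRLF line endings
    der) {
      echo '-----BEGIN CERTIFICATE-----'
      base64 "$1" | tr -d '\n' | fold -w 64      # PEM body: the DER bytes, base64, 64 columns
      echo
      echo '-----END CERTIFICATE-----'
    } > "$2" ;;
  esac
}

# pem_roundtrip_ok <in.der> <out.pem>: the PEM body must decode back to the exact DER bytes
pem_roundtrip_ok() {
  sed '1d;$d' "$2" | tr -d '\n' | base64 -d | cmp -s - "$1"
}

# The three checks below need the domain controller and are not part of the self-check.
# ca_fingerprint <ca.pem>: compare with the thumbprint shown on the CA itself before trusting it
ca_fingerprint() {
  openssl x509 -in "$1" -noout -subject -fingerprint -sha256
}

# verify_ldaps_chain <dc-host> <ca.pem>: does the DC's LDAPS certificate chain to this CA?
verify_ldaps_chain() {
  openssl s_client -connect "$1:636" -servername "$1" -CAfile "$2" -verify_return_error </dev/null
}

# ldaps_bind_test <dc-host> <binddn> <base>: bind through libldap with certificate checking
# forced on, the same library and ldap.conf that PHP's ldap extension will use
ldaps_bind_test() {
  LDAPTLS_REQCERT=demand ldapsearch -H "ldaps://$1:636" -D "$2" -W -b "$3" -s base '(objectClass=*)' dn
}

# Self-check with constructed bytes (not a real certificate): a DER-like input must
# become a PEM whose body decodes back to the same bytes.
t=$(mktemp -d)
printf '\060\202\001\002 constructed bytes, not a real certificate' > "$t/test.cer"
cer_to_pem "$t/test.cer" "$t/test.pem"
if pem_roundtrip_ok "$t/test.cer" "$t/test.pem"; then echo "self-check: DER -> PEM round trip ok"; fi
rm -rf "$t"

# Usage on the SSP host (placeholder names):
#   cer_to_pem domain-ca.cer /etc/openldap/certs/domain-ca.pem
#   ca_fingerprint /etc/openldap/certs/domain-ca.pem
#   verify_ldaps_chain dc01.example.com /etc/openldap/certs/domain-ca.pem
#   ldaps_bind_test dc01.example.com 'cn=svc-ssp,ou=Service Accounts,dc=example,dc=com' 'dc=example,dc=com'
```

verify_ldaps_chain and ldaps_bind_test are the two checks to run before touching config.inc.php: the first fails if the DC's certificate was issued by a different CA than the one you exported, the second fails if ldap.conf does not point at the PEM you installed.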

4. Final test

1) Restart httpd and enable it at boot

[root@localhost ~]# systemctl restart httpd
[root@localhost ~]# systemctl enable httpd

2) Verify in a browser (the screenshots of the change-password form are omitted here)

5. Common problems

1) Cannot connect to LDAP
(1) check that the configured bind account has the required rights and that its password is correct; (2) check that port 636 is open on the domain controller; (3) check that the certificate is valid and its issuer is trusted; (4) check that the OpenLDAP client configuration is correct.

2) The page reports success, but the AD user's password has not changed

(1) check that the URL uses ldaps on 636 rather than ldap on 389 (AD will not accept a unicodePwd write over an unencrypted connection); (2) check the $who_change_password and $who_change_sshkey settings in the configuration file.

3) Cannot find the error log

(1) check whether logging is enabled ($debug above); (2) the errors go to the httpd or apache error log, depending on which web server serves the site.
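The following added shell script (not from the page or the LTB project) lints an SSP config file for the settings from section 2 that this section tells you to look at first: debug left on, ldap:// instead of ldaps://, an unset $who_change_password, an unchanged $keyphrase, a very low $pwd_max_length, and a world-readable file that holds $ldap_bindpw. It assumes the settings are simple scalar "$name = value;" lines as in config.inc.php above (it does not parse the $ad_options[...] arrays), and the host name, bind DN, bind password and keyphrase in the two constructed sample configs are placeholders; the thresholds are this example's recommendations.

```shell
#!/bin/sh
# Lint for the SSP settings the troubleshooting notes say to check first.
# Added example, not LTB-project tooling. Reads "$name = value;" lines with sed,
# prints one finding per line and nothing for a clean file.
export LC_ALL=C

# ssp_get <config.php> <name>: value of $name with quotes stripped; the last definition wins
ssp_get() {
  sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*['\"]\\{0,1\\}\\([^'\";]*\\)['\"]\\{0,1\\}[[:space:]]*;.*/\\1/p" "$1" | tail -n 1
}

# ssp_lint <config.php>: prints findings; always returns 0 so it is safe under set -e
ssp_lint() {
  f=$1
  if [ "$(ssp_get "$f" debug)" = true ]; then
    echo "debug: \$debug = true shows errors to users; set it to false in production"
  fi
  case "$(ssp_get "$f" ldap_url)" in
    ldaps://*) ;;
    *) echo "ldap_url: AD rejects unicodePwd changes over plain ldap://; use ldaps://host:636" ;;
  esac
  if [ "$(ssp_get "$f" ad_mode)" != true ]; then
    echo "ad_mode: must be true for Active Directory (password is written to unicodePwd)"
  fi
  case "$(ssp_get "$f" who_change_password)" in
    user|manager) ;;
    *) echo "who_change_password: must be 'user' or 'manager', it is still a placeholder" ;;
  esac
  kp=$(ssp_get "$f" keyphrase)
  if [ "${#kp}" -lt 32 ] || [ "$kp" = secret ]; then   # "secret" is the value the default config ships with
    echo "keyphrase: shipped default, placeholder or shorter than 32 characters; use a long random string"
  fi
  ml=$(ssp_get "$f" pwd_max_length)
  if [ -n "$ml" ] && [ "$ml" -lt 20 ]; then
    echo "pwd_max_length: $ml rules out passphrases; raise it, AD accepts far longer passwords"
  fi
  if find "$f" -perm -004 | grep -q .; then
    echo "perm: file holds \$ldap_bindpw but is world-readable; chmod 640 and give it to the web server group"
  fi
  return 0
}

# write_sample_config <path> weak|fixed: constructed config fragments for the demo (placeholder values)
write_sample_config() {
  if [ "$2" = weak ]; then
    cat > "$1" <<'EOF'
<?php
$debug = true;
$ldap_url = "ldap://dc01.example.com:389";
$ldap_binddn = "cn=svc-ssp,ou=Service Accounts,dc=example,dc=com";
$ldap_bindpw = "placeholder-bind-password";
$ad_mode = true;
$pwd_max_length = 14;
$who_change_password = "xxxxxxx";
$keyphrase = "secret";
EOF
    chmod 644 "$1"
  else
    cat > "$1" <<'EOF'
<?php
$debug = false;
$ldap_url = "ldaps://dc01.example.com:636";
$ldap_binddn = "cn=svc-ssp,ou=Service Accounts,dc=example,dc=com";
$ldap_bindpw = "placeholder-bind-password";
$ad_mode = true;
$pwd_max_length = 64;
$who_change_password = "manager";
$keyphrase = "constructed-example-keyphrase-0123456789abcdef-replace-me";
EOF
    chmod 640 "$1"
  fi
}

# Demo: the weak config mirrors the page's values, the fixed one what the lint expects.
tmp=$(mktemp -d)
write_sample_config "$tmp/weak.php" weak
write_sample_config "$tmp/fixed.php" fixed
echo "--- weak ---";  ssp_lint "$tmp/weak.php"
echo "--- fixed ---"; ssp_lint "$tmp/fixed.php"
rm -rf "$tmp"
```

On the SSP host run it against the file you actually edited, e.g. ssp_lint /usr/share/self-service-password/conf/config.inc.local.php; because ssp_get takes the last definition, lint config.inc.php and the local override file separately rather than relying on one to mask the other.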
