openldap 普通用户自助修改密码

背景:减轻管理员负担,让用户自己修改密码

openldap 信息:

版本:2.4.44 yum 安装

系统:centos7.4

后端数据库类型:hdb

 

采用开源的PHP程序self-service-password https://ltb-project.org/documentation

采用yum 安装 的1.3版本,安装连接:https://ltb-project.org/documentation/self-service-password/1.3/install_rpm

配置:

主要修改俩个配置文件,如下:

/etc/httpd/conf.d/self-service-password.conf
/usr/share/self-service-password/conf/config.inc.php

使用rpm -ql self-service-password 查找配置文件路径

self-service-password.conf 配置文件修改内容:

# cat self-service-password.conf
Alias /ssp /usr/share/self-service-password


    AllowOverride None
    Require all granted

config.inc.php 配置文件内容:

# LDAP
$ldap_url = "ldap://127.0.0.1:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=gunfree,dc=com";
$ldap_bindpw = "123456";
$ldap_base = "ou=People,dc=gunfree,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";


## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "[email protected]";
$mail_from_name = "重置LDAP密码";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = '123456';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

 

配置过程中遇到的问题:

安装好self程序后,用户修改密码不成功,日志报错信息如:

[Wed Nov 28 16:59:37.360390 2018] [:error] [pid 9528] [client 192.168.1.10:50466] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php
[Wed Nov 28 17:08:39.733926 2018] [:error] [pid 9525] [client 192.168.1.10:50530] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php

上网搜索半天,不得所以,后只能自己摸索

尝试在olcDatabase={0}config.ldif 文件添加ACL信息,问题依旧,才尝试给olcDatabase={2}hdb.ldif
 文件添加ACL 信息,问题解决,添加命令如下:

ldapmodify -Y EXTERNAL -H ldapi:/// -f updatepass.ldif 

 updatepass.ldif 文件内容如下:

# cat updatepass.ldif 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
        by dn="cn=admin,dc=gnufree,dc=com" write
        by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
        by anonymous auth
        by self write
        by * none
olcAccess: to *
        by dn="cn=admin,dc=gnufree,dc=com" write
        by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
        by * read

 问题2 无法发送验证邮件

修改上图中采用的是腾讯企业邮箱,默认值$mail_smtp_secure = 'tls'; 修改成ssl 问题解决。

你可能感兴趣的:(openldap)