Background: reduce the administrators' workload by letting users change their own passwords.
OpenLDAP information:
Version: 2.4.44, installed with yum
System: CentOS 7.4
Backend database type: hdb
Uses the open-source PHP program self-service-password: https://ltb-project.org/documentation
Version 1.3 installed with yum; install guide: https://ltb-project.org/documentation/self-service-password/1.3/install_rpm
Configuration:
Two configuration files need to be edited:
/etc/httpd/conf.d/self-service-password.conf
/usr/share/self-service-password/conf/config.inc.php
Use rpm -ql self-service-password to find the paths of the configuration files.
Changes to the self-service-password.conf configuration file:
# cat self-service-password.conf
Alias /ssp /usr/share/self-service-password
# AllowOverride is only valid inside a <Directory> section, so the two
# directives below are wrapped in one (assumed wrapper for the alias target)
<Directory /usr/share/self-service-password>
    AllowOverride None
    Require all granted
</Directory>
Contents of the config.inc.php configuration file:
# LDAP
$ldap_url = "ldap://127.0.0.1:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=gunfree,dc=com";
$ldap_bindpw = "123456";
$ldap_base = "ou=People,dc=gunfree,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";
## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "[email protected]";
$mail_from_name = "重置LDAP密码";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = '123456';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
Problems encountered during configuration:
Problem 1: after installing self-service-password, users could not change their password; the log showed errors like these:
[Wed Nov 28 16:59:37.360390 2018] [:error] [pid 9528] [client 192.168.1.10:50466] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php
[Wed Nov 28 17:08:39.733926 2018] [:error] [pid 9525] [client 192.168.1.10:50530] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php
After searching online for a long time without finding an answer, I had to work it out myself.
I first tried adding the ACL to olcDatabase={0}config.ldif, but the problem remained; only after adding the ACL to olcDatabase={2}hdb.ldif (the database that actually holds the user entries) was the problem solved. The command used:
ldapmodify -Y EXTERNAL -H ldapi:/// -f updatepass.ldif
Contents of updatepass.ldif (continuation lines of a folded LDIF value must begin with a single space):
# cat updatepass.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
  by dn="cn=admin,dc=gnufree,dc=com" write
  by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: to *
  by dn="cn=admin,dc=gnufree,dc=com" write
  by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
  by * read
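To make the ACL behaviour concrete, here is a small Python model of how slapd evaluates these olcAccess rules, added as an example (it is not part of the original post or of self-service-password). It assumes a fresh yum install with no olcAccess on the {2}hdb database and uses a constructed user DN; note that the base DN in the LDIF (dc=gnufree) differs from the one in config.inc.php (dc=gunfree), and on a real server they must agree.

```python
# Privilege ladder used by slapd: each level implies the ones before it.
ACCESS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn):
    """Normalise a DN for comparison (case, spaces after commas)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def who_matches(who, bind_dn, target_dn):
    """Does a <who> selector apply to this bind identity and target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:          # remaining selectors all need a bound identity
        return False
    if who == "self":
        return norm(bind_dn) == norm(target_dn)
    kind, dn = who               # ("dn", exact DN) or ("dn.children", parent DN)
    if kind == "dn":
        return norm(bind_dn) == norm(dn)
    return norm(bind_dn).endswith("," + norm(dn))   # dn.children: any entry below dn

def granted(acl, bind_dn, target_dn, attr, needed):
    """True if bind_dn gets at least `needed` access to attr of target_dn."""
    for what, clauses in acl:                # what is "*" or an attribute name
        if what not in ("*", attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return ACCESS.index(level) >= ACCESS.index(needed)
        return False                         # <what> matched, no <who> did: implicit "by * none"
    # No rule matched at all: slapd's built-in default is "to * by * read".
    return ACCESS.index("read") >= ACCESS.index(needed)

ADMIN = ("dn", "cn=admin,dc=gnufree,dc=com")
GROUP_ADMINS = ("dn.children", "cn=admin,ou=group,dc=gnufree,dc=com")

# The two olcAccess values from updatepass.ldif, in the order the LDIF adds them.
PAGE_ACL = [
    ("userPassword", [(ADMIN, "write"), (GROUP_ADMINS, "write"),
                      ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("*", [(ADMIN, "write"), (GROUP_ADMINS, "write"), ("*", "read")]),
]
EMPTY_ACL = []  # assumed starting point: no olcAccess on {2}hdb, only the built-in default
# Constructed sample user (not from the page).
ALICE = "uid=alice,ou=People,dc=gnufree,dc=com"

def self_change_allowed(acl, user_dn):
    """SSP binds as the user (default $who_change_password = "user") and modifies userPassword."""
    return granted(acl, user_dn, user_dn, "userPassword", "write")
```

With no olcAccess at all the built-in default grants read on everything, including userPassword, but nothing above read, which is the "Insufficient access" (error 50) in the log. Reversing the two rules so that "to *" comes first makes the self write fail again, because the first matching <what> clause decides.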
Problem 2: the verification e-mail could not be sent.
The configuration above uses Tencent Exmail (smtp.exmail.qq.com); the default value $mail_smtp_secure = 'tls'; was changed to 'ssl' (which matches port 465) and the problem was solved.