LDAP密码修改系统 Self Service Password

aa.png

安装升级PHP

https://www.centos.bz/2018/05/centos-6-7-%E5%8D%87%E7%BA%A7-php-5-6-%E5%88%B0-7-1-7-2/

安装Self Service Password

下载地址:https://ltb-project.org/download#self_service_password

参考地址:https://ltb-project.org/documentation/self-service-password/latest/install_rpm

rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

yum localinstall self-service-password-VERSION.noarch.rpm

配置参考:

配置文件:/usr/share/self-service-password/conf/config.inc.php

  • Web server
  • General parameters
  • LDAP connection
  • Password policy
  • Reset by questions
  • Reset by mail tokens
  • Reset by SMS
  • Mail
  • reCAPTCHA
  • Post Hook

SSL配置:

/etc/openldap/ldap.conf

# LDAP Defaults

#

# See ldap.conf(5) for details

# This file should be world readable but not world writable.

#BASE   dc=example,dc=com

#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT  12

#TIMELIMIT  15

#DEREF      never

TLS_CACERTDIR /etc/openldap/certs

TLS_CACERT /etc/openldap/certs/证书文件

通过回答问题重置密码

# Answer attribute should be hidden to users!

$answer_objectClass = "user";

$answer_attribute = "comment";

# Crypt answers inside the directory

$crypt_answers = true;

# Extra questions (built-in questions are in lang/$lang.inc.php)

#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";

$messages['questions']['Q3'] = "你少年时代最好的朋友叫什么名字?";  //额外的问题

$messages['questions']['Q4'] = "你的第一个宠物叫什么名字?";

$messages['questions']['Q5'] = "你第一次坐飞机是去哪里?";

$messages['questions']['Q6'] = "你的理想工作是什么?";

$messages['questions']['Q7'] = "你拥有的第一辆车是什么型号?";

$messages['questions']['Q8'] = "你童年时代的绰号是什么?";

$messages['questions']['Q9'] = "你的第一个上司叫什么名字?";

$messages['questions']['Q10'] = "您最喜欢哪个球队?";

Questions:

一、修改密码配置:

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";

测试中用户自己修改不了密码。后来改为了manager可以修改;

二、密保问题设置写入AD:

# Answer attribute should be hidden to users!
$answer_objectClass = "user";
$answer_attribute = "comment";

密保问题对应的属性要对应到AD现有属性,写错了或者乱写将导致问题不能录入AD

三、密码复杂度问题:

# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 7;
# Maximal length
$pwd_max_length = 0;
# Minimal lower characters
$pwd_min_lower = 1;
# Minimal upper characters
$pwd_min_upper = 1;
# Minimal digit characters
$pwd_min_digit = 1;
# Minimal special characters
$pwd_min_special = 1;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 3;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "onerror";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";

参考AD服务上面的密码复杂度设置

你可能感兴趣的:(LDAP密码修改系统 Self Service Password)