Self Service Password部署
Self Service Password部署
通过Self Service Password 自助修改和重置AD域账号密码
一、准备
操作系统 :192.168.1.8 CentOS7.6
AD域:192.168.1.10 ad01.test.com (已安装CA证书服务) ,创建ssp AD域账号,用于登录验证
Self Service Password官网文档:Index of /documentation/self-service-password
1、配置yum源
cat /etc/yum.repos.d/ltb-project.repo[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project2、导入GPG私钥
rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project3、添加php72的yum源
yum -y install epel-release
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm4、修改host文件
vim /etc/hosts192.168.1.10 ad01.test.com二、安装self service password
yum -y install self-service-password执行安装后,apache未安装成功,需要执行
yum -y install httpd
四、修改self-service-password配置文件
只启用AD账号修改密码和通过邮箱重置密码功能,以下都是需要配置的项。
vim /usr/share/self-service-password/conf/config.inc.php# LDAP配置
$ldap_url = "ldaps://ad01.test.com:636";
$ldap_starttls = false;
$ldap_binddn = "cn=ssp,cn=users,dc=test,dc=com";
$ldap_bindpw = "Test2021";
$ldap_base = "dc=test,dc=com";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
# AD域配置
$ad_mode = true;
$ad_options['force_unlock'] = true;
$ad_options['force_pwd_change'] = false;
$ad_options['change_expired_password'] = true;
$who_change_password = "manager";
# 邮箱配置
$mail_from = "[email protected]";
$mail_from_name = "Self Service Password";
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.test.com';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = 'Test2021';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
# $mail_smtp_secure = 'tls';
# $mail_smtp_autotls = true;
## SMS
# Use sms
$use_sms = false;
$keyphrase = "abd2021aa";五、安装和配置openldap
1、安装openldap
yum install -y openldap2、修改ldap.conf配置
vim /etc/openldap/ldap.conf增加
TLS_CACERT /etc/openldap/certs/ad01.pem
TLS_REQCERT allow
TLS_CIPHER_SUITE TLSv1+RSA六、配置CA证书
1、导出AD域服务器CA证书
导出对应AD域服务器证书,右击证书名-选择“所有任务”-“导出”
2、转换CA证书
上传ad01.cer到 Self Service Password 服务器中的 /root/目录下
openssl x509 -inform der -in ad01.cer -out ad01.pem
cat ad01.pem >> /etc/openldap/certs/ad01.pem七、启动服务
service httpd start访问地址:http://192.168.1.8
八、问题处理
1、修改密码,提示“密码被 LDAP 服务器拒绝”
$who_change_password配置错误导致修改时出错
vim /usr/share/self-service-password/conf/config.inc.php$who_change_password = "manager";2、通过email找回密码,“口令无效”
通过email找回密码,点击重置密码链接后,提示“口令无效
查询 /etc/httpd/logs/ssp_error_log 日志文件 /var/lib/php/session 只有root控制权限
PHP Warning: session_start(): Failed to read session data: files (path: /var/lib/php/session) in /usr/share/self-service-password/pages/resetbytoken.php on line 66
修改/var/lib/php/session权限
chmod -R 777 /var/lib/php/session