Setting up Self Service Password, a self-service password change system for OpenLDAP

1. Installing Self Service Password

Configure the yum repository:

# vi /etc/yum.repos.d/ltb-project.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Then update:

# yum update

Import repository key:

# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

You are now ready to install:

# yum install self-service-password

From package

RPM can be downloaded from this page. Choose the file with the .rpm extension.

Install it:

# yum localinstall self-service-password-VERSION.noarch.rpm

Dependencies should be installed automatically by yum.

You should import the LTB GPG key first:

# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

2. Modifying the Apache configuration file

cat > /etc/httpd/conf.d/self-service-password.conf << "EOF"
<VirtualHost *>
DocumentRoot /usr/share/self-service-password
DirectoryIndex index.php
AddDefaultCharset UTF-8
Alias /ssp /usr/share/self-service-password
<Directory "/usr/share/self-service-password">
AllowOverride None
Require all granted
</Directory>
LogLevel warn
ErrorLog /var/log/httpd/ssp_error_log
CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>
EOF

Start Apache:

service httpd start

3. Modifying the Self Service Password configuration file

vim /usr/share/self-service-password/conf/config.inc.php

# LDAP
$ldap_url = "ldap://10.15.152.239";
$ldap_starttls = false;
$ldap_binddn = "cn=manager,dc=qlbigdata,dc=com";
$ldap_bindpw = "admin#ldap";
$ldap_base = "dc=qlbigdata,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true;
# Who the email should come from
$mail_from = "qlzabbix@mobanker.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.qiye.163.com';
$mail_smtp_auth = false;
$mail_smtp_user = 'qlzabbix@mobanker.com';
$mail_smtp_pass = '***';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;

$keyphrase = "mysecret";

4. Changing passwords with Self Service Password

In the LDAP configuration file slapd.conf, add an access rule that lets users change their own password.

access to dn.subtree="ou=People,dc=qlbigdata,dc=com" attrs=userPassword,shadowLastChange
    by dn="cn=Manager,dc=qlbigdata,dc=com" write
    by self write
    by anonymous auth
    by * read

Note: after modifying slapd.conf, regenerate the slapd.d configuration directory and restart slapd:

# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
config file testing succeeded
# chown -R ldap:ldap /etc/openldap/slapd.d/*
# service slapd restart
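
Added example, not part of the original post or of the LTB project: slapd evaluates the "by" clauses of the access rule above in order and stops at the first match, so "by * read" lets every authenticated user other than the entry owner and Manager read the userPassword hashes under ou=People. The Python sketch below flags such clauses in slapd.conf text; the function names and the "by * none" variant are assumptions for illustration, and it only handles rules that name userPassword in attrs and subjects without spaces.

```python
import re

# Access levels from slapd.access(5), weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BROAD = {"*", "users", "anonymous"}  # subjects that are not one specific identity

# The rule from this page, and a constructed variant (assumption) that denies everyone else.
PAGE_ACL = """\
access to dn.subtree="ou=People,dc=qlbigdata,dc=com" attrs=userPassword,shadowLastChange
    by dn="cn=Manager,dc=qlbigdata,dc=com" write
    by self write
    by anonymous auth
    by * read
"""
TIGHTENED_ACL = PAGE_ACL.replace("by * read", "by * none")

def join_continuations(text):
    """slapd.conf continues a directive on lines that begin with whitespace."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and rules:
            rules[-1] += " " + line.strip()
        else:
            rules.append(line.strip())
    return rules

def audit_userpassword_acl(text):
    """Return (who, level) for each clause giving a broad subject read or more on userPassword."""
    findings = []
    for rule in join_continuations(text):
        m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", rule, re.I)
        if not m:
            continue
        attrs = re.search(r"\battrs?=(\S+)", m.group(1), re.I)
        if not attrs or "userpassword" not in attrs.group(1).lower().split(","):
            continue
        for clause in re.split(r"\s+by\s+", m.group(2)):
            who, level = (clause.split() + ["", ""])[:2]
            if who in BROAD and level.lower() in LEVELS[LEVELS.index("read"):]:
                findings.append((who, level.lower()))
    return findings

if __name__ == "__main__":
    for name, acl in (("page rule", PAGE_ACL), ("tightened", TIGHTENED_ACL)):
        print(name, audit_userpassword_acl(acl))
```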
 
 
Reference: https://www.ilanni.com/?p=13822

Official documentation: https://ltb-project.org/documentation/self-service-password/1.2/start