Self Service Password Deployment

Self-service change and reset of AD domain account passwords with Self Service Password

I. Preparation

Operating system: 192.168.1.8, CentOS 7.6

AD domain: 192.168.1.10, ad01.test.com (Active Directory Certificate Services installed). Create an AD account named ssp; it is the account Self Service Password binds with.

Self Service Password official documentation: Index of /documentation/self-service-password (ltb-project.org)

1. Configure the yum repository

cat /etc/yum.repos.d/ltb-project.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

2. Import the LTB project GPG public key

rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

This is the project's public signing key, not a private key. The command imports it straight into the RPM database, which is what yum verifies package signatures against; the repo file above also names /etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project as gpgkey=, so keep a copy of the key at that path (or point gpgkey= at the URL) so that the two agree on a fresh host.

3. Add the PHP 7.2 yum repository (webtatic php72w)

yum -y install epel-release
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

4. Edit the hosts file

vim /etc/hosts
192.168.1.10    ad01.test.com

SSP connects to ad01.test.com over ldaps, and with certificate checking enforced this name must be the one in the domain controller's certificate.

II. Install Self Service Password

yum -y install self-service-password

The install did not bring in Apache, so install it separately:

yum -y install httpd

III. Edit the Self Service Password configuration file

Only the AD password-change and email-reset functions are enabled; everything below needs to be configured.

vim /usr/share/self-service-password/conf/config.inc.php
# LDAP settings
# ldaps is mandatory: AD refuses unicodePwd changes on an unencrypted connection
$ldap_url = "ldaps://ad01.test.com:636";
$ldap_starttls = false;
$ldap_binddn = "cn=ssp,cn=users,dc=test,dc=com";
# stored in clear here: keep this file readable by root and the httpd user only
$ldap_bindpw = "Test2021";
$ldap_base = "dc=test,dc=com";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
# the last clause excludes disabled accounts (userAccountControl bit 0x2)
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

# AD settings
$ad_mode = true;
$ad_options['force_unlock'] = true;
$ad_options['force_pwd_change'] = false;
$ad_options['change_expired_password'] = true;

# "manager": the ssp bind account performs the reset, so it needs the Reset Password right on the users' OU
$who_change_password = "manager";

# Mail settings
$mail_from = "ssp@test.com";
$mail_from_name = "Self Service Password";
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.test.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'ssp@test.com';
$mail_smtp_pass = 'Test2021';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
# with both lines below commented out, the SMTP password goes over port 25 in clear; enable them if the relay supports STARTTLS
# $mail_smtp_secure = 'tls';
# $mail_smtp_autotls = true;

## SMS
# Use sms
$use_sms = false;

# encrypts the reset tokens in the email links: use a long random value, not a short word
$keyphrase = "abd2021aa";
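To make the AD-specific settings above concrete, here is an added example in Python (not code from this page or from the LTB project) that models what SSP does with them: it builds the search filter with RFC 4515 escaping of the {login} value, applies the userAccountControl bit test to a constructed pair of sample entries, encodes the new password the way AD's unicodePwd attribute expects, lists the LDAP modifications behind each $who_change_password value, and generates a $keyphrase with real entropy. The directory entries and passwords are constructed sample data; the modification lists describe what AD requires for each mode, not SSP's internal code.

```python
"""Model of what Self Service Password does against AD with the settings above.

Added example, not code from the page or the LTB project. DIRECTORY is
constructed sample data standing in for the domain controller.
"""
import secrets
from typing import Optional

# The filter template from config.inc.php; SSP fills in {login}.
LDAP_FILTER = ("(&(objectClass=user)(sAMAccountName={login})"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

ACCOUNTDISABLE = 0x2   # the userAccountControl bit tested by the filter

# RFC 4515 escaping: without it a login such as  *)(cn=*  rewrites the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login: str) -> str:
    """Return the search filter sent for a given login name."""
    return LDAP_FILTER.replace("{login}", escape_filter_value(login))


def account_enabled(user_account_control: int) -> bool:
    """Equivalent of (!(userAccountControl:1.2.840.113556.1.4.803:=2))."""
    return user_account_control & ACCOUNTDISABLE == 0


def select_user(login: str, directory: list) -> Optional[dict]:
    """What the filter selects: exactly one enabled user with that sAMAccountName.
    sAMAccountName is matched case-insensitively, as AD does."""
    matches = [e for e in directory
               if "user" in e["objectClass"]
               and e["sAMAccountName"].lower() == login.lower()
               and account_enabled(e["userAccountControl"])]
    return matches[0] if len(matches) == 1 else None


def unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd value: the password in double quotes, encoded UTF-16LE.
    AD only accepts this modification over an encrypted connection (ldaps)."""
    return f'"{password}"'.encode("utf-16-le")


def password_modifications(who: str, new_password: str, old_password: str = None,
                           unlock: bool = False) -> list:
    """LDAP modify operations for the two $who_change_password values.

    'manager': the bind account resets the password (replace unicodePwd);
               it needs the Reset Password right on the users' OU.
    'user':    the user changes their own password; AD requires the old
               value to be deleted and the new one added in one request.
    """
    if who == "manager":
        mods = [("replace", "unicodePwd", [unicode_pwd(new_password)])]
    elif who == "user":
        if old_password is None:
            raise ValueError("user mode needs the current password")
        mods = [("delete", "unicodePwd", [unicode_pwd(old_password)]),
                ("add", "unicodePwd", [unicode_pwd(new_password)])]
    else:
        raise ValueError(f"unknown $who_change_password value: {who!r}")
    if unlock:   # $ad_options['force_unlock'] = true: clear the lockout
        mods.append(("replace", "lockoutTime", [b"0"]))
    return mods


def new_keyphrase(nbytes: int = 32) -> str:
    """A $keyphrase with real entropy (64 hex characters) instead of a short word."""
    return secrets.token_hex(nbytes)


# Constructed sample directory: alice is enabled (512), bob is disabled (512 | 2).
DIRECTORY = [
    {"dn": "CN=Alice Lee,CN=Users,DC=test,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "alice", "cn": "Alice Lee", "userAccountControl": 512},
    {"dn": "CN=Bob Wu,CN=Users,DC=test,DC=com", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "bob", "cn": "Bob Wu", "userAccountControl": 514},
]

if __name__ == "__main__":
    print(build_login_filter("alice"))
    print(build_login_filter("*)(cn=*"))          # wildcard and parentheses neutralised
    print(select_user("Alice", DIRECTORY)["dn"])   # found
    print(select_user("bob", DIRECTORY))           # None: disabled account excluded
    for mod in password_modifications("manager", "N3w-Passw0rd!", unlock=True):
        print(mod)
    print(new_keyphrase())
```

The escaping step is the reason a login field can be passed into $ldap_filter safely; the disabled-account clause is why a locked-out but enabled user can still reset while a disabled one cannot; and the unicodePwd encoding is why $ldap_url must be ldaps://, since AD rejects the attribute on a plaintext connection.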

IV. Install and configure OpenLDAP

1. Install openldap

yum install -y openldap

2. Edit ldap.conf

PHP's ldap extension uses the system libldap, which reads /etc/openldap/ldap.conf, so this file is where SSP's ldaps:// trust is configured.

vim /etc/openldap/ldap.conf

Add:

TLS_CACERT /etc/openldap/certs/ad01.pem
TLS_REQCERT allow
TLS_CIPHER_SUITE TLSv1+RSA

TLS_REQCERT allow accepts a missing, invalid or unverifiable server certificate, which lets anyone who can intercept the connection to port 636 read the bind password and every new user password. Once ad01.pem is in place (section V), change it to TLS_REQCERT demand, the libldap default. TLS_CIPHER_SUITE TLSv1+RSA limits the client to RSA key-exchange suites, which have no forward secrecy; unless the domain controller requires it, leave the line out and keep the default.

V. Configure the CA certificate

1. Export the CA certificate from the AD server

Export the corresponding certificate: right-click the certificate name and choose All Tasks > Export. Export the certificate only, not the private key; the next step expects DER (.cer).

2. Convert the CA certificate

Upload ad01.cer to /root/ on the Self Service Password server

openssl x509 -inform der -in ad01.cer -out ad01.pem
cat ad01.pem >> /etc/openldap/certs/ad01.pem
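Before starting httpd, the trust set up in sections IV and V can be checked from the SSP host. The following added example in Python (not code from this page or from the LTB project) audits the text of /etc/openldap/ldap.conf for the two settings that silently disable certificate checking, then performs an LDAPS handshake with the same policy that TLS_REQCERT demand gives libldap: the domain controller's certificate must chain to the exported CA and carry the host name from $ldap_url. The host name, port and file paths are assumptions taken from this deployment.

```python
"""Check the LDAPS trust chain from the SSP host.

Added example, not from the page or the LTB project. Host name, port and
paths are assumptions matching the deployment described above.
"""
import socket
import ssl
import sys
import time

LDAP_CONF = "/etc/openldap/ldap.conf"          # assumed path (CentOS 7 default)
CA_FILE = "/etc/openldap/certs/ad01.pem"       # the converted AD CA certificate


def audit_ldap_conf(text: str) -> list:
    """Return a list of problems found in ldap.conf content (empty means fine)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    problems = []
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        problems.append("no TLS_CACERT/TLS_CACERTDIR: nothing to verify the DC certificate against")
    reqcert = settings.get("TLS_REQCERT", "demand").lower()   # demand is libldap's default
    if reqcert != "demand":
        problems.append(f"TLS_REQCERT {reqcert}: an invalid or unverifiable server certificate "
                        "is accepted; set TLS_REQCERT demand")
    return problems


def days_until_expiry(cert: dict, now: float = None) -> int:
    """Days left on a certificate dict as returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def verify_ldaps(hostname: str, port: int = 636, cafile: str = CA_FILE) -> dict:
    """Handshake with the DC under strict verification and report what was negotiated.

    create_default_context() gives CERT_REQUIRED plus host-name checking, the
    Python equivalent of TLS_REQCERT demand. A chain or name failure raises
    ssl.SSLCertVerificationError, which is what SSP would hit at bind time.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLSv1.0-only cipher lists
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "days_left": days_until_expiry(cert),
            }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ad01.test.com"
    try:
        with open(LDAP_CONF) as f:
            for problem in audit_ldap_conf(f.read()):
                print(f"{LDAP_CONF}: {problem}")
    except OSError as exc:
        print(f"cannot read {LDAP_CONF}: {exc}")
    try:
        print(verify_ldaps(host))
    except ssl.SSLCertVerificationError as exc:
        print(f"LDAPS certificate verification failed for {host}: {exc}")
        sys.exit(1)
```

Run it as root on the SSP host (python3 check_ldaps.py ad01.test.com). A verification error here, while ldapsearch with TLS_REQCERT allow still "works", is exactly the case that setting hides: the CA file is wrong, the chain is incomplete, or the DC certificate was issued to a different name than the one in /etc/hosts.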

VI. Start the service

service httpd start

URL: http://192.168.1.8

Users type their current and new AD passwords into this page, so do not leave it on plain HTTP: put an HTTPS virtual host (or a TLS-terminating proxy) in front of it before opening it to the domain.

VII. Troubleshooting

1. Changing a password reports "Password was rejected by the LDAP server"

Caused by a wrong $who_change_password value:

vim /usr/share/self-service-password/conf/config.inc.php
$who_change_password = "manager";

In manager mode the reset is performed by the ssp bind account, so that account must hold the Reset Password right on the OU containing the users; without it AD returns the same rejection.

2. Resetting by email reports "Invalid token"

After clicking the reset link in the email, the page shows "Invalid token".

/etc/httpd/logs/ssp_error_log shows that /var/lib/php/session is accessible only by root:

PHP Warning:  session_start(): Failed to read session data: files (path: /var/lib/php/session) in /usr/share/self-service-password/pages/resetbytoken.php on line 66

Change the permissions on /var/lib/php/session

chmod -R 777 /var/lib/php/session

This works, but it also lets every local account read the PHP session files, which hold the state of in-flight resets. The least-privilege fix is to give the directory to the httpd group (owner root, group apache, mode 0770), which is how the distribution's php package ships it.
