OpenLDAP 自助修改密码系统——筑梦之路

self-service-password简述为ssp, 支持以下功能：

1. 支持samba模式以及修改 samba密码

2. 支持Active directory

3. 支持本地自定义策略，比如密码的最小长度，密码组合规律等

4. 支持基于问题/邮件/短信找回密码等

5. 支持ldap目录sshkey的修改

6. 密码修改通知等

此服务解决了使用openldap修改密码困难的问题，不仅简化了不懂ldap使用的用户修改密码的流程，还可以通过查找密码自助解决密码丢失遗忘的问题。通过自定义设置密码的组合策略，也进一步巩固安全防护。

version: '2'
services:
  ssp-app:
    image: tiredofit/self-service-password:latest #建议修改为指定的版本的镜像
    container_name: ssp-app
    volumes: # 挂载数据目录以及日志
      - ./data/:/www/ssp
      - ./logs/:/www/logs
    ports:
      - 8888:80
    environment:
      - LDAP_SERVER=ldap://172.16.0.3:389 # ldap服务: ldap://ip:port
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=cn=admin,dc=openldap,dc=devopsman,dc=cn # 绑定的dn. 具体根据自己的实际修改(管理员dn)
      - LDAP_BINDPASS=nicaicaikan # 上述cn=admin的密码
      - LDAP_BASE_SEARCH=ou=People,dc=openldap,dc=devopsman,dc=cn
      - LDAP_LOGIN_ATTRIBUTE=uid
      - LDAP_FULLNAME_ATTRIBUTE=cn
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
      - ADMODE=false
# Force account unlock when password is changed
      - AD_OPT_FORCE_UNLOCK=false
# Force user change password at next login
      - AD_OPT_FORCE_PWD_CHANGE=false
# Allow user with expired password to change password
      - AD_OPT_CHANGE_EXPIRED_PASSWORD=false
# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
      - SAMBA_MODE=false
# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
      - SHADOW_OPT_UPDATE_SHADOWLASTCHANGE=false
# Hash mechanism for password:
# SSHA
# SHA
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
      - PASSWORD_HASH=MD5 # 密码hash类型
# Local password policy
# This is applied before directory password policy
# Minimal length
      - PASSWORD_MIN_LENGTH=12 # 此处定义密码的组合
# Maximal length
      - PASSWORD_MAX_LENGTH=30
# Minimal lower characters
      - PASSWORD_MIN_LOWERCASE=2
# Minimal upper characters
      - PASSWORD_MIN_UPPERCASE=2
# Minimal digit characters
      - PASSWORD_MIN_DIGIT=2
# Minimal special characters
      - PASSWORD_MIN_SPECIAL=2
# Dont reuse the same password as currently
      - PASSWORD_NO_REUSE=true
    # Definition of special characters
      - PASSWORD_SPECIAL_CHARACTERS="^a-zA-Z0-9" # 定义特殊字符
    # Forbidden characters
    # Check that password is different than login
      - PASSWORD_DIFFERENT_LOGIN=true
# Show policy constraints message:
# always
# never
# onerror
      - PASSWORD_SHOW_POLICY=onerror # 何时显示密码策略信息
# Position of password policy constraints message:
# above - the form
# below - the form
      - PASSWORD_SHOW_POLICY_POSITION=above
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
      - WHO_CAN_CHANGE_PASSWORD=user # 指定谁来修改密码
## Questions/answers
# Use questions/answers?
# true (default)
# false
      - QUESTIONS_ENABLED=false
## Mail
# LDAP mail attribute
      - LDAP_MAIL_ATTRIBUTE=mail
# Who the email should come from
      - MAIL_FROM=cloudnative@qq.com
      - MAIL_FROM_NAME=云原生生态圈认证中心
# Notify users anytime their password is changed
      - NOTIFY_ON_CHANGE=true
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.qq.com # 定义邮件信息，用于发送邮件
      - SMTP_AUTH_ON=true
      - SMTP_USER=cloudnative@qq.com
      - SMTP_PASS=nicaicaikan # 这里是邮箱的授权码
      - SMTP_PORT=465
      - SMTP_SECURE_TYPE=ssl
      - SMTP_AUTOTLS=false
    ## Tokens
    # Use tokens?
    # true
    # false
      - USE_TOKENS=true
    # Crypt tokens?
    # true
    # false
      - TOKEN_CRYPT=true
    # Token lifetime in seconds
      - TOKEN_LIFETIME=1800
 ## SMS
# Use sms (NOT WORKING YET)
      - USE_SMS=false
# Reset URL (if behind a reverse proxy)
      - IS_BEHIND_PROXY=true
# Display help messages
      - SHOW_HELP=true
# Language
      - LANG=en
# Debug mode
      - DEBUG_MODE=false
# Encryption, decryption keyphrase
      - SECRETEKEY=secretkey
## CAPTCHA
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
      - USE_RECAPTCHA=false
# Go on the site to get public and private key
      - RECAPTCHA_PUB_KEY=akjsdnkajnd
      - RECAPTCHA_PRIV_KEY=aksdjnakjdnsa
## Default action
# change
# sendtoken
# sendsms
      - DEFAULT_ACTION=change
      - BACKGROUND_IMAGE="images/unsplash-space.jpeg" # 自定义背景图片
      - LOGO="images/logo.png" # 自定义logo图片

 

[1]self-service-password:https://github.com/ltb-project/self-service-password

[2]ssp官方文档:https://self-service-password.readthedocs.io/en/latest/

[3]ssp的docker实现:https://github.com/tiredofit/docker-self-service-password

[4]docker-self-service-password支持的变量:https://github.com/tiredofit/docker-self-service-password#ldap-settings