Self Service Password是什么,Self Service Password提供的什么功能
Self Service Password是一个用于重置和更改密码的Web应用程序,旨在提供一种方便的方式来管理密码。它是一个基于PHP的工具,可以与LDAP目录进行交互,以允许用户在不需要依赖管理员或访问密码的情况下更改其密码。通过Self Service Password,用户可以通过一个简单的Web界面访问其密码,并在需要时进行更改。这个应用程序还提供了许多安全功能,例如密码重置链接和双因素身份验证,以保护用户的账户和数据安全。
Self Service Password可以与各种LDAP目录服务进行交互,包括OpenLDAP、OpenDS、ApacheDS和Active Directory等。这意味着它可以在各种不同的环境中使用,而不仅仅是限制于特定于Microsoft Windows的环境的Active Directory。
总之,Self Service Password是一个功能强大的Web应用程序,可帮助用户更轻松地管理其密码,并提供各种安全功能以保护用户的账户和数据安全。
手册地址:https://self-service-password.readthedocs.io/en/latest/
安装要求:
Apache or another web server
php (>=7.4)
php-curl (haveibeenpwned api)
php-filter
php-gd (captcha)
php-ldap
php-mbstring (reset mail)
php-openssl (token crypt, probably built-in)
Smarty (version >=3) (php-smarty)
CentOS安装:
yum install yum-utils
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum-config-manager --enable remi-php74
yum install php php-gd php-fpm php-mbstring php-ldap php-filter php-curl php-Smarty
vi etc/php-fpm.d/www.conf #修改启动用户为nginx
systemctl enable php-fpm
#启动 php-fpm
systemctl start php-fpm
#下载self-service-password代码包
wget --no-check-certificate https://ltb-project.org/archives/ltb-project-self-service-password-1.5.3.tar.gz
tar -zxvf ltb-project-self-service-password-1.5.3.tar.gz
mv ltb-project-self-service-password-1.5.3 /usr/share/self-service-password
mv /usr/share/php/Smarty/ /usr/share/php/smarty3/
chown nginx.nginx -R /usr/share/self-service-password/
chown nginx.nginx -R /var/log/php-fpm
官网Nginx 配置:
server {
listen 80;
# Make site accessible from http://localhost/
server_name selfpd.test.com.cn; #配置为实际主机名,邮件发送时链接以server_name的地址。
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
sendfile off;
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
access_log /data/logs/openresty/http_access.log http_log_access;
# pass the PHP scripts to FastCGI server listening on socket
location / {
root /usr/share/self-service-password/htdocs;
index index.php index.html index.htm;
}
location ~ \.php {
root /usr/share/self-service-password/htdocs;
#fastcgi_pass unix:/var/run/php-fpm.socket;
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
try_files $fastcgi_script_name =404;
fastcgi_read_timeout 600;
include fastcgi_params;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
internal;
}
# deny access to . files, for security
#
location ~ /\. {
log_not_found off;
deny all;
}
location ~ /scripts {
log_not_found off;
deny all;
}
}
官网建议配置php.ini:
/etc/php.ini
session.save_path = /tmp
upload_max_filesize = 10M
post_max_size = 16M
max_execution_time = 600
request_terminate_timeout = 600
expose_php = Off
output_buffering = 4096
配置提示语
/usr/share/self-service-password/lang/zh-CN.inc.php
配置文件配置示例:
/usr/share/self-service-password/conf/config.inc.php
$use_captcha = true; #开启验证码
$use_sms = false; #关闭短信重置
$use_questions = false;#关闭问题重置
#ldap配置
# LDAP
$ldap_url = "ldap://127.0.0.1:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=test,dc=com";
$ldap_bindpw = '********';
// for GSSAPI authentication, comment out ldap_bind* and uncomment ldap_krb5ccname lines
//$ldap_krb5ccname = "/path/to/krb5cc";
$ldap_base = "dc=test,dc=com";
$ldap_login_attribute = "sn";#默认为uid
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;
$keyphrase = "secret@hssssaaak";#需要更改,不然访问报错
**#邮件配置:**
# Token lifetime in secondst重置密码链接的有效时间
$token_lifetime = "300";
## Mail
# LDAP mail attribute
$mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true; #密码找回不需要输入邮箱
# Who the email should come from
$mail_from = "xxxxx@163.com";
$mail_from_name = "ldappass";
$mail_signature = "本邮件为通过密码自助修改LDAP账号密码,无需回复,此链接有效时间5分钟";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtphm.qiye.163.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'xxxxx@163.com';
$mail_smtp_pass = '授权码';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = '';
#$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
……………………
# Hash mechanism for password:
$hash = "MD5";设置重置密码时的加密算法,默认clear,为明文
在这里插入图片描述
如果有异常可以查看php-fpm的日志/var/log/php-fpm/www-error.log
扫一扫
1234
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
