一.LDAP 安装环节此处省略（参见另文“LDAP 安装”）
二.安装self-service-password
[root@ldap-35~]#yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
[root@ldap-35 ~]#yum -y install yum-utils
[root@ldap-35 ~]#yum-config-manager --enable remi-php56
[root@ldap-35 ~]#yum -y install php php-mcrypt php-cli php-gd php-curl php-mysql php-ldap php-zip php-fileinfo php-xml httpd
[root@ldap-35~]#yum install https://ltb-project.org/rpm/6Server/noarch/self-service-password-1.1-1.el6.noarch.rpm
[root@ldap-35 ~]# cat /usr/share/self-service-password/conf/config.inc.php
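# LDAP
# Directory that holds the accounts whose passwords are changed through this
# page. NOTE(review): an ldap:// URL with $ldap_starttls = false sends the
# manager bind password and every newly set user password over the network in
# clear text; turn on STARTTLS (or use an ldaps:// URL) once the directory
# offers TLS.
$ldap_url = "ldap://192.168.1.35";
$ldap_starttls = false;
# Bind identity. "cn=Manager" matches the bind_dn used in gitlab.rb for the
# same server; the original listing had the typo "cn=Manger".
$ldap_binddn = "cn=Manger,dc=ldap.xxx,dc=com" === "" ? "" : "cn=Manager,dc=ldap.xxx,dc=com";
# NOTE(review): this is the directory manager's password stored in clear text;
# keep this file readable only by the web-server user and do not paste it into
# world-readable tutorials.
$ldap_bindpw = "admin@123";
#$ldap_base = "ou=People,dc=ldap.xxx,dc=com";
# Choose the search base that matches your organisation. This deployment only
# changes GitLab passwords, so the People line above is commented out and the
# Gitlab OU is used (dc component made consistent with the lines above).
$ldap_base = "ou=Gitlab,dc=ldap.xxx,dc=com";
$ldap_login_attribute = "cn";
$ldap_fullname_attribute = "cn";
# {login} is substituted by the application; $ldap_login_attribute is
# interpolated by PHP, giving "(&(objectClass=person)(cn={login}))".
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
# "manager": the bind account above performs the modify on the user's behalf,
# so it needs write access to the password attribute under $ldap_base
# (presumably; confirm against the self-service-password documentation).
$who_change_password = "manager";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = false;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = false;
#$use_questions = false;
#$use_sms = true;
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "itsupport@escopetech.com";
$mail_from_name = "PassWord Update";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail'; # requires: yum -y install sendmail
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.mxhichina.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'itsupport@xxxx.com'; # mailbox account
# NOTE(review): mailbox password in clear text — same file-permission caveat
# as $ldap_bindpw.
$mail_smtp_pass = 'admin@123'; # mailbox password
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
# Implicit TLS on port 465; keeps the SMTP credentials off the wire in clear.
$mail_smtp_secure = 'ssl';
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;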
[root@ldap-35 ~]#systemctl restart httpd
三.测试密码验证
四.Gitlab Ldap配置
因为我的正式环境是 Ubuntu 18.04 版本，若是 CentOS 7 版本则仅供参考。
root@gitlab21:~# cat /etc/gitlab/gitlab.rb
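#### LDAP Settings
gitlab_rails['ldap_enabled'] = true
# The original listing lost the heredoc operator ("YAML.load <"); the YAML
# block below is terminated by the EOS line, so it must be a <<-'EOS' heredoc
# (single-quoted so nothing inside is interpolated by Ruby).
# NOTE(review): encryption 'plain' sends the bind password and every user's
# login credentials to 192.168.1.35 unencrypted; prefer 'start_tls' or
# 'simple_tls' once the LDAP server has a certificate. The bind password is a
# secret — keep /etc/gitlab/gitlab.rb readable by root only.
# NOTE(review): newer GitLab releases expect each server nested under a
# provider key (e.g. main:) — confirm the layout for your GitLab version.
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
label: 'LDAP'
host: '192.168.1.35'
port: 389
uid: 'cn'
bind_dn: 'cn=Manager,dc=ldap.XXX,dc=com'
password: 'admin@123'
encryption: 'plain' # "start_tls" or "simple_tls" or "plain" (a YAML comment needs a space before '#')
active_directory: false
allow_username_or_email_login: false
block_auto_created_users: false
base: 'ou=Gitlab,dc=ldap.XXX,dc=com'
user_filter: ''
EOS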
五.Gitlab登录页面插入密码修改超链接
GitLab 的 sign_in 页面的页脚内容位于 /opt/gitlab/embedded/service/gitlab-rails/app/views/layouts/ 下的两个 devise*.haml 文件（HAML 模板，内嵌 Ruby）中。
devise.html.haml
devise_empty.html.haml
root@gitlab21:/opt/gitlab/embedded/service/gitlab-rails/app/views/layouts# cat devise_empty.html.haml
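.footer-links
  = link_to _("Explore"), explore_root_path
  = link_to _("Help"), help_path
  -# Link to the LDAP self-service password page (the added line, shown in red
  -# in the original post). target is '_blank' without the stray leading space
  -# the original had, and rel noopener/noreferrer stops the opened page from
  -# reaching window.opener.
  -# NOTE(review): the link is plain http:// — the token and password form
  -# should be served over HTTPS.
  = link_to _("Change Password GitLab LDAP"), "http://192.168.1.35/index.php?action=sendtoken", target: '_blank', rel: 'noopener noreferrer'
  = footer_message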
root@gitlab21:/opt/gitlab/embedded/service/gitlab-rails/app/views/layouts# cat devise.html.haml
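.footer-links
  = link_to _("Explore"), explore_root_path
  = link_to _("Help"), help_path
  -# Link to the LDAP self-service password page (the added line, shown in red
  -# in the original post). The action is 'sendtoken' as in devise_empty.html.haml;
  -# the original had the typo 'sendtoke'. target is '_blank' without the stray
  -# leading space, and rel noopener/noreferrer stops the opened page from
  -# reaching window.opener.
  -# NOTE(review): the link is plain http:// — the token and password form
  -# should be served over HTTPS.
  = link_to _("Change Password GitLab LDAP"), "http://192.168.1.35/index.php?action=sendtoken", target: '_blank', rel: 'noopener noreferrer'
  = footer_message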
root@gitlab21:~# gitlab-ctl restart