[LDAP] Starting LDAP + web management + self-service password change with docker-compose

Preface
This article gives a way to stand up an LDAP stack quickly with docker-compose.
It has three parts:
1) openldap: the LDAP server itself
2) phpldapadmin: a management service for administering LDAP from the browser
3) self-service-password: a service that lets users change their own password

1. openldap


1.1 YAML file

version: '3'
services:
  ldap:
    image: osixia/openldap:1.3.0
    ports:
      - "389:389"   # LDAP (cleartext unless the client negotiates StartTLS)
      - "636:636"   # LDAPS (LDAP over TLS)
    volumes:
      - ./ldap:/var/lib/ldap          # database files
      - ./slapd.d:/etc/ldap/slapd.d   # cn=config, the slapd configuration
    restart: always

Notes:

  • Both directories must be mounted out together.

Why: the image decides whether to run first-start initialisation by looking at the configuration directory. If only the data directory /var/lib/ldap is mounted, the next container start sees an empty /etc/ldap/slapd.d, begins initialising, then finds that the data directory already holds a database and fails. Annoyingly, the error it prints claims the data directory cannot be found. When both are mounted, the image finds the configuration directory populated and skips initialisation.

  • 389 is the service port; clients connect on this port. Plain LDAP on 389 carries the bind DN and password in cleartext unless the client uses StartTLS; 636 is LDAPS. Publishing "389:389" binds it on every host interface, so if only the other containers in this stack need the directory, publish it as "127.0.0.1:389:389" or leave it unpublished and let phpldapadmin and self-service-password reach it over the compose network by service name.

1.2 Configuration notes

  • Default configuration

dn : dc=example,dc=org
admin : cn=admin,dc=example,dc=org
password : admin

Log in with cn=admin,dc=example,dc=org / admin. These are the image's built-in defaults, in effect only because the compose file above sets no environment. Do not leave them on anything reachable: the image reads LDAP_DOMAIN, LDAP_ORGANISATION and LDAP_ADMIN_PASSWORD from the environment during first-start initialisation, so set a real admin password there before the volumes are first populated (the values are not re-applied to an existing slapd.d, which is another reason the two-volume note above matters).

  • Command to dump the directory contents
docker exec -it ldap_ldap_1 ldapsearch -x -H ldap://localhost:389 -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin

ldap_ldap_1 is the container name compose derives from a project directory called ldap and the service name ldap; adjust it or pin it with container_name. -x is a simple bind, and -w puts the password on the command line where other users on the host can read it from the process list; -W prompts for it instead.

Output

# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VGpERTFMN1FuZGJDT3pKT0poQnhnQnNxRDN6QTV5WFE=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
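The userPassword line in that output deserves a closer look: the double colon marks a base64-encoded LDIF value, and what it decodes to is a {SSHA} value, the salted SHA-1 format that slappasswd produces and that slapd compares against on a simple bind. The following is an added example, not code from this page, the osixia image or OpenLDAP: it decodes the line exactly as printed above, identifies the scheme, and reproduces the bind-time check by building and verifying a {SSHA} value with a constructed password and salt (the sample password and fixed salt are made up for the test).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed input: the admin entry's userPassword exactly as ldapsearch printed it
# above. "userPassword::" (double colon) means the value is base64-encoded in LDIF.
ADMIN_USERPASSWORD_LDIF = "userPassword:: e1NTSEF9VGpERTFMN1FuZGJDT3pKT0poQnhnQnNxRDN6QTV5WFE="


def ldif_attribute(line: str) -> Tuple[str, str]:
    """Split one LDIF line into (attribute, value), decoding the '::' base64 form."""
    if ":: " in line:
        attr, b64 = line.split(":: ", 1)
        return attr, base64.b64decode(b64).decode("utf-8")
    attr, value = line.split(": ", 1)
    return attr, value


def password_scheme(stored: str) -> str:
    """Scheme prefix of a stored userPassword ('SSHA', 'SHA', 'CRYPT', ...).

    A value without a {SCHEME} prefix is stored by slapd byte-for-byte, i.e. cleartext.
    """
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return "CLEARTEXT"


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (sha1_digest, salt) from a {SSHA} value: 20 bytes of SHA-1, then the salt."""
    if password_scheme(stored) != "SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value the way slappasswd does: base64(SHA1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte salt; verification works for any length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value, as slapd does on a simple bind."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so the check does not leak where the digests diverge
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    attr, value = ldif_attribute(ADMIN_USERPASSWORD_LDIF)
    digest, salt = split_ssha(value)
    print(attr, "scheme:", password_scheme(value), "salt bytes:", len(salt))
    example = make_ssha("Hunter2-is-not-it", b"\x00\x01\x02\x03")  # constructed test password/salt
    print(example, verify_ssha("Hunter2-is-not-it", example))
```

Two things worth noticing. SSHA is unsalted-per-site, fast SHA-1 with a 4-byte salt, so a copied slapd.d/ldap volume or an LDIF dump is offline-crackable at hardware speed; OpenLDAP also supports {CRYPT} with SHA-512 rounds and, in newer builds, {ARGON2}, which are the better choices for password-policy hashing. And the only reason the hash appears in the output at all is that the search bound as cn=admin; with the stock slapd ACL (to attrs=userPassword by self write by anonymous auth by * none) an ordinary user never sees another entry's userPassword, so keep that rule in place when you start editing ACLs for self-service-password later.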

2. phpldapadmin

  • yml file (added to the same compose file as the ldap service from section 1, so that the hostname below resolves on the compose network)
version: '3'
services:
  phpldapadmin:
    container_name: phpldapadmin
    image: osixia/phpldapadmin:0.9.0
    ports:
      - "8080:80"
    environment:
      # in list form the value is taken literally, so writing "false" in quotes would
      # set the variable to the characters "false" including the quotes
      - PHPLDAPADMIN_HTTPS=false
      # hostname of the OpenLDAP container: the service name from section 1
      - PHPLDAPADMIN_LDAP_HOSTS=ldap
    depends_on:
      - ldap
  • Start
  • Log in
    Log in with cn=admin,dc=example,dc=org / admin. With PHPLDAPADMIN_HTTPS=false the admin UI, and the admin password you type into it, travel over plain HTTP on port 8080, which is acceptable on localhost only; for anything else keep HTTPS on or put the UI behind a TLS-terminating proxy.

3. self-service-password

Note: the service that lets users change their own password

  • docker-compose.yml
version: '3'
services:
  self-service-password:
    image: kadimasolutions/self-service-password
    container_name: self-service-password
    ports:
      - "80:80"
    volumes:
      - ./config.inc.php:/var/www/html/conf/config.inc.php
    restart: always

  • Configuration file
    ./config.inc.php (the upstream header below asks that this file be left alone and settings be overridden in config.inc.local.php; this article mounts a complete config.inc.php over it instead, which works but means you carry the whole file forward on upgrades)
<?php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================

#==============================================================================
# Configuration
#==============================================================================

# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = false;

# LDAP
# Edit the server information here
$ldap_url = "ldap://10.10.xxx.xxx:389";
# false: the admin bind below and every new password cross the network in cleartext;
# set true (or use an ldaps:// URL) anywhere other than a lab
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=example,dc=org";
$ldap_bindpw = "admin";
# The subtree under which the users whose passwords may be changed live
$ldap_base = "ou=智能物联首席技术官组织,dc=example,dc=org";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";



# Line 121 of the upstream file: who performs the modification. With "user" the service binds as the
# user with the old password, so the directory ACL must let users write their own userPassword
# ("by self write", which the stock slapd ACL grants). With "manager" it binds as $ldap_binddn above
# and writes the password on the user's behalf, so that account needs write access to userPassword
# across the whole $ldap_base subtree; a dedicated service account with only that right is preferable
# to cn=admin. "admin" is not an accepted value (the choices are the two listed below), so use "manager".
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";

# Line 231 of the upstream file is $keyphrase = "secret"; replace secret with something else,
# preferably more than 6 uncommon characters. It is the secret that protects the reset tokens
# the service sends out, so generate it randomly rather than picking a memorable word, and
# never deploy a value that has been published (including the one in this article).
$keyphrase = "liubei@2021";

# Password complexity settings; these can be left as they are.
# Local password policy
# This is applied before directory password policy
# Minimal length
## minimum 8 characters, maximum 30
$pwd_min_length = 8;
# Maximal length
$pwd_max_length = 30;
## at least one lower-case letter, one upper-case letter and one digit
# Minimal lower characters
$pwd_min_lower = 1;
# Minimal upper characters
$pwd_min_upper = 1;
# Minimal digit characters
$pwd_min_digit = 1;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 0;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "never";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";
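The local policy above is the first gate a new password passes through, before any ppolicy overlay on the directory side, so it is worth knowing exactly what it accepts. The following added example (my own Python, not LTB's PHP) re-implements those rules with the values from the config: the rule labels are my own, and stricter() is an assumed tightened variant shown for comparison. It makes one consequence of the page's settings concrete: with $pwd_min_special = 0 and $pwd_complexity = 0, "Password1" is accepted.

```python
import re
from typing import Any, Dict, List

# Local password policy exactly as set in config.inc.php above. This dict is an added
# illustration, not LTB code; the rule labels returned below are my own.
POLICY: Dict[str, Any] = {
    "pwd_min_length": 8,
    "pwd_max_length": 30,
    "pwd_min_lower": 1,
    "pwd_min_upper": 1,
    "pwd_min_digit": 1,
    "pwd_min_special": 0,
    "pwd_special_chars": "^a-zA-Z0-9",  # dropped into a regex character class: [^a-zA-Z0-9]
    "pwd_forbidden_chars": "",          # the page leaves $pwd_forbidden_chars commented out
    "pwd_no_reuse": True,
    "pwd_diff_login": True,
    "pwd_complexity": 0,                # 0 disables the "N character classes" rule
}

CLASS_PATTERNS = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"[0-9]"}


def check_password(new: str, old: str, login: str, policy: Dict[str, Any] = POLICY) -> List[str]:
    """Return the rules a candidate password violates; an empty list means it is accepted."""
    errors: List[str] = []
    counts = {name: len(re.findall(pat, new)) for name, pat in CLASS_PATTERNS.items()}
    counts["special"] = len(re.findall("[" + policy["pwd_special_chars"] + "]", new))

    if len(new) < policy["pwd_min_length"]:
        errors.append("tooshort")
    if policy["pwd_max_length"] and len(new) > policy["pwd_max_length"]:
        errors.append("toobig")
    for name in ("lower", "upper", "digit", "special"):
        if counts[name] < policy["pwd_min_" + name]:
            errors.append("min" + name)
    forbidden = policy["pwd_forbidden_chars"]
    if forbidden and any(c in forbidden for c in new):
        errors.append("forbiddenchars")
    if policy["pwd_no_reuse"] and new == old:
        errors.append("sameasold")
    if policy["pwd_diff_login"] and new == login:
        errors.append("sameaslogin")
    classes = sum(1 for name in counts if counts[name] > 0)
    if policy["pwd_complexity"] and classes < policy["pwd_complexity"]:
        errors.append("notcomplex")
    return errors


def stricter(policy: Dict[str, Any] = POLICY) -> Dict[str, Any]:
    """Assumed tightened variant: one special character, three classes, and the forbidden
    set the page has commented out ("@%")."""
    tightened = dict(policy)
    tightened["pwd_min_special"] = 1
    tightened["pwd_complexity"] = 3
    tightened["pwd_forbidden_chars"] = "@%"
    return tightened


if __name__ == "__main__":
    # constructed candidates; "OldPass9" and "alice" stand in for the old password and login
    for candidate in ("Password1", "password1", "Ab1", "Pass@word1"):
        print(candidate, check_password(candidate, "OldPass9", "alice"),
              check_password(candidate, "OldPass9", "alice", stricter()))
```

Note that $pwd_no_reuse only compares the new password with the one just typed as the old one; real reuse history (pwdHistory) comes from the directory's ppolicy overlay, which this local policy does not replace. And if you do raise the bar, consider changing $pwd_show_policy from "never" to "onerror", otherwise users get a rejection with no explanation of which rule they hit.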
