[toc]
Self Service Password
Self Service Password GitHub repository
Errors encountered
Error 1: opening the page fails with "Token encryption requires a random string in keyphrase setting"
Fix
Change

```php
$keyphrase = "secret";
```

to a random string of arbitrary characters, for example

```php
$keyphrase = "yaldnfaopewnrganadnfa";
```
Error 2: the password cannot be changed; the log reports that the user was not found
```text
[Sat Sep 18 08:06:20.175684 2021] [php7:notice] [pid 18] [client 10.0.17.251:56444] LDAP - User xiaoming not found, referer: http://172.30.100.4:8000/index.php
10.0.17.251 - - [18/Sep/2021:08:06:20 +0000] "POST /index.php HTTP/1.1" 200 1841 "http://172.30.100.4:8000/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"
```
The cause is the setting below: `objectClass=person` is what the official example uses, and `person` has to be replaced with the filter value that actually matches your entries, for example `*`.

```php
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
```

becomes

```php
$ldap_filter = "(&(objectClass=*)($ldap_login_attribute={login}))";
```
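As an added example (not code from Self Service Password or its authors), the Python script below evaluates the two filters above against two constructed directory entries, so the "user not found" behaviour can be reproduced offline. It assumes `uid` as `$ldap_login_attribute` and an account entry that carries no `person` class; a real server also matches superclasses of the objectClass values an entry lists, which this literal evaluator does not. It also applies the RFC 4515 escaping that the `{login}` value needs before substitution, since that value arrives from the login form.

```python
"""Added example, not code from Self Service Password: a minimal RFC 4515
filter evaluator run against constructed directory entries. It shows why
(objectClass=person) misses an account that has no 'person' class, and why
the {login} value must be escaped before it is substituted."""
import re

# Constructed sample entries (assumption: one account is plain
# account/posixAccount with no person class). A real server also expands
# objectClass inheritance; this evaluator only matches the listed values.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person", "inetOrgPerson"],
        "uid": ["alice"],
    },
    "uid=xiaoming,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "account", "posixAccount"],
        "uid": ["xiaoming"],
    },
}

OFFICIAL_FILTER = "(&(objectClass=person)($ldap_login_attribute={login}))"
RELAXED_FILTER = "(&(objectClass=*)($ldap_login_attribute={login}))"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a filter (RFC 4515 section 3), so that a
    login such as 'a)(uid=*' cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def render_filter(template: str, login: str, login_attr: str = "uid") -> str:
    """Fill an SSP-style template: $ldap_login_attribute and {login}."""
    return template.replace("$ldap_login_attribute", login_attr).replace(
        "{login}", escape_filter_value(login))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Recursive-descent parse of &, |, !, presence and equality filters.
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unterminated ! filter")
        return ("!", [node]), i + 1
    j = s.index(")", i)
    attr, _, val = s[i:j].partition("=")
    if val == "*":
        return ("present", attr), j + 1        # (attr=*) is a presence test
    return ("=", attr, _unescape(val)), j + 1  # an escaped \2a is a literal '*'


def _matches(node, entry) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    # Attribute names, and the values of these attributes, compare case-insensitively.
    values = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    have = values.get(node[1].lower(), [])
    if kind == "present":
        return bool(have)
    return node[2].lower() in have


def find_user(template: str, login: str, login_attr: str = "uid") -> list:
    """DNs matched by the rendered filter, i.e. what the server returns to SSP."""
    rendered = render_filter(template, login, login_attr)
    tree, end = _parse(rendered, 0)
    if end != len(rendered):
        raise ValueError("trailing data in filter %r" % rendered)
    return [dn for dn, entry in ENTRIES.items() if _matches(tree, entry)]


if __name__ == "__main__":
    for tpl in (OFFICIAL_FILTER, RELAXED_FILTER):
        print(render_filter(tpl, "xiaoming"), "->", find_user(tpl, "xiaoming"))
    # A login containing filter metacharacters is escaped, so it matches nothing
    # instead of widening the search.
    print(render_filter(RELAXED_FILTER, "*)(uid=*"), "->", find_user(RELAXED_FILTER, "*)(uid=*"))
```

Note that `objectClass=*` makes the filter accept any entry type that carries the login attribute; if you know which class your user entries actually have, naming that class in the filter keeps the lookup as narrow as the official example intended.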
Error 3: the password change is rejected by the LDAP server
The log shows the following:
```text
[Thu Jul 28 09:17:27.537279 2022] [php7:warn] [pid 18] [client 172.20.20.2:54960] PHP Warning: ldap_mod_replace(): Modify: Insufficient access in /var/www/lib/functions.inc.php on line 499, referer: http://172.20.20.4:8000/
[Thu Jul 28 09:17:27.537321 2022] [php7:notice] [pid 18] [client 172.20.20.2:54960] LDAP - Modify password error 50 (Insufficient access), referer: http://172.20.20.4:8000/
172.20.20.2 - - [28/Jul/2022:09:17:27 +0000] "POST / HTTP/1.1" 200 2016 "http://172.20.20.4:8000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
[Thu Jul 28 09:18:16.669056 2022] [php7:warn] [pid 19] [client 172.20.20.2:54991] PHP Warning: ldap_mod_replace(): Modify: Insufficient access in /var/www/lib/functions.inc.php on line 499, referer: http://172.20.20.4:8000/
[Thu Jul 28 09:18:16.669104 2022] [php7:notice] [pid 19] [client 172.20.20.2:54991] LDAP - Modify password error 50 (Insufficient access), referer: http://172.20.20.4:8000/
172.20.20.2 - - [28/Jul/2022:09:18:16 +0000] "POST / HTTP/1.1" 200 2012 "http://172.20.20.4:8000/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
172.20.20.2 - - [28/Jul/2022:09:19:07 +0000] "-" 408 0 "-" "-"
```
Fix
Change

```php
$who_change_password = "user";
```

to

```php
$who_change_password = "manager";
```
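All three fixes on this page are edits to settings in SSP's config.inc.php. As an added example (not part of Self Service Password), the Python lint below parses such settings from constructed before/after snippets and reports what each one implies: the placeholder keyphrase that produces error 1, a filter widened to `objectClass=*`, and `manager` mode, which makes the application write `userPassword` with the rights of its own bind DN, so that DN needs write access to the attribute and its credentials live in the config file. The placeholder list, the length floor and the bind DN values are assumptions of this example, not values from SSP.

```python
"""Added example, not part of Self Service Password: a small lint over the
config.inc.php settings this page touches. Snippets are constructed here;
the thresholds are the example's assumptions, not SSP's."""
import re
import secrets

# "secret" is the shipped value that triggers
# "Token encryption requires a random string in keyphrase setting".
PLACEHOLDER_KEYPHRASES = {"secret", ""}
MIN_KEYPHRASE_LEN = 20  # assumption: a sane floor for a token-encryption keyphrase

# Constructed snippets mirroring the before/after states described above.
CONFIG_BEFORE = '''
$keyphrase = "secret";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$who_change_password = "user";
'''
CONFIG_AFTER = '''
$keyphrase = "yaldnfaopewnrganadnfa";
$ldap_binddn = "cn=manager,dc=example,dc=com";
$ldap_bindpw = "REPLACE_ME";
$ldap_filter = "(&(objectClass=*)($ldap_login_attribute={login}))";
$who_change_password = "manager";
'''


def parse_php_assignments(text: str) -> dict:
    """Collect simple $name = "value"; assignments (single or double quoted)."""
    pat = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;', re.M)
    return {m.group(1): m.group(3) for m in pat.finditer(text)}


def lint_ssp_config(text: str) -> list:
    """Return (setting, level, message) findings; level is error, warn or info."""
    cfg = parse_php_assignments(text)
    out = []
    kp = cfg.get("keyphrase", "")
    if kp.lower() in PLACEHOLDER_KEYPHRASES:
        out.append(("keyphrase", "error", "placeholder value; SSP refuses to encrypt tokens with it"))
    elif len(kp) < MIN_KEYPHRASE_LEN:
        out.append(("keyphrase", "warn", "shorter than %d characters" % MIN_KEYPHRASE_LEN))
    if "objectClass=*" in cfg.get("ldap_filter", ""):
        out.append(("ldap_filter", "warn",
                    "objectClass=* accepts any entry type; prefer the class your user entries carry"))
    if cfg.get("who_change_password") == "manager":
        if not cfg.get("ldap_binddn") or not cfg.get("ldap_bindpw"):
            out.append(("who_change_password", "error", "manager mode needs ldap_binddn and ldap_bindpw"))
        else:
            out.append(("who_change_password", "info",
                        "manager mode writes userPassword with the bind DN's rights; "
                        "that DN needs write access to the attribute and config.inc.php holds its password"))
    return out


def new_keyphrase(nbytes: int = 32) -> str:
    """A random, URL-safe keyphrase suitable for $keyphrase."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for name, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(name)
        for setting, level, msg in lint_ssp_config(text):
            print("  [%s] %s: %s" % (level, setting, msg))
    print('suggested: $keyphrase = "%s";' % new_keyphrase())
```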
About Self Service Password
Introduction
- Self Service Password is a PHP application that lets users change their password in an LDAP directory.
- It can be used with standard LDAPv3 directories (OpenLDAP, OpenDS, ApacheDS, Sun Oracle DSEE, Novell, etc.) as well as with Active Directory.
Features:
- Samba mode, to change the Samba password
- Active Directory mode
- Local password policy:
  - minimum/maximum length
  - forbidden characters
  - upper-case, lower-case, digit and special character counters
  - reuse of old password check
  - password identical to the login
  - complexity (number of different character classes)
- Help messages
- Reset by questions
- Reset by mail challenge (token sent by mail)
- Reset by SMS (through an external Email-to-SMS service or an SMS API)
- Change the SSH key stored in the LDAP directory
- Captcha (built in)
- Mail notification after a password change
- Hook scripts before and after a password change
Installation
Standard installation
Install PHP
Install the Remi repository

```shell
yum -y install epel-release && \
yum -y install https://rpms.remirepo.net/enterprise/remi-release-9.rpm
```

Install PHP 7.4
Note: self-service-password requires PHP >= 7.4
```shell
export PHP_VERSION=php74
yum -y install \
${PHP_VERSION}-php-fpm \
${PHP_VERSION}-php-cli \
${PHP_VERSION}-php-bcmath \
${PHP_VERSION}-php-gd \
${PHP_VERSION}-php-json \
${PHP_VERSION}-php-mbstring \
${PHP_VERSION}-php-mcrypt \
${PHP_VERSION}-php-mysqlnd \
${PHP_VERSION}-php-opcache \
${PHP_VERSION}-php-pdo \
${PHP_VERSION}-php-pecl-crypto \
${PHP_VERSION}-php-pecl-mcrypt \
${PHP_VERSION}-php-pecl-geoip \
${PHP_VERSION}-php-recode \
${PHP_VERSION}-php-snmp \
${PHP_VERSION}-php-soap \
${PHP_VERSION}-php-xml \
${PHP_VERSION}-php-ldap \
${PHP_VERSION}-php-common
```
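After installing the packages above, it is worth confirming that the extensions SSP depends on are actually loaded by the PHP that will serve it, since a missing `ldap` extension surfaces only later as a fatal error in the web log. The Python check below is an added example (not part of Self Service Password): it parses `php -m` output, the required set is an assumption drawn from the package list above, and the sample output is constructed. With Remi's SCL packages the interpreter is typically exposed as `php74` rather than `php`, so pass that name to `check_local_php` on such a host.

```python
"""Added example, not part of Self Service Password: verify that the PHP
extensions installed above are loaded, by parsing `php -m` output."""
import shutil
import subprocess

# Assumption: the extensions SSP relies on, taken from the package list above.
REQUIRED_EXTENSIONS = ("ldap", "mbstring", "xml", "json", "gd", "openssl")

# Constructed `php -m` output from a host where the ldap extension is missing.
SAMPLE_PHP_M = """[PHP Modules]
Core
ctype
date
gd
json
mbstring
openssl
pcre
xml

[Zend Modules]
Zend OPcache
"""


def loaded_extensions(php_m_output: str) -> set:
    """Names listed under [PHP Modules], lower-cased; Zend modules are ignored."""
    loaded, in_php_section = set(), False
    for line in php_m_output.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_php_section = line == "[PHP Modules]"
            continue
        if in_php_section and line:
            loaded.add(line.lower())
    return loaded


def missing_extensions(php_m_output: str, required=REQUIRED_EXTENSIONS) -> list:
    """Required extensions absent from the output, sorted for stable reporting."""
    loaded = loaded_extensions(php_m_output)
    return sorted(ext for ext in required if ext.lower() not in loaded)


def check_local_php(binary: str = "php") -> list:
    """Run `<binary> -m` on this host and return the missing extensions.
    Assumption: with Remi SCL packages the wrapper is usually named php74."""
    path = shutil.which(binary)
    if path is None:
        raise FileNotFoundError("%s not found on PATH" % binary)
    result = subprocess.run([path, "-m"], capture_output=True, text=True, check=True)
    return missing_extensions(result.stdout)


if __name__ == "__main__":
    print("sample output is missing:", missing_extensions(SAMPLE_PHP_M))
    for candidate in ("php74", "php"):
        if shutil.which(candidate):
            print(candidate, "is missing:", check_local_php(candidate))
            break
    else:
        print("no php binary on PATH; only the constructed sample was checked")
```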