Technical blog post · 2021-04-22

OpenLDAP self-service password service: self-service-password

To take this chore off the administrator and let OpenLDAP users change and reset their own passwords, we set up a self-service password system.

1. Installing Self Service Password

Self Service Password is a web application that lets users update, change and reset their own passwords in an LDAP directory. It supports standard LDAPv3 directory services, including OpenLDAP, Active Directory, OpenDS and ApacheDS.

The Self Service Password project site:

https://ltb-project.org/doku.php

Download page:

https://ltb-project.org/download#self_service_password

Tarball can be downloaded from this page. Choose the file with the .tar.gz extension.

Uncompress and unarchive the tarball:

# tar zxvf ltb-project-self-service-password-1.4.tar.gz 

Install it in /usr/local (or wherever you choose):

# mv ltb-project-self-service-password-1.4 /usr/local/self-service-password

You should have installed these programs before running Self Service Password:

  • Apache or another web server

  • PHP (version 5 or higher)

  • PHP LDAP

  • PHP MBSTRING

  • PHP MCRYPT (for token use)

Edit the configuration file. The path below is the RPM layout (/usr/share/self-service-password); if you kept the tarball under /usr/local as above, the file is /usr/local/self-service-password/conf/config.inc.php:

vim /usr/share/self-service-password/conf/config.inc.php

# Turn off question-based and SMS verification (as needed):
$use_questions = false;
$use_sms = false;

# LDAP
$ldap_url = "ldap://ldap.xxxxx.net";
$ldap_starttls = false;   # plain ldap:// without STARTTLS sends the bind password and every user's old and new password over the network in cleartext; use ldaps:// or set this to true
$ldap_binddn = "cn=Manager,dc=ldap,dc=xxxxxx,dc=net";
$ldap_bindpw = "xxxxxxxxx";   # LDAP bind password, stored in cleartext: make this file readable only by the php-fpm user (chmod 640) and give this DN write access to userPassword only
$ldap_base = "dc=ldap,dc=xxxxxx,dc=net";
$ldap_login_attribute = "cn";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$who_change_password = "manager";   # which identity writes the new password: "manager" = the bind DN above, "user" = the user's own credentials

# Mail
$mail_from = "ldapasswd-reset@XXXX.com";   # sender address
$mail_from_name = "Corporate account password reset";
$mail_signature = "This mail was sent by the LDAP self-service password system; do not reply. If you run into problems resetting your password, contact the ops team.";
$notify_on_change = true;   # e-mail the user after a successful password change
$mail_sendmailpath = '/usr/sbin/sendmail';   # only used when $mail_protocol = 'sendmail'; not needed with the smtp setting below
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.exmail.qq.com';   # depends on your mail provider; this is Tencent Exmail
$mail_smtp_auth = true;
$mail_smtp_user = 'ldapasswd-reset@XXXX.com';
$mail_smtp_pass = 'xxxxxx';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';   # port 465 is implicit TLS, which PHPMailer calls 'ssl'; port 587 (STARTTLS) would need 'tls'
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
    

2. Upgrade PHP to 7.0

See "Upgrading the PHP version on CentOS 6.8".

3. Adjust the PHP configuration

Edit php.ini:

session.save_path = /tmp
upload_max_filesize = 10M      ; mind the exact directive name; a misspelled key is silently ignored
post_max_size = 16M
max_execution_time = 600
expose_php = Off
output_buffering = 4096

request_terminate_timeout is a php-fpm pool directive, not a php.ini setting; it belongs in the pool file (www.conf):

request_terminate_timeout = 600

Then restart php-fpm:

[root@openldap-02 conf.d]# service php-fpm restart
Stopping php-fpm:                                          [  OK  ]
Starting php-fpm:                                          [  OK  ]

4. Configure nginx

The 1.4 tree keeps the web root in htdocs/ (the php-fpm log in the FAQ below shows .../self-service-password/htdocs/index.php); point root there rather than at the parent directory, so conf/ (which holds the bind password) and lib/ are never served. The try_files line blocks the classic nginx + php-fpm path-info trick (/anything.jpg/x.php executed as PHP when cgi.fix_pathinfo is on); SSP uses query strings, not PATH_INFO, so answering 404 for non-existent script paths costs nothing.

server {
    listen 80;
    server_name ldappasswd.yuantutech.com;
    root /usr/local/self-service-password/htdocs;
    location / {
        index index.php;
        location ~ \.php {
            try_files $uri =404;   # only hand existing files to php-fpm
            fastcgi_split_path_info       ^(.+\.php)(/.+)$;
            fastcgi_param PATH_INFO       $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # php-fpm can also listen on a unix socket (fastcgi_pass unix:/path/to/php-fpm.sock;); a .pid file is not a socket
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_read_timeout 600;
            include fastcgi_params;
        }
    }
    error_log logs/ldappasswd_error.log;
}

5. FAQ

Issue 1: the page returns a 500 error after configuration

Reference for nginx + php error patterns: https://www.jianshu.com/p/7f65a1f53d2c

Troubleshooting steps:

1. Check the nginx log: nothing is recorded there.

2. A 500 means the request reached the backend and failed there, so the problem is on the PHP side.

3. Drop a phpinfo.php into the web root to confirm PHP is executed at all (remove it afterwards; it discloses versions, paths and loaded modules):

<?php
phpinfo();
?>

4. Check the php-fpm error log:

[root@openldap-02 php-fpm]# tail -100f www-error.log
[21-Apr-2021 20:14:32 UTC] PHP Warning:  require_once(/usr/share/php/smarty3/Smarty.class.php): failed to open stream: No such file or directory in /usr/local/self-service-password/htdocs/index.php on line 184
[21-Apr-2021 20:14:32 UTC] PHP Fatal error:  require_once(): Failed opening required '/usr/share/php/smarty3/Smarty.class.php' (include_path='.:/usr/share/pear:/usr/share/php') in /usr/local/self-service-password/htdocs/index.php on line 184

5. Problem located: a required file is missing. Self Service Password renders its pages with the Smarty 3 template engine, and the tarball does not bundle it.

6. Fix: the tarball install is incomplete, so switch to the RPM package, which pulls in the missing Smarty dependency through yum.

7. Install self-service-password from the LTB yum repository

# vi /etc/yum.repos.d/ltb-project.repo
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Then update:

# yum update

Import repository key:

# rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

You are now ready to install:

# yum install self-service-password

8. nginx configuration changes

[root@openldap-02 conf.d]# vim self-service-password.conf

server {
    listen 80;
    server_name xxxxx.com;   # set your own domain
    return 301 https://$server_name$request_uri;   # a password form must never be submitted over plain HTTP
}
server {
    listen 443 ssl;
    server_name          xxxx.com;   # set your own domain
    ssl_certificate      /opt/nginx/sslkey/XXX.com.crt;   # your certificate
    ssl_certificate_key  /opt/nginx/sslkey/XXX.com.key;   # your private key
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.2;   # TLS 1.0 and 1.1 are deprecated; add TLSv1.3 if nginx is built against OpenSSL 1.1.1 or newer
    add_header Strict-Transport-Security "max-age=63072000" always;
    root /usr/share/self-service-password/htdocs;   # serve only the web root (htdocs/ in the 1.x tree); conf/ holds the bind password and must not be reachable
    location / {
        index index.php;
        location ~ \.php {
            try_files $uri =404;   # only hand existing files to php-fpm (blocks /x.jpg/y.php path-info execution)
            fastcgi_split_path_info       ^(.+\.php)(/.+)$;
            fastcgi_param PATH_INFO       $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # php-fpm can also listen on a unix socket (fastcgi_pass unix:/path/to/php-fpm.sock;); a .pid file is not a socket
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_read_timeout 600;
            include fastcgi_params;
        }
    }
    error_log logs/ldappasswd_error.log;
}
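The missing-dependency class of 500 seen above can be caught from the shell before nginx is ever pointed at the install. The script below is an added example, not part of the LTB project or of this post: it checks that the PHP extensions from the prerequisite list are loaded, checks the Smarty class file the fatal error named, and can pull that path straight out of a php-fpm log line so the check follows the log rather than a guess. The extension list and the Smarty path are taken from this page and are parameters, not project-defined values.

```shell
#!/bin/sh
# Added example: pre-flight check for the PHP side of a Self Service Password install.
# REQUIRED_EXTS comes from the prerequisite list in this post (mcrypt only matters for
# token use); SMARTY_CLASS is the path the php-fpm fatal error named. Both are assumptions.

REQUIRED_EXTS="ldap mbstring mcrypt"
SMARTY_CLASS="/usr/share/php/smarty3/Smarty.class.php"

# missing_extensions "<output of php -m>"  -> prints the required modules that are not loaded
missing_extensions() {
    loaded="$1"
    missing=""
    for ext in $REQUIRED_EXTS; do
        # php -m prints one module name per line; compare whole lines, case-insensitively
        if ! printf '%s\n' "$loaded" | grep -qix "$ext"; then
            missing="$missing $ext"
        fi
    done
    printf '%s\n' "${missing# }"
}

# smarty_status <path>  -> "ok" if the class file is readable, else "missing"
smarty_status() {
    if [ -r "$1" ]; then echo ok; else echo missing; fi
}

# required_path_from_log  (stdin: php-fpm error log)  -> the file a failed require_once() asked for
required_path_from_log() {
    sed -n 's/.*require_once(\([^)]*\)): failed to open stream.*/\1/p' | head -n 1
}

# Live mode, run against the php on PATH:
#   sh ssp-preflight.sh --live [/var/log/php-fpm/www-error.log]
if [ "${1:-}" = "--live" ]; then
    mods="$(php -m 2>/dev/null)" || { echo "php not found on PATH"; exit 2; }
    m="$(missing_extensions "$mods")"
    if [ -n "$m" ]; then echo "missing PHP extensions: $m"; else echo "PHP extensions: ok"; fi
    path="$SMARTY_CLASS"
    if [ -n "${2:-}" ] && [ -r "$2" ]; then
        p="$(required_path_from_log < "$2")"
        [ -n "$p" ] && path="$p"
    fi
    echo "Smarty ($path): $(smarty_status "$path")"
fi
```

Run it with --live on the web host after `yum install self-service-password`; if it reports a missing extension or "Smarty: missing", the 500 is already explained without opening the log.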

Issue 2: the reset e-mail cannot be sent

tail -100f /var/log/php-fpm/error.log

[22-Apr-2021 12:04:18 Asia/Shanghai] send_mail: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
[22-Apr-2021 12:04:18 Asia/Shanghai] Error while sending token to shiwenqiang@yuantutech.com (user shiwenqiang)

The first suspicion was that sendmail was not installed:

service  postfix  stop
yum remove postfix
yum -y install sendmail
service sendmail start

That was a red herring: with $mail_protocol = 'smtp', PHPMailer opens its own connection to $mail_smtp_host and never calls the local sendmail binary. The real cause was the transport setting of the SMTP connection: port 465 is implicit TLS, so $mail_smtp_secure has to be 'ssl' ('tls' selects STARTTLS, which is what port 587 expects):

$mail_smtp_secure = 'ssl';   # required when sending on port 465
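The LDAP and mail settings from section 1 and the port/encryption mismatch behind this error are all easy to check mechanically. The Python script below is an added example, not code from the LTB project or from this post: it parses the scalar `$name = value;` lines of a config.inc.php fragment and flags the settings a reviewer would question (plain ldap:// without STARTTLS, a privileged bind password kept in the file, an SMTP port whose PHPMailer `$mail_smtp_secure` value does not match, debug output left on). SAMPLE_CONFIG is constructed with placeholder values and deliberately pairs port 465 with 'tls'.

```python
import re

# Constructed excerpt in the shape of config.inc.php (placeholder values, not real credentials).
# It deliberately pairs port 465 with 'tls', the mismatch behind "SMTP connect() failed".
SAMPLE_CONFIG = """
$use_questions=false;
$use_sms= false;
$ldap_url = "ldap://ldap.xxxxx.net";
$ldap_starttls = false;
$ldap_binddn = "cn=Manager,dc=ldap,dc=xxxxxx,dc=net";
$ldap_bindpw = "xxxxxxxxx";   # ldap password
$who_change_password = "manager";
$mail_protocol = 'smtp';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_port = 465;
$mail_smtp_secure = 'tls';
$mail_smtp_debug = 2;
"""

# `$name = value;` with an optional trailing comment; only scalar values are handled.
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*;", re.MULTILINE)

# PHPMailer's SMTPSecure vocabulary: 'ssl' = implicit TLS (port 465), 'tls' = STARTTLS (port 587).
PORT_MODES = {465: "ssl", 587: "tls"}


def parse_config(text):
    """Map setting names to Python values (bool, int or str) from a config.inc.php fragment."""
    cfg = {}
    for name, raw in ASSIGN.findall(text):
        if raw in ("true", "false"):
            cfg[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            cfg[name] = int(raw)
        elif len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
            cfg[name] = raw[1:-1]
        else:
            cfg[name] = raw  # constants such as PHP_EOL are kept verbatim
    return cfg


def lint(cfg):
    """Return (severity, setting, message) tuples for settings a reviewer would flag."""
    findings = []
    url = str(cfg.get("ldap_url", ""))
    if url.startswith("ldap://") and not cfg.get("ldap_starttls", False):
        findings.append(("HIGH", "ldap_url",
                         "plain ldap:// without STARTTLS: the bind password and every user's old and "
                         "new password cross the network in cleartext; use ldaps:// or $ldap_starttls = true"))
    if cfg.get("ldap_bindpw") and cfg.get("who_change_password") == "manager":
        findings.append(("MEDIUM", "ldap_bindpw",
                         "privileged bind password stored in config.inc.php: make the file readable only "
                         "by the php-fpm user and limit that DN to writing userPassword"))
    if cfg.get("mail_protocol") == "smtp":
        port = cfg.get("mail_smtp_port")
        secure = cfg.get("mail_smtp_secure", "")
        expected = PORT_MODES.get(port)
        if expected is not None and secure != expected:
            findings.append(("HIGH", "mail_smtp_secure",
                             f"port {port} needs $mail_smtp_secure = '{expected}', not '{secure}' "
                             "(symptom: SMTP connect() failed)"))
        if secure == "":
            findings.append(("MEDIUM", "mail_smtp_secure",
                             "no TLS on the SMTP connection: SMTP AUTH credentials travel in cleartext"))
        if cfg.get("mail_smtp_debug", 0):
            findings.append(("LOW", "mail_smtp_debug", "SMTP debug output is on; set it to 0 in production"))
    return findings


if __name__ == "__main__":
    for severity, key, msg in lint(parse_config(SAMPLE_CONFIG)):
        print(f"{severity:6} ${key}: {msg}")
```

Feed it the real file with `lint(parse_config(open("conf/config.inc.php").read()))`; an empty list for the mail checks is what the corrected 465/'ssl' pairing produces, and the ldap_url finding goes away once the URL is ldaps:// or STARTTLS is on.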

Issue 3: the e-mail arrives with an empty body

The reset mail that arrives has no content. The current suspicion is an incompatibility between PHP 7.0 and self-service-password 1.1.

Still under investigation.

6. Done

Chinese introduction to LDAP: http://blog.leanote.com/post/benmo/e98d072f2b28