今日分享一款openldap自助修改密码的开源项目ltb-project/self-service-password。该服务是基于PHP语言开发,该应用程序可以在标准的 LDAPv3目录(OpenLDAP、 OpenDS、 ApacheDS、 Sun Oracle DASE、 Novell 等)上使用,也可以在 Active Directory 上使用。
功能
这里将self- service- password简述为ssp, 支持以下功能:
- 支持samba模式以及修改 samba密码
- 支持Active directory
- 支持本地自定义策略,比如密码的最小长度,密码组合规律等
- 支持基于问题/邮件/短信找回密码等
- 支持ldap目录sshkey的修改
- 密码修改通知等
此服务解决了使用openldap修改密码困难的问题,不仅简化了不懂ldap使用的用户修改密码的流程,还可以通过查找密码自助解决密码丢失遗忘的问题。通过自定义设置密码的组合策略,也进一步巩固安全防护。
项目的详细说明介绍可以参考官方文档
安装
ssp项目对与docker部署说明的较少,对PHP不熟悉的同学来说配置起来也更加麻烦,这里另外一个基于ssp项目进行容器化的开源项目tiredofit/docker-self-service-password来容器化部署,作者将大量的PHP配置通过 shell脚本变量化了,这样再用docker运行就变得更加简单了。
当然你也可以修改此项目的脚本,自己定制环境变量信息。
我们这里为了便于版本化,采用docker-compose进行部署,参考如下:
version: '2'
services:
ssp-app:
image: tiredofit/self-service-password:latest #建议修改为指定的版本的镜像
container_name: ssp-app
volumes: # 挂载数据目录以及日志
- ./data/:/www/ssp
- ./logs/:/www/logs
ports:
- 8888:80
environment:
- LDAP_SERVER=ldap://172.16.0.3:389 # ldap服务: ldap://ip:port
- LDAP_STARTTLS=false
- LDAP_BINDDN=cn=admin,dc=openldap,dc=devopsman,dc=cn # 绑定的dn. 具体根据自己的实际修改(管理员dn)
- LDAP_BINDPASS=nicaicaikan # 上述cn=admin的密码
- LDAP_BASE_SEARCH=ou=People,dc=openldap,dc=devopsman,dc=cn
- LDAP_LOGIN_ATTRIBUTE=uid
- LDAP_FULLNAME_ATTRIBUTE=cn
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
- ADMODE=false
# Force account unlock when password is changed
- AD_OPT_FORCE_UNLOCK=false
# Force user change password at next login
- AD_OPT_FORCE_PWD_CHANGE=false
# Allow user with expired password to change password
- AD_OPT_CHANGE_EXPIRED_PASSWORD=false
# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
- SAMBA_MODE=false
# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
- SHADOW_OPT_UPDATE_SHADOWLASTCHANGE=false
# Hash mechanism for password:
# SSHA
# SHA
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
- PASSWORD_HASH=MD5 # 密码hash类型
# Local password policy
# This is applied before directory password policy
# Minimal length
- PASSWORD_MIN_LENGTH=12 # 此处定义密码的组合
# Maximal length
- PASSWORD_MAX_LENGTH=30
# Minimal lower characters
- PASSWORD_MIN_LOWERCASE=2
# Minimal upper characters
- PASSWORD_MIN_UPPERCASE=2
# Minimal digit characters
- PASSWORD_MIN_DIGIT=2
# Minimal special characters
- PASSWORD_MIN_SPECIAL=2
# Dont reuse the same password as currently
- PASSWORD_NO_REUSE=true
# Definition of special characters
- PASSWORD_SPECIAL_CHARACTERS="^a-zA-Z0-9" # 定义特殊字符
# Forbidden characters
# Check that password is different than login
- PASSWORD_DIFFERENT_LOGIN=true
# Show policy constraints message:
# always
# never
# onerror
- PASSWORD_SHOW_POLICY=onerror # 何时显示密码策略信息
# Position of password policy constraints message:
# above - the form
# below - the form
- PASSWORD_SHOW_POLICY_POSITION=above
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
- WHO_CAN_CHANGE_PASSWORD=user # 指定谁来修改密码
## Questions/answers
# Use questions/answers?
# true (default)
# false
- QUESTIONS_ENABLED=false
## Mail
# LDAP mail attribute
- LDAP_MAIL_ATTRIBUTE=mail
# Who the email should come from
- MAIL_FROM=cloudnative@qq.com
- MAIL_FROM_NAME=云原生生态圈认证中心
# Notify users anytime their password is changed
- NOTIFY_ON_CHANGE=true
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
- SMTP_DEBUG=0
- SMTP_HOST=smtp.qq.com # 定义邮件信息,用于发送邮件
- SMTP_AUTH_ON=true
- SMTP_USER=cloudnative@qq.com
- SMTP_PASS=nicaicaikan # 这里是邮箱的授权码
- SMTP_PORT=465
- SMTP_SECURE_TYPE=ssl
- SMTP_AUTOTLS=false
## Tokens
# Use tokens?
# true
# false
- USE_TOKENS=true
# Crypt tokens?
# true
# false
- TOKEN_CRYPT=true
# Token lifetime in seconds
- TOKEN_LIFETIME=1800
## SMS
# Use sms (NOT WORKING YET)
- USE_SMS=false
# Reset URL (if behind a reverse proxy)
- IS_BEHIND_PROXY=true
# Display help messages
- SHOW_HELP=true
# Language
- LANG=en
# Debug mode
- DEBUG_MODE=false
# Encryption, decryption keyphrase
- SECRETEKEY=secretkey
## CAPTCHA
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
- USE_RECAPTCHA=false
# Go on the site to get public and private key
- RECAPTCHA_PUB_KEY=akjsdnkajnd
- RECAPTCHA_PRIV_KEY=aksdjnakjdnsa
## Default action
# change
# sendtoken
# sendsms
- DEFAULT_ACTION=change
- BACKGROUND_IMAGE="images/unsplash-space.jpeg" # 自定义背景图片
- LOGO="images/logo.png" # 自定义logo图片
修改完成后,执行运行即可
[root@code self-service-password]# docker-compose up -d
[+] Running 1/1
⠿ Container ssp-app Started
找回密码
点击右上角邮件
输入找回信息