搭建 OpenLDAP 自助修改密码系统

今日分享一款openldap自助修改密码的开源项目ltb-project/self-service-password。该服务是基于PHP语言开发，该应用程序可以在标准的 LDAPv3目录(OpenLDAP、 OpenDS、 ApacheDS、 Sun Oracle DASE、 Novell 等)上使用，也可以在 Active Directory 上使用。

功能

这里将self- service- password简述为ssp, 支持以下功能：

1. 支持samba模式以及修改 samba密码
2. 支持Active directory
3. 支持本地自定义策略，比如密码的最小长度，密码组合规律等
4. 支持基于问题/邮件/短信找回密码等
5. 支持ldap目录sshkey的修改
6. 密码修改通知等

此服务解决了使用openldap修改密码困难的问题，不仅简化了不懂ldap使用的用户修改密码的流程，还可以通过查找密码自助解决密码丢失遗忘的问题。通过自定义设置密码的组合策略，也进一步巩固安全防护。

项目的详细说明介绍可以参考官方文档

安装

ssp项目对与docker部署说明的较少，对PHP不熟悉的同学来说配置起来也更加麻烦，这里另外一个基于ssp项目进行容器化的开源项目tiredofit/docker-self-service-password来容器化部署，作者将大量的PHP配置通过 shell脚本变量化了，这样再用docker运行就变得更加简单了。

当然你也可以修改此项目的脚本，自己定制环境变量信息。

我们这里为了便于版本化，采用docker-compose进行部署，参考如下:

version: '2'
services:
  ssp-app:
    image: tiredofit/self-service-password:latest #建议修改为指定的版本的镜像
    container_name: ssp-app
    volumes: # 挂载数据目录以及日志
      - ./data/:/www/ssp
      - ./logs/:/www/logs
    ports:
      - 8888:80
    environment:
      - LDAP_SERVER=ldap://172.16.0.3:389 # ldap服务: ldap://ip:port
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=cn=admin,dc=openldap,dc=devopsman,dc=cn # 绑定的dn. 具体根据自己的实际修改(管理员dn)
      - LDAP_BINDPASS=nicaicaikan # 上述cn=admin的密码
      - LDAP_BASE_SEARCH=ou=People,dc=openldap,dc=devopsman,dc=cn
      - LDAP_LOGIN_ATTRIBUTE=uid
      - LDAP_FULLNAME_ATTRIBUTE=cn
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
      - ADMODE=false
# Force account unlock when password is changed
      - AD_OPT_FORCE_UNLOCK=false
# Force user change password at next login
      - AD_OPT_FORCE_PWD_CHANGE=false
# Allow user with expired password to change password
      - AD_OPT_CHANGE_EXPIRED_PASSWORD=false
# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
      - SAMBA_MODE=false
# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
      - SHADOW_OPT_UPDATE_SHADOWLASTCHANGE=false
# Hash mechanism for password:
# SSHA
# SHA
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
      - PASSWORD_HASH=MD5 # 密码hash类型
# Local password policy
# This is applied before directory password policy
# Minimal length
      - PASSWORD_MIN_LENGTH=12 # 此处定义密码的组合
# Maximal length
      - PASSWORD_MAX_LENGTH=30
# Minimal lower characters
      - PASSWORD_MIN_LOWERCASE=2
# Minimal upper characters
      - PASSWORD_MIN_UPPERCASE=2
# Minimal digit characters
      - PASSWORD_MIN_DIGIT=2
# Minimal special characters
      - PASSWORD_MIN_SPECIAL=2
# Dont reuse the same password as currently
      - PASSWORD_NO_REUSE=true
    # Definition of special characters
      - PASSWORD_SPECIAL_CHARACTERS="^a-zA-Z0-9" # 定义特殊字符
    # Forbidden characters
    # Check that password is different than login
      - PASSWORD_DIFFERENT_LOGIN=true
# Show policy constraints message:
# always
# never
# onerror
      - PASSWORD_SHOW_POLICY=onerror # 何时显示密码策略信息
# Position of password policy constraints message:
# above - the form
# below - the form
      - PASSWORD_SHOW_POLICY_POSITION=above
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
      - WHO_CAN_CHANGE_PASSWORD=user # 指定谁来修改密码
## Questions/answers
# Use questions/answers?
# true (default)
# false
      - QUESTIONS_ENABLED=false
## Mail
# LDAP mail attribute
      - LDAP_MAIL_ATTRIBUTE=mail
# Who the email should come from
      - MAIL_FROM=cloudnative@qq.com
      - MAIL_FROM_NAME=云原生生态圈认证中心
# Notify users anytime their password is changed
      - NOTIFY_ON_CHANGE=true
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.qq.com # 定义邮件信息，用于发送邮件
      - SMTP_AUTH_ON=true
      - SMTP_USER=cloudnative@qq.com
      - SMTP_PASS=nicaicaikan # 这里是邮箱的授权码
      - SMTP_PORT=465
      - SMTP_SECURE_TYPE=ssl
      - SMTP_AUTOTLS=false
    ## Tokens
    # Use tokens?
    # true
    # false
      - USE_TOKENS=true
    # Crypt tokens?
    # true
    # false
      - TOKEN_CRYPT=true
    # Token lifetime in seconds
      - TOKEN_LIFETIME=1800
 ## SMS
# Use sms (NOT WORKING YET)
      - USE_SMS=false
# Reset URL (if behind a reverse proxy)
      - IS_BEHIND_PROXY=true
# Display help messages
      - SHOW_HELP=true
# Language
      - LANG=en
# Debug mode
      - DEBUG_MODE=false
# Encryption, decryption keyphrase
      - SECRETEKEY=secretkey
## CAPTCHA
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
      - USE_RECAPTCHA=false
# Go on the site to get public and private key
      - RECAPTCHA_PUB_KEY=akjsdnkajnd
      - RECAPTCHA_PRIV_KEY=aksdjnakjdnsa
## Default action
# change
# sendtoken
# sendsms
      - DEFAULT_ACTION=change
      - BACKGROUND_IMAGE="images/unsplash-space.jpeg" # 自定义背景图片
      - LOGO="images/logo.png" # 自定义logo图片

修改完成后，执行运行即可

[root@code self-service-password]# docker-compose up -d
[+] Running 1/1
 ⠿ Container ssp-app  Started

找回密码

点击右上角邮件输入找回信息

重置密码