
Self Service Password: a self-service desk for domain accounts

2023-06-11 21:41 Author: 王忘杰-王土狗


Project website:
https://www.ltb-project.org/documentation/self-service-password.html
GitHub:
https://github.com/ltb-project/self-service-password
Documentation:
https://self-service-password.readthedocs.io/en/latest/

This article installs on Oracle Linux 8.

Installation:
1. Install php-Smarty
https://pkgs.org/download/php-Smarty

Download latest remi-release rpm from
http://rpms.remirepo.net/enterprise/8/remi/x86_64/

Install remi-release rpm:
rpm -Uvh remi-release*rpm

Install php-Smarty rpm package:
dnf --enablerepo=remi install php-Smarty

2. Install self-service-password

Configure the yum repository:
/etc/yum.repos.d/ltb-project.repo

[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Then update:
yum update

Import repository key:
rpm --import https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project

You are now ready to install:
yum install self-service-password

3. Install openldap

yum install -y openldap

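4. Export the certificate from the AD domain
Self Service Password must connect to the domain controller over LDAPS, so the certificate has to be loaded.
Add Roles and Features - AD Certificate Services

Certification Authority Web Enrollment

Configure the certificate service

Certification Authority

Enable the AD domain certificate service

Refresh the policy

Export the certificate

Personal certificates

Export

Convert the certificate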

openssl x509 -inform der -in ad01.cer -out ad01.pem
cat ad01.pem >> /etc/openldap/certs/ldaps.pem

openldap configuration file

/etc/openldap/ldap.conf

TLS_CACERT /etc/openldap/certs/ldaps.pem
TLS_REQCERT allow

5. Self Service Password configuration file
A separate local configuration file must be created.

cd /usr/share/self-service-password/conf/
cp config.inc.php config.inc.local.php

My configuration file config.inc.local.php; it mainly shows the parts I changed, with comments.

<?php
$debug = false; // debug mode off

# LDAP
$ldap_url = "ldaps://ad1.90apt.com:636"; // AD server
$ldap_starttls = false;
$ldap_binddn = "CN=wangwangjie,CN=Users,DC=90apt,DC=com"; // domain controller administrator account used for the bind
$ldap_bindpw = "passwd@123"; // password of the domain administrator above

$ldap_base = "OU=王工有限公司,OU=用戶OU,DC=90apt,DC=com"; // OU scope the service applies to
$ldap_login_attribute = "sAMAccountName"; // login attribute
$ldap_fullname_attribute = "cn"; // full-name attribute
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; // AD needs the filter configured this way
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;


$ad_mode = true; // enable AD mode
$ad_options=[];
# Force account unlock when password is changed
$ad_options['force_unlock'] = true; // force account unlock when the password is changed
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true; // allow users with an expired password to change it


# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 8; // minimum password length
# Maximal length
$pwd_max_length = 0;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 0;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9"; // special characters
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true; // do not reuse the current password
# Check that password is different than login
$pwd_diff_login = true; // password must not be the same as the login
# Check new passwords differs from old one - minimum characters count
$pwd_diff_last_min_chars = 0;
# Forbidden words which must not appear in the password
$pwd_forbidden_words = array();
# Forbidden ldap fields
# Respective values of the user's entry must not appear in the password
# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
$pwd_forbidden_ldap_fields = array();
# Complexity: number of different class of character required
$pwd_complexity = 3; // number of different character classes required
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always"; // show the constraints message
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above"; // show it above the form

# disallow use of the only special character as defined in `$pwd_special_chars` at the beginning and end
$pwd_no_special_at_ends = false;

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager"; // whose privileges are used to change the password



## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attributes = array( "userPrincipalName","mail", "gosaMailAlternateAddress", "proxyAddresses" ); // mail attributes
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true; // get the mail address directly from the domain controller
# Who the email should come from
$mail_from = "wangwangjie@90apt.com";
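$mail_from_name = "域賬號自助改密解鎖服務"; // "Self-service password change and unlock for domain accounts"
$mail_signature = "本郵件為通過密碼自助修改LDAP賬號密碼,無需回復,如有重置密碼遇到問題可以聯系運維同學"; // "This mail was sent by the LDAP self-service password change; no reply is needed. If you have trouble resetting your password, contact the operations team."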
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.90apt.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'wangwangjie@90apt.com';
$mail_smtp_pass = 'passwd@123';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;

## SMS
# Use sms
$use_sms = true;
# SMS method (mail, api)
$sms_method = "api";
$sms_api_lib = "lib/smsapi.inc.php"; // self-written SMS API; take it from the SMS platform's help documentation
# GSM number attribute
$sms_attributes = array( "mobile", "pager", "ipPhone", "homephone" );
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address. {sms_attribute} will be replaced by real sms number
$smsmailto = "{sms_attribute}@service.provider.com";
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} {smstoken}";
# Remove non digit characters from GSM number
$sms_sanitize_number = false;
# Truncate GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;
# Max attempts allowed for SMS token
$max_attempts = 5;

# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "90apt"; // keyphrase

# Display menu on top
$show_menu = true; // show the menu

# Logo
$logo = "images/logo.png"; // logo

# Background image
$background_image = "images/90apt.png"; // background image
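
Three settings in the ldap.conf and config.inc.local.php shown above can be checked mechanically: `TLS_REQCERT allow` lets the LDAPS session proceed even when the domain controller's certificate fails verification (`demand` is the OpenLDAP client default), `$keyphrase` is five characters long although the shipped comment asks for something long and random, and the file stores `$ldap_bindpw` in clear text. The script below is an added example, not part of the original article or of the Self Service Password project; the function names, the 32-character threshold and the constructed sample files are assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit the two files this guide edits. Function names, the
# 32-character threshold and the sample files are assumptions, not SSP code.

ldap_opt() {   # ldap_opt FILE OPTION: last value set for OPTION
  awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

php_val() {    # php_val FILE NAME: last value assigned to $NAME, quotes stripped
  sed -n -E "s/^[[:space:]]*[$]${2}[[:space:]]*=[[:space:]]*([^;]*);.*/\1/p" "$1" |
    tail -n 1 | tr -d "\"'"
}

audit_ssp() {  # audit_ssp LDAP_CONF SSP_CONF: prints findings, returns 1 if any
  rc=0
  reqcert=$(ldap_opt "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
  case "$reqcert" in   # an unset option means the default, demand
    never|allow)
      echo "TLS_REQCERT $reqcert: the LDAPS server certificate is not enforced"; rc=1 ;;
  esac
  key=$(php_val "$2" keyphrase)
  if [ "${#key}" -lt 32 ]; then
    echo "keyphrase: ${#key} characters, want 32 or more random ones"; rc=1
  fi
  if [ "$(php_val "$2" debug)" = true ]; then
    echo "debug: enabled"; rc=1
  fi
  if [ "$(ls -ld "$2" | cut -c8)" = r ]; then   # 8th mode character is other-read
    echo "permissions: $2 holds ldap_bindpw and is world-readable"; rc=1
  fi
  return "$rc"
}

demo() {       # constructed sample files using the values shown in this guide
  d=$(mktemp -d)
  printf 'TLS_CACERT /etc/openldap/certs/ldaps.pem\nTLS_REQCERT allow\n' > "$d/ldap.conf"
  printf '<?php\n$debug = false;\n$keyphrase = "90apt";\n' > "$d/config.inc.local.php"
  chmod 644 "$d/config.inc.local.php"
  audit_ssp "$d/ldap.conf" "$d/config.inc.local.php" || true
  rm -rf "$d"
}
demo
```

On the real host, point `audit_ssp` at /etc/openldap/ldap.conf and /usr/share/self-service-password/conf/config.inc.local.php; it returns non-zero whenever it prints a finding.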



