概述

我们已经部署了OpenLDAP服务,使得我们有了实现集中管理用户账号和集中式认证的基础。接下来更进一步需求就是让用户可以自己自行管理密码。本文将尝试使用Self Service Password实现这个需求。

Self Service Password是一个PHP的Web应用,能够让用户修改在LDAP中的密码,支持标准的LDAPv3目录OpenLDAP, OpenDS, ApacheDS, Active Directory等。

快速体验

Self Service Password的安装可以参考这里。本文将不再描述具体的安装过程,而直接使用grams/ltb-self-service-password这个Docker镜像来快速体验一下Self Service Password。

1
docker pull grams/ltb-self-service-password

下载配置文件config.inc.php:

1
2
cd ~
wget https://raw.githubusercontent.com/grams/docker-LTB-self-service-password/master/assets/config.inc.php

修改config.inc.php中的内容:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ldap_url = "ldap://192.168.61.100:389";
$ldap_binddn = "cn=manager,dc=frognew,dc=com";
$ldap_bindpw = "password of manager";
$ldap_base = "dc=frognew,dc=com";

$hash = "SSHA";
$pwd_min_length = 8;
$pwd_max_length = 12;
$pwd_min_lower = 1;
$pwd_min_upper = 1;
$pwd_min_digit = 1;

$use_questions = false;

$mail_from = "xxx@163.com";
$notify_on_change = true;
$mail_smtp_host = 'smtp.163.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'xxx@163.com';
$mail_smtp_pass = 'smtppass';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;

$use_sms = false;

启动docker容器:

1
2
3
4
docker run -p 8765:80 -d \
-v ~/config.inc.php:/usr/share/self-service-password/conf/config.inc.php \
--name ldap-ssp \
grams/ltb-self-service-password

浏览器中打开http://192.168.61.100:8765,用户就可以在这个页面上修改自己的密码或基于邮箱进行密码重置了。

self-service-password

参考