Deploying Self Service Password
Using Self Service Password (SSP, from the LTB project) to let users change and reset their own AD domain account passwords.
1. Preparation
Operating system: 192.168.1.8, CentOS 7.6
AD domain: 192.168.1.10, ad01.test.com (Certificate Services / CA already installed). Create an AD account named ssp; SSP binds with it for login verification.
Self Service Password documentation: https://ltb-project.org/documentation/self-service-password
1) Configure the yum repository

    cat /etc/yum.repos.d/ltb-project.repo
    [ltb-project-noarch]
    name=LTB project packages (noarch)
    baseurl=https://ltb-project.org/rpm/$releasever/noarch
    enabled=1
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

2) Import the LTB project GPG public key (it is a public key, not a private one). Because the repo has gpgcheck=1, every package signature is verified against this key; rpm --import puts it straight into the RPM database, so the file:// path in gpgkey is only consulted if yum still needs a key. Fetch it over HTTPS only.

    rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

3) Add the EPEL and Webtatic (php72) repositories

    yum -y install epel-release
    rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

4) Edit the hosts file so that ad01.test.com resolves (the name must match the name in the AD server's LDAPS certificate)

    vim /etc/hosts
    192.168.1.10    ad01.test.com
2. Install self-service-password

    yum -y install self-service-password

3. Install Apache
The package install above did not pull in Apache, so install httpd explicitly:

    yum -y install httpd

4. Edit the self-service-password configuration file
Only two features are enabled: changing the AD password and resetting it by email. Every setting below needs to be configured.
    vim /usr/share/self-service-password/conf/config.inc.php

    # LDAP settings
    $ldap_url = "ldaps://ad01.test.com:636";
    $ldap_starttls = false;
    $ldap_binddn = "cn=ssp,cn=users,dc=test,dc=com";
    $ldap_bindpw = "Test2021";
    $ldap_base = "dc=test,dc=com";
    $ldap_login_attribute = "sAMAccountName";
    $ldap_fullname_attribute = "cn";
    $ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

    # Active Directory settings
    $ad_mode = true;
    $ad_options['force_unlock'] = true;
    $ad_options['force_pwd_change'] = false;
    $ad_options['change_expired_password'] = true;
    $who_change_password = "manager";

    # Mail settings
    $mail_from = "ssp@test.com";
    $mail_from_name = "Self Service Password";
    $mail_protocol = 'smtp';
    $mail_smtp_debug = 0;
    $mail_debug_format = 'html';
    $mail_smtp_host = 'smtp.test.com';
    $mail_smtp_auth = true;
    $mail_smtp_user = 'ssp@test.com';
    $mail_smtp_pass = 'Test2021';
    $mail_smtp_port = 25;
    $mail_smtp_timeout = 30;
    $mail_smtp_keepalive = false;
    # $mail_smtp_secure = 'tls';
    # $mail_smtp_autotls = true;

    ## SMS
    # Use sms
    $use_sms = false;

    $keyphrase = "abd2021aa";

Notes on these settings:
- The last clause of $ldap_filter, (!(userAccountControl:1.2.840.113556.1.4.803:=2)), uses the LDAP_MATCHING_RULE_BIT_AND rule to exclude accounts with the ACCOUNTDISABLE bit (0x2) set, so disabled users cannot reset their password.
- $who_change_password = "manager" means SSP performs the password change as the ssp bind account rather than as the user. That account needs the Reset Password right delegated over the user OUs; do not give it Domain Admin membership for this.
- $ad_mode = true requires an encrypted connection (the ldaps:// URL above): a domain controller refuses password changes over a plaintext LDAP session.
- $keyphrase is the secret SSP uses to encrypt the reset tokens in the email links. Use a long random value from a CSPRNG (32 bytes or more), not a short memorable word like the one shown.
- $ldap_bindpw and $mail_smtp_pass are stored in plaintext; restrict config.inc.php so only root and the apache user can read it.
- With $mail_smtp_port = 25 and $mail_smtp_secure left commented out, the SMTP credentials travel in the clear; enable 'tls' if the mail server supports it.

5. Install and configure the OpenLDAP client
1) Install the OpenLDAP client library (PHP's LDAP extension uses it and reads its ldap.conf)

    yum install -y openldap

2) Edit ldap.conf

    vim /etc/openldap/ldap.conf

and add:

    TLS_CACERT /etc/openldap/certs/ad01.pem
    TLS_REQCERT allow
    TLS_CIPHER_SUITE TLSv1+RSA

Caveat: TLS_REQCERT allow lets the session continue even when the server presents a missing or unverifiable certificate, which leaves LDAPS open to a man-in-the-middle. It is useful only while the CA file from the next section is not yet in place; once it is, switch to TLS_REQCERT demand (the default) so that a bad DC certificate aborts the connection. TLSv1+RSA is a legacy OpenSSL-style cipher string; leave TLS_CIPHER_SUITE unset unless the domain controller actually requires it.

6. Configure the CA certificate
1) Export the AD server's CA certificate
On the domain controller, export the certificate that issued the DC's LDAPS certificate: right-click the certificate name, then choose "All Tasks" -> "Export". The exported file is DER-encoded (.cer), which is why it is converted in the next step. Export the CA certificate, not the DC's own server certificate; only the issuing CA lets the client verify the chain with TLS_REQCERT demand.

2) Convert the CA certificate
Upload ad01.cer to /root/ on the Self Service Password server, then convert it to PEM and append it to the CA file referenced by TLS_CACERT:

    openssl x509 -inform der -in ad01.cer -out ad01.pem
    cat ad01.pem >> /etc/openldap/certs/ad01.pem

Keep /etc/openldap/certs/ad01.pem owned by root and read-only for everyone else: anything that can write to it can make a rogue DC certificate trusted.

7. Start the service
    service httpd start

Access URL: http://192.168.1.8

The page handles passwords and reset tokens, so serve it over HTTPS (mod_ssl with a certificate from the same CA) rather than plain HTTP, and enable httpd at boot so the service survives a reboot.
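The settings in sections 4 to 6 rely on a few Active Directory and LDAP details that the page states but never shows. The script below is an added example, not code from the page or from the LTB project. It uses only the Python standard library and constructed sample values (the login "jdoe", an injection-style login "x)(cn=*", the password Test2021 from the config above, and userAccountControl numbers such as 514); the function names and the flag table are this example's own. It shows what the (!(userAccountControl:1.2.840.113556.1.4.803:=2)) clause tests, why {login} must be escaped before it is substituted into $ldap_filter, the unicodePwd encoding that ad_mode sends over LDAPS, a $keyphrase of adequate strength, and the client-side TLS policy that corresponds to TLS_REQCERT demand rather than allow.

```python
"""Added example, not code from the page or from the LTB project.
Standard library only; every sample value below is constructed."""
import base64
import secrets
import ssl

# userAccountControl flag bits (the Microsoft-documented values, lowest first)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def describe_uac(uac):
    """Names of the flags set in a userAccountControl value (e.g. 514)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def is_disabled(uac):
    """What (userAccountControl:1.2.840.113556.1.4.803:=2) tests: the OID is
    LDAP_MATCHING_RULE_BIT_AND, so the clause matches when bit 0x2
    (ACCOUNTDISABLE) is set; the surrounding (!...) in $ldap_filter therefore
    keeps disabled accounts away from the reset form."""
    return bool(uac & 0x2)


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value that goes into a search filter, so a
    login such as 'x)(cn=*' cannot add a clause or become a wildcard."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


LDAP_FILTER = ("(&(objectClass=user)(sAMAccountName={login})"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")


def build_filter(login, template=LDAP_FILTER):
    """Fill in {login} the safe way: escape first, substitute second."""
    return template.replace("{login}", ldap_filter_escape(login))


def unicode_pwd(password):
    """AD only accepts a new password as the unicodePwd attribute: the password
    in double quotes, UTF-16LE encoded, and only over an encrypted (LDAPS)
    session; a DC refuses the modify on a plaintext connection. This is the
    encoding that $ad_mode = true relies on."""
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_ldif(password):
    """The same value as it appears in LDIF (base64 of the UTF-16LE bytes)."""
    return base64.b64encode(unicode_pwd(password)).decode("ascii")


def generate_keyphrase(nbytes=32):
    """A $keyphrase from the OS CSPRNG instead of a short memorable word."""
    return secrets.token_urlsafe(nbytes)


def ldaps_context(cafile):
    """Client policy equivalent to TLS_REQCERT demand: the DC certificate must
    chain to the CA in cafile and match the host name, or the handshake fails.
    cafile=None falls back to the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # TLS_REQCERT allow would tolerate a bad cert
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def ldaps_policy_ok(ctx):
    """True when the context really verifies the peer (what 'demand' means)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    print(describe_uac(514), is_disabled(514))   # constructed UAC value
    print(build_filter("x)(cn=*"))                 # constructed hostile login
    print(unicode_pwd_ldif("Test2021"))            # password from the config above
    print(generate_keyphrase())
    print(ldaps_policy_ok(ldaps_context(None)))
```

On the deployed server, ldaps_context("/etc/openldap/certs/ad01.pem") wrapped around a socket to ad01.test.com:636 is the quickest way to confirm that the exported CA really validates the DC before TLS_REQCERT is raised to demand; a handshake failure there means the wrong certificate was exported, not that the DC is down.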
8. Troubleshooting
1) Changing the password fails with "password rejected by LDAP server"

A wrong $who_change_password setting causes the change to fail. Set it to "manager" so that the ssp bind account performs the change:

    vim /usr/share/self-service-password/conf/config.inc.php
    $who_change_password = "manager";

2) Resetting the password by email fails with "口令無效" (invalid token)
After clicking the reset link in the email, the page reports "口令無效" (invalid token).

The log file /etc/httpd/logs/ssp_error_log shows that /var/lib/php/session is accessible only by root:

    PHP Warning:  session_start(): Failed to read session data: files (path: /var/lib/php/session) in /usr/share/self-service-password/pages/resetbytoken.php on line 66

SSP keeps the state behind the reset token in a PHP session, so when the web server cannot read the session directory the token cannot be validated. Fix the permissions on /var/lib/php/session:

    chmod -R 777 /var/lib/php/session

Caveat: mode 777 makes the session store world-writable, so any local account can read or forge session files, including the ones holding reset tokens. The least-privilege fix is to keep the directory owned by root with group apache (the account httpd runs as on CentOS 7) and mode 770, which is enough for session_start() to succeed.
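The script below is an added example, not code from the page or from the LTB project. It checks a PHP session directory the way a reviewer would (world bits, and whether the web server account can actually use it through owner or group bits) and applies the root:apache, mode 770 layout instead of chmod -R 777. It runs offline: demo() works on a temporary directory with a constructed dummy session file and uses the current account in place of root/apache. On the real server you would run, as root, check_session_dir("/var/lib/php/session") and then harden_session_dir("/var/lib/php/session").

```python
"""Added example, not code from the page or from the LTB project.
Checks a PHP session directory with least privilege in mind and applies the
root:apache / 770 fix instead of chmod -R 777. Standard library only; the
demo uses a temporary directory and a constructed dummy session file."""
import grp
import os
import pwd
import stat
import tempfile


def _user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:            # uid without a passwd entry (minimal containers)
        return str(uid)


def _group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def _uid(user):
    return int(user) if str(user).isdigit() else pwd.getpwnam(user).pw_uid


def _gid(group):
    return int(group) if str(group).isdigit() else grp.getgrnam(group).gr_gid


def check_session_dir(path, web_user="apache"):
    """Return a list of findings (empty = acceptable). web_user is the account
    httpd/PHP runs as; 'apache' on CentOS 7."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    mode = stat.S_IMODE(st.st_mode)
    owner, group = _user_name(st.st_uid), _group_name(st.st_gid)
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("mode %04o is world-writable: any local user can read "
                        "or plant session files, including reset tokens" % mode)
    elif mode & (stat.S_IROTH | stat.S_IXOTH):
        findings.append("mode %04o is world-readable/searchable" % mode)
    usable = ((owner == web_user and (mode & 0o700) == 0o700) or
              (group == web_user and (mode & 0o070) == 0o070))
    if not usable:
        findings.append("%s cannot use it through owner/group bits (owner %s, "
                        "group %s, mode %04o): session_start() fails unless the "
                        "world bits allow it" % (web_user, owner, group, mode))
    return findings


def harden_session_dir(path, owner="root", group="apache", mode=0o770):
    """Least-privilege fix: root owns the directory, the web server's group can
    read and write it, nobody else can. Existing session files get 0660.
    Must run as root on the real server."""
    uid, gid = _uid(owner), _gid(group)
    os.chown(path, uid, gid)
    os.chmod(path, mode)
    for name in os.listdir(path):
        p = os.path.join(path, name)
        os.chown(p, uid, gid)
        os.chmod(p, 0o660)


def demo():
    """Offline demonstration: the page's 777 fix versus the hardened layout,
    using the current account in place of root/apache."""
    me, my_group = _user_name(os.getuid()), _group_name(os.getgid())
    d = tempfile.mkdtemp(prefix="php-session-")
    open(os.path.join(d, "sess_0123456789abcdef"), "w").close()  # constructed dummy
    os.chmod(d, 0o777)                        # what chmod -R 777 leaves behind
    before = check_session_dir(d, web_user=me)
    harden_session_dir(d, owner=me, group=my_group)
    after = check_session_dir(d, web_user=me)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The check deliberately reports two different things: the world bits (a confidentiality and forgery problem for every session on the box) and whether the web server account can reach the directory at all (the cause of the session_start() warning above). The 777 fix silences the second finding only by creating the first.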