Background: reduce the administrator's workload by letting users change their own LDAP passwords.
OpenLDAP details:
Version: 2.4.44, installed with yum
OS: CentOS 7.4
Backend database type: hdb
Using the open-source PHP application self-service-password from the LTB project: https://ltb-project.org/documentation
Installed version 1.3 with yum; installation guide: https://ltb-project.org/documentation/self-service-password/1.3/install_rpm
Configuration:
Two configuration files need to be edited:
/etc/httpd/conf.d/self-service-password.conf
/usr/share/self-service-password/conf/config.inc.php
Use rpm -ql self-service-password to find where the package put its configuration files.
Contents of the modified self-service-password.conf:
# cat self-service-password.conf
Alias /ssp /usr/share/self-service-password
<Directory /usr/share/self-service-password>
AllowOverride None
Require all granted
</Directory>
Relevant contents of config.inc.php:
# LDAP
# Plain ldap:// without STARTTLS is only acceptable because slapd listens on
# the loopback interface; a remote server needs ldaps:// or $ldap_starttls = true.
$ldap_url = "ldap://127.0.0.1:389";
$ldap_starttls = false;
# Service account used to look up users. Its password (and the SMTP password
# further down) sits in this file in clear text, so keep the file readable
# only by the httpd user.
$ldap_binddn = "cn=admin,dc=gunfree,dc=com";
$ldap_bindpw = "123456";
$ldap_base = "ou=People,dc=gunfree,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";
## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "[email protected]";
$mail_from_name = "LDAP password reset";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = '123456';
# Port 465 is implicit TLS ('ssl' in PHPMailer terms); 587 and 25 are STARTTLS
# ('tls'). Port and mode must agree, otherwise the handshake fails and no mail goes out.
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
Problems encountered during configuration:
Problem 1: after self-service-password was installed, users could not change their password. The httpd error log showed:
[Wed Nov 28 16:59:37.360390 2018] [:error] [pid 9528] [client 192.168.1.10:50466] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php
[Wed Nov 28 17:08:39.733926 2018] [:error] [pid 9525] [client 192.168.1.10:50530] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php
After a long web search that turned up nothing useful I had to work it out myself.
I first tried adding ACL entries to olcDatabase={0}config.ldif, which changed nothing: that database only governs access to cn=config itself, not to the user entries. Adding the ACL to olcDatabase={2}hdb.ldif, the database that holds the users, solved it. Without any olcAccess on that database slapd applies its built-in default policy (everyone may read, only the rootdn may write), so a user who has bound as themselves cannot modify userPassword and slapd returns error 50 (Insufficient access). The ACL was added with:
ldapmodify -Y EXTERNAL -H ldapi:/// -f updatepass.ldif
Contents of updatepass.ldif. Three things to check before applying it: LDIF continuation lines must begin with a space (two spaces here, so the joined value reads "userPassword  by ..." rather than "userPasswordby ..."); the DNs must match the suffix actually loaded in the database (config.inc.php above spells it dc=gunfree, the LDIF below dc=gnufree, and a DN that matches nothing silently grants nothing); and order matters, because slapd uses only the first "to" clause that matches, so the userPassword rule must come before "to *", and "add: olcAccess" appends after any rules already present (ldapsearch on olcDatabase={2}hdb,cn=config shows them).
# cat updatepass.ldif
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
  by dn="cn=admin,dc=gnufree,dc=com" write
  by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: to *
  by dn="cn=admin,dc=gnufree,dc=com" write
  by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
  by * read
The first rule is what makes self-service work: "by anonymous auth" lets an unauthenticated client bind against userPassword without reading it, "by self write" lets the user who just bound (self-service-password's default is to bind as the user) change their own password, and "by * none" hides the hash from everyone else.
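The script below is an added example, not code from this post, from OpenLDAP or from the LTB project. It builds the same ACL from one set of variables so the suffix and admin DNs cannot disagree with config.inc.php, checks that the resulting olcAccess list is not shadowed by an earlier catch-all rule, and wraps the apply and verify commands plus an end-to-end test with ldappasswd. The suffix dc=gunfree,dc=com, the group container and the test user uid=alice are assumed values for illustration.

```shell
#!/bin/sh
# Added example: not from the post, OpenLDAP or the LTB project.
# Builds the userPassword ACL from one set of variables, checks that the
# olcAccess list is not shadowed by an earlier catch-all rule, and wraps
# the apply/verify steps. All DNs below are assumed values for illustration.
set -eu

SUFFIX="dc=gunfree,dc=com"                # must be the suffix slapd serves
ADMIN_DN="cn=admin,$SUFFIX"               # same as $ldap_binddn in config.inc.php
ADMIN_GROUP="cn=admin,ou=group,$SUFFIX"   # container used with dn.children
DB_DN="olcDatabase={2}hdb,cn=config"      # the database holding the users
TEST_USER="uid=alice,ou=People,$SUFFIX"   # assumed account for the end-to-end test

# Print the modify LDIF. Continuation lines start with two spaces: LDIF strips
# the first space and joins the rest, so one space would yield "userPasswordby".
# "add" appends after any olcAccess values the database already has.
gen_acl_ldif() {
  cat <<EOF
dn: $DB_DN
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
  by dn="$ADMIN_DN" write
  by dn.children="$ADMIN_GROUP" write
  by anonymous auth
  by self write
  by * none
olcAccess: to *
  by dn="$ADMIN_DN" write
  by dn.children="$ADMIN_GROUP" write
  by * read
EOF
}

# Read olcAccess values from stdin, one per line, with or without the {n}
# index prefix, and fail if a "to *" rule precedes a "to attrs=" rule.
# slapd evaluates only the first <what> clause that matches, so a catch-all
# placed earlier makes the userPassword rule dead and keeps error 50 around.
check_acl_order() {
  awk '
    /^([{][0-9]+[}])?to \*/     { catchall = 1; next }
    /^([{][0-9]+[}])?to attrs=/ { if (catchall) shadowed = 1 }
    END                          { exit shadowed ? 1 : 0 }
  '
}

# Effective olcAccess list of the database, one unwrapped value per line.
current_acls() {
  ldapsearch -LLL -o ldif-wrap=no -Y EXTERNAL -H ldapi:/// \
    -b "$DB_DN" -s base olcAccess | sed -n 's/^olcAccess: //p'
}

# Apply as root over the ldapi socket, then confirm the ordering.
# Run by hand on the LDAP server; nothing here executes automatically.
apply_acl() {
  gen_acl_ldif | ldapmodify -Y EXTERNAL -H ldapi:///
  current_acls | check_acl_order && echo "ACL order OK"
}

# End-to-end check outside the web app: bind as the user (what
# self-service-password does by default) and set a new password.
# Prompts for the current password (-W) and the new one (-S).
test_self_change() {
  ldappasswd -x -H ldap://127.0.0.1 -D "$TEST_USER" -W -S
}
```

Source the file and call apply_acl on the LDAP server, then test_self_change from any host that can reach it; if ldappasswd succeeds but the web form still fails, the problem is in config.inc.php rather than in the ACL.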
Problem 2: verification e-mails were not sent.
The configuration above uses Tencent Exmail (smtp.exmail.qq.com) on port 465. The default $mail_smtp_secure = 'tls' means STARTTLS, which is what ports 587 and 25 expect; port 465 speaks TLS from the first byte (implicit TLS, 'ssl' in PHPMailer's terms). Changing the value to 'ssl' fixed the problem.
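The following script is an added example, not code from this post or from the LTB project. It pulls $mail_smtp_port and $mail_smtp_secure out of config.inc.php and flags the combination that broke mail here (465 with 'tls'), and includes an openssl probe to see the real handshake. The config path and the port-to-mode mapping (465 implicit TLS, 587 and 25 STARTTLS) are assumptions of the example.

```shell
#!/bin/sh
# Added example: not from the post or the LTB project. Reads the SMTP port and
# $mail_smtp_secure out of config.inc.php and flags the mismatch that broke
# mail here (port 465 with 'tls'). The path and the port-to-mode mapping are
# assumptions: 465 is implicit TLS ('ssl'), 587 and 25 use STARTTLS ('tls').
set -eu

# php_value FILE NAME: print the scalar assigned to $NAME, quotes stripped.
# Good enough for the flat "$name = value;" lines self-service-password uses;
# commented-out defaults ("#$name = ...") are ignored by the leading-$ match.
php_value() {
  grep "^[[:space:]]*\\\$$2[[:space:]]*=" "$1" | head -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*;.*$//' \
          -e "s/^['\"]//" -e "s/['\"]\$//"
}

# expected_secure PORT: the PHPMailer SMTPSecure value that port implies.
expected_secure() {
  case "$1" in
    465)    echo ssl ;;
    587|25) echo tls ;;
    *)      echo unknown ;;
  esac
}

# check_mail_config FILE: 0 if port and mode agree, 1 otherwise.
check_mail_config() {
  port=$(php_value "$1" mail_smtp_port)
  secure=$(php_value "$1" mail_smtp_secure)
  if [ -z "$port" ]; then
    echo "no \$mail_smtp_port in $1" >&2
    return 1
  fi
  want=$(expected_secure "$port")
  if [ "$want" = "$secure" ]; then
    echo "ok: port $port with mail_smtp_secure='$secure'"
    return 0
  fi
  echo "mismatch: port $port expects mail_smtp_secure='$want', config has '$secure'" >&2
  return 1
}

# probe_smtp HOST PORT ssl|tls: show the real handshake with openssl
# (needs network; run by hand). A 'tls' probe against 465 hangs or fails,
# which is the symptom behind "cannot send verification mail".
probe_smtp() {
  if [ "$3" = ssl ]; then
    openssl s_client -connect "$1:$2" </dev/null
  else
    openssl s_client -starttls smtp -connect "$1:$2" </dev/null
  fi
}
```

Source the file and run check_mail_config /usr/share/self-service-password/conf/config.inc.php after every edit; probe_smtp smtp.exmail.qq.com 465 ssl shows the certificate chain and "250" banner lines when the mode is right, and a stalled or aborted handshake when it is not.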