OpenLDAP: letting ordinary users change their own passwords

Background: reduce the administrator's workload by letting users change their own passwords.

OpenLDAP details:

Version: 2.4.44, installed via yum

OS: CentOS 7.4

Backend database type: hdb

 

The open-source PHP application self-service-password is used: https://ltb-project.org/documentation

Version 1.3 was installed via yum; installation instructions: https://ltb-project.org/documentation/self-service-password/1.3/install_rpm

Configuration:

Two configuration files are modified, as follows:

/etc/httpd/conf.d/self-service-password.conf
/usr/share/self-service-password/conf/config.inc.php

Use rpm -ql self-service-password to find the configuration file paths.

Changes to self-service-password.conf:

# cat self-service-password.conf
Alias /ssp /usr/share/self-service-password

<Directory /usr/share/self-service-password>
    AllowOverride None
    Require all granted
</Directory>

Contents of config.inc.php:

# LDAP
$ldap_url = "ldap://127.0.0.1:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=gunfree,dc=com";
$ldap_bindpw = "123456";
$ldap_base = "ou=People,dc=gunfree,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=inetOrgPerson)($ldap_login_attribute={login}))";


## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "[email protected]";
$mail_from_name = "重置LDAP密碼";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.exmail.qq.com';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = '123456';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

 

Problems encountered during configuration:

After installing self-service-password, users could not change their password; the log showed errors like:

[Wed Nov 28 16:59:37.360390 2018] [:error] [pid 9528] [client 192.168.1.10:50466] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php
[Wed Nov 28 17:08:39.733926 2018] [:error] [pid 9525] [client 192.168.1.10:50530] LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.1.10/ssp/index.php

I searched online for a long time without finding an answer, so I had to work it out myself.

I tried adding the ACL to the olcDatabase={0}config.ldif file, but the problem remained; only after adding the ACL to olcDatabase={2}hdb.ldif was the problem solved. The command used:

ldapmodify -Y EXTERNAL -H ldapi:/// -f updatepass.ldif

Contents of updatepass.ldif:

# cat updatepass.ldif 
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
        by dn="cn=admin,dc=gnufree,dc=com" write
        by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
        by anonymous auth
        by self write
        by * none
olcAccess: to *
        by dn="cn=admin,dc=gnufree,dc=com" write
        by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write
        by * read
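OpenLDAP evaluates olcAccess rules in order and stops at the first `to <what>` clause that matches, so the userPassword rule must come before `to *`, and `add: olcAccess` appends after any rules already present in the database. The following Python check is an added example written for this post (not part of self-service-password or OpenLDAP): it parses olcAccess values as returned by `ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={2}hdb,cn=config" olcAccess` and reports orderings or clauses that would reproduce the error 50 above or expose password hashes; the sample values are constructed.

```python
import re

# Constructed sample: the olcAccess values ldapsearch returns for
# olcDatabase={2}hdb,cn=config after updatepass.ldif above was applied
# (slapd prefixes each value with its evaluation order {n}).
GOOD_OLCACCESS = [
    '{0}to attrs=userPassword by dn="cn=admin,dc=gnufree,dc=com" write '
    'by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write '
    'by anonymous auth by self write by * none',
    '{1}to * by dn="cn=admin,dc=gnufree,dc=com" write '
    'by dn.children="cn=admin,ou=group,dc=gnufree,dc=com" write by * read',
]

# Constructed counter-example: a catch-all rule was already present, so
# "add: olcAccess" appended the userPassword rule behind it.
BAD_OLCACCESS = [
    '{0}to * by * read',
    '{1}to attrs=userPassword by anonymous auth by self write by * none',
]

def parse_rule(value):
    """Split one olcAccess value into (order, what, [(who, access), ...])."""
    m = re.match(r'^\{(\d+)\}to\s+(.*?)\s+by\s+(.*)$', value.strip())
    clauses = []
    for part in re.split(r'\s+by\s+', m.group(3)):
        toks = part.split()
        # <who> may be a quoted DN; the last token is always the access level
        clauses.append((' '.join(toks[:-1]), toks[-1]))
    return int(m.group(1)), m.group(2), clauses

def check_self_service_acl(values):
    """Return findings (empty list = users can change their own password
    and nobody else can read userPassword)."""
    rules = sorted(parse_rule(v) for v in values)
    whats = [what for _, what, _ in rules]
    findings = []
    if 'attrs=userPassword' not in whats:
        return ['no attrs=userPassword rule: "by self write" is never granted']
    pw_idx = whats.index('attrs=userPassword')
    if '*' in whats and whats.index('*') < pw_idx:
        findings.append('"to *" precedes the userPassword rule, which is shadowed')
    by = dict(rules[pw_idx][2])
    if by.get('self') != 'write':
        findings.append('userPassword rule lacks "by self write"')
    if by.get('anonymous') != 'auth':
        findings.append('userPassword rule lacks "by anonymous auth": binds fail')
    if by.get('*', 'none') != 'none':
        findings.append('"by * %s" on userPassword exposes password hashes' % by['*'])
    return findings
```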

Problem 2: verification email could not be sent

The configuration above uses Tencent Enterprise Mail (smtp.exmail.qq.com); the default $mail_smtp_secure = 'tls'; was changed to ssl, which solved the problem.
