Deploying self-service-password for user password changes under LDAP unified account management

1. PHP installation and configuration

yum install http://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install yum-utils
yum install php72 php72-php-fpm php72-php-gd php72-php-json php72-php-mbstring php72-php-mysqlnd php72-php-xml php72-php-xmlrpc php72-php-opcache  php72-php-ldap


Edit the PHP configuration
vim /etc/php.ini
## Change the following settings
session.save_path = /tmp
upload_max_filesize = 10M
post_max_size = 16M
max_execution_time = 600
request_terminate_timeout = 600
expose_php = Off
output_buffering = 4096

Start PHP-FPM
systemctl enable php72-php-fpm.service
systemctl start php72-php-fpm.service

2. nginx installation

Install with yum
yum install -y nginx


Configuration
vim /etc/nginx/conf.d/ssp.conf
server {
    listen 8080;

    root /usr/share/self-service-password/htdocs;
    index index.php index.html index.htm;

    # Make site accessible from http://localhost/
    server_name _;

    # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
    sendfile off;

    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1000;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;
    gzip_vary on;
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # Add stdout logging

    # pass the PHP scripts to FastCGI server listening on socket
    #
    location ~ \.php {
        #fastcgi_pass unix:/var/run/php-fpm.socket;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info       ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
        # refuse requests whose script does not exist on disk
        try_files $fastcgi_script_name =404;
        fastcgi_read_timeout 600;
        include fastcgi_params;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
        internal;
    }

    # deny access to . files, for security
    #
    location ~ /\. {
        log_not_found off;
        deny all;
    }

    location ~ /scripts {
        log_not_found off;
        deny all;
    }
}

3. Install self-service-password

## Configure the yum repository:
vim /etc/yum.repos.d/ltb-project.repo

[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Install the package
rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

yum install self-service-password

Edit the configuration file
vim /usr/share/self-service-password/conf/config.inc.php

## LDAP
# LDAP
$ldap_url = "ldap://10.9.0.0:389"; # LDAP server address
$ldap_starttls = false;
$ldap_binddn = "cn=ldapadm,dc=liuwq,dc=com";
$ldap_bindpw = 'password';
$ldap_base = "dc=liuwq,dc=com";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;

$who_change_password = "ldapadm";

## Mail settings
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true;
# Who the email should come from
$mail_from = "[email protected]";
$mail_from_name = "Self Service Password";
$mail_signature = "This mail was sent by the password self-service after your LDAP account password was changed; no reply is needed. If you run into problems resetting your password, contact the ops team.";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtp.qiye.aliyun.com'; # SMTP server address
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = 'password';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = false;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
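Before opening the web UI it is worth confirming that the LDAP settings above resolve a user the way self-service-password will: bind with the service account, substitute the login into $ldap_filter, and check that exactly one entry with a mail attribute comes back. The script below is an added preflight check (not code from the SSP project or from this post); it reuses the variable names from config.inc.php, and the login `alice` plus the host and credentials are placeholders to replace with your own.

```php
<?php
// Preflight check for the LDAP part of config.inc.php (added example, not SSP code).
// Values mirror the post's configuration; replace the placeholders with your own.
$ldap_url             = "ldap://10.9.0.0:389";
$ldap_starttls        = false;
$ldap_binddn          = "cn=ldapadm,dc=liuwq,dc=com";
$ldap_bindpw          = 'password';
$ldap_base            = "dc=liuwq,dc=com";
$ldap_login_attribute = "uid";
$ldap_filter          = "(&(objectClass=person)($ldap_login_attribute={login}))";
$mail_attribute       = "mail";
$test_login           = "alice"; // placeholder: an existing uid to look up

$ds = ldap_connect($ldap_url);
if ($ds === false) { fwrite(STDERR, "malformed LDAP URL\n"); exit(1); }
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// Same order SSP uses: optional STARTTLS first, then bind with the service account.
if ($ldap_starttls && !ldap_start_tls($ds)) {
    fwrite(STDERR, "STARTTLS failed: " . ldap_error($ds) . "\n"); exit(1);
}
if (!@ldap_bind($ds, $ldap_binddn, $ldap_bindpw)) {
    fwrite(STDERR, "bind as $ldap_binddn failed: " . ldap_error($ds) . "\n"); exit(1);
}

// SSP substitutes the submitted login into $ldap_filter; escape it so a login
// containing '*', '(' or ')' cannot change the meaning of the filter.
$filter  = str_replace('{login}', ldap_escape($test_login, '', LDAP_ESCAPE_FILTER), $ldap_filter);
$sr      = ldap_search($ds, $ldap_base, $filter, [$ldap_login_attribute, $mail_attribute]);
$entries = ldap_get_entries($ds, $sr);

if ($entries['count'] !== 1) {
    fwrite(STDERR, "filter $filter matched {$entries['count']} entries, expected exactly 1\n");
    exit(1);
}
$dn = $entries[0]['dn'];
echo "resolved $test_login to $dn\n";

// With $mail_address_use_ldap = true the reset mail goes only to this attribute,
// so a user without it can never receive a token.
if (empty($entries[0][$mail_attribute]['count'])) {
    fwrite(STDERR, "no $mail_attribute attribute on $dn; token mails cannot be sent\n");
    exit(1);
}
echo "mail: {$entries[0][$mail_attribute][0]}\nOK\n";
```

Run it with the php72 binary on the SSP host so it uses the same php-ldap extension installed in step 1.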

4. In a browser, open IP:8080 (the nginx port configured above)

At this point the web UI shows the error: Token encryption requires a random string in keyphrase setting

(screenshot)

Cause and fix:

(screenshot)

After making the change, refresh the browser:

(screenshot)

5. Additional configuration: disable the other verification methods

Security questions: $use_questions = false;

Email tokens: $use_tokens = false;

SMS: $use_sms = false;