Letting users manage their own LDAP passwords -- Self Service Password

After integrating OpenLDAP into GitLab (see the earlier post "Configuring GitLab with OpenLDAP"), account management becomes a real problem: GitLab offers no entry point for users to manage their own passwords, and you cannot have the LDAP administrator reset or manage every user's password, which is a lot of work and carries no small risk. So letting users change their own LDAP passwords became a pressing need.

After some searching and comparison, we chose Self Service Password as the platform for users to reset their own LDAP passwords. Self Service Password not only lets users set a new password using their old one, it can also reset passwords via security questions, email, or SMS, which is very convenient. The installation and configuration steps follow.

Install Apache and PHP

Install Apache and PHP following the earlier post "LAMP manual installation summary".

  • Add the PHP mbstring, PHP ldap and PHP mcrypt modules
cd php-5.6.28/ext/mbstring
sudo /usr/local/php-5.6.28/bin/phpize
sudo ./configure --with-php-config=/usr/local/php-5.6.28/bin/php-config
sudo make && sudo make install
sudo sh -c 'echo "extension=/usr/local/php-5.6.28/lib/php/extensions/no-debug-zts-20131226/mbstring.so" >> /usr/local/php-5.6.28/etc/php.ini'
cd -

sudo yum install epel-release
# Some older epel repos lack the required packages, and "install" will not update an already-installed package, so it is best to reinstall
sudo yum reinstall epel-release
sudo yum install libmcrypt libmcrypt-*
cd php-5.6.28/ext/mcrypt
sudo /usr/local/php-5.6.28/bin/phpize
sudo ./configure --with-php-config=/usr/local/php-5.6.28/bin/php-config
sudo make && sudo make install
sudo sh -c 'echo "extension=/usr/local/php-5.6.28/lib/php/extensions/no-debug-zts-20131226/mcrypt.so" >> /usr/local/php-5.6.28/etc/php.ini'
cd -

sudo cp /usr/lib64/libldap* /usr/lib
cd php-5.6.28/ext/ldap
sudo /usr/local/php-5.6.28/bin/phpize
sudo ./configure --with-php-config=/usr/local/php-5.6.28/bin/php-config
sudo make && sudo make install
sudo sh -c 'echo "extension=/usr/local/php-5.6.28/lib/php/extensions/no-debug-zts-20131226/ldap.so" >> /usr/local/php-5.6.28/etc/php.ini'
cd -

Download self-service-password and extract it to the target directory

Downloads from the official site are slow; if you don't mind the extra step, you can download it manually from this site (please don't redistribute it).

wget http://tools.ltb-project.org/attachments/download/889/ltb-project-self-service-password-1.0.tar.gz
tar zxvf ltb-project-self-service-password-1.0.tar.gz
mv ltb-project-self-service-password-1.0 /usr/local/httpd-2.4.23/htdocs/self-service-password

Set up an access alias

echo "
Alias /ssp /usr/local/httpd-2.4.23/htdocs/self-service-password

<Directory /usr/local/httpd-2.4.23/htdocs/self-service-password>
DirectoryIndex index.php
AddDefaultCharset UTF-8
</Directory>
" > /usr/local/httpd-2.4.23/conf.d/self-service-password.conf

Configure self-service-password

Edit /usr/local/httpd-2.4.23/htdocs/self-service-password/conf/config.inc.php as needed:

#==============================================================================
# Configuration
#==============================================================================
# LDAP
$ldap_url = "ldap://127.0.0.1:389";
$ldap_starttls = false;
$ldap_binddn = "cn=hzz,dc=huangzhongzhang,dc=cn";
$ldap_bindpw = "123456";
$ldap_base = "dc=huangzhongzhang,dc=cn";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";

...

# Hash mechanism for password:
# SSHA
# SHA
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
# Choose how new passwords are hashed; the default "clear" stores them in plaintext
$hash = "SSHA";

...

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
# Choose whose permissions are used to make the change
$who_change_password = "manager";

...

The $who_change_password = "manager"; setting deserves special mention. By default, ordinary users have no permission to modify LDAP, so if you set this to user you must grant users the right to modify their own entries in the LDAP configuration. manager means an ordinary user changes their own password using the permissions of the account configured in $ldap_binddn, so no changes to user permissions in LDAP are needed.
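To make the $hash options above concrete, here is an added example (my own Python, not SSP's code) that encodes a password in the {SSHA}, {SHA}, {SMD5} and {MD5} userPassword formats OpenLDAP expects, and verifies a candidate the way $hash = "auto" does: by reading the scheme from the stored value's prefix. It also shows why the "clear" default is worth changing. All function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Storage schemes from SSP's config.inc.php ($hash). Stored form:
#   "{SCHEME}" + base64(digest(password + salt) + salt)
# The salt is empty for the unsalted schemes (SHA, MD5).
SCHEMES = {
    "SSHA": ("sha1", True),
    "SHA": ("sha1", False),
    "SMD5": ("md5", True),
    "MD5": ("md5", False),
}


def hash_password(password: str, scheme: str = "SSHA", salt: Optional[bytes] = None) -> str:
    """Return the userPassword value for `password` under `scheme`.
    "clear" stores the password verbatim (SSP's default), which is the
    reason the configuration above switches to SSHA."""
    if scheme == "clear":
        return password
    algo, salted = SCHEMES[scheme]
    salt = (os.urandom(4) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def detect_scheme(stored: str) -> str:
    """What $hash = "auto" relies on: the scheme prefix of the stored value."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")].upper()
    return "clear"


def verify_password(stored: str, candidate: str) -> bool:
    """Check `candidate` against a stored userPassword value of any scheme above."""
    scheme = detect_scheme(stored)
    if scheme == "clear":
        return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(stored[len(scheme) + 2:])
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], (raw[size:] if salted else b"")
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)
```

Because SSHA salts each password, two users with the same password get different stored values, which is not true of SHA or MD5.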

Restart Apache

/usr/local/httpd-2.4.23/bin/apachectl restart

After restarting Apache, ordinary users can visit http://127.0.0.1/ssp to change their LDAP password:

[screenshots: self-service-password]