LDAP Tool Box Self Service Password-编程知识

手册地址：https://self-service-password.readthedocs.io/en/latest/

安装要求：

Apache or another web server
php (>=7.4)
php-curl (haveibeenpwned api)
php-filter
php-gd (captcha)
php-ldap
php-mbstring (reset mail)
php-openssl (token crypt, probably built-in)
Smarty (version >=3) （php-smarty）

CentOS安装：

yum install yum-utils
yum-config-manager --enable remi-php74
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-7.rpm
yum  install  php  php-gd  php-fpm  php-mbstring php-ldap php-filter php-curl  php-Smarty
vi etc/php-fpm.d/www.conf   #修改启动用户为nginx
systemctl enable php-fpm
#启动 php-fpm
systemctl start php-fpm
#下载self-service-password代码包
wget --no-check-certificate https://ltb-project.org/archives/ltb-project-self-service-password-1.5.3.tar.gz 
tar -zxvf ltb-project-self-service-password-1.5.3.tar.gz 
mv ltb-project-self-service-password-1.5.3 /usr/share/self-service-password
mv  /usr/share/php/Smarty/ /usr/share/php/smarty3/
chown nginx.nginx -R /usr/share/self-service-password/
chown nginx.nginx -R /var/log/php-fpm

官网Nginx 配置：

server {listen 80;
# Make site accessible from http://localhost/server_name selfpd.test.com.cn; #配置为实际主机名，邮件发送时链接以server_name的地址。
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.htmlsendfile off;gzip on;gzip_comp_level 6;gzip_min_length 1000;gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js;gzip_vary on;gzip_proxied any;gzip_disable "MSIE [1-6]\.(?!.*SV1)";access_log /data/logs/openresty/http_access.log http_log_access;
# pass the PHP scripts to FastCGI server listening on socketlocation / {root /usr/share/self-service-password/htdocs;index index.php index.html index.htm;}location ~ \.php {root /usr/share/self-service-password/htdocs;#fastcgi_pass unix:/var/run/php-fpm.socket;fastcgi_pass 127.0.0.1:9000;fastcgi_split_path_info       ^(.+\.php)(/.+)$;fastcgi_param PATH_INFO       $fastcgi_path_info;fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_index index.php;try_files $fastcgi_script_name =404;fastcgi_read_timeout 600;include fastcgi_params;}error_page 404 /404.html;location = /404.html {root /usr/share/nginx/html;internal;}
# deny access to . files, for security
#location ~ /\. {log_not_found off;deny all;}location ~ /scripts {log_not_found off;deny all;}
}

官网建议配置php.ini:
/etc/php.ini

session.save_path = /tmp
upload_max_filesize = 10M
post_max_size = 16M
max_execution_time = 600
request_terminate_timeout = 600
expose_php = Off
output_buffering = 4096

配置提示语

/usr/share/self-service-password/lang/zh-CN.inc.php

配置文件配置示例：
/usr/share/self-service-password/conf/config.inc.php

$use_captcha = true; #开启验证码
$use_sms = false; #关闭短信重置
$use_questions = false;#关闭问题重置
#ldap配置
# LDAP
$ldap_url = "ldap://127.0.0.1:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=test,dc=com";
$ldap_bindpw = '********';
// for GSSAPI authentication, comment out ldap_bind* and uncomment ldap_krb5ccname lines
//$ldap_krb5ccname = "/path/to/krb5cc";
$ldap_base = "dc=test,dc=com";
$ldap_login_attribute = "sn";#默认为uid
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;
$keyphrase = "secret@hssssaaak";#需要更改,不然访问报错
**#邮件配置：**
# Token lifetime in secondst重置密码链接的有效时间
$token_lifetime = "300";## Mail
# LDAP mail attribute
$mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true; #密码找回不需要输入邮箱
# Who the email should come from
$mail_from = "xxxxx@163.com";
$mail_from_name = "ldappass";
$mail_signature = "本邮件为通过密码自助修改LDAP账号密码，无需回复,此链接有效时间5分钟";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'smtphm.qiye.163.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'xxxxx@163.com';
$mail_smtp_pass = '授权码';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = '';
#$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;……………………
# Hash mechanism for password:
$hash = "MD5";设置重置密码时的加密算法，默认clear，为明文