Install / upgrade PHP
Reference (CentOS 6/7, upgrading PHP 5.6 to 7.1/7.2): https://www.centos.bz/2018/05/centos-6-7-%E5%8D%87%E7%BA%A7-php-5-6-%E5%88%B0-7-1-7-2/
Install Self Service Password
Download: https://ltb-project.org/download#self_service_password
Installation reference: https://ltb-project.org/documentation/self-service-password/latest/install_rpm
Import the LTB project signing key first so that yum can verify the package signature, then install the downloaded RPM (VERSION stands for the version you downloaded):
rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project
yum localinstall self-service-password-VERSION.noarch.rpm
Configuration reference:
Configuration file: /usr/share/self-service-password/conf/config.inc.php
The file is organised into the following sections:
- Web server
- General parameters
- LDAP connection
- Password policy
- Reset by questions
- Reset by mail tokens
- Reset by SMS
- reCAPTCHA
- Post Hook
SSL configuration (in the TLS_CACERT line below, 证书文件 is a placeholder for the CA certificate file name). PHP's ldap extension uses libldap, which reads this file, so pointing TLS_CACERT at the CA that signed the AD/LDAP server certificate is what lets ldaps:// and STARTTLS connections from the application validate the server:
/etc/openldap/ldap.conf
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERTDIR /etc/openldap/certs
TLS_CACERT /etc/openldap/certs/证书文件
Password reset by answering security questions
# Answer attribute should be hidden to users!
$answer_objectClass = "user";
$answer_attribute = "comment";
# Crypt answers inside the directory
$crypt_answers = true;
# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
$messages['questions']['Q3'] = "你少年时代最好的朋友叫什么名字?"; // extra questions
$messages['questions']['Q4'] = "你的第一个宠物叫什么名字?";
$messages['questions']['Q5'] = "你第一次坐飞机是去哪里?";
$messages['questions']['Q6'] = "你的理想工作是什么?";
$messages['questions']['Q7'] = "你拥有的第一辆车是什么型号?";
$messages['questions']['Q8'] = "你童年时代的绰号是什么?";
$messages['questions']['Q9'] = "你的第一个上司叫什么名字?";
$messages['questions']['Q10'] = "您最喜欢哪个球队?";
Issues encountered:
1. Password change configuration:
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";
In testing, users could not change their own password (user); after switching to manager, password changes worked. With manager, the change is performed by the bind DN configured above, so that service account must hold password-reset rights on the users' OU and its credentials must be treated as privileged.
2. Writing the security-question answers into AD:
# Answer attribute should be hidden to users!
$answer_objectClass = "user";
$answer_attribute = "comment";
The answer attribute must map to an attribute that exists in the AD schema for the user object class; a wrong or made-up attribute name means the answers cannot be written into AD. As the comment in the config says, the chosen attribute should not be readable by ordinary users, so check its read permissions in AD, and keep $crypt_answers = true so the stored answers are hashed rather than kept in plain text.
3. Password complexity:
# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 7;
# Maximal length
$pwd_max_length = 0;
# Minimal lower characters
$pwd_min_lower = 1;
# Minimal upper characters
$pwd_min_upper = 1;
# Minimal digit characters
$pwd_min_digit = 1;
# Minimal special characters
$pwd_min_special = 1;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 3;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "onerror";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";
Align these values with the password complexity settings configured on the AD server. The local policy is checked before the directory's own policy, so if AD is stricter than these values a password can pass the local checks and still be rejected by AD with a generic error.
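To see how the values above combine, here is an added example (not Self Service Password's own code) that reimplements the local policy settings in Python as an offline model, and also models the $use_pwnedpasswords k-anonymity lookup with a constructed sample response instead of the live API. Assumptions in this example: lower/upper/digit counts use the ASCII classes [a-z], [A-Z] and [0-9]; $pwd_special_chars is treated as the body of a regex character class (so "^a-zA-Z0-9" means "anything not alphanumeric"); the rule names returned, the order of checks and the sample_fetch_range helper are this example's choices, not SSP's messages or API.

```python
"""Offline model of Self Service Password's local password policy.

Added example, not the project's own code. It reimplements the settings from
the config block above so their combined effect can be tested. Rule names,
check order and the regex-based class counting are assumptions of this model.
"""
import hashlib
import re

# Values copied from the config block on this page.
# pwd_forbidden_chars is commented out there, so no characters are forbidden.
POLICY = {
    "pwd_min_length": 7,
    "pwd_max_length": 0,        # 0 means no maximum
    "pwd_min_lower": 1,
    "pwd_min_upper": 1,
    "pwd_min_digit": 1,
    "pwd_min_special": 1,
    "pwd_special_chars": "^a-zA-Z0-9",   # regex class body: anything not alphanumeric
    "pwd_forbidden_chars": "",
    "pwd_no_reuse": True,
    "pwd_diff_login": True,
    "pwd_complexity": 3,        # distinct character classes required
}


def count_classes(password, special_chars):
    """Return (lower, upper, digit, special) character counts (assumed ASCII classes)."""
    lower = len(re.findall(r"[a-z]", password))
    upper = len(re.findall(r"[A-Z]", password))
    digit = len(re.findall(r"[0-9]", password))
    special = len(re.findall("[" + special_chars + "]", password))
    return lower, upper, digit, special


def check_password(password, login, old_password=None, policy=POLICY):
    """Return the list of violated rules; an empty list means the password passes."""
    errors = []
    length = len(password)
    if length < policy["pwd_min_length"]:
        errors.append("pwd_min_length")
    if policy["pwd_max_length"] and length > policy["pwd_max_length"]:
        errors.append("pwd_max_length")

    lower, upper, digit, special = count_classes(password, policy["pwd_special_chars"])
    for name, count in (("pwd_min_lower", lower), ("pwd_min_upper", upper),
                        ("pwd_min_digit", digit), ("pwd_min_special", special)):
        if count < policy[name]:
            errors.append(name)

    if set(policy["pwd_forbidden_chars"]) & set(password):
        errors.append("pwd_forbidden_chars")
    if policy["pwd_no_reuse"] and old_password is not None and password == old_password:
        errors.append("pwd_no_reuse")
    if policy["pwd_diff_login"] and password == login:
        errors.append("pwd_diff_login")

    # Complexity counts how many of the four classes are present at all,
    # independently of the per-class minimums checked above.
    classes_present = sum(1 for c in (lower, upper, digit, special) if c > 0)
    if classes_present < policy["pwd_complexity"]:
        errors.append("pwd_complexity")
    return errors


# --- $use_pwnedpasswords: k-anonymity range lookup, modelled offline --------
# Only the first 5 hex characters of the SHA-1 leave the host; the API answers
# with the hash suffixes seen in breaches for that prefix, plus a count.
# SAMPLE_RANGES is a constructed stand-in for that response, not real data.
_PW_SHA1 = hashlib.sha1(b"password").hexdigest().upper()
SAMPLE_RANGES = {
    _PW_SHA1[:5]: "ABCDEF0123456789ABCDEF0123456789ABC:2\n"
                  + _PW_SHA1[5:] + ":123456\n",
}


def sample_fetch_range(prefix):
    """Hypothetical stand-in for an HTTPS GET of the /range/<prefix> endpoint."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password, fetch_range=sample_fetch_range):
    """Return how often the password appears in the (sample) breach data, 0 if never."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("abcdefg", "Alice1!", "Tr0ub4dor&3"):
        print(pw, "->", check_password(pw, "alice") or "OK")
    print("password ->", pwned_count("password"), "occurrences in the sample range")
```

Running the module shows that a lowercase-only password fails four rules at once (upper, digit, special and complexity), while a password equal to the login is rejected solely by pwd_diff_login even though it satisfies every class minimum; the pwned_count function illustrates why the comment in the config calls the check "secure": only a 5-character hash prefix is ever sent out, and the suffix comparison happens locally.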