LDAP Password Change System: Self Service Password

Install or upgrade PHP

https://www.centos.bz/2018/05/centos-6-7-%E5%8D%87%E7%BA%A7-php-5-6-%E5%88%B0-7-1-7-2/

Install Self Service Password

Download: https://ltb-project.org/download#self_service_password

Reference: https://ltb-project.org/documentation/self-service-password/latest/install_rpm

rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

yum localinstall self-service-password-VERSION.noarch.rpm

Configuration reference:

Configuration file: /usr/share/self-service-password/conf/config.inc.php

SSL configuration:

/etc/openldap/ldap.conf

# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT  12
#TIMELIMIT  15
#DEREF      never
TLS_CACERTDIR /etc/openldap/certs
# 證書文件 is a placeholder for the CA certificate file name
TLS_CACERT /etc/openldap/certs/證書文件

Resetting the password by answering questions

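# Answer attribute should be hidden to users!
$answer_objectClass = "user";
$answer_attribute = "comment";
# Crypt answers inside the directory
$crypt_answers = true;
# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
# Extra questions; the trailing comments give an English gloss of each string
$messages['questions']['Q3'] = "你少年時代最好的朋友叫什么名字?";  // What was the name of your best friend as a teenager?
$messages['questions']['Q4'] = "你的第一個寵物叫什么名字?";  // What was the name of your first pet?
$messages['questions']['Q5'] = "你第一次坐飛機是去哪里?";  // Where did you go on your first flight?
$messages['questions']['Q6'] = "你的理想工作是什么?";  // What is your dream job?
$messages['questions']['Q7'] = "你擁有的第一輛車是什么型號?";  // What model was the first car you owned?
$messages['questions']['Q8'] = "你童年時代的綽號是什么?";  // What was your childhood nickname?
$messages['questions']['Q9'] = "你的第一個上司叫什么名字?";  // What was the name of your first boss?
$messages['questions']['Q10'] = "您最喜歡哪個球隊?";  // Which sports team is your favorite?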

Questions:

1. Password change configuration:

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";

In testing, users could not change their own passwords. After switching the setting to manager, the change worked.

2. Writing the security question settings to AD:

# Answer attribute should be hidden to users!
$answer_objectClass = "user";
$answer_attribute = "comment";

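The attribute used for the security question must map to an attribute that already exists in AD. A misspelled or arbitrary attribute name will prevent the question from being saved to AD.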

3. Password complexity:

# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 7;
# Maximal length
$pwd_max_length = 0;
# Minimal lower characters
$pwd_min_lower = 1;
# Minimal upper characters
$pwd_min_upper = 1;
# Minimal digit characters
$pwd_min_digit = 1;
# Minimal special characters
$pwd_min_special = 1;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 3;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "onerror";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";

Refer to the password complexity settings on the AD server.
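
The following is an added example, not Self Service Password's own code: a Python model of how the local policy values shown above combine, useful for checking candidate passwords against them before comparing with the AD policy. It assumes each pwd_min_* counter is enforced independently, that pwd_complexity counts the character classes present, and that pwd_special_chars is the body of a character class; the function name, rule labels and sample passwords are constructed.

```python
import re

# Values copied from the config.inc.php excerpt above.
POLICY = {
    "min_length": 7, "max_length": 0,          # 0 = no maximum
    "min_lower": 1, "min_upper": 1, "min_digit": 1, "min_special": 1,
    "special_chars": "^a-zA-Z0-9",
    "no_reuse": True, "diff_login": True, "complexity": 3,
}

def check_password(new, old, login, p=POLICY):
    """Return the violated rules (labels are this example's own); [] = accepted."""
    counts = {
        "lower": len(re.findall(r"[a-z]", new)),
        "upper": len(re.findall(r"[A-Z]", new)),
        "digit": len(re.findall(r"[0-9]", new)),
        # Assumption: the setting is the body of a character class, so
        # "^a-zA-Z0-9" means [^a-zA-Z0-9]: anything but an ASCII letter/digit.
        "special": len(re.findall("[" + p["special_chars"] + "]", new)),
    }
    errors = []
    if len(new) < p["min_length"]:
        errors.append("min_length")
    if p["max_length"] and len(new) > p["max_length"]:
        errors.append("max_length")
    for cls, n in counts.items():
        if n < p["min_" + cls]:
            errors.append("min_" + cls)
    if sum(1 for n in counts.values() if n) < p["complexity"]:
        errors.append("complexity")
    if p["no_reuse"] and new == old:
        errors.append("reuse")
    if p["diff_login"] and new == login:
        errors.append("same_as_login")
    return errors

# Constructed sample inputs: (new password, current password, login).
SAMPLES = [
    ("Summer2024", "Old#Pass1", "jdoe"),   # three classes, but no special char
    ("Tr1cky#Pass", "Old#Pass1", "jdoe"),  # satisfies every rule
    ("Pässw0rd", "Old#Pass1", "jdoe"),     # "ä" counts as a special character
    ("Old#Pass1", "Old#Pass1", "jdoe"),    # same as the current password
]

if __name__ == "__main__":
    for new, old, login in SAMPLES:
        print(f"{new!r}: {check_password(new, old, login) or 'accepted'}")
```

With every pwd_min_* set to 1, all four classes are already mandatory in this model, so $pwd_complexity = 3 never decides the outcome; a directory rule that accepts any three classes would allow Summer2024 while this local policy rejects it.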
