1.在活动目录中新建一个用户,并赋予域管理员权限;
2.拷贝conf目录下的config.inc.php为config.inc.local.php;
3.按自己的实际情况及要求修改config.inc.local.php文件中的相关参数,说明如下:
<?php #============================================================================== # LTB Self Service Password # # Copyright (C) 2009 Clement OUDOT # Copyright (C) 2009 LTB-project.org # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # GPL License: http://www.gnu.org/licenses/gpl.txt # #============================================================================== #============================================================================== # All the default values are kept here, you should not modify it but use # config.inc.local.php file instead to override the settings from here. #============================================================================== #============================================================================== # Configuration #============================================================================== # Debug mode # true: log and display any errors or warnings (use this in configuration/testing) # false: log only errors and do not display them (use this in production) $debug = false; //调试模式 # LDAP $ldap_url = "LDAPS://dc.xxxx.cn"; //LDAP服务器地址 $ldap_starttls = false; ////LDAP服务器是否支持TLS $ldap_binddn = "CN=xxx,CN=Users,DC=xxxx,DC=cn"; //连接LDAP服务器的账户DN $ldap_bindpw = "xxxxxx"; //连接LDAP服务器的账户DN的密码 $ldap_base = "OU=1-XXXX,DC=xxxx,DC=cn"; //检索OU的路径 $ldap_login_attribute = "sAMAccountName"; //LDAP用户名字段 $ldap_fullname_attribute = "cn"; //LDAP用户全名字段 $ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; //过滤LDAP用户规则 # Active Directory mode # true: use unicodePwd as password field # false: LDAPv3 standard behavior $ad_mode = true; //是否启用Active Directory模式 # Force account unlock when password is changed $ad_options['force_unlock'] = true; //强制解锁:当密码更改将解锁锁定帐户 # Force user change password at next login $ad_options['force_pwd_change'] = false; //强制用户在下次登录时更改密码 # Allow user with expired password to change password $ad_options['change_expired_password'] = true; //允许用户更改密码,如果密码过期 # Samba mode # true: update sambaNTpassword and sambaPwdLastSet attributes too # false: just update the password $samba_mode = false; //是否启用Samba模式 # Set password min/max age in Samba attributes #$samba_options['min_age'] = 5; #$samba_options['max_age'] = 45; # Shadow options - require shadowAccount objectClass # Update shadowLastChange $shadow_options['update_shadowLastChange'] = false; $shadow_options['update_shadowExpire'] = false; # Default to -1, never expire $shadow_options['shadow_expire_days'] = -1; # Hash mechanism for password: # SSHA, SSHA256, SSHA384, SSHA512 # SHA, SHA256, SHA384, SHA512 # SMD5 # MD5 # CRYPT # clear (the default) # auto (will check the hash of current password) # This option is not used with ad_mode = true $hash = "clear"; //启用密码加密算法,此选项在Active Directory模式下被忽略。 # Prefix to use for salt with CRYPT $hash_options['crypt_salt_prefix'] = "$6$"; $hash_options['crypt_salt_length'] = "6"; # Local password policy # This is applied before directory password policy # Minimal length $pwd_min_length = 6; //定义最短密码位数 # Maximal length $pwd_max_length = 14; //定义最长密码位数 # Minimal lower characters $pwd_min_lower = 0; //定义密码应包含多少位小写字母 # Minimal upper characters $pwd_min_upper = 0; //定义密码应包含多少位大写字母 # Minimal digit characters $pwd_min_digit = 0; //定义密码应包含多少位数字 # Minimal special characters $pwd_min_special = 0; //定义密码应包含多少位特殊字符 # Definition of special characters $pwd_special_chars = "^a-zA-Z0-9"; //定义密码正则表达式 # Forbidden characters #$pwd_forbidden_chars = "@%"; //定义密码禁止的特殊字符 # Don't reuse the same password as currently $pwd_no_reuse = true; //是否禁止使用重复密码 # Check that password is different than login $pwd_diff_login = true; //检查密码是否与登录密码不同 # Complexity: number of different class of character required $pwd_complexity = 3; //定义密码应包含多少种组合 # use pwnedpasswords api v2 to securely check if the password has been on a leak $use_pwnedpasswords = false; //检查密码是否已在https://haveibeenpwned.com数据库中泄露 # Show policy constraints message: # always # never # onerror $pwd_show_policy = "always"; //是否显示密码更改策略 # Position of password policy constraints message: # above - the form # below - the form $pwd_show_policy_pos = "above"; //定义密码更改策略显示位置 # Who changes the password? # Also applicable for question/answer save # user: the user itself # manager: the above binddn $who_change_password = "manager"; //定义使用什么账户来修改密码,如选用manager请确保binddn用户有修改用户密码的权限(建议域管理员身份) ## Standard change # Use standard change form? $use_change = true; //启用密码更改功能 ## SSH Key Change # Allow changing of sshPublicKey? $change_sshkey = false; # What attribute should be changed by the changesshkey action? $change_sshkey_attribute = "sshPublicKey"; # Who changes the sshPublicKey attribute? # Also applicable for question/answer save # user: the user itself # manager: the above binddn $who_change_sshkey = "user"; # Notify users anytime their sshPublicKey is changed ## Requires mail configuration below $notify_on_sshkey_change = false; ## Questions/answers # Use questions/answers? # true (default) # false $use_questions = true; //启用问题答案修改密码功能 # Answer attribute should be hidden to users! $answer_objectClass = "user"; //如果$answer_attribute属性不是在标准用户对象类,配置对象类与此属性的使用方法,在Active Directory中,extensibleObject的是不知道。您可以使用user, $answer_attribute = "info"; //LDAP用户存储问题密码字段,属性名称必须是小写 # Crypt answers inside the directory $crypt_answers = false; //是否加密问题答案 # Extra questions (built-in questions are in lang/$lang.inc.php) #$messages['questions']['ice'] = "What is your favorite ice cream flavor?"; $messages['questions']['Q3'] = "你少年时代最好的朋友叫什么名字?"; //额外的问题 $messages['questions']['Q4'] = "你的第一个宠物叫什么名字?"; $messages['questions']['Q5'] = "你第一次坐飞机是去哪里?"; $messages['questions']['Q6'] = "你的理想工作是什么?"; $messages['questions']['Q7'] = "你拥有的第一辆车是什么型号?"; $messages['questions']['Q8'] = "你童年时代的绰号是什么?"; $messages['questions']['Q9'] = "你的第一个上司叫什么名字?"; $messages['questions']['Q10'] = "您最喜欢哪个球队?"; ## Token # Use tokens? # true (default) # false $use_tokens = true; //启用邮件修改密码功能 # Crypt tokens? # true (default) # false $crypt_tokens = true; //是否保持会话标识符,就是令牌生命周期 # Token lifetime in seconds $token_lifetime = "3600"; //保持会话标识符时长(秒) ## Mail # LDAP mail attribute $mail_attribute = "wWWHomePage"; //LDAP用户存储邮箱地址字段 # Get mail address directly from LDAP (only first mail entry) # and hide mail input field # default = false $mail_address_use_ldap = false; //是否直接从LDAP获取邮件地址并隐藏邮件输入字段 # Who the email should come from $mail_from = "service@xxxx.cn"; //定义邮件发件人地址 $mail_from_name = "Service"; //定义邮件发件人名称 $mail_signature = ""; //定义邮件发件人签名 # Notify users anytime their password is changed $notify_on_change = true; //定义更改密码时是否通知用户 # PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer) //设置PHPMailer的所有参数 $mail_sendmailpath = '/usr/sbin/sendmail'; $mail_protocol = 'smtp'; $mail_smtp_debug = 0; $mail_debug_format = 'html'; $mail_smtp_host = 'mail.xxxx.cn'; $mail_smtp_auth = true; $mail_smtp_user = 'service@xxxx.cn'; $mail_smtp_pass = 'xxxxxx'; $mail_smtp_port = 587; $mail_smtp_timeout = 30; $mail_smtp_keepalive = false; $mail_smtp_secure = 'tls'; $mail_smtp_autotls = true; $mail_contenttype = 'text/plain'; $mail_wordwrap = 0; $mail_charset = 'utf-8'; $mail_priority = 3; $mail_newline = PHP_EOL; ## SMS # Use sms $use_sms = true; //启用短信修改密码功能 # SMS method (mail, api) $sms_method = "api"; //定义使用哪种方法发送短信 $sms_api_lib = "lib/smsapi.inc.php"; //API脚本配置 # GSM number attribute $sms_attribute = "mobile"; //LDAP用户存储手机号码字段 # Partially hide number $sms_partially_hide_number = true; //页面是否部分隐藏号码 # Send SMS mail to address $smsmailto = "{sms_attribute}@service.provider.com"; //定义使用mail方法发送短信时发送短信到的邮件地址 # Subject when sending email to SMTP to SMS provider $smsmail_subject = "Provider code"; //定义向SMTP提供商发送电子邮件时的主题 # Message $sms_message = "{smsresetmessage} {smstoken}"; //定义消息模板 # Remove non digit characters from GSM number $sms_sanitize_number = false; //从手机号码中删除非数字字符 # Truncate GSM number $sms_truncate_number = false; //是否截断手机号码 $sms_truncate_number_length = 10; # SMS token length $sms_token_length = 6; //短信验证码长度 # Max attempts allowed for SMS token $max_attempts = 3; //单个短信验证码重试次数 # Encryption, decryption keyphrase, required if $crypt_tokens = true # Please change it to anything long, random and complicated, you do not have to remember it # Changing it will also invalidate all previous tokens and SMS codes $keyphrase = "xxxxxx"; //密钥短语,如果$crypt_tokens = true则需要更改为任何内容,不必记住它,更改它也会使所有以前的令牌和短信代码无效。 # Reset URL (if behind a reverse proxy) #$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME']; //默认情况下,重置密码URL使用服务器名称和端口计算的,但如果应用背后是一个反向代理,这些值可能是错误的。在这种情况下,你可以自己设置网址 # Display help messages $show_help = true; //是否显示帮助信息 # Default language $lang = "zh-CN"; //默认显示语言 # List of authorized languages. If empty, all language are allowed. # If not empty and the user's browser language setting is not in that list, language from $lang will be used. $allowed_lang = array(); //定义授权语言列表。 如果为空,则允许使用所有语言。 # Display menu on top $show_menu = true; //是否显示导航栏 # Logo $logo = "images/logo.png"; //LOGO地址 # Background image $background_image = "images/unsplash-lanse.jpg"; //背景图调用 # Where to log password resets - Make sure apache has write permission # By default, they are logged in Apache log $reset_request_log = "logs/self.log"; //定义日志存放路径,默认生成的URL记录在Apache日志中。 # Invalid characters in login # Set at least "*()&|" to prevent LDAP injection # If empty, only alphanumeric characters are accepted $login_forbidden_chars = "*()&|"; //登录保护,以避免LDAP注射。某些字符是被禁止的 ## CAPTCHA //以下为谷歌CAPTCHA验证码调用配置 # Use Google reCAPTCHA (http://www.google.com/recaptcha) $use_recaptcha = false; # Go on the site to get public and private key $recaptcha_publickey = ""; $recaptcha_privatekey = ""; # Customization (see https://developers.google.com/recaptcha/docs/display) $recaptcha_theme = "light"; $recaptcha_type = "image"; $recaptcha_size = "normal"; # reCAPTCHA request method, null for default, Fully Qualified Class Name to override # Useful when allow_url_fopen=0 ex. $recaptcha_request_method = '\ReCaptcha\RequestMethod\CurlPost'; $recaptcha_request_method = null; ## Default action # change # sendtoken # sendsms $default_action = "change"; //配置默认页面 ## Extra messages //编辑消息模板 # They can also be defined in lang/ files #$messages['passwordchangedextramessage'] = NULL; $messages['changehelpextramessage'] = ">>帐户被锁定请使用导航栏中的其他方式解锁账户并重置密码。<br />回答问题重置密码:请确认您已自行设置答案。<br />通过邮件发送链接:请确认您已联系管理员设置邮箱。<br />通过短信重置密码:请确认您已联系管理员设置手机号码。"; # Launch a posthook script after successful password change #$posthook = "/usr/share/self-service-password/posthook.sh"; //密码更改成功后启动posthook脚本 #$display_posthook_error = true; # Hide some messages to not disclose sensitive information # These messages will be replaced by badcredentials error $obscure_failure_messages = array("mailnomatch"); //让一些错误不显示