self-service-password is installed to relieve LDAP or Windows AD administrators of resetting passwords by hand. Enterprise LDAP deployments generally enforce a password expiry policy, so users have to change their own passwords within the required window to renew the password's validity period.
1. Install the self-service-password dependencies
1.1 The required dependencies are listed here:
- Apache or another web server (Nginx is used here)
- php (>=7.4) (PHP 8.0 is used here)
- php-curl (haveibeenpwned api)
- php-filter
- php-gd (captcha)
- php-mbstring (reset mail) (this one needs the EPEL repository before it can be installed with yum)
- php-openssl (token crypt, probably built-in)
- Smarty (version >=3) (mind the version when installing it, and change the default PHP library file path afterwards)
⚠️ Note: the source builds below assume gcc or gcc-c++ is already installed; install it first if it is not. If the PHP build stops because a library is missing, install the corresponding package as needed.
1.2 Build and install openssl

Download the latest openssl release from the openssl website.

```sh
tar -xvf openssl-1.1.1v.tar.gz -C /usr/local/src/
cd /usr/local/src/openssl-1.1.1v
./config --prefix=/opt/openssl
make && make install
```

1.3 Build and install openldap

I installed the TLS version here.

```sh
tar -xvf openldap-2.5.16.tar.gz -C /usr/local/src/
cd /usr/local/src/openldap-2.5.16
export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig
env CPPFLAGS="-I/opt/openssl/include" LDFLAGS="-L/opt/openssl/lib -D_GNU_SOURCE" ./configure --prefix=/opt/openldap
make && make install
```

1.4 Build and install Nginx
```sh
tar -xvf nginx-1.24.0.tar.gz -C /usr/local/src/
cd /usr/local/src/nginx-1.24.0
./configure \
  --prefix=/usr/local/nginx \
  --with-http_realip_module \
  --with-http_sub_module \
  --with-http_gzip_static_module \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-openssl=/usr/local/src/openssl-1.1.1v \
  --with-pcre=/usr/local/src/pcre-8.45 \
  --with-zlib=/usr/local/src/zlib-1.2.12
make && make install
```

1.5 Build and install PHP
```sh
tar -xvf php-8.0.30.tar.gz -C /usr/local/src/
cd /usr/local/src/php-8.0.30
./configure \
  --prefix=/usr/local/php8 \
  --exec-prefix=/usr/local/php8 \
  --bindir=/usr/local/php8/bin \
  --sbindir=/usr/local/php8/sbin \
  --includedir=/usr/local/php8/include \
  --libdir=/usr/local/php8/lib/php \
  --mandir=/usr/local/php8/php/man \
  --with-config-file-path=/usr/local/php8/etc \
  --enable-fpm \
  --enable-fastcgi \
  --with-curl \
  --enable-filter \
  --enable-gd \
  --with-ldap=/opt/openldap \
  --enable-mbstring \
  --with-openssl=/opt/openssl
make && make install
```

1.5.1 Build the PHP gd.so extension

After building PHP as above there is no gd.so module by default. The self-service-password image captcha depends on it, so this module is mandatory. First install the image libraries:
```sh
tar -xvf libpng-1.6.40.tar.gz -C /usr/local/src/
tar -xvf jpegsrc.v9e.tar.gz -C /usr/local/src/
tar -xvf freetype-2.13.1.tar.gz -C /usr/local/src/

cd /usr/local/src/libpng-1.6.40
./configure --prefix=/opt/libpng
make && make install

cd /usr/local/src/jpegsrc.v9e
./configure --prefix=/opt/jpeg
make && make install

cd /usr/local/src/freetype-2.13.1
./configure --prefix=/opt/freetype
make && make install
```

Then build the gd extension:

```sh
yum install autoconf
cd /usr/local/src/php-8.0.30/ext/gd
/usr/local/php8/bin/phpize
./configure \
  --with-php-config=/usr/local/php8/bin/php-config \
  --with-libdir=/opt/libpng/lib \
  --with-freetype=/opt/freetype/lib \
  --with-jpeg=/opt/jpeg/lib
make && make install
```

Afterwards the gd.so module is present in a directory like /usr/local/php8/lib/php/extensions/no-debug-non-zts-20200930.
2. Edit the service configuration files

2.1 PHP service: edit php.ini
```ini
; Do not expose PHP in the HTTP response headers
expose_php = Off
; Do not display PHP error messages (e.g. from MySQL calls) to clients
display_errors = Off
; With display_errors off, log PHP errors instead (the log path is set in php-fpm.conf)
log_errors = On
; PHP extension directory
extension_dir = "/usr/local/php8/lib/php/extensions/no-debug-non-zts-20200930/"
; Load the opcache and gd shared extensions
zend_extension=opcache.so
extension=gd.so
; PHP time zone
date.timezone = PRC
; Enable opcache
[opcache]
; Determines if Zend OPCache is enabled
opcache.enable=1
; Directories PHP scripts are allowed to access (adjust to your environment)
;open_basedir = /usr/local/nginx/www
```

Edit php-fpm.conf:

```ini
error_log = /var/log/php-fpm/error.log
; Pull in the pool settings from www.conf
include=/usr/local/php8/etc/php-fpm.d/*.conf
```

Edit www.conf:

```ini
; Run the pool as the nginx user and group
user = nginx
group = nginx
; Must match fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; in nginx.conf
; listen = 127.0.0.1:9000    ; TCP listener, not recommended
listen = /var/run/php-fpm/php-fpm.sock
; Enable the slow log
slowlog = /var/log/php-fpm/$pool-slow.log
request_slowlog_timeout = 10s
; PHP session directory (owned by nginx:nginx)
php_value[session.save_handler] = files
php_value[session.save_path] = /var/lib/php/session
```

2.2 Nginx service: edit nginx.conf
```nginx
user nginx nginx;
worker_processes auto;
# ... omitted ...
events {
    use epoll;
    worker_connections 65535;
}
http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;
    # ... omitted ...
    server {
        listen 80;
        server_name localhost;
        root www/self/htdocs;
        index index.php index.html index.htm;
        location ~* \.php$ {
            fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED /usr/local/nginx/www/self/htdocs$fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME /usr/local/nginx/www/self/htdocs$fastcgi_script_name;
            fastcgi_index index.php;
            try_files $fastcgi_script_name =404;
            fastcgi_read_timeout 600;
            include fastcgi_params;
        }
        # ... omitted ...
    }
}
```

⚠️ Note: because I use an nginx user with the /sbin/nologin shell and set the web project directory's ownership to nginx:nginx, GET requests to the page returned 403; only after moving the web project directory under the nginx installation directory did GET requests work again.
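Before leaving the PHP and Nginx configuration, a quick way to confirm that the php.ini hardening from 2.1 (expose_php, display_errors, log_errors, open_basedir) actually took effect. This is an added POSIX shell example, not code from the original post or from self-service-password; `ini_value`, `audit_php_ini` and `write_samples` are names chosen here, and the two ini files it writes are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the php.ini hardening
# settings described above (expose_php, display_errors, log_errors, open_basedir).
# audit_php_ini FILE prints one line per finding and returns the finding count.

# Effective value of KEY ($2) in FILE ($1): ignores ';'-commented lines and inline
# comments, takes the last occurrence (as PHP does), strips quotes and spaces.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;]*\).*/\1/p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | tr 'A-Z' 'a-z'
}

audit_php_ini() {
    findings=0
    for pair in expose_php=off display_errors=off log_errors=on; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ini_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set (built-in default applies)"; findings=$((findings + 1))
        elif [ "$got" != "$want" ]; then
            echo "$key = $got (expected $want)"; findings=$((findings + 1))
        fi
    done
    # The post leaves open_basedir commented out; flag that so it is not forgotten.
    if [ -z "$(ini_value "$1" open_basedir)" ]; then
        echo "open_basedir: not set (PHP may read files outside the web root)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: a weak php.ini and the hardened settings from the post.
write_samples() {
    printf '%s\n' 'expose_php = On' 'display_errors = On' 'log_errors = Off' \
        ';open_basedir = /usr/local/nginx/www' > "$1/weak.ini"
    printf '%s\n' 'expose_php = Off' 'display_errors = Off' 'log_errors = On' \
        'open_basedir = /usr/local/nginx/www' > "$1/hardened.ini"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in weak hardened; do
    audit_php_ini "$dir/$f.ini" && echo "$f.ini: ok" || echo "$f.ini: $? finding(s)"
done
rm -rf "$dir"
```

Run it against the real file with `audit_php_ini /usr/local/php8/etc/php.ini` after `php-fpm` has been restarted; a non-zero return value is the number of settings that still differ from the intended ones.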
2.3 Configure the Smarty library for the self-service-password service

At this point the self-service-password PHP service still cannot be reached, because by default its Smarty library path points under /usr/share/ and the service cannot find it. You also need to download the latest Smarty version; this page notes which Smarty version goes with which PHP version, and the download is here.

```sh
tar -xvf smarty-4.3.2.tar.gz
cd smarty-4.3.2
mv libs /usr/local/nginx/www/self/smarty
```

Edit /usr/local/nginx/www/self/conf/config.inc.php
### Around line 410, change

```php
if (!defined("SMARTY")) {
    define("SMARTY", "/usr/share/self/smarty/Smarty.class.php");
}
```

to

```php
if (!defined("SMARTY")) {
    define("SMARTY", "/usr/local/nginx/www/self/smarty/Smarty.class.php");
}
```

Uncomment the two lines around lines 397-398:

```php
$smarty_compile_dir = "/usr/local/nginx/www/self/templates_c";
$smarty_cache_dir = "/usr/local/nginx/www/self/cache";
```

and replace the paths with the ones you set.

3. Configure the self-service-password service
Edit /usr/local/nginx/www/self/conf/config.inc.php

$keyphrase: enter a string of random characters for this parameter, otherwise the page will not render properly.

```php
$use_questions = false; // disable recovery via security questions
$use_sms = false;       // disable recovery via SMS
$use_tokens = false;    // disable recovery via e-mail token
```

# I don't use any of these features, so I disabled them all; enable the ones you need and configure them accordingly.

```php
$use_captcha = true;          // enable the image captcha
$pwd_min_length = 8;          // minimum password length
$pwd_max_length = 32;         // maximum password length
$pwd_complexity = 3;          // number of character classes the password must contain
$pwd_show_policy = "always";  // show the password policy on the page
```
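To see how the three policy values above interact before users hit the form, here is an added POSIX shell check; it is not code from self-service-password, `char_classes` and `check_password` are names chosen here, and treating lower-case, upper-case, digit and other characters as the four classes is an assumption about how $pwd_complexity is applied. The candidate passwords are constructed.

```shell
#!/bin/sh
# Added example, not self-service-password's own code: a check modelled on the
# policy values set above ($pwd_min_length = 8, $pwd_max_length = 32,
# $pwd_complexity = 3). check_password PASSWORD prints each reason a password
# would be rejected and returns 0 if it passes.
PWD_MIN_LENGTH=8
PWD_MAX_LENGTH=32
PWD_COMPLEXITY=3   # distinct character classes required (assumption: 4 classes below)

# Count how many of the classes lower, upper, digit, other occur in $1.
char_classes() {
    n=0
    printf '%s' "$1" | grep -q '[[:lower:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:upper:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[[:digit:]]'  && n=$((n + 1))
    printf '%s' "$1" | grep -q '[^[:alnum:]]' && n=$((n + 1))
    echo "$n"
}

check_password() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -m | tr -d ' ')
    ok=0
    if [ "$len" -lt "$PWD_MIN_LENGTH" ]; then
        echo "too short: $len < $PWD_MIN_LENGTH"; ok=1
    fi
    if [ "$len" -gt "$PWD_MAX_LENGTH" ]; then
        echo "too long: $len > $PWD_MAX_LENGTH"; ok=1
    fi
    classes=$(char_classes "$pw")
    if [ "$classes" -lt "$PWD_COMPLEXITY" ]; then
        echo "only $classes character class(es), $PWD_COMPLEXITY required"; ok=1
    fi
    return $ok
}

# Constructed candidates: one that satisfies the policy, one too short, one too uniform.
for candidate in 'Correct-Horse1' 'short1A' 'alllowercaseletters'; do
    if check_password "$candidate"; then
        echo "accepted: $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```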
Finally come the LDAP settings; fill them in parameter by parameter.

4. The finished result
