CentOS7 deployment of self-service-password

The purpose of installing self-service-password is to solve the pain point of manually changing passwords for LDAP or Windows AD administrators. Generally, LDAP deployed by enterprises has a password expiration policy, which requires users to change their passwords themselves within a specified period of time to update the password usage cycle.

1、Installation of self-service-password dependencies

1.1 There is a description here of what is required to rely on the

Apache or another web server (Here it is with Nginx)

php (>=7.4) (Here it is with PHP 8.0)

php-curl (haveibeenpwned api)

php-filter

php-gd (captcha)

php-ldap

php-mbstring (reset mail) (This requires the epel source to be installed in order for yum to work.)

php-openssl (token crypt, probably built-in)

Smarty (version >=3) (Note the version for this installation, after modifying the default php library file paths)

⚠️ 注意 The following compilation and installation default is already installed gcc or gcc-c++ compilation, not installed according to their own needs to install, as well as in the compilation and installation of PHP is missing the appropriate library files, you need to install the appropriate installation package according to the situation.

1.2 Compile and install openssl Download the latest version of openssl at openssl official website.

1
tar -xvf openssl-1.1.1v.tar.gz -C /usr/local/src/
2
cd /usr/local/src/openssl-1.1.1v
3
./config --prefix=/opt/openssl
4
make && make install

1.3 Compile and install openldap I have the TLS version installed on my side

1
tar -xvf openldap-2.5.16.tar.gz -C /usr/local/src/
2
cd /usr/local/src/openldap-2.5.16
3
export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig
4
env CPPFLAGS="-I/opt/openssl/include" LDFLAGS="-L/opt/openssl/lib -D_GNU_SOURCE" ./configure --prefix=/opt/openldap
5
make && make install

1.4 Compile and Install Nginx

1
tar -xvf nginx-1.24.0.tar.gz -C /usr/local/src/
2
cd /usr/local/src/nginx-1.24.0
3
./configure \
4
--prefix=/usr/local/nginx \
5
--with-http_realip_module \
6
--with-http_sub_module \
7
--with-http_gzip_static_module \
8
--with-http_stub_status_module \
9
--with-http_ssl_module  \
10
--with-http_v2_module \
11
--with-openssl=/usr/local/src/openssl-1.1.1v \
12
--with-pcre=/usr/local/src/pcre-8.45 \
13
--with-zlib=/usr/local/src/zlib-1.2.12
14

15
make && make install

1.5 Compile and install php

1
tar -xvf php-8.0.30.tar.gz -C /usr/local/src/
2
cd /usr/local/src/php-8.0.30
3
./configure \
4
--prefix=/usr/local/php8 \
5
--exec-prefix=/usr/local/php8 \
6
--bindir=/usr/local/php8/bin \
7
--sbindir=/usr/local/php8/sbin \
8
--includedir=/usr/local/php8/include \
9
--libdir=/usr/local/php8/lib/php \
10
--mandir=/usr/local/php8/php/man \
11
--with-config-file-path=/usr/local/php8/etc \
12
--enable-fpm \
13
--enable-fastcgi \
14
--with-curl \
15
--enable-filter \
16
--enable-gd \
17
--with-ldap=/opt/openldap \
18
--enable-mbstring \
19
--with-openssl=/opt/openssl
20

21
make && make install

1.5.1 Compile and install php extension gd.so module After compiling php according to the above, there is no gd.so module by default, due to the use of self-service-password image verification code function, this module must have First install the image dependency packages

1
tar -xvf libpng-1.6.40.tar.gz -C /usr/local/src/
2
tar -xvf jpegsrc.v9e.tar.gz -C /usr/local/src/
3
tar -xvf freetype-2.13.1.tar.gz -C /usr/local/src/
4

5
cd /usr/local/src/libpng-1.6.40
6
./configure --prefix=/opt/libpng
7
make && make install
8

9

10
cd /usr/local/src/jpegsrc.v9e
11
./configure --prefix=/opt/jpeg
12
make && make install
13

14
cd /usr/local/src/freetype-2.13.1
15
./configure --prefix=/opt/freetype
16
make && make install

Compile the php extension gd again

1
yum install autoconf
2
cd /usr/local/src/php-8.0.30/ext/gd
3
/usr/local/php/bin/phpize
4
./configure \
5
--with-php-config=/usr/local/php8/bin/php-config \
6
--with-libdir=/opt/libpng/lib \
7
--with-freetype=/opt/freetype/lib \
8
--with-jpeg=/opt/jpeg/lib
9

10
make && make install

At this point something like /usr/local/php8/lib/php/extensions/no-debug-non-zts-20200930 directory with gd.so module

2、Editing Service Configuration Files

2.1 php services Compiling php.ini

1
###### Avoid exposing PHP information in http headers
2
expose_php = Off
3

4
###### Avoid exposing php calls to mysql error messages
5
display_errors = Off
6

7
###### Turn on PHP error logging with display_errors turned off (path configured in php-fpm.conf)
8
log_errors = On
9

10
###### Setting the path to PHP's extension libraries
11
extension_dir = "/usr/local/php8/lib/php/extensions/no-debug-non-zts-20200930/"
12

13
###### Setting up PHP opcache and mysql dynamic libraries
14
zend_extension=opcache.so
15
extension=gd.so
16

17
###### Setting the PHP time zone
18
date.timezone = PRC
19

20
###### Enable opcache
21
[opcache]
22
; Determines if Zend OPCache is enabled
23
opcache.enable=1
24

25
###### Set the directories that PHP scripts are allowed to access (needs to be configured accordingly)
26
;open_basedir = /usr/local/nginx/www;

Compiling php-fpm.conf

1
error_log = /var/log/php-fpm/error.log
2
###### Introducing configuration in the www.conf file
3
include=/usr/local/php8/etc/php-fpm.d/*.conf

Edit www.conf

1
###### Setting up users and user groups
2
user = nginx
3
group = nginx
4

5
###### According to the configuration fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock in nginx.conf; set up PHP listening
6
; listen = 127.0.0.1:9000   ##### Not recommended
7
listen = /var/run/php-fpm/php-fpm.sock
8

9
###### Enable slow logging
10
slowlog = /var/log/php-fpm/$pool-slow.log
11
request_slowlog_timeout = 10s
12

13
###### Setting up the session directory for php (users and usergroups belonging to it are nginx)
14
php_value[session.save_handler] = files
15
php_value[session.save_path] = /var/lib/php/session

2.2 Nginx Services Editing nginx.conf

1
user nginx nginx;
2

3
worker_processes  auto;
4

5
...omission...
6

7
events {
8
  use epoll;
9
  worker_connections 65535;
10
}
11

12
http {
13
  include       mime.types;
14
  default_type  application/octet-stream;
15
  server_tokens off;
16

17
  ...omission...
18

19
  server {
20
    listen       80;
21
    server_name  localhost;
22

23
    root    www/self/htdocs;
24
    index   index.php index.html index.htm;
25

26
    location ~* \.php$ {
27
      fastcgi_pass  unix:/var/run/php-fpm/php-fpm.sock;
28
      fastcgi_split_path_info       ^(.+\.php)(/.+)$;
29
      fastcgi_param PATH_INFO       $fastcgi_path_info;
30
      fastcgi_param PATH_TRANSLATED /usr/local/nginx/www/self/htdocs$fastcgi_path_info;
31
      fastcgi_param SCRIPT_FILENAME /usr/local/nginx/www/self/htdocs$fastcgi_script_name;
32
      fastcgi_index index.php;
33
        try_files $fastcgi_script_name =404;
34
      fastcgi_read_timeout 600;
35
      include fastcgi_params;
36
    }
37

38
    ...omission...
39

40
  }
41

42
}

⚠️ 注意 Since I am using nginx user with /sbin/nologin attribute, defining the web project directory permissions as nginx:nginx, accessing the page via GET prompts 403, and I can only put the web project directory under the nginx installation directory, and then accessing the page via GET again is normal.

2.3 Configuring the self-service-password service Smarty library At this time self-service-password php service can not yet be accessed normally, because its default Smarty library files are pointing to the /usr/share/ directory, the service can not be found, and you have to download the latest version of this page is labeled > corresponds to the Version use the specified php version, to download then point here

1
tar -xvf smarty-4.3.2.tar.gz
2
cd smarty-4.3.2
3
mv libs /usr/local/nginx/www/self/smarty

Edit /usr/local/nginx/www/self/conf/config.inc.php

1
### Change around 410 lines
2
if (!defined("SMARTY")) {
3
     define("SMARTY", "/usr/share/self/smarty/Smarty.class.php");
4
}
5

6
modify to
7

8
if (!defined("SMARTY")) {
9
     define("SMARTY", "/usr/local/nginx/www/self/smarty/Smarty.class.php");
10
}
11

12
Eliminate comments around lines 397-398
13
$smarty_compile_dir = "/usr/local/nginx/www/self/templates_c";
14
$smarty_cache_dir = "/usr/local/nginx/www/self/cache";
15

16
Change the path to the path you set

3、Configuring the self-service-password service

Edit /usr/local/nginx/www/self/conf/config.inc.php

1
$keyphrase                    # This parameter is followed by a random string of random characters, otherwise the page will not display correctly
2
$use_questions = false;       # Close issue retrieval
3
$use_sms = false;            # Disable SMS retrieval
4
use_tokens = false;           # Disable Email retrieval
5

6
# I don't use any of these features, so I turned them all off, but if you need them, turn them on and configure them accordingly.
7

8
$use_captcha = true;          # Enable Image Captcha
9
$pwd_min_length = 8;          # Minimum password length
10
$pwd_max_length = 32;         # Maximum password length
11
$pwd_complexity = 3;          # Passwords contain several character types
12
$pwd_show_policy = "always";  # Page Display Password Policy
13

14
The last is the LDAP-related configuration, according to the parameters corresponding to fill in on it.

4、The final picture of the finished product

CentOS7 deployment of self-service-password

https://huoshen.pages.dev/p/5af3baa2/

Author

Koevn

Published at

August 17, 2023

License

CC BY-NC-SA 4.0