Public network environment

  • Use the ready-made Docker image

Create the data directories

mkdir -pv /data/openldap/self-service-password/{htdocs,logs}
mkdir /data/docker-compose/openldap/ssp/

docker-compose file

cat > /data/docker-compose/openldap/ssp/docker-compose.yml << EOF
version: "3"
services:
  self-service-password:
    container_name: self-service-password
    image: tiredofit/self-service-password:latest
    restart: always
    ports:
      - 8096:80
    environment:
      - LDAP_SERVER=ldap://192.168.2.101:389
      - LDAP_BINDDN=cn=admin,dc=git,dc=com,dc=cn
      - LDAP_BINDPASS=G1T@Ldap
      - LDAP_BASE_SEARCH=ou=People,dc=git,dc=com,dc=cn
      - MAIL_FROM=xxxxxx@sina.com
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.sina.com
      - SMTP_USER=xxxxxx@sina.com
      - SMTP_PASS=xxxxxx
      - SMTP_PORT=465
      - SMTP_SECURE_TYPE=ssl
      - SMTP_AUTH_ON=true
    volumes:
      - /etc/localtime:/etc/localtime
      - /data/openldap/self-service-password/htdocs:/www/ssp
      - /data/openldap/self-service-password/logs:/www/logs
    networks:
      - openldap
    # deploy.resources is ignored by docker-compose v1 outside swarm mode;
    # Compose V2 applies the limits.
    deploy:
      resources:
        limits:
          memory: 2G
        reservations:
          memory: 512M
# A service may only join a network that is declared at top level. The
# "openldap" network is assumed to exist already (created by the OpenLDAP
# stack), so it is declared external here.
networks:
  openldap:
    external: true
EOF

Start self-service-password

docker-compose up -d

Intranet (offline) environment

  • The Docker image above is very handy, but it cannot start in an intranet environment, so build your own image instead.

Create the data directories

mkdir -pv /data/openldap/self-service-password/conf
chmod o+x /data/openldap/self-service-password/conf -R
mkdir -pv /data/docker-compose/openldap/ssp/

Build the Docker image

Download the installation package

https://ltb-project.org/download

Download the RPM package and place it in the same directory as the Dockerfile.

Dockerfile

# Build this on a host with internet access: the yum repositories below are
# fetched during the build. Then ship the image to the intranet (docker save / docker load).
FROM centos:7
RUN rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm && \
    rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm && \
    yum clean all && yum makecache
RUN yum install -y httpd php70w.x86_64 php70w-cli.x86_64 php70w-common.x86_64 php70w-gd.x86_64 \
    php70w-ldap.x86_64 php70w-mbstring.x86_64 php70w-mcrypt.x86_64 \
    php70w-mysql.x86_64 php70w-pdo.x86_64 php-Smarty --nogpgcheck

# The RPM downloaded from ltb-project.org, placed next to this Dockerfile
COPY self-service-password-1.4.3-1.el7.noarch.rpm /home/
RUN yum localinstall -y /home/self-service-password-1.4.3-1.el7.noarch.rpm
# Virtual host definition (see the httpd configuration section below)
ADD self-service-password.conf /etc/httpd/conf.d/

USER root
WORKDIR /usr/share/self-service-password
VOLUME /usr/share/self-service-password
EXPOSE 80

ENTRYPOINT ["/usr/sbin/httpd"]
CMD ["-D","FOREGROUND"]

httpd configuration file

  • This is simply the default ssp virtual host with the ServerName changed to localhost

self-service-password.conf

<VirtualHost *:80>
  ServerName localhost

  DocumentRoot /usr/share/self-service-password/htdocs
  DirectoryIndex index.php

  AddDefaultCharset UTF-8

  <Directory /usr/share/self-service-password/htdocs>
    AllowOverride None
    <IfVersion >= 2.3>
      Require all granted
    </IfVersion>
    <IfVersion < 2.3>
      Order Deny,Allow
      Allow from all
    </IfVersion>
  </Directory>

  Alias /rest /usr/share/self-service-password/rest

  <Directory /usr/share/self-service-password/rest>
    AllowOverride None
    <IfVersion >= 2.3>
      Require all denied
    </IfVersion>
    <IfVersion < 2.3>
      Order Deny,Allow
      Deny from all
    </IfVersion>
  </Directory>

  LogLevel warn
  ErrorLog /var/log/httpd/ssp_error_log
  CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>

Build the image

docker build -t self-service-password-offline:v1.0 .

docker-compose file

cat > /data/docker-compose/openldap/ssp/docker-compose.yml << EOF
version: "3"
services:
  ssp:
    container_name: ssp
    image: self-service-password-offline:v1.0
    restart: always
    user: root
    ports:
      - 8096:80
    volumes:
      - /etc/localtime:/etc/localtime
      - /data/openldap/self-service-password/conf:/usr/share/self-service-password/conf
    # deploy.resources is ignored by docker-compose v1 outside swarm mode;
    # Compose V2 applies the limits.
    deploy:
      resources:
        limits:
          memory: 2G
        reservations:
          memory: 256M
EOF

Start self-service-password

docker-compose up -d

SSP application configuration file

  • The configuration file can be extracted from the binary package downloaded from the official site. Alternatively, start the image without mounting the config directory first: the default file is generated inside the container and can simply be copied out.

Modify it according to your needs.

/data/openldap/self-service-password/conf/config.inc.php

The important changes

<?php
$debug = false;

# LDAP
$ldap_url = "ldap://192.168.2.101:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=git,dc=com,dc=cn";
$ldap_bindpw = 'G1T@Ldap';
$ldap_base = "ou=People,dc=git,dc=com,dc=cn";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = false;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = false;


# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "auto";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true;
# Who the email should come from
$mail_from = "xxxxxxx@sina.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.sina.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'xxxxxxxx@sina.com';
$mail_smtp_pass = 'xxxxxxxmailpasswdxxxxxx';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';
$mail_smtp_autotls = false;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;

# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "selfservicepassword-change";
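As an added example (not part of the original post), a POSIX shell script that audits the mounted config.inc.php before `docker-compose up`, replacing the placeholder `$keyphrase` that the file's own comment asks you to change and closing the file to other users, since it stores the LDAP bind and SMTP passwords in clear text. The function names and the sample file built under `--demo` are constructed here; it assumes the self-built centos:7 image, where httpd serves as uid 48 (apache).

```shell
#!/bin/sh
# Added example, not from the original post: audit and harden the config.inc.php
# bind-mounted into the container (it holds $ldap_bindpw and $mail_smtp_pass in
# clear text). Function names and the --demo sample file are constructed here.

# Print a top-level PHP setting with quotes stripped, e.g. `get_setting keyphrase file`
get_setting() {
  grep '^\$'"$1"' *=' "$2" | head -n 1 | sed 's/^[^=]*= *//; s/ *;.*$//' | tr -d "\"'"
}

# 256 random bits as 64 hex characters for $keyphrase
gen_keyphrase() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Replace the placeholder keyphrase (invalidating outstanding reset tokens) and shut
# out "other"; httpd in the centos:7 image runs as uid 48 (apache), hence 48:48 mode 640.
harden_config() {
  new=$(gen_keyphrase)
  sed 's/^\$keyphrase *=.*/$keyphrase = "'"$new"'";/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  chown 48:48 "$1" 2>/dev/null || true   # needs root on the host; skipped otherwise
  chmod 640 "$1"
}

# Return 0 when the file is fit to mount, 1 otherwise; findings go to stdout.
audit_config() {
  rc=0
  [ "$(get_setting debug "$1")" = "false" ] || { echo "FAIL: \$debug must be false"; rc=1; }
  kp=$(get_setting keyphrase "$1")
  [ "$kp" != "selfservicepassword-change" ] && [ ${#kp} -ge 32 ] \
    || { echo "FAIL: \$keyphrase is the placeholder or shorter than 32 chars"; rc=1; }
  if [ "$(get_setting ldap_starttls "$1")" != "true" ]; then
    case "$(get_setting ldap_url "$1")" in ldaps://*) ;;
      *) echo "WARN: \$ldap_bindpw is sent over plain ldap:// without StartTLS" ;; esac
  fi
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  case "$mode" in *0) ;; *) echo "FAIL: mode $mode lets any local user read the passwords"; rc=1 ;; esac
  return $rc
}

# --demo: run the audit/harden cycle on a constructed copy of the settings above
demo() {
  f=$(mktemp)
  printf '%s\n' '<?php' '$debug = false;' '$ldap_starttls = false;' \
    "\$ldap_bindpw = 'G1T@Ldap';" '$keyphrase = "selfservicepassword-change";' > "$f"
  audit_config "$f"; harden_config "$f"; audit_config "$f" && echo "OK: $f hardened"
  rm -f "$f"
}
case "${1:-}" in --demo) demo ;; esac
```

Run it as `sh audit_ssp.sh --demo` to see both passes, or call `audit_config` and `harden_config` against the real path under /data/openldap/self-service-password/conf.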