self-service-password (SSP for short) supports the following features:
- Samba mode, including changing the Samba password
- Active Directory
- Local custom policies, such as minimum password length and composition rules
- Password reset by security question, e-mail or SMS
- Editing the user's SSH key stored in the LDAP directory
- Notification when a password is changed
This service solves the difficulty of changing passwords in OpenLDAP: it simplifies the password change flow for users who know nothing about LDAP, and lets them recover lost or forgotten passwords themselves through the reset feature. Defining a custom password composition policy further strengthens security.
```yaml
version: '2'
services:
  ssp-app:
    image: tiredofit/self-service-password:latest # pin this to a specific version tag instead of latest
    container_name: ssp-app
    volumes: # mount the data directory and logs
      - ./data/:/www/ssp
      - ./logs/:/www/logs
    ports:
      - 8888:80
    environment:
      - LDAP_SERVER=ldap://172.16.0.3:389 # LDAP server: ldap://ip:port
      - LDAP_STARTTLS=false
      - LDAP_BINDDN=cn=admin,dc=openldap,dc=devopsman,dc=cn # bind DN (the admin DN); adjust to your environment
      - LDAP_BINDPASS=nicaicaikan # password of the cn=admin account above
      - LDAP_BASE_SEARCH=ou=People,dc=openldap,dc=devopsman,dc=cn
      - LDAP_LOGIN_ATTRIBUTE=uid
      - LDAP_FULLNAME_ATTRIBUTE=cn
      # Active Directory mode
      # true: use unicodePwd as password field
      # false: LDAPv3 standard behavior
      - ADMODE=false
      # Force account unlock when password is changed
      - AD_OPT_FORCE_UNLOCK=false
      # Force user change password at next login
      - AD_OPT_FORCE_PWD_CHANGE=false
      # Allow user with expired password to change password
      - AD_OPT_CHANGE_EXPIRED_PASSWORD=false
      # Samba mode
      # true: update sambaNTpassword and sambaPwdLastSet attributes too
      # false: just update the password
      - SAMBA_MODE=false
      # Shadow options - require shadowAccount objectClass
      # Update shadowLastChange
      - SHADOW_OPT_UPDATE_SHADOWLASTCHANGE=false
      # Hash mechanism for password:
      # SSHA
      # SHA
      # SMD5
      # MD5
      # CRYPT
      # clear (the default)
      # auto (will check the hash of current password)
      # This option is not used with ad_mode = true
      - PASSWORD_HASH=MD5 # password hash type
      # Local password policy
      # This is applied before directory password policy
      # Minimal length
      - PASSWORD_MIN_LENGTH=12 # the password composition rules are defined here
      # Maximal length
      - PASSWORD_MAX_LENGTH=30
      # Minimal lower characters
      - PASSWORD_MIN_LOWERCASE=2
      # Minimal upper characters
      - PASSWORD_MIN_UPPERCASE=2
      # Minimal digit characters
      - PASSWORD_MIN_DIGIT=2
      # Minimal special characters
      - PASSWORD_MIN_SPECIAL=2
      # Dont reuse the same password as currently
      - PASSWORD_NO_REUSE=true
      # Definition of special characters
      - PASSWORD_SPECIAL_CHARACTERS="^a-zA-Z0-9" # defines which characters count as special
      # Forbidden characters
      # Check that password is different than login
      - PASSWORD_DIFFERENT_LOGIN=true
      # Show policy constraints message:
      # always
      # never
      # onerror
      - PASSWORD_SHOW_POLICY=onerror # when to show the password policy message
      # Position of password policy constraints message:
      # above - the form
      # below - the form
      - PASSWORD_SHOW_POLICY_POSITION=above
      # Who changes the password?
      # Also applicable for question/answer save
      # user: the user itself
      # manager: the above binddn
      - WHO_CAN_CHANGE_PASSWORD=user # who performs the password change
      ## Questions/answers
      # Use questions/answers?
      # true (default)
      # false
      - QUESTIONS_ENABLED=false
      ## Mail
      # LDAP mail attribute
      - LDAP_MAIL_ATTRIBUTE=mail
      # Who the email should come from
      - MAIL_FROM=cloudnative@qq.com
      - MAIL_FROM_NAME=云原生生态圈认证中心
      # Notify users anytime their password is changed
      - NOTIFY_ON_CHANGE=true
      # PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.qq.com # mail server settings used for sending notifications
      - SMTP_AUTH_ON=true
      - SMTP_USER=cloudnative@qq.com
      - SMTP_PASS=nicaicaikan # the mailbox's authorization code goes here
      - SMTP_PORT=465
      - SMTP_SECURE_TYPE=ssl
      - SMTP_AUTOTLS=false
      ## Tokens
      # Use tokens?
      # true
      # false
      - USE_TOKENS=true
      # Crypt tokens?
      # true
      # false
      - TOKEN_CRYPT=true
      # Token lifetime in seconds
      - TOKEN_LIFETIME=1800
      ## SMS
      # Use sms (NOT WORKING YET)
      - USE_SMS=false
      # Reset URL (if behind a reverse proxy)
      - IS_BEHIND_PROXY=true
      # Display help messages
      - SHOW_HELP=true
      # Language
      - LANG=en
      # Debug mode
      - DEBUG_MODE=false
      # Encryption, decryption keyphrase
      - SECRETEKEY=secretkey
      ## CAPTCHA
      # Use Google reCAPTCHA (http://www.google.com/recaptcha)
      - USE_RECAPTCHA=false
      # Go on the site to get public and private key
      - RECAPTCHA_PUB_KEY=akjsdnkajnd
      - RECAPTCHA_PRIV_KEY=aksdjnakjdnsa
      ## Default action
      # change
      # sendtoken
      # sendsms
      - DEFAULT_ACTION=change
      - BACKGROUND_IMAGE="images/unsplash-space.jpeg" # custom background image
      - LOGO="images/logo.png" # custom logo image
```
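As an added example (not part of the original post and not SSP's own code), the Python function below reproduces the local policy that the PASSWORD_* settings above configure, so a candidate password can be checked offline against the same rules before the policy goes live. SSP applies PASSWORD_SPECIAL_CHARACTERS as a regex character class, so "^a-zA-Z0-9" means "any character that is not an ASCII letter or digit", which is why accented letters count as special here; the violation labels are chosen for this example.

```python
import re

# Local password policy mirroring the PASSWORD_* values in the compose file above.
POLICY = {
    "min_length": 12,
    "max_length": 30,
    "min_lowercase": 2,
    "min_uppercase": 2,
    "min_digit": 2,
    "min_special": 2,
    "special_chars": "^a-zA-Z0-9",  # used as a regex character class: [^a-zA-Z0-9]
    "no_reuse": True,
    "different_login": True,
}


def check_password(new: str, login: str, old: str, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    Labels (tooshort, toobig, minlower, ...) are chosen for this example.
    """
    errors = []
    if len(new) < policy["min_length"]:
        errors.append("tooshort")
    if policy["max_length"] and len(new) > policy["max_length"]:
        errors.append("toobig")
    if len(re.findall(r"[a-z]", new)) < policy["min_lowercase"]:
        errors.append("minlower")
    if len(re.findall(r"[A-Z]", new)) < policy["min_uppercase"]:
        errors.append("minupper")
    if len(re.findall(r"[0-9]", new)) < policy["min_digit"]:
        errors.append("mindigit")
    # Build the special-character class exactly as the setting is written.
    special_re = re.compile("[" + policy["special_chars"] + "]")
    if len(special_re.findall(new)) < policy["min_special"]:
        errors.append("minspecial")
    if policy["no_reuse"] and new == old:
        errors.append("sameasold")
    if policy["different_login"] and new == login:
        errors.append("sameaslogin")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs: a compliant password and one that fails several rules.
    for candidate in ("Abc123!@xyzQ", "short1!", "Ünïcode-Pass-2024"):
        print(candidate, "->", check_password(candidate, "alice", "OldPass1!") or "ok")
```

The last sample shows that non-ASCII letters satisfy the special-character rule under this setting, which is worth knowing before relying on PASSWORD_MIN_SPECIAL for strength.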