Setting up Self Service Password, a self-service password reset service


I. Foreword

Employees keep forgetting their domain account passwords, and because the company's AD is integrated with many other business systems, the network administrators are constantly helping people reset passwords. I have long wanted to offload this kind of task, and this tool does exactly that. This article builds the service on CentOS 7 + Apache 2.4 + PHP 7.

II. About Self Service Password

Self Service Password is a PHP application that lets users change their password in an LDAP directory. Official site: https://ltb-project.org

It works with standard LDAPv3 directories (OpenLDAP, OpenDS, ApacheDS, Sun/Oracle DSEE, Novell, etc.) and with Active Directory.

It offers the following features:

  1. Samba mode, which also updates the Samba password;
  2. Active Directory mode;
  3. A local password policy (minimum/maximum length, forbidden characters, counters for lower-case, upper-case, digit and special characters, a check against reusing the old password, and complexity measured as the number of distinct character classes);
  4. Help messages;
  5. Reset by security question;
  6. Reset by e-mail (sent through a mail tool);
  7. Reset by SMS (through an external e-mail-to-SMS service);
  8. CAPTCHA (Google API);
  9. E-mail notification after a password change.

Note: resetting a password through the question, e-mail or SMS function of Self Service Password can also unlock a locked-out domain account; this is set in the configuration file.

III. Prerequisites for installing Self Service Password

  1. The host running Self Service Password must be able to reach the LDAP server;
  2. Apache or another web server;
  3. PHP (version 5 or later);
  4. PHP LDAP (PHP extension);
  5. PHP MBSTRING (PHP extension);
  6. PHP MCRYPT (PHP extension, used for tokens).

IV. Downloading Self Service Password

The installation package can be downloaded from the official site, which offers a tarball (.tar.gz), a Debian package (.deb) and an RPM package (.rpm). This tutorial installs from the tarball (.tar.gz). Two downloads are provided below: the unmodified official release, and a version bundled with the Alibaba Cloud SMS verification package.

Download "ltb-project-self-service-password.tar.gz": ltb-project-self-service-password-1.3.tar.gz (downloaded 277 times, 2 MB)

Download "ltb-project-self-service-password-aliyun-dysms": ltb-project-self-service-password-1.3-aliyun-dysms.zip (downloaded 244 times, 4 MB)

V. Installing Self Service Password

1. Upload the archive to the server and unpack it:

tar zxvf ltb-project-self-service-password-VERSION.tar.gz

2. Move the unpacked directory into the web root:

mv ltb-project-self-service-password-VERSION /data/http/html/self-service-password

3. Edit the Apache virtual host configuration. This tutorial serves the site over HTTPS; an example follows (see the related articles for setting up Apache itself):

<VirtualHost _default_:443>
    DocumentRoot "/data/http/html/self-service-password"
    ServerName it-adpass.xxxx.cn:443
    ServerAdmin xxx@xxxx.cn
    ErrorLog "/data/http/logs/it-adpass.xxxx.cn-error_log"
    TransferLog "/data/http/logs/it-adpass.xxxx.cn-access_log"

    SSLEngine on
    #   Server Certificate:
    SSLCertificateFile "/etc/apache/ssl/it-adpass.xxxx.cn.crt"
    #   Server Private Key:
    SSLCertificateKeyFile "/etc/apache/ssl/it-adpass.xxxx.cn.key"
    #   Server Certificate Chain:
    SSLCertificateChainFile "/etc/apache/ssl/it-adpass.xxxx.cn-CA.crt"
    #   Certificate Authority (CA):
    #SSLCACertificateFile "/etc/apache/ssl/ca-bundle.crt"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/data/http/html/self-service-password">
        # Apache 2.4 access control ("Allow From All" is 2.2 syntax and only works with mod_access_compat loaded)
        Require all granted
        AllowOverride All
        Options FollowSymLinks
    </Directory>
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    CustomLog "/data/http/logs/it-adpass.xxxx.cn-ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

4. Restart Apache and check that the page opens.

VI. Configuring Self Service Password

1. Create a new user in Active Directory and grant it domain administrator rights;

2. Copy conf/config.inc.php to config.inc.local.php;

3. Edit the parameters in config.inc.local.php to fit your own environment and requirements; they are explained below:

<?php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================

#==============================================================================
# Configuration
#==============================================================================

# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = false; // debug mode

# LDAP
$ldap_url = "LDAPS://dc.xxxx.cn";  // LDAP server address
$ldap_starttls = false;  // whether to use STARTTLS with the LDAP server
$ldap_binddn = "CN=xxx,CN=Users,DC=xxxx,DC=cn";  // DN of the account used to bind to the LDAP server
$ldap_bindpw = "xxxxxx";  // password of that bind account
$ldap_base = "OU=1-XXXX,DC=xxxx,DC=cn";  // search base (OU) under which users are looked up
$ldap_login_attribute = "sAMAccountName";  // LDAP attribute holding the user's login name
$ldap_fullname_attribute = "cn";  // LDAP attribute holding the user's full name
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";  // filter selecting LDAP user objects

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;  // enable Active Directory mode
# Force account unlock when password is changed
$ad_options['force_unlock'] = true; // force unlock: a locked account is unlocked when its password is changed
# Force user change password at next login
$ad_options['force_pwd_change'] = false;  // force the user to change the password at next logon
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;  // allow a user whose password has expired to change it

# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;  // enable Samba mode
# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;

# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;
$shadow_options['update_shadowExpire'] = false;

# Default to -1, never expire
$shadow_options['shadow_expire_days'] = -1;

# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";  // password hash algorithm; ignored in Active Directory mode

# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";

# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 6;  // minimum password length
# Maximal length
$pwd_max_length = 14;  // maximum password length
# Minimal lower characters
$pwd_min_lower = 0;  // minimum number of lower-case letters
# Minimal upper characters
$pwd_min_upper = 0;  // minimum number of upper-case letters
# Minimal digit characters
$pwd_min_digit = 0;  // minimum number of digits
# Minimal special characters
$pwd_min_special = 0;  // minimum number of special characters
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";  // regular-expression character class defining what counts as a special character
# Forbidden characters
#$pwd_forbidden_chars = "@%";  // characters not allowed in a password
# Don't reuse the same password as currently
$pwd_no_reuse = true;  // forbid reusing the current password
# Check that password is different than login
$pwd_diff_login = true;  // check that the new password differs from the login name
# Complexity: number of different class of character required
$pwd_complexity = 3;  // number of character classes the password must contain
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;  // check whether the password appears in the https://haveibeenpwned.com breach database
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always";  // whether to show the password policy
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";  // where the password policy is shown

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";  // which account changes the password; with "manager", make sure the binddn user has the right to change user passwords (domain administrator recommended)

## Standard change
# Use standard change form?
$use_change = true;  // enable the password change form

## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;

# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";

# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "user";

# Notify users anytime their sshPublicKey is changed
## Requires mail configuration below
$notify_on_sshkey_change = false;

## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = true;  // enable password reset by security questions

# Answer attribute should be hidden to users!
$answer_objectClass = "user";  // if $answer_attribute is not part of the standard user object class, set the object class that carries it; Active Directory does not know extensibleObject, so "user" can be used
$answer_attribute = "info";  // LDAP attribute used to store the question answer; the attribute name must be lower case

# Crypt answers inside the directory
$crypt_answers = false;  // encrypt the answers

# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
$messages['questions']['Q3'] = "你少年时代最好的朋友叫什么名字?";  // extra questions
$messages['questions']['Q4'] = "你的第一个宠物叫什么名字?";
$messages['questions']['Q5'] = "你第一次坐飞机是去哪里?";
$messages['questions']['Q6'] = "你的理想工作是什么?";
$messages['questions']['Q7'] = "你拥有的第一辆车是什么型号?";
$messages['questions']['Q8'] = "你童年时代的绰号是什么?";
$messages['questions']['Q9'] = "你的第一个上司叫什么名字?";
$messages['questions']['Q10'] = "您最喜欢哪个球队?";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;  // enable password reset by e-mail token
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;  // encrypt tokens (requires $keyphrase below)
# Token lifetime in seconds
$token_lifetime = "3600";  // token lifetime (seconds)

## Mail
# LDAP mail attribute
$mail_attribute = "wWWHomePage";  // LDAP attribute holding the user's e-mail address
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;  // take the e-mail address directly from LDAP and hide the e-mail input field
# Who the email should come from
$mail_from = "service@xxxx.cn";  // sender address
$mail_from_name = "Service";  // sender name
$mail_signature = "";  // sender signature
# Notify users anytime their password is changed
$notify_on_change = true;  // notify the user whenever the password is changed
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)    // all PHPMailer parameters follow
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'mail.xxxx.cn';
$mail_smtp_auth = true;
$mail_smtp_user = 'service@xxxx.cn';
$mail_smtp_pass = 'xxxxxx';
$mail_smtp_port = 587;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

## SMS
# Use sms
$use_sms = true;  // enable password reset by SMS
# SMS method (mail, api)
$sms_method = "api";  // how SMS messages are sent
$sms_api_lib = "lib/smsapi.inc.php";  // API script
# GSM number attribute
$sms_attribute = "mobile";  // LDAP attribute holding the mobile number
# Partially hide number
$sms_partially_hide_number = true;  // partially hide the number on the page
# Send SMS mail to address
$smsmailto = "{sms_attribute}@service.provider.com";  // address the SMS is mailed to when the mail method is used
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";  // subject of the e-mail sent to the SMTP-to-SMS provider
# Message
$sms_message = "{smsresetmessage} {smstoken}";  // message template
# Remove non digit characters from GSM number
$sms_sanitize_number = false;  // strip non-digit characters from the mobile number
# Truncate GSM number
$sms_truncate_number = false;  // truncate the mobile number
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;  // length of the SMS code
# Max attempts allowed for SMS token
$max_attempts = 3;  // attempts allowed per SMS code

# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "xxxxxx";  // keyphrase, required when $crypt_tokens = true; set it to anything long and random, you do not need to remember it; changing it invalidates all previous tokens and SMS codes

# Reset URL (if behind a reverse proxy)
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];  // by default the reset URL is computed from the server name and port; behind a reverse proxy those values may be wrong, in which case set the URL yourself

# Display help messages
$show_help = true;  // show help messages

# Default language
$lang = "zh-CN";  // default language

# List of authorized languages. If empty, all language are allowed.
# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array();  // list of allowed languages; empty allows all

# Display menu on top
$show_menu = true;  // show the navigation menu

# Logo
$logo = "images/logo.png";  // logo path

# Background image
$background_image = "images/unsplash-lanse.jpg";  // background image

# Where to log password resets - Make sure apache has write permission
# By default, they are logged in Apache log
$reset_request_log = "logs/self.log";  // path of the reset-request log; by default reset requests go to the Apache log

# Invalid characters in login
# Set at least "*()&|" to prevent LDAP injection
# If empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|";  // login protection against LDAP injection: these characters are forbidden

## CAPTCHA  // Google reCAPTCHA settings follow
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
$use_recaptcha = false;
# Go on the site to get public and private key
$recaptcha_publickey = "";
$recaptcha_privatekey = "";
# Customization (see https://developers.google.com/recaptcha/docs/display)
$recaptcha_theme = "light";
$recaptcha_type = "image";
$recaptcha_size = "normal";
# reCAPTCHA request method, null for default, Fully Qualified Class Name to override
# Useful when allow_url_fopen=0 ex. $recaptcha_request_method = '\ReCaptcha\RequestMethod\CurlPost';
$recaptcha_request_method = null;

## Default action
# change
# sendtoken
# sendsms
$default_action = "change";  // default page

## Extra messages  // message templates
# They can also be defined in lang/ files
#$messages['passwordchangedextramessage'] = NULL;
$messages['changehelpextramessage'] = ">>帐户被锁定请使用导航栏中的其他方式解锁账户并重置密码。<br />回答问题重置密码:请确认您已自行设置答案。<br />通过邮件发送链接:请确认您已联系管理员设置邮箱。<br />通过短信重置密码:请确认您已联系管理员设置手机号码。";

# Launch a posthook script after successful password change
#$posthook = "/usr/share/self-service-password/posthook.sh";  // run a posthook script after a successful password change
#$display_posthook_error = true;

# Hide some messages to not disclose sensitive information
# These messages will be replaced by badcredentials error
$obscure_failure_messages = array("mailnomatch");  // hide some error messages

4. Test once the configuration is complete; if something does not work, check the relevant error logs.
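As an added example, not part of the article or of Self Service Password's own code, the following stand-alone PHP script re-implements the local checks that $login_forbidden_chars and the $pwd_* settings above express, so that a candidate policy can be tried offline before it is written into config.inc.local.php. The $policy array, the function names check_login(), build_filter() and check_password(), and the sample inputs are this example's own assumptions; it needs the mbstring and ldap extensions listed in section III.

```php
<?php
// Added example (not Self Service Password's code): local login and password
// checks driven by the same settings as config.inc.local.php above.

// Constructed sample policy using the values from the configuration above.
$policy = [
    'login_forbidden_chars' => '*()&|',
    'pwd_min_length'        => 6,
    'pwd_max_length'        => 14,
    'pwd_min_lower'         => 0,
    'pwd_min_upper'         => 0,
    'pwd_min_digit'         => 0,
    'pwd_min_special'       => 0,
    'pwd_special_chars'     => '^a-zA-Z0-9',  // used inside [...] as a regex class
    'pwd_forbidden_chars'   => '@%',
    'pwd_no_reuse'          => true,
    'pwd_diff_login'        => true,
    'pwd_complexity'        => 3,
];

// Refuse logins containing characters that would change the meaning of the
// search filter once {login} is substituted into $ldap_filter.
// With an empty setting only alphanumeric logins are accepted.
function check_login(string $login, array $policy): bool
{
    if ($login === '') {
        return false;
    }
    if ($policy['login_forbidden_chars'] === '') {
        return preg_match('/^[A-Za-z0-9]+$/', $login) === 1;
    }
    return strpbrk($login, $policy['login_forbidden_chars']) === false;
}

// Substitute {login} into the filter template through ldap_escape() (ext/ldap,
// PHP >= 5.6), so the character blocklist is defence in depth, not the only barrier.
function build_filter(string $template, string $login): string
{
    return str_replace('{login}', ldap_escape($login, '', LDAP_ESCAPE_FILTER), $template);
}

// Return the names of the policy rules a new password violates (empty = accepted).
function check_password(string $new, string $old, string $login, array $policy): array
{
    $errors = [];
    $length = mb_strlen($new);
    if ($length < $policy['pwd_min_length']) {
        $errors[] = 'tooshort';
    }
    if ($policy['pwd_max_length'] > 0 && $length > $policy['pwd_max_length']) {
        $errors[] = 'toobig';
    }

    // Character-class counters.
    $counts = [
        'lower'   => preg_match_all('/[a-z]/', $new),
        'upper'   => preg_match_all('/[A-Z]/', $new),
        'digit'   => preg_match_all('/[0-9]/', $new),
        'special' => preg_match_all('/[' . $policy['pwd_special_chars'] . ']/', $new),
    ];
    $classes = 0;
    foreach ($counts as $class => $count) {
        if ($count < $policy['pwd_min_' . $class]) {
            $errors[] = 'min' . $class;
        }
        if ($count > 0) {
            $classes++;   // complexity = number of distinct classes present
        }
    }
    if ($classes < $policy['pwd_complexity']) {
        $errors[] = 'notcomplex';
    }
    if ($policy['pwd_forbidden_chars'] !== '' && strpbrk($new, $policy['pwd_forbidden_chars']) !== false) {
        $errors[] = 'forbiddenchars';
    }
    if ($policy['pwd_no_reuse'] && $new === $old) {
        $errors[] = 'sameasold';
    }
    if ($policy['pwd_diff_login'] && $new === $login) {
        $errors[] = 'sameaslogin';
    }
    return $errors;
}

// Constructed sample inputs: a normal login, a login carrying filter
// metacharacters, and two candidate passwords for the policy above.
var_dump(check_login('jsmith', $policy));
var_dump(check_login('j*smith)', $policy));
echo build_filter('(&(objectClass=user)(sAMAccountName={login}))', 'j*smith'), PHP_EOL;
print_r(check_password('abc', 'abc', 'jsmith', $policy));
print_r(check_password('Xy7!kq2m', 'oldpass', 'jsmith', $policy));
```

The blocklist alone is incomplete (a backslash, for instance, is the escape character in an LDAP filter), which is why build_filter() escapes the login with ldap_escape() as well; the settings above remain the first line of defence because they also reject the input before any directory round-trip.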

VII. Integrating Alibaba Cloud SMS verification codes

Note: the ltb-project-self-service-password-aliyun-dysms.zip package already integrates the Alibaba Cloud SMS API; you can also do the integration yourself, or integrate another provider.

1. Download the Alibaba Cloud SMS SDK and unpack it into the lib directory;

2. Copy lib/smsapi-example.inc.php to smsapi.inc.php and edit it; example:

<?php
function send_sms_by_api($mobile, $message) {

    # PHP code
    # ...

    # Or call to external script
    # $command = escapeshellcmd(/path/to/script).' '.escapeshellarg($mobile).' '.escapeshellarg($message);
    # exec($command);

    # Call the Alibaba Cloud SDK wrapper (lib/aliyun-dysms-php-sdk/api_demo/Dysmsapi.php)
    include_once 'aliyun-dysms-php-sdk/api_demo/Dysmsapi.php';
    $response = Dysmsapi::sendSms($mobile, $message);

    # Do not report success unconditionally: the SendSms response carries
    # Code "OK" on success. Log Code/Message otherwise, so a rejected
    # signature, template or number shows up in the web server error log
    # instead of a silent "sent".
    if (!is_object($response) || !isset($response->Code) || $response->Code !== 'OK') {
        $detail = (is_object($response) && isset($response->Code))
            ? $response->Code . ' ' . (isset($response->Message) ? $response->Message : '')
            : 'no response';
        error_log('Aliyun SMS to ' . $mobile . ' failed: ' . $detail);
        return 0;
    }
    return 1;
}

3. Configure the Alibaba Cloud SMS parameters in lib/aliyun-dysms-php-sdk/api_demo/Dysmsapi.php; example:

<?php
// The include and use lines below are not in the article's listing; they assume
// the legacy aliyun-dysms-php-sdk layout in which api_demo/ sits next to api_sdk/
// (adjust the path to your copy of the SDK).
include_once dirname(dirname(__FILE__)) . '/api_sdk/vendor/autoload.php';

use Aliyun\Core\Config;
use Aliyun\Core\Profile\DefaultProfile;
use Aliyun\Core\DefaultAcsClient;
use Aliyun\Api\Sms\Request\V20170525\SendSmsRequest;

// Load the SDK's region/endpoint configuration
Config::load();

class Dysmsapi
{

    static $acsClient = null;

    /**
     * Obtain the AcsClient
     *
     * @return DefaultAcsClient
     */
    public static function getAcsClient() {
        // Product name: the SMS service API product, no need to change
        $product = "Dysmsapi";

        // Product domain, no need to change
        $domain = "dysmsapi.aliyuncs.com";

        // TODO replace with your own AccessKey (https://ak-console.aliyun.com/)
        $accessKeyId = "xxxxxx"; // AccessKeyId

        $accessKeySecret = "xxxxxxxx"; // AccessKeySecret

        // Multiple regions are not supported yet
        $region = "cn-hangzhou";

        // Service endpoint
        $endPointName = "cn-hangzhou";


        if(static::$acsClient == null) {

            // Initialise the acsClient; per-region clients are not supported yet
            $profile = DefaultProfile::getProfile($region, $accessKeyId, $accessKeySecret);

            // Register the service endpoint
            DefaultProfile::addEndpoint($endPointName, $region, $product, $domain);

            // Initialise the AcsClient used to issue requests
            static::$acsClient = new DefaultAcsClient($profile);
        }
        return static::$acsClient;
    }

    /**
     * Send an SMS
     * @return stdClass
     */
    public static function sendSms($mobile, $message) {

        // Initialise a SendSmsRequest instance holding the SMS parameters
        $request = new SendSmsRequest();

        // Optional: use HTTPS
        //$request->setProtocol("https");

        // Required: recipient number
        $request->setPhoneNumbers($mobile);

        // Required: signature name, exactly as shown in the console, see: https://dysms.console.aliyun.com/dysms.htm#/develop/sign
        $request->setSignName("xxxx");

        // Required: template code, exactly as shown in the console, see: https://dysms.console.aliyun.com/dysms.htm#/develop/template
        $request->setTemplateCode("xxxx");

        // Optional: template parameters; required if the template contains variables
        $request->setTemplateParam(json_encode(array(  // values for the fields in the SMS template
            "code"=>$message,
        ), JSON_UNESCAPED_UNICODE));

        // Optional: external tracking id
        $request->setOutId("yourOutId");

        // Optional: uplink extension code (7 digits or fewer; ignore unless you need it)
        $request->setSmsUpExtendCode("1234567");

        // Issue the request
        $acsResponse = static::getAcsClient()->getAcsResponse($request);

        return $acsResponse;
    }
}

4. Test the SMS function of Self Service Password.
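The configuration in section VI sets $sms_token_length, $max_attempts, $token_lifetime and $keyphrase, while smsapi.inc.php only delivers the code. As an added example, not Self Service Password's own implementation, the following PHP script models that one-time-code lifecycle end to end: generation from a CSPRNG, keyed storage, lifetime, attempt limit and single use. The in-memory $store, the constants, the function names and the HMAC scheme are this example's assumptions; SSP stores and encrypts its tokens differently.

```php
<?php
// Added example (not Self Service Password's code): the lifecycle of a one-time
// SMS/e-mail code as parametrised by the settings in config.inc.local.php.

const SMS_TOKEN_LENGTH = 6;      // as $sms_token_length
const MAX_ATTEMPTS     = 3;      // as $max_attempts
const TOKEN_LIFETIME   = 3600;   // seconds, as $token_lifetime
const KEYPHRASE = 'PLACEHOLDER-replace-with-a-long-random-keyphrase';  // stands in for $keyphrase

// Generate an n-digit code from a CSPRNG (random_int, PHP >= 7); rand()/mt_rand()
// are predictable and must not be used for codes sent out of band.
function generate_code(int $length): string
{
    return str_pad((string) random_int(0, (10 ** $length) - 1), $length, '0', STR_PAD_LEFT);
}

// Issue a code for a login. Only a keyed hash of the code is kept server-side,
// so a copied session store or log file does not yield usable codes, and
// changing KEYPHRASE invalidates every outstanding code at once.
function issue_token(array &$store, string $login, int $now): string
{
    $code = generate_code(SMS_TOKEN_LENGTH);
    $store[$login] = [
        'mac'      => hash_hmac('sha256', $login . ':' . $code, KEYPHRASE),
        'expires'  => $now + TOKEN_LIFETIME,
        'attempts' => 0,
    ];
    return $code;   // what send_sms_by_api() would deliver
}

// Check a submitted code. Returns 'ok', 'nomatch', 'expired', 'toomanyattempts'
// or 'notoken'. Every outcome except 'nomatch' removes the stored record.
function verify_token(array &$store, string $login, string $submitted, int $now): string
{
    if (!isset($store[$login])) {
        return 'notoken';
    }
    if ($now > $store[$login]['expires']) {
        unset($store[$login]);
        return 'expired';
    }
    $store[$login]['attempts']++;
    $mac = hash_hmac('sha256', $login . ':' . $submitted, KEYPHRASE);
    if (!hash_equals($store[$login]['mac'], $mac)) {   // constant-time comparison
        if ($store[$login]['attempts'] >= MAX_ATTEMPTS) {
            unset($store[$login]);   // burn the code: the user must request a new one
            return 'toomanyattempts';
        }
        return 'nomatch';
    }
    unset($store[$login]);   // single use
    return 'ok';
}

// Constructed walk-through with a fixed clock.
$store = [];
$now   = 1700000000;
$code  = issue_token($store, 'jsmith', $now);
echo verify_token($store, 'jsmith', '000000', $now), PHP_EOL;    // a wrong guess counts as one attempt
echo verify_token($store, 'jsmith', $code, $now), PHP_EOL;       // the right code within its lifetime
echo verify_token($store, 'jsmith', $code, $now), PHP_EOL;       // replay after use: the record is gone
$code = issue_token($store, 'jsmith', $now);
echo verify_token($store, 'jsmith', $code, $now + TOKEN_LIFETIME + 1), PHP_EOL;   // past the lifetime
```

A six-digit code is only as strong as the attempt limit and lifetime around it, which is why the model burns the record after MAX_ATTEMPTS failures rather than letting guesses continue, and why the keyphrase must be long and random: whoever obtains both the stored MAC and the keyphrase can brute-force the code offline in a million tries.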

Comments

16 comments
  1. john

     At first the LDAP connection kept failing; switching to the official package fixed it.
     But after integrating the Alibaba Cloud SMS API from here, no SMS arrives, even though the system log looks as if the request was successfully passed to the SMS API.

  2. cyj

     Following your settings for Alibaba Cloud SMS seems to have no effect: no SMS is ever sent, and there is no error in the logs either.

  3. 二少

     Hello! Following your configuration I also get the problem of Self Service Password with Windows Active Directory (LDAP) constantly reporting that it cannot connect to LDAP. I see that the Apache virtual host configuration uses certificates; the certificate I exported from Windows AD is a .cer, while the ones in your configuration are .crt and .key. How should this be handled, i.e. importing the certificate into Linux to get an LDAPS connection?

      • 二少

        @yeboyzq First of all, thank you for your reply, but in practice I still ran into some problems, mainly with connecting to Windows Active Directory (LDAP); I hope I can get your support.
        SSLEngine on
        # Server Certificate:
        SSLCertificateFile "/etc/apache/ssl/it-adpass.xxxx.cn.crt"
        # Server Private Key:
        SSLCertificateKeyFile "/etc/apache/ssl/it-adpass.xxxx.cn.key"
        # Server Certificate Chain:
        SSLCertificateChainFile "/etc/apache/ssl/it-adpass.xxxx.cn-CA.crt"
        # Certificate Authority (CA):
        #SSLCACertificateFile "/etc/apache/ssl/ca-bundle.crt"
        These certificate files are a bit of a headache; could you describe the steps for this part in detail?

        • yeboyzq

          @二少 This has nothing to do with the LDAP connection; this part configures HTTPS access to Self Service Password. If you don't need it, you can simply use HTTP.

          • 二少

            @yeboyzq # LDAP
            $ldap_url = "LDAPS://dc.xxxx.cn"; // LDAP server address
            $ldap_starttls = false; // whether to use STARTTLS with the LDAP server
            $ldap_binddn = "CN=xxx,CN=Users,DC=xxxx,DC=cn"; // DN of the account used to bind to the LDAP server
            $ldap_bindpw = "xxxxxx"; // password of that bind account
            $ldap_base = "OU=1-XXXX,DC=xxxx,DC=cn"; // search base (OU) under which users are looked up
            $ldap_login_attribute = "sAMAccountName"; // LDAP attribute holding the user's login name
            $ldap_fullname_attribute = "cn"; // LDAP attribute holding the user's full name
            $ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; // filter selecting LDAP user objects
            # Active Directory mode
            # true: use unicodePwd as password field
            # false: LDAPv3 standard behavior
            $ad_mode = true; // enable Active Directory mode
            # Force account unlock when password is changed
            $ad_options['force_unlock'] = true; // force unlock: a locked account is unlocked when its password is changed
            # Force user change password at next login
            $ad_options['force_pwd_change'] = false; // force the user to change the password at next logon
            # Allow user with expired password to change password
            $ad_options['change_expired_password'] = true; // allow a user whose password has expired to change it
            I configured it roughly in the same style as yours, but when changing a password it reports:
            不能访问 LDAP 服务器
            Apart from the configuration file, does an LDAPS connection also require adding the certificate exported from the AD personal certificate store to OpenSSL's ldap.conf? I ask because I see your configuration connects over LDAPS.

      • 二少

        @yeboyzq Could you share a WeChat ID? I'd like to consult you about this configuration. QQ:498092705

  4. Smaser

     Hello, following your article I never receive the Alibaba Cloud SMS verification code. I don't know what else needs configuring; are the xxx places the only things that need changing?

  5. Kester

     Configuring Self Service Password with Windows Active Directory (LDAP) keeps failing to connect to LDAP. Which fields does AD need? Is there an example to follow? Thanks!

    • yeboyzq

      @Kester The article and the configuration file already explain it clearly.

    • yeboyzq

      @Kester There are three causes for this error: wrong LDAP encryption method, wrong account password, or the firewall blocking the connection.

    • 二少

      @Kester Did you solve your problem?
