Self Service Password 自助修改密碼 - Debian
BUBU 因公司有使用 Univention Corporate Server LDAP 及 AD 網域 服務,但發現到如果是從 Windows 上修改密碼可能會造成其他服務在做登入的時候會登入失敗,原因是出在密碼的 key 可能不對造成服務無法登入,那有想到之前 省節哥 有介紹過一套可以自助修改密碼 Self Service Password 這個套件
運行環境
環境都是在 「Proxmox VE 」 虛擬系統上架設,都是以 「 LXC 」模式為主,除非有特殊狀況會告知使用 「 VM 」 模式
- 系統環境: Debian 12
- Web 服務: Nginx 1.26.1
- PHP 服務: PHP 8.3
安裝過程
安裝 Nginx 服務
- 可以參考本站所編寫的文章 Nginx 模組擴充 - Debian \ Ubuntu
設定 PHP 來源庫服務
- 安裝 php 必要套件
apt install -y apt-transport-https lsb-release ca-certificates wget
- 新增 php 金鑰
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
- 新增 PHP 來源庫
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/sury-php.list && apt update
安裝相關必要套件
- 下載
smarty3套件
wget http://ftp.us.debian.org/debian/pool/main/s/smarty3/smarty3_3.1.47-2_all.deb
- 安裝
smarty3套件
dpkg -i smarty3_3.1.47-2_all.deb
安裝 Self Service Password 服務
- 新增加
Self Service Password來源庫vim /etc/apt/sources.list.d/ltb-project.list
deb [arch=amd64 signed-by=/usr/share/keyrings/ltb-project.gpg] https://ltb-project.org/debian/stable stable main
- 匯入
Self Service Password金鑰
wget -O - https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project | gpg --dearmor | sudo tee /usr/share/keyrings/ltb-project.gpg >/dev/null
- 這是剛剛
smarty3會協助安裝有關於php相關套件
sudo apt --fix-broken install
- 安裝相關必要的套件
sudo apt install sendmail libphp-phpmailer php8.3 php8.3-{fpm,curl,gd,ldap,mbstring,cli,common} -y
- 因該服務是採用
sendmail服務進行郵件傳寄送需要啟動該服務,不然郵件服務會沒有作用
systemctl enable sendmail --now
- 安裝
Self Service Password服務,安裝完後相關服務會在/usr/share/self-service-password這下面
sudo apt update && sudo apt install self-service-password -y
設定相關服務
設定 PHP 服務
- 處理
PHP相關設定
sed -i "s|^;request_terminate_timeout = 0.*$|request_terminate_timeout = 600|" /etc/php/8.3/fpm/pool.d/www.conf
sed -i "s|^;date.timezone =.*$|date.timezone = Asia/Taipei|" /etc/php/8.3/fpm/php.ini
sed -i "s|^;date.timezone =.*$|date.timezone = Asia/Taipei|" /etc/php/8.3/cli/php.ini
sed -i "s|^upload_max_filesize = 2M.*$|upload_max_filesize = 10M|" /etc/php/8.3/fpm/php.ini
sed -i "s|^upload_max_filesize = 2M.*$|upload_max_filesize = 10M|" /etc/php/8.3/cli/php.ini
sed -i "s|^post_max_size = 8M.*$|post_max_size = 16M|" /etc/php/8.3/fpm/php.ini
sed -i "s|^post_max_size = 8M.*$|post_max_size = 16M|" /etc/php/8.3/cli/php.ini
sed -i "s|^memory_limit = 128M.*$|memory_limit = 512M|" /etc/php/8.3/fpm/php.ini
sed -i "s|^memory_limit = 128M.*$|memory_limit = 512M|" /etc/php/8.3/cli/php.ini
sed -i "s|^max_execution_time = 30.*$|max_execution_time = 600|" /etc/php/8.3/fpm/php.ini
sed -i "s|^max_execution_time = 30.*$|max_execution_time = 600|" /etc/php/8.3/cli/php.ini
sed -i "s|^max_input_time = 60.*$|max_input_time = 600|" /etc/php/8.3/fpm/php.ini
sed -i "s|^max_input_time = 60.*$|max_input_time = 600|" /etc/php/8.3/cli/php.ini
sed -i "s|^default_socket_timeout = 60.*$|default_socket_timeout = 600|" /etc/php/8.3/fpm/php.ini
sed -i "s|^default_socket_timeout = 60.*$|default_socket_timeout = 600|" /etc/php/8.3/cli/php.ini
- 重啟
php-fpm服務
sudo systemctl enable php8.3-fpm --now
設定 Nginx 服務
- 備份預設全域
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
- 全域設定
vim /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
#
events {
worker_connections 1024;
}
#
http {
log_format main
'$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#
access_log /var/log/nginx/access.log main;
#
#
client_body_timeout 120s;
#
server_tokens off;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#
include /etc/nginx/mime.types;
include /etc/nginx/conf.d/*.conf;
default_type application/octet-stream;
}
- 設定服務
vim /etc/nginx/conf.d/ssp.conf
server {
listen 80;
server_name 站台連線位置;
rewrite ^(.*)$ https://${server_name}$1 permanent;
}
#
server {
listen 443 ssl;
http2 on;
listen [::]:443 ssl;
server_name 站台連線位置;
root /usr/share/self-service-password/htdocs;
index index.php index.html index.htm;
#
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
#
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;
#
# intermediate configuration. tweak to your needs.
#
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
ssl_prefer_server_ciphers on;
#
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
sendfile off;
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_types text/plain
text/css
application/json
application/x-javascript
text/xml
application/xml
application/xml+rss
text/javascript
application/javascript
text/x-js;
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Add stdout logging
access_log /var/log/nginx/ssp_access.log main;
error_log /var/log/nginx/ssp_error.log warn;
# pass the PHP scripts to FastCGI server listening on socket
#
location ~ \.php {
fastcgi_pass unix:/run/php/php8.3-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
try_files $fastcgi_script_name =404;
fastcgi_read_timeout 600;
include fastcgi_params;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
internal;
}
# deny access to . files, for security
#
location ~ /\. {
log_not_found off;
deny all;
}
location ~ /scripts {
log_not_found off;
deny all;
}
}
- 重啟服務
sudo systemctl restart nginx
設定 Self Service Password 服務
- 連線時出現此畫面是系統要求要修改
Token值,訊息Token encryption requires a random string in keyphrase setting
- 修改
Token位置vim /etc/self-service-password/config.inc.php
# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
# 修改您想要的值就正常使用
$keyphrase = "secret";
- 設定
Self Service Password串UCS服務,vim /etc/self-service-password/config.inc.php
# LDAP
$ldap_url = "ldap://ucs站台位置:7389";
$ldap_starttls = false;
$ldap_binddn = "uid=administrator,cn=users,dc=xxx,dc=local";
$ldap_bindpw = 'password';
// for GSSAPI authentication, comment out ldap_bind* and uncomment ldap_krb5ccname lines
//$ldap_krb5ccname = "/path/to/krb5cc";
$ldap_base = "dc=xxx,dc=local";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;
$ldap_network_timeout = 10;
- 如果您的 UCS 有啟用
AD網域服務需要注意這個參數,預設是user需修改成manager
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";
- 修改密碼傳送方式,預設是明碼
clear
# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# ARGON2
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";
- 設定郵件服務
## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
# 這是設定連結有效時間,預設是 3600 秒,BUBU 是修改成 180 秒
$token_lifetime = "180";
# Reset URL (mandatory)
# 此參數是修改站台連線位置
$reset_url = "https://ssp.xxx.com/";
# If inside a virtual host
#$reset_url = ($_SERVER['HTTPS'] ? "https" : "http") . "://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
# If behind a reverse proxy with a virtual host
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
## Mail
# LDAP mail attribute
$mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
# 此參數是直接用 ldap 所提供的電子信箱來發送信件給當使用者
$mail_address_use_ldap = true;
# Who the email should come from
# 寄件者信箱
$mail_from = "[email protected]";
# 寄件者名稱
$mail_from_name = "自助重設密碼";
# 信箱內容
$mail_signature = "本郵件是透過自助重設密碼服務發送的,此連結有效時間為五分鐘,重置密碼有問題請洽系統管理員處理。";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
# 設定 smtp 位置
$mail_smtp_host = 'smtp.xxx.xxx.com';
# 設定需登入
$mail_smtp_auth = true;
# 登入的帳號
$mail_smtp_user = '[email protected]';
# 登入的密碼
$mail_smtp_pass = 'password';
$mail_smtp_port = 587;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
- 停用 簡訊 及 問題 功能
# 停用 問題
$use_questions = false;
# 停用 簡訊
$use_sms = false;
- 選用功能
# 啟用 防機器人圖形驗證碼
## Captcha
$use_captcha = true;
# 修改語系
# Default language
$lang = "zh-TW";
補充說明
- 系統畫面
- 系統郵件畫面
- 收到電件畫面
