Deploying the LDAP self-service password tool (self-service-password) with Docker

巩衡
2023-12-01

Environment with internet access

  • Use the ready-made Docker image

Create the data directories

mkdir -pv /data/openldap/self-service-password/{htdocs,logs}
mkdir /data/docker-compose/openldap/ssp/

docker-compose file

cat > /data/docker-compose/openldap/ssp/docker-compose.yml << EOF
version: "3"
services:
  self-service-password:
    container_name: self-service-password
    image: tiredofit/self-service-password:latest
    restart: always
    ports:
      - 8096:80
    environment:
      - LDAP_SERVER=ldap://192.168.2.101:389
      - LDAP_BINDDN=cn=admin,dc=git,dc=com,dc=cn
      - LDAP_BINDPASS=G1T@Ldap
      - LDAP_BASE_SEARCH=ou=People,dc=git,dc=com,dc=cn
      - MAIL_FROM=xxxxxx@sina.com
      - SMTP_DEBUG=0
      - SMTP_HOST=smtp.sina.com
      - SMTP_USER=xxxxxx@sina.com
      - SMTP_PASS=xxxxxx
      - SMTP_PORT=465
      - SMTP_SECURE_TYPE=ssl
      - SMTP_AUTH_ON=true
    volumes:
      - /etc/localtime:/etc/localtime
      - /data/openldap/self-service-password/htdocs:/www/ssp
      - /data/openldap/self-service-password/logs:/www/logs
    networks:
      - openldap
    deploy:
      resources:
        limits:
           memory: 2G
        reservations:
           memory: 512M
EOF

Start self-service-password

cd /data/docker-compose/openldap/ssp/ && docker-compose up -d

  • deploy.resources is only honoured by docker stack deploy (Swarm mode); plain docker-compose up ignores the memory limits unless it is run with --compatibility
  • LDAP_SERVER is plain ldap:// and LDAP_BINDDN is the directory administrator, with its password in an environment variable; outside a trusted management network use ldaps:// (or StartTLS) and a dedicated bind account limited to what SSP needs (search the user subtree, write userPassword)
  • the container serves plain HTTP on port 8096; put a TLS-terminating reverse proxy in front before users type passwords into it

Internal network environment (no internet access)

  • The Docker image above is very convenient, but it cannot be started on an internal network without internet access, so build a custom image instead

Create the data directories

mkdir -pv /data/openldap/self-service-password/conf
chmod -R o+x /data/openldap/self-service-password/conf
mkdir -pv /data/docker-compose/openldap/ssp/

Build the Docker image

Download the package

https://ltb-project.org/download

Download the rpm package and place it in the same directory as the Dockerfile

Dockerfile

# The build itself needs internet access: the rpm -Uvh lines and yum pull from
# mirror.webtatic.com and EPEL. Build on a connected host, then carry the
# finished image into the internal network (docker save / docker load).
FROM centos:7
RUN rpm -Uvh https://mirror.webtatic.com/yum/el7/epel-release.rpm && \
    rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm && \
    yum clean all &&  yum makecache
# PHP 7.0 from webtatic with the ldap/mbstring/mcrypt extensions and Smarty that
# SSP 1.4 uses. --nogpgcheck turns off RPM signature verification for the whole
# transaction; the release rpms above import the repository keys, so keep it
# only if a specific package genuinely fails the signature check.
RUN yum install -y httpd php70w.x86_64 php70w-cli.x86_64 php70w-common.x86_64 php70w-gd.x86_64 \
                   php70w-ldap.x86_64 php70w-mbstring.x86_64 php70w-mcrypt.x86_64 \
                   php70w-mysql.x86_64 php70w-pdo.x86_64 php-Smarty --nogpgcheck

# The rpm downloaded from ltb-project.org, placed next to this Dockerfile
COPY self-service-password-1.4.3-1.el7.noarch.rpm /home/
RUN yum localinstall -y /home/self-service-password-1.4.3-1.el7.noarch.rpm
# Apache vhost from the next section (default ssp config with ServerName localhost)
ADD self-service-password.conf /etc/httpd/conf.d/

# httpd runs as root in this image; the compose file below also sets user: root
USER root
WORKDIR /usr/share/self-service-password
# conf/ lives under this path and is bind-mounted from the host by the compose file
VOLUME /usr/share/self-service-password
EXPOSE 80

ENTRYPOINT ["/usr/sbin/httpd"]
CMD ["-D","FOREGROUND"]

httpd config file

  • This is just the default ssp vhost config with the ServerName changed to localhost

self-service-password.conf

<VirtualHost *:80>
        ServerName localhost

        DocumentRoot /usr/share/self-service-password/htdocs
        DirectoryIndex index.php

        AddDefaultCharset UTF-8

        <Directory /usr/share/self-service-password/htdocs>
            AllowOverride None
            <IfVersion >= 2.3>
                Require all granted
            </IfVersion>
            <IfVersion < 2.3>
                Order Deny,Allow
                Allow from all
            </IfVersion>
        </Directory>

        Alias /rest /usr/share/self-service-password/rest

        <Directory /usr/share/self-service-password/rest>
            AllowOverride None
            <IfVersion >= 2.3>
                Require all denied
            </IfVersion>
            <IfVersion < 2.3>
                Order Deny,Allow
                Deny from all
            </IfVersion>
        </Directory>

        LogLevel warn
        ErrorLog /var/log/httpd/ssp_error_log
        CustomLog /var/log/httpd/ssp_access_log combined
</VirtualHost>

Build the image

docker build -t self-service-password-offline:v1.0 .

docker-compose file

cat > /data/docker-compose/openldap/ssp/docker-compose.yml << EOF
version: "3"
services:
  ssp:
    container_name: ssp
    image: self-service-password-offline:v1.0
    restart: always
    user: root
    ports:
      - 8096:80
    volumes:
      - /etc/localtime:/etc/localtime
      - /data/openldap/self-service-password/conf:/usr/share/self-service-password/conf
    deploy:
      resources:
        limits:
           memory: 2G
        reservations:
           memory: 256M
EOF

Start self-service-password

cd /data/docker-compose/openldap/ssp/ && docker-compose up -d

ssp application config file

  • The config file can be extracted from the tarball on the official download page, or you can start the container once without mounting the conf directory, let it create the default file inside the container, and copy that out

Change it to suit your environment
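The Dockerfile above fetches from mirror.webtatic.com and EPEL, so it is built on a host with internet access and the finished image is carried into the internal network. The script below is an added example, not part of the original post or the LTB project: it does that transfer with a SHA-256 check on the tarball, and pulls the packaged default config.inc.php out of the image the way the bullet above describes, by running the image once with cat as the entrypoint instead of httpd. It assumes the image tag from the build step, GNU coreutils sha256sum, and the config path /usr/share/self-service-password/conf/config.inc.php that the compose file mounts.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: image tag from the build step above, GNU sha256sum, and the
# config path that the compose file bind-mounts.
IMAGE=${IMAGE:-self-service-password-offline:v1.0}
SSP_CONF=/usr/share/self-service-password/conf/config.inc.php

# Write <tar>.sha256 next to the tarball. The digest is recorded with a bare
# file name so the check works from whatever directory the tarball lands in.
record_digest() {  # record_digest /path/ssp.tar
    (cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256")
}

# Returns 0 only if the tarball still matches the recorded digest.
verify_digest() {  # verify_digest /path/ssp.tar
    (cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256")
}

# Build host (internet access): image -> tarball plus digest to carry across.
ssp_export() {  # ssp_export /path/ssp.tar
    docker save -o "$1" "$IMAGE" && record_digest "$1"
}

# Internal host: refuse to load anything whose digest does not match.
ssp_import() {  # ssp_import /path/ssp.tar
    if ! verify_digest "$1"; then
        echo "refusing to load $1: SHA-256 mismatch" >&2
        return 1
    fi
    docker load -i "$1"
}

# Copy the packaged default config.inc.php out of the image without starting
# httpd: the ENTRYPOINT is overridden with cat for this one-off container.
ssp_extract_default_conf() {  # ssp_extract_default_conf /data/openldap/self-service-password/conf
    mkdir -p "$1"
    docker run --rm --entrypoint cat "$IMAGE" "$SSP_CONF" > "$1/config.inc.php"
}

# Usage:
#   build host:    ssp_export /tmp/ssp.tar     # carry ssp.tar and ssp.tar.sha256 inside
#   internal host: ssp_import /tmp/ssp.tar && ssp_extract_default_conf /data/openldap/self-service-password/conf
```

Once the default file is in /data/openldap/self-service-password/conf, the compose file's bind mount picks it up on the next docker-compose up.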

/data/openldap/self-service-password/conf/config.inc.php

The important settings (the LDAP bind password, SMTP credentials and keyphrase shown here are sample values and must be replaced with your own):

<?php
$debug = false;

# LDAP
$ldap_url = "ldap://192.168.2.101:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=git,dc=com,dc=cn";
$ldap_bindpw = 'G1T@Ldap';
$ldap_base = "ou=People,dc=git,dc=com,dc=cn";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = false;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = false;


# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "auto";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = true;
# Who the email should come from
$mail_from = "xxxxxxx@sina.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'smtp.sina.com';
$mail_smtp_auth = true;
$mail_smtp_user = 'xxxxxxxx@sina.com';
$mail_smtp_pass = 'xxxxxxxmailpasswdxxxxxx';
$mail_smtp_port = 465;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'ssl';
$mail_smtp_autotls = false;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;

# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "selfservicepassword-change";
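Three settings in the config above deserve a check before users touch this: $ldap_url is plain ldap:// with $ldap_starttls off, so the bind password and every new user password cross the network in cleartext; the bind DN is the directory administrator rather than a service account; and $keyphrase is a short readable string even though the comment right above it asks for something long and random (it is what encrypts the reset tokens sent by mail, so a guessable keyphrase lets anyone mint their own). The script below is an added example, not from the original post or the LTB project: it reads those values out of a config.inc.php, reports the weak ones, and replaces the keyphrase with 48 random alphanumerics. The three checks are my own, not SSP's; write_sample_config writes a constructed copy of the page's values so the whole thing runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post or the LTB project.
# Reads settings from config.inc.php, flags weak ones, and sets a random keyphrase.

# cfg_get FILE NAME -> value of "$NAME = ...;" with the surrounding quotes stripped
cfg_get() {
    sed -n "s/^\\\$$2 *= *['\"]\\{0,1\\}\\([^'\";]*\\)['\"]\\{0,1\\} *;.*/\\1/p" "$1" | head -n 1
}

# audit_ssp_config FILE: one WEAK line per finding; returns 1 if any, 0 if clean
audit_ssp_config() {
    findings=0
    url=$(cfg_get "$1" ldap_url)
    starttls=$(cfg_get "$1" ldap_starttls)
    binddn=$(cfg_get "$1" ldap_binddn)
    keyphrase=$(cfg_get "$1" keyphrase)
    debug=$(cfg_get "$1" debug)

    # cleartext LDAP: ldap:// without StartTLS (ldaps:// does not match this pattern)
    case "$url" in
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "WEAK: ldap_url is ldap:// and ldap_starttls is off; bind password and new user passwords travel in cleartext. Use ldaps:// or set \$ldap_starttls = true."
                findings=$((findings + 1))
            fi ;;
    esac
    # least privilege: SSP needs to search the user subtree and write userPassword, not cn=admin
    case "$binddn" in
        cn=admin,*)
            echo "WEAK: ldap_binddn is the directory administrator; use a dedicated bind account whose ACL is limited to SSP's needs under \$ldap_base."
            findings=$((findings + 1)) ;;
    esac
    # keyphrase encrypts the reset tokens; short or known sample values are guessable
    # ("secret" is the value upstream's sample config.inc.php ships with)
    if [ "${#keyphrase}" -lt 32 ] || [ "$keyphrase" = "secret" ] || [ "$keyphrase" = "selfservicepassword-change" ]; then
        echo "WEAK: keyphrase is short or a known sample value; it protects the reset tokens, so replace it with something long and random."
        findings=$((findings + 1))
    fi
    if [ "$debug" = "true" ]; then
        echo "WEAK: debug is enabled; leave it off outside troubleshooting."
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# gen_keyphrase [LENGTH] -> random alphanumerics from /dev/urandom (default 48)
gen_keyphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-48}"
}

# set_keyphrase FILE [PHRASE]: rewrite the $keyphrase line, print the new value.
# PHRASE must not contain | & or \ (they are special in the sed replacement).
set_keyphrase() {
    new=${2:-$(gen_keyphrase 48)}
    sed "s|^\\(\\\$keyphrase *= *\\).*|\\1\"$new\";|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    printf '%s\n' "$new"
}

# write_sample_config DIR: constructed copy of the values shown above, for offline runs
write_sample_config() {
    cat > "$1/config.inc.php" <<'EOF'
<?php
$debug = false;
$ldap_url = "ldap://192.168.2.101:389";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=git,dc=com,dc=cn";
$ldap_bindpw = 'G1T@Ldap';
$ldap_base = "ou=People,dc=git,dc=com,dc=cn";
$use_tokens = true;
$crypt_tokens = true;
$keyphrase = "selfservicepassword-change";
EOF
}

# Usage on the real file:
#   audit_ssp_config /data/openldap/self-service-password/conf/config.inc.php
#   set_keyphrase    /data/openldap/self-service-password/conf/config.inc.php
```

Run audit_ssp_config after every edit of config.inc.php; the LDAP and bind-DN findings need changes on the directory side (a TLS listener or StartTLS, and a dedicated bind entry with an ACL), while set_keyphrase fixes the keyphrase in place. Changing the keyphrase invalidates every reset token already sent, as the config comment notes.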