Self Service Password 密码策略
程序员文章站
2024-01-21 14:54:58
1.在活动目录中新建一个用户,并赋予域管理员权限;2.拷贝conf目录下的config.inc.php为config.inc.local.php;3.按自己的实际情况及要求修改config.inc.local.php文件中的相关参数,说明如下: ......
1.在活动目录中新建一个用户,并赋予域管理员权限;
2.拷贝conf目录下的config.inc.php为config.inc.local.php;
3.按自己的实际情况及要求修改config.inc.local.php文件中的相关参数,说明如下:
<?php
#==============================================================================
# ltb self service password
#
# copyright (c) 2009 clement oudot
# copyright (c) 2009 ltb-project.org
#
# this program is free software; you can redistribute it and/or
# modify it under the terms of the gnu general public license
# as published by the free software foundation; either version 2
# of the license, or (at your option) any later version.
#
# this program is distributed in the hope that it will be useful,
# but without any warranty; without even the implied warranty of
# merchantability or fitness for a particular purpose. see the
# gnu general public license for more details.
#
# gpl license: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================
#==============================================================================
# all the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================
#==============================================================================
# configuration
#==============================================================================
# debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = false; //调试模式
# ldap
$ldap_url = "ldaps://dc.xxxx.cn"; //ldap服务器地址
$ldap_starttls = false; ////ldap服务器是否支持tls
$ldap_binddn = "cn=xxx,cn=users,dc=xxxx,dc=cn"; //连接ldap服务器的账户dn
$ldap_bindpw = "xxxxxx"; //连接ldap服务器的账户dn的密码
$ldap_base = "ou=1-xxxx,dc=xxxx,dc=cn"; //检索ou的路径
$ldap_login_attribute = "samaccountname"; //ldap用户名字段
$ldap_fullname_attribute = "cn"; //ldap用户全名字段
$ldap_filter = "(&(objectclass=user)(samaccountname={login})(samaccounttype=805306368)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))"; //过滤ldap用户规则
# active directory mode
# true: use unicodepwd as password field
# false: ldapv3 standard behavior
$ad_mode = true; //是否启用active directory模式
# force account unlock when password is changed
$ad_options['force_unlock'] = true; //强制解锁:当密码更改将解锁锁定帐户
# force user change password at next login
$ad_options['force_pwd_change'] = false; //强制用户在下次登录时更改密码
# allow user with expired password to change password
$ad_options['change_expired_password'] = true; //允许用户更改密码,如果密码过期
# samba mode
# true: update sambantpassword and sambapwdlastset attributes too
# false: just update the password
$samba_mode = false; //是否启用samba模式
# set password min/max age in samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;
# shadow options - require shadowaccount objectclass
# update shadowlastchange
$shadow_options['update_shadowlastchange'] = false;
$shadow_options['update_shadowexpire'] = false;
# default to -1, never expire
$shadow_options['shadow_expire_days'] = -1;
# hash mechanism for password:
# ssha, ssha256, ssha384, ssha512
# sha, sha256, sha384, sha512
# smd5
# md5
# crypt
# clear (the default)
# auto (will check the hash of current password)
# this option is not used with ad_mode = true
$hash = "clear"; //启用密码加密算法,此选项在active directory模式下被忽略。
# prefix to use for salt with crypt
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";
# local password policy
# this is applied before directory password policy
# minimal length
$pwd_min_length = 6; //定义最短密码位数
# maximal length
$pwd_max_length = 14; //定义最长密码位数
# minimal lower characters
$pwd_min_lower = 0; //定义密码应包含多少位小写字母
# minimal upper characters
$pwd_min_upper = 0; //定义密码应包含多少位大写字母
# minimal digit characters
$pwd_min_digit = 0; //定义密码应包含多少位数字
# minimal special characters
$pwd_min_special = 0; //定义密码应包含多少位特殊字符
# definition of special characters
$pwd_special_chars = "^a-za-z0-9"; //定义密码正则表达式
# forbidden characters
#$pwd_forbidden_chars = "@%"; //定义密码禁止的特殊字符
# don't reuse the same password as currently
$pwd_no_reuse = true; //是否禁止使用重复密码
# check that password is different than login
$pwd_diff_login = true; //检查密码是否与登录密码不同
# complexity: number of different class of character required
$pwd_complexity = 3; //定义密码应包含多少种组合
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false; //检查密码是否已在https://haveibeenpwned.com数据库中泄露
# show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always"; //是否显示密码更改策略
# position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above"; //定义密码更改策略显示位置
# who changes the password?
# also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager"; //定义使用什么账户来修改密码,如选用manager请确保binddn用户有修改用户密码的权限(建议域管理员身份)
## standard change
# use standard change form?
$use_change = true; //启用密码更改功能
## ssh key change
# allow changing of sshpublickey?
$change_sshkey = false;
# what attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshpublickey";
# who changes the sshpublickey attribute?
# also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "user";
# notify users anytime their sshpublickey is changed
## requires mail configuration below
$notify_on_sshkey_change = false;
## questions/answers
# use questions/answers?
# true (default)
# false
$use_questions = true; //启用问题答案修改密码功能
# answer attribute should be hidden to users!
$answer_objectclass = "user"; //如果$answer_attribute属性不是在标准用户对象类,配置对象类与此属性的使用方法,在active directory中,extensibleobject的是不知道。您可以使用user,
$answer_attribute = "info"; //ldap用户存储问题密码字段,属性名称必须是小写
# crypt answers inside the directory
$crypt_answers = false; //是否加密问题答案
# extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "what is your favorite ice cream flavor?";
$messages['questions']['q3'] = "你少年时代最好的朋友叫什么名字?"; //额外的问题
$messages['questions']['q4'] = "你的第一个宠物叫什么名字?";
$messages['questions']['q5'] = "你第一次坐飞机是去哪里?";
$messages['questions']['q6'] = "你的理想工作是什么?";
$messages['questions']['q7'] = "你拥有的第一辆车是什么型号?";
$messages['questions']['q8'] = "你童年时代的绰号是什么?";
$messages['questions']['q9'] = "你的第一个上司叫什么名字?";
$messages['questions']['q10'] = "您最喜欢哪个球队?";
## token
# use tokens?
# true (default)
# false
$use_tokens = true; //启用邮件修改密码功能
# crypt tokens?
# true (default)
# false
$crypt_tokens = true; //是否保持会话标识符,就是令牌生命周期
# token lifetime in seconds
$token_lifetime = "3600"; //保持会话标识符时长(秒)
## mail
# ldap mail attribute
$mail_attribute = "wwwhomepage"; //ldap用户存储邮箱地址字段
# get mail address directly from ldap (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false; //是否直接从ldap获取邮件地址并隐藏邮件输入字段
# who the email should come from
$mail_from = "service@xxxx.cn"; //定义邮件发件人地址
$mail_from_name = "service"; //定义邮件发件人名称
$mail_signature = ""; //定义邮件发件人签名
# notify users anytime their password is changed
$notify_on_change = true; //定义更改密码时是否通知用户
# phpmailer configuration (see https://github.com/phpmailer/phpmailer) //设置phpmailer的所有参数
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'mail.xxxx.cn';
$mail_smtp_auth = true;
$mail_smtp_user = 'service@xxxx.cn';
$mail_smtp_pass = 'xxxxxx';
$mail_smtp_port = 587;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = php_eol;
## sms
# use sms
$use_sms = true; //启用短信修改密码功能
# sms method (mail, api)
$sms_method = "api"; //定义使用哪种方法发送短信
$sms_api_lib = "lib/smsapi.inc.php"; //api脚本配置
# gsm number attribute
$sms_attribute = "mobile"; //ldap用户存储手机号码字段
# partially hide number
$sms_partially_hide_number = true; //页面是否部分隐藏号码
# send sms mail to address
$smsmailto = "{sms_attribute}@service.provider.com"; //定义使用mail方法发送短信时发送短信到的邮件地址
# subject when sending email to smtp to sms provider
$smsmail_subject = "provider code"; //定义向smtp提供商发送电子邮件时的主题
# message
$sms_message = "{smsresetmessage} {smstoken}"; //定义消息模板
# remove non digit characters from gsm number
$sms_sanitize_number = false; //从手机号码中删除非数字字符
# truncate gsm number
$sms_truncate_number = false; //是否截断手机号码
$sms_truncate_number_length = 10;
# sms token length
$sms_token_length = 6; //短信验证码长度
# max attempts allowed for sms token
$max_attempts = 3; //单个短信验证码重试次数
# encryption, decryption keyphrase, required if $crypt_tokens = true
# please change it to anything long, random and complicated, you do not have to remember it
# changing it will also invalidate all previous tokens and sms codes
$keyphrase = "xxxxxx"; //密钥短语,如果$crypt_tokens = true则需要更改为任何内容,不必记住它,更改它也会使所有以前的令牌和短信代码无效。
# reset url (if behind a reverse proxy)
#$reset_url = $_server['http_x_forwarded_proto'] . "://" . $_server['http_x_forwarded_host'] . $_server['script_name']; //默认情况下,重置密码url使用服务器名称和端口计算的,但如果应用背后是一个反向代理,这些值可能是错误的。在这种情况下,你可以自己设置网址
# display help messages
$show_help = true; //是否显示帮助信息
# default language
$lang = "zh-cn"; //默认显示语言
# list of authorized languages. if empty, all language are allowed.
# if not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array(); //定义授权语言列表。 如果为空,则允许使用所有语言。
# display menu on top
$show_menu = true; //是否显示导航栏
# logo
$logo = "images/logo.png"; //logo地址
# background image
$background_image = "images/unsplash-lanse.jpg"; //背景图调用
# where to log password resets - make sure apache has write permission
# by default, they are logged in apache log
$reset_request_log = "logs/self.log"; //定义日志存放路径,默认生成的url记录在apache日志中。
# invalid characters in login
# set at least "*()&|" to prevent ldap injection
# if empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|"; //登录保护,以避免ldap注射。某些字符是被禁止的
## captcha //以下为谷歌captcha验证码调用配置
# use google recaptcha (http://www.google.com/recaptcha)
$use_recaptcha = false;
# go on the site to get public and private key
$recaptcha_publickey = "";
$recaptcha_privatekey = "";
# customization (see https://developers.google.com/recaptcha/docs/display)
$recaptcha_theme = "light";
$recaptcha_type = "image";
$recaptcha_size = "normal";
# recaptcha request method, null for default, fully qualified class name to override
# useful when allow_url_fopen=0 ex. $recaptcha_request_method = '\recaptcha\requestmethod\curlpost';
$recaptcha_request_method = null;
## default action
# change
# sendtoken
# sendsms
$default_action = "change"; //配置默认页面
## extra messages //编辑消息模板
# they can also be defined in lang/ files
#$messages['passwordchangedextramessage'] = null;
$messages['changehelpextramessage'] = ">>帐户被锁定请使用导航栏中的其他方式解锁账户并重置密码。<br />回答问题重置密码:请确认您已自行设置答案。<br />通过邮件发送链接:请确认您已联系管理员设置邮箱。<br />通过短信重置密码:请确认您已联系管理员设置手机号码。";
# launch a posthook script after successful password change
#$posthook = "/usr/share/self-service-password/posthook.sh"; //密码更改成功后启动posthook脚本
#$display_posthook_error = true;
# hide some messages to not disclose sensitive information
# these messages will be replaced by badcredentials error
$obscure_failure_messages = array("mailnomatch"); //让一些错误不显示