259
227
1Panel docker容器版-1分钟部署Self Service Password域账号自助服务台
2024-01-09 19:53:29
2点赞
19收藏
0评论
lr5z4da7.png注意:
1、docker版主要目的是快速部署连接域控实现域账号改密,太详细的配置请查看过往安装版。
2、本教程使用1Panel安装更简单
一、前提条件
按过往安装版教程为域控服务器开启AD域证书服务,但不需要导出证书,Self Service Password这边我们会配置忽略证书
二、快速部署
1、新建存储卷
self-service-password 存放Self Service Password配置文件
self-service-password-ldap 存放openldap配置文件
lr5ymh33.png2、拉取镜像
ltbproject/self-service-password:latest
lr5yimfj.png3、创建容器
名称、镜像
暴露端口:我把主机的12345映射到容器的80端口
网络:桥接网卡即可,1panel-network也是桥接网卡
挂载卷:
self-service-password 挂载容器 /var/www/conf/ 目录
self-service-password-ldap 挂载容器 /etc/ldap/ 目录
创建即可
lr5ymvbj.png
lr5yoiu9.png4、容器运行
点击端口12345可跳转Self Service Password首页
lr5yqoin.png三、对接域控
修改挂载卷文件
lr5ysp2t.pngself-service-password卷 config.inc.php文件
连接域控关键配置
# LDAP
$ldap_url = "ldaps://10.0.0.2:636"; //域IP地址,必须是LDAPS协议
$ldap_starttls = false;
$ldap_binddn = "CN=admin,CN=Users,DC=test,DC=com"; //域控管理员账号
$ldap_bindpw = 'adminpaword'; //密码
// for GSSAPI authentication, comment out ldap_bind* and uncomment ldap_krb5ccname lines
//$ldap_krb5ccname = "/path/to/krb5cc";
$ldap_base = "dc=test,dc=com";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; //连接域控用这个
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;
$ad_mode = true; //域控模式
# Force account unlock when password is changed
$ad_options['force_unlock'] = true; //打开
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true; //打开
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager"; //管理员修改密码
# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "tntsec"; //这个随便改,不是默认就行
self-service-password-ldap卷 ldap.conf文件
此参数用来忽略windows域控的证书验证
TLS_REQCERT allow
四、改密测试
修改test11用户的密码
lr5z16jk.png
修改成功
lr5z1pxq.png五、小结
1Panel面板管理容器真的太方便了!
