1.在活動目錄中新建一個用戶,並賦予域管理員權限;
2.拷貝conf目錄下的config.inc.php為config.inc.local.php;
3.按自己的實際情況及要求修改config.inc.local.php文件中的相關參數,說明如下:
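<?php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#
# This copy is tuned for an Active Directory deployment ($ad_mode = true)
# in which the bind account resets passwords on behalf of users
# ($who_change_password = "manager"). The file is nothing but assignments
# read by the application; it defines no functions.
#
# Secrets ($ldap_bindpw, $mail_smtp_pass, $keyphrase) live here in clear
# text: keep the file readable by the web server user only and never
# publish it with real values filled in.
#==============================================================================

#==============================================================================
# Configuration
#==============================================================================

# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = false;

# LDAP
# An ldaps:// URL already encrypts the session, so STARTTLS stays disabled.
$ldap_url = "LDAPS://dc.xxxx.cn";
$ldap_starttls = false;
# Account used to bind to the directory and, because passwords are changed
# as "manager" below, to reset user passwords. It only needs the
# "Reset password" right delegated on $ldap_base; Domain Admins membership
# is far more privilege than this role requires.
$ldap_binddn = "CN=xxx,CN=Users,DC=xxxx,DC=cn";
$ldap_bindpw = "xxxxxx";
# Base DN under which users are searched
$ldap_base = "OU=1-XXXX,DC=xxxx,DC=cn";
# Attribute holding the login name
$ldap_login_attribute = "sAMAccountName";
# Attribute holding the user's display name
$ldap_fullname_attribute = "cn";
# User lookup filter: {login} is substituted by the application.
# sAMAccountType 805306368 selects normal user accounts, and the
# 1.2.840.113556.1.4.803 (bit-AND) rule on userAccountControl excludes
# disabled accounts (bit 2).
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = true;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;

# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;
# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;

# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = false;
$shadow_options['update_shadowExpire'] = false;
# Default to -1, never expire
$shadow_options['shadow_expire_days'] = -1;

# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";
# Prefix to use for salt with CRYPT ($6$ selects SHA-512 crypt)
$hash_options['crypt_salt_prefix'] = '$6$';
$hash_options['crypt_salt_length'] = 6;

# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 6;
# Maximal length
$pwd_max_length = 14;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 0;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters (character-class body used in a regex)
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 3;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
# (only a hash prefix leaves the server; see https://haveibeenpwned.com)
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "always";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";

# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
# With "manager", make sure the bind account has password-reset rights on
# the users under $ldap_base (a delegated right is enough).
$who_change_password = "manager";

## Standard change
# Use standard change form?
$use_change = true;

## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;
# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";
# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "user";
# Notify users anytime their sshPublicKey is changed
## Requires mail configuration below
$notify_on_sshkey_change = false;

## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = true;
# Answer attribute should be hidden to users!
# If $answer_attribute is not part of the standard user object class, set the
# object class that carries it here. Active Directory does not know
# extensibleObject, so "user" is used.
$answer_objectClass = "user";
# LDAP attribute storing the question/answer data; the name must be lowercase.
# NOTE(review): with $crypt_answers = false the answers are written to "info"
# in clear text, and in a default AD ACL that attribute is typically readable
# by any authenticated domain user — confirm the ACL or enable $crypt_answers.
$answer_attribute = "info";
# Crypt answers inside the directory
$crypt_answers = false;
# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
$messages['questions']['Q3'] = "你少年時代最好的朋友叫什麼名字?";
$messages['questions']['Q4'] = "你的第一個寵物叫什麼名字?";
$messages['questions']['Q5'] = "你第一次坐飛機是去哪裡?";
$messages['questions']['Q6'] = "你的理想工作是什麼?";
$messages['questions']['Q7'] = "你擁有的第一輛車是什麼型號?";
$messages['questions']['Q8'] = "你童年時代的綽號是什麼?";
$messages['questions']['Q9'] = "你的第一個上司叫什麼名字?";
$messages['questions']['Q10'] = "您最喜歡哪個球隊?";

## Token
# Use tokens?
# true (default)
# false
$use_tokens = true;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = 3600;

## Mail
# LDAP mail attribute
# NOTE(review): wWWHomePage is an attribute AD users can usually edit on their
# own object (Web-Information property set), so anyone who can write it can
# redirect that account's reset mail — confirm this is intended, otherwise
# use an attribute only administrators can change, such as "mail".
$mail_attribute = "wWWHomePage";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
# NOTE(review): the sender below looks like a redacted placeholder; set a real address.
$mail_from = "[email protected]";
$mail_from_name = "Service";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = true;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'mail.xxxx.cn';
$mail_smtp_auth = true;
$mail_smtp_user = '[email protected]';
$mail_smtp_pass = 'xxxxxx';
$mail_smtp_port = 587;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
# STARTTLS on port 587; autotls upgrades the session when the server offers it
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

## SMS
# Use sms
$use_sms = true;
# SMS method (mail, api)
$sms_method = "api";
# Script implementing the API method
$sms_api_lib = "lib/smsapi.inc.php";
# GSM number attribute
# NOTE(review): "mobile" is also commonly self-writable in AD (Personal-Information
# property set); the same redirect concern as $mail_attribute applies — confirm.
$sms_attribute = "mobile";
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address
$smsmailto = "{sms_attribute}@service.provider.com";
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} {smstoken}";
# Remove non digit characters from GSM number
$sms_sanitize_number = false;
# Truncate GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;
# Max attempts allowed for SMS token
$max_attempts = 3;

# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
# The value below is a placeholder and must be replaced before going live.
$keyphrase = "xxxxxx";

# Reset URL (if behind a reverse proxy)
# By default the reset URL is computed from the server name and port; behind a
# reverse proxy those values may be wrong, in which case set it yourself.
# X-Forwarded-* are request headers: only trust them when the proxy overwrites
# them, otherwise a client can supply its own host and poison the reset link.
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];

# Display help messages
$show_help = true;

# Default language
$lang = "zh-CN";
# List of authorized languages. If empty, all language are allowed.
# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = [];

# Display menu on top
$show_menu = true;

# Logo
$logo = "images/logo.png";

# Background image
$background_image = "images/unsplash-lanse.jpg";

# Where to log password resets - Make sure apache has write permission
# By default, they are logged in Apache log
# The path is relative to the application directory; make sure logs/ is not
# served by the web server.
$reset_request_log = "logs/self.log";

# Invalid characters in login
# Set at least "*()&|" to prevent LDAP injection
# If empty, only alphanumeric characters are accepted
# NOTE(review): backslash is an LDAP filter escape character as well;
# consider adding it here unless logins legitimately contain one.
$login_forbidden_chars = "*()&|";

## CAPTCHA
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
$use_recaptcha = false;
# Go on the site to get public and private key
$recaptcha_publickey = "";
$recaptcha_privatekey = "";
# Customization (see https://developers.google.com/recaptcha/docs/display)
$recaptcha_theme = "light";
$recaptcha_type = "image";
$recaptcha_size = "normal";
# reCAPTCHA request method, null for default, Fully Qualified Class Name to override
# Useful when allow_url_fopen=0 ex. $recaptcha_request_method = '\ReCaptcha\RequestMethod\CurlPost';
$recaptcha_request_method = null;

## Default action
# change
# sendtoken
# sendsms
$default_action = "change";

## Extra messages
# They can also be defined in lang/ files
#$messages['passwordchangedextramessage'] = NULL;
$messages['changehelpextramessage'] = ">>帳戶被鎖定請使用導航欄中的其他方式解鎖賬戶並重置密碼。<br />回答問題重置密碼:請確認您已自行設置答案。<br />通過郵件發送鏈接:請確認您已聯繫管理員設置郵箱。<br />通過簡訊重置密碼:請確認您已聯繫管理員設置手機號碼。";

# Launch a posthook script after successful password change
#$posthook = "/usr/share/self-service-password/posthook.sh";
#$display_posthook_error = true;

# Hide some messages to not disclose sensitive information
# These messages will be replaced by badcredentials error
$obscure_failure_messages = ['mailnomatch'];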