LTB Self Service Password
Prerequisites
- Apache
- PHP(5 or higher)
- PHP LDAP
- PHP MBSTRING
- PHP MCRYPT
- PHP XML
- Smarty3
Install LTB Self Service Password
Configure the repository:
vi /etc/apt/sources.list.d/ltb-project.list
And write this inside the file:
deb [arch=amd64] http://ltb-project.org/debian/jessie jessie main
Import repository key:
wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -
Update apt-get:
apt-get update
Install LTB Self Service Password:
apt-get install self-service-password php-mbstring
Configure LTB Self Service Password
Apache Configuration
Edit self-service-password.conf
vi /etc/apache2/sites-available/self-service-password.conf
It should look something like this:
<VirtualHost *:80> ServerName ssp.example.com DocumentRoot /usr/share/self-service-password DirectoryIndex index.php AddDefaultCharset UTF-8 LogLevel warn ErrorLog /var/log/apache2/ssp_error.log CustomLog /var/log/apache2/ssp_access.log combined </VirtualHost>
And enable the site:
a2ensite self-service-password
LDAP Connection
Before configuring the LDAP connection create an account for the LTB Self Service Password to use for changing the passwords and add it to the "Account Operators" group:
samba-tool user create ssp.user samba-tool user setexpiry ssp.user --noexpiry samba-tool group addmembers "Account Operators" ssp.user
Edit the LTB Self Service Password configuration file
vi /usr/share/self-service-password/conf/config.inc.php
Modify the following fields:
$ldap_url = "ldap://localhost:389"; $ldap_starttls = false; $ldap_binddn = "cn=ssp.user,cn=Users,dc=SAMBAAD,dc=LOCAL"; $ldap_bindpw = "<ssp.user password>"; $ldap_base = "dc=SAMBAAD,dc=LOCAL"; $ldap_login_attribute = "sAMAccountName"; $ldap_fullname_attribute = "cn"; $ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))"; $ad_mode = true; $samba_mode = true; $who_change_password = "manager"; $keyphrase = "secret"; ###the value needs to be changed to a long and hard to guess string
Reset by question
Edit the following lines in /usr/share/self-service-password/conf/config.inc.php file:
$use_questions = true; $answer_objectClass = "user"; $answer_attribute = "comment";
Setting a question for a user is available on the website.
Reset by email token
First make that the server is able to send emails. Modify the /usr/share/self-service-password/conf/config.inc.php file:
$use_tokens = true; $crypt_tokens = true; $token_lifetime = "3600"; $mail_attribute = "mail"; $mail_from = "<username>@example.com"; $mail_from_name = "Self Service Password"; $notify_on_change = false; $mail_sendmailpath = '/usr/sbin/sendmail'; $mail_protocol = 'smtps'; $mail_smtp_debug = 0; $mail_debug_format = 'html'; $mail_smtp_host = 'localhost'; $mail_smtp_auth = false; $mail_smtp_user = ''; $mail_smtp_pass = ''; $mail_smtp_port = 587; $mail_smtp_timeout = 30; $mail_smtp_keepalive = false; $mail_smtp_secure = 'tls'; $mail_contenttype = 'text/plain'; $mail_charset = 'utf-8'; $mail_priority = 3; $mail_newline = PHP_EOL;
To set an email for a samba user follow the steps from here: http://docswiki.newro.co/index.php/Samba#Setting_an_email_for_a_user
Additional information
For more information about installing and configuring the LTB Self Service Password visit the following link: http://ltb-project.org/wiki/documentation/self-service-password/latest/start
Other features for the future
Features:
Reset by SMS (trough external Email 2 SMS service)
For more information visit the following link: http://ltb-project.org/wiki/documentation/self-service-password
Show policy
Password policy can be displayed to user by configuring $pwd_show_policy. Three values are accepted:
* always: policy is always displayed * never: policy is never displayed * onerror: policy is only displayed if password is rejected because of it, and the user provided his old password correctly.