LTB Self Service Password

From Newroco tech docs

Prerequisites

  • Apache
  • PHP (5 or higher)
  • PHP LDAP
  • PHP MBSTRING
  • PHP MCRYPT
  • PHP XML

Install LTB Self Service Password

Configure the repository:

  vi /etc/apt/sources.list.d/ltb-project.list

And write this inside the file:

  deb [arch=amd64] http://ltb-project.org/debian/jessie jessie main

Import the repository key:

  wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -

Update the package lists:

  apt-get update

Install LTB Self Service Password:

  apt-get install self-service-password

Configure LTB Self Service Password

Apache Configuration

Edit self-service-password.conf:

  vi /etc/apache2/sites-available/self-service-password.conf

It should look something like this:

  <VirtualHost *:80>
      ServerName ssp.example.com

      DocumentRoot /usr/share/self-service-password
      DirectoryIndex index.php

      AddDefaultCharset UTF-8

      LogLevel warn
      ErrorLog /var/log/apache2/ssp_error.log
      CustomLog /var/log/apache2/ssp_access.log combined
  </VirtualHost>

And enable the site:

  a2ensite self-service-password

LDAP Connection

Before configuring the LDAP connection, create an account for LTB Self Service Password to use for changing passwords, and add it to the "Account Operators" group:

  samba-tool user add ssp.user
  samba-tool user setexpiry ssp.user --noexpiry
  samba-tool group addmembers "Account Operators" ssp.user

Edit the LTB Self Service Password configuration file:

  vi /usr/share/self-service-password/conf/config.inc.php

Modify the following fields:

  $ldap_url = "ldap://localhost:389";
  $ldap_starttls = false;
  $ldap_binddn = "cn=ssp.user,cn=Users,dc=SAMBAAD,dc=LOCAL";
  $ldap_bindpw = "<ssp.user password>";
  $ldap_base = "dc=SAMBAAD,dc=LOCAL";
  $ldap_login_attribute = "sAMAccountName";
  $ldap_fullname_attribute = "cn";
  $ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
  $ad_mode = true;
  $samba_mode = true;
  $who_change_password = "manager";
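
The following audit script is an added example, not part of the original page or of the LTB project. It checks the two transport settings shown above (the port-80 virtual host, and ldap:// with $ldap_starttls = false) and the permissions of config.inc.php, which holds $ldap_bindpw. The function names and the sample files written by demo() are constructed for illustration, and the checks are heuristics.

```shell
#!/usr/bin/env bash
# Added example: flags plaintext transport and a readable bind password in an
# SSP deployment. The checks are heuristics chosen for this page's settings.

# Print the value assigned to $NAME in a PHP config file (last assignment wins).
php_setting() {  # usage: php_setting FILE NAME
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"';]*\)[\"']\{0,1\};.*/\1/p" "$1" | tail -n 1
}

# Print one finding per line for the given config.inc.php and vhost file.
audit_ssp() {  # usage: audit_ssp CONFIG_FILE VHOST_FILE
    local cfg="$1" vhost="$2" url tls host
    url=$(php_setting "$cfg" ldap_url)
    tls=$(php_setting "$cfg" ldap_starttls)
    host=${url#*://}; host=${host%%[:/]*}
    case $url in
        ldap://*)
            # ldap:// without StartTLS is only tolerated towards the loopback interface.
            if [ "$tls" != "true" ]; then
                case $host in
                    localhost|127.0.0.1) ;;
                    *) echo "LDAP: $url without StartTLS sends the bind password and new passwords in clear text" ;;
                esac
            fi ;;
    esac
    # config.inc.php holds $ldap_bindpw, so it must not be world-readable.
    if [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "FILE: $cfg is world-readable and contains the bind password"
    fi
    # A port-80 vhost that never mentions https:// has no redirect to TLS.
    if grep -Eq '<VirtualHost[^>]*:80>' "$vhost" && ! grep -q 'https://' "$vhost"; then
        echo "HTTP: $vhost serves the password form on port 80 with no HTTPS redirect"
    fi
}

# Constructed sample input mirroring the settings shown on this page.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' '$ldap_url = "ldap://localhost:389";' '$ldap_starttls = false;' \
        '$ldap_bindpw = "placeholder";' > "$d/config.inc.php"
    printf '%s\n' '<VirtualHost *:80>' 'ServerName ssp.example.com' '</VirtualHost>' > "$d/ssp.conf"
    chmod 644 "$d/config.inc.php"
    audit_ssp "$d/config.inc.php" "$d/ssp.conf"
    rm -rf "$d"
}
demo
```

To audit a real installation, call audit_ssp with /usr/share/self-service-password/conf/config.inc.php and /etc/apache2/sites-available/self-service-password.conf as its two arguments.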

Reset by question

Edit the following lines in the /usr/share/self-service-password/conf/config.inc.php file:

  $use_questions = true;
  $answer_objectClass = "user";
  $answer_attribute = "comment";

Users can set their question on the website.

Reset by email token

First make sure that the server is able to send emails. Then modify the /usr/share/self-service-password/conf/config.inc.php file:

  $use_tokens = true;
  $crypt_tokens = true;
  $token_lifetime = "3600";
  $mail_attribute = "mail";
  $mail_from = "<username>@example.com";
  $mail_from_name = "Self Service Password";
  $notify_on_change = false;
  $mail_sendmailpath = '/usr/sbin/sendmail';
  $mail_protocol = 'smtps';
  $mail_smtp_debug = 0;
  $mail_debug_format = 'html';
  $mail_smtp_host = 'localhost';
  $mail_smtp_auth = false;
  $mail_smtp_user = '';
  $mail_smtp_pass = '';
  $mail_smtp_port = 587;
  $mail_smtp_timeout = 30;
  $mail_smtp_keepalive = false;
  $mail_smtp_secure = 'tls';
  $mail_contenttype = 'text/plain';
  $mail_charset = 'utf-8';
  $mail_priority = 3;
  $mail_newline = PHP_EOL;

To set an email address for a Samba user, follow the steps here: http://docswiki.newro.co/index.php/Samba#Setting_an_email_for_a_user

Additional information

For more information about installing and configuring LTB Self Service Password, visit the following link: http://ltb-project.org/wiki/documentation/self-service-password/latest/start

Other features for the future

Features:

   Reset by SMS (through an external Email 2 SMS service)

For more information, visit the following link: http://ltb-project.org/wiki/documentation/self-service-password