LTB Self Service Password

From Newroco Tech Docs
Revision as of 14:07, 25 June 2020 by Cristian.todosi (talk | contribs) (→‎Show policy)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search


  • Apache
  • PHP(5 or higher)

Install LTB Self Service Password

Configure the repository:

vi /etc/apt/sources.list.d/ltb-project.list

And write this inside the file:

deb [arch=amd64] jessie main

Import repository key:

wget -O - | sudo apt-key add -

Update apt-get:

apt-get update

Install LTB Self Service Password:

apt-get install self-service-password php-mbstring

Configure LTB Self Service Password

Apache Configuration

Edit self-service-password.conf

vi /etc/apache2/sites-available/self-service-password.conf

It should look something like this:

<VirtualHost *:80>
        DocumentRoot /usr/share/self-service-password
        DirectoryIndex index.php
        AddDefaultCharset UTF-8
        LogLevel warn
        ErrorLog /var/log/apache2/ssp_error.log
        CustomLog /var/log/apache2/ssp_access.log combined

And enable the site:

a2ensite self-service-password

LDAP Connection

Before configuring the LDAP connection create an account for the LTB Self Service Password to use for changing the passwords and add it to the "Account Operators" group:

samba-tool user create ssp.user
samba-tool user setexpiry ssp.user --noexpiry
samba-tool group addmembers "Account Operators" ssp.user

Edit the LTB Self Service Password configuration file

vi /usr/share/self-service-password/conf/

Modify the following fields:

$ldap_url = "ldap://localhost:389";
$ldap_starttls = false;
$ldap_binddn = "cn=ssp.user,cn=Users,dc=SAMBAAD,dc=LOCAL";
$ldap_bindpw = "<ssp.user password>";
$ldap_base = "dc=SAMBAAD,dc=LOCAL";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ad_mode = true;
$samba_mode = true;
$who_change_password = "manager";
$keyphrase = "secret";  ###the value needs to be changed to a long and hard to guess string

Reset by question

Edit the following lines in /usr/share/self-service-password/conf/ file:

$use_questions = true;
$answer_objectClass = "user";
$answer_attribute = "comment";

Setting a question for a user is available on the website.

Reset by email token

First make that the server is able to send emails. Modify the /usr/share/self-service-password/conf/ file:

$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";
$mail_attribute = "mail";
$mail_from = "<username>";
$mail_from_name = "Self Service Password";
$notify_on_change = false;
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtps';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'localhost';
$mail_smtp_auth = false;
$mail_smtp_user = '';
$mail_smtp_pass = '';
$mail_smtp_port = 587;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_contenttype = 'text/plain';
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

To set an email for a samba user follow the steps from here:

Additional information

For more information about installing and configuring the LTB Self Service Password visit the following link:

Other features for the future


   Reset by SMS (trough external Email 2 SMS service)

For more information visit the following link:

Show policy

Password policy can be displayed to user by configuring $pwd_show_policy. Three values are accepted:

   *     always: policy is always displayed
   *     never: policy is never displayed
   *     onerror: policy is only displayed if password is rejected because of it, and the user provided his old password correctly.