LTB Self Service Password

From Newroco Tech Docs
Revision as of 14:07, 25 June 2020 by Cristian.todosi

Prerequisites

  • Apache
  • PHP (5 or higher)
  • PHP LDAP
  • PHP MBSTRING
  • PHP MCRYPT
  • PHP XML

Install LTB Self Service Password

Configure the repository:

vi /etc/apt/sources.list.d/ltb-project.list

And write this inside the file:

deb [arch=amd64] http://ltb-project.org/debian/jessie jessie main

Import repository key:

wget -O - http://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project | sudo apt-key add -

Update apt-get:

apt-get update

Install LTB Self Service Password:

apt-get install self-service-password php-mbstring

Configure LTB Self Service Password

Apache Configuration

Edit self-service-password.conf

vi /etc/apache2/sites-available/self-service-password.conf

It should look something like this:

<VirtualHost *:80>
        ServerName ssp.example.com
 
        DocumentRoot /usr/share/self-service-password
        DirectoryIndex index.php
 
        AddDefaultCharset UTF-8
 
        LogLevel warn
        ErrorLog /var/log/apache2/ssp_error.log
        CustomLog /var/log/apache2/ssp_access.log combined
</VirtualHost>

And enable the site:

a2ensite self-service-password

LDAP Connection

Before configuring the LDAP connection, create an account that LTB Self Service Password will use to change passwords, and add it to the "Account Operators" group:

samba-tool user create ssp.user
samba-tool user setexpiry ssp.user --noexpiry
samba-tool group addmembers "Account Operators" ssp.user

Edit the LTB Self Service Password configuration file

vi /usr/share/self-service-password/conf/config.inc.php

Modify the following fields:

$ldap_url = "ldap://localhost:389";
$ldap_starttls = false;
$ldap_binddn = "cn=ssp.user,cn=Users,dc=SAMBAAD,dc=LOCAL";
$ldap_bindpw = "<ssp.user password>";
$ldap_base = "dc=SAMBAAD,dc=LOCAL";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ad_mode = true;
$samba_mode = true;
$who_change_password = "manager";
$keyphrase = "secret";  # the value needs to be changed to a long, hard-to-guess string

Reset by question

Edit the following lines in /usr/share/self-service-password/conf/config.inc.php file:

$use_questions = true;
$answer_objectClass = "user";
$answer_attribute = "comment";

Users set their own question and answer through the web interface.

Reset by email token

First make sure that the server is able to send emails. Then modify the /usr/share/self-service-password/conf/config.inc.php file:

$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";
$mail_attribute = "mail";
$mail_from = "<username>@example.com";
$mail_from_name = "Self Service Password";
$notify_on_change = false;
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtps';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'localhost';
$mail_smtp_auth = false;
$mail_smtp_user = '';
$mail_smtp_pass = '';
$mail_smtp_port = 587;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_contenttype = 'text/plain';
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;

To set an email for a samba user follow the steps from here: http://docswiki.newro.co/index.php/Samba#Setting_an_email_for_a_user
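The LDAP connection settings and the reset-by-email-token settings above are the values that decide how exposed the installation is: the bind password travels over the `$ldap_url` connection, `$keyphrase` protects the reset tokens, and `$crypt_tokens` and `$token_lifetime` decide whether an intercepted token is usable and for how long. The following shell script is an added example, not code from the LTB project or from this wiki page. It reads a config.inc.php written in the one-setting-per-line layout shown above and flags weak values. The function names, the 32-character minimum for the keyphrase, and the two sample files it writes (one constructed weak variant with the shipped `secret` keyphrase, a remote domain controller without TLS and unencrypted day-long tokens; one hardened variant) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the LTB project or of this page): lint a
# config.inc.php for the settings discussed above. It assumes the
# one-setting-per-line layout shown on this page; all function names are ours.

# Print the value of a `$name = value;` line with surrounding quotes and any
# trailing `#` comment removed. $1 = config file, $2 = variable name without `$`.
ssp_get() {
    sed -n 's/^[[:space:]]*\$'"$2"'[[:space:]]*=[[:space:]]*\([^;]*\);.*$/\1/p' "$1" \
        | head -n 1 | tr -d "\"'"
}

# $keyphrase encrypts the reset tokens; the shipped "secret" must be replaced
# by a long random string. Our threshold: at least 32 characters.
ssp_check_keyphrase() {
    kp=$(ssp_get "$1" keyphrase)
    [ -n "$kp" ] && [ "$kp" != "secret" ] && [ "${#kp}" -ge 32 ]
}

# The bind password is sent on every password change, so the directory
# connection must be ldaps://, StartTLS, or loopback (Samba AD on the same
# host, as on this page).
ssp_check_ldap() {
    url=$(ssp_get "$1" ldap_url)
    case "$url" in
        ldaps://*|ldap://localhost*|ldap://127.0.0.1*) return 0 ;;
    esac
    [ "$(ssp_get "$1" ldap_starttls)" = "true" ]
}

# Mail tokens should be encrypted ($crypt_tokens) and short-lived
# ($token_lifetime is in seconds; we accept 1..3600).
ssp_check_tokens() {
    life=$(ssp_get "$1" token_lifetime)
    case "$life" in ''|*[!0-9]*) return 1 ;; esac
    [ "$(ssp_get "$1" crypt_tokens)" = "true" ] && [ "$life" -ge 1 ] && [ "$life" -le 3600 ]
}

# Run every check, print one verdict line per setting, and return the number
# of failed checks (0 means all passed).
ssp_lint() {
    failed=0
    for check in keyphrase ldap tokens; do
        if "ssp_check_$check" "$1"; then
            echo "ok    $check"
        else
            echo "WEAK  $check"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Print a replacement keyphrase (48 random bytes, base64, single line).
ssp_new_keyphrase() { openssl rand -base64 48 | tr -d '\n'; }

# Constructed weak sample: the shipped keyphrase, a remote DC over plain LDAP
# without StartTLS, and unencrypted tokens valid for a day. Not a real config.
ssp_write_sample_config() {
    cat > "$1" <<'EOF'
<?php
$ldap_url = "ldap://dc1.sambaad.local:389";
$ldap_starttls = false;
$ldap_binddn = "cn=ssp.user,cn=Users,dc=SAMBAAD,dc=LOCAL";
$ldap_bindpw = "<ssp.user password>";
$keyphrase = "secret";  ###the value needs to be changed to a long and hard to guess string
$use_tokens = true;
$crypt_tokens = false;
$token_lifetime = "86400";
EOF
}

# Constructed hardened sample; the keyphrase is a placeholder, generate your own.
ssp_write_hardened_config() {
    cat > "$1" <<'EOF'
<?php
$ldap_url = "ldaps://dc1.sambaad.local:636";
$ldap_starttls = false;
$ldap_binddn = "cn=ssp.user,cn=Users,dc=SAMBAAD,dc=LOCAL";
$ldap_bindpw = "<ssp.user password>";
$keyphrase = "Q7vT3mZp9LxW2cRk8HnB4YdF6sJa1GeU0oVi5NtM";
$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";
EOF
}

# Demo: lint both constructed samples.
tmp=$(mktemp -d)
ssp_write_sample_config "$tmp/weak.inc.php"
ssp_write_hardened_config "$tmp/hardened.inc.php"
for f in "$tmp/weak.inc.php" "$tmp/hardened.inc.php"; do
    echo "== $f"
    if ssp_lint "$f"; then echo "all checks passed"; else echo "$? check(s) need attention"; fi
done
rm -rf "$tmp"
```

To lint a real installation, run `ssp_lint /usr/share/self-service-password/conf/config.inc.php` after sourcing the script; `ssp_new_keyphrase` prints a value suitable for `$keyphrase`. The loopback exception in `ssp_check_ldap` matches the `ldap://localhost:389` setup on this page, where Samba AD runs on the same host; point the URL at another machine and the check demands `ldaps://` or `$ldap_starttls = true`.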

Additional information

For more information about installing and configuring the LTB Self Service Password visit the following link: http://ltb-project.org/wiki/documentation/self-service-password/latest/start

Other features for the future

Features:

  • Reset by SMS (through an external Email 2 SMS service)

For more information visit the following link: http://ltb-project.org/wiki/documentation/self-service-password

Show policy

The password policy can be displayed to the user by configuring $pwd_show_policy. Three values are accepted:

  • always: the policy is always displayed
  • never: the policy is never displayed
  • onerror: the policy is only displayed if the password is rejected because of it and the user provided their old password correctly