{"id":4907,"date":"2020-01-19T14:17:30","date_gmt":"2020-01-19T11:17:30","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4907"},"modified":"2024-03-13T07:45:18","modified_gmt":"2024-03-13T04:45:18","slug":"setup-ldap-self-service-password-tool-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/setup-ldap-self-service-password-tool-on-centos-8\/","title":{"rendered":"Setup LDAP Self Service Password Tool on CentOS 8"},"content":{"rendered":"\n

This guide will take you through how to setup LDAP Self Service Password Tool<\/a> on CentOS 8. If you have users who authenticate against an LDAP directory, you might want them to be able to reset their passwords on their own. Self Service Password tool is a PHP application that gives you this capability. It supports a number of LDAPv3 directories including OpenLDAP, OpenDS, ApacheDS, 389 DS, RHDS and even Microsoft AD.<\/p>\n\n\n\n

Setting up LDAP Self Service Password Tool<\/h2>\n\n\n\n

In this demo, we are using OpenLDAP as our authenticating directory. As such, ensure that you have a running OpenLDAP server before you can proceed. You can refer to the link below to setup OpenLDAP on CentOS 8.<\/p>\n\n\n\n

Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n

Run System Update<\/h3>\n\n\n\n

Ensure that your system packages are up-to-date.<\/p>\n\n\n\n

dnf update<\/code><\/pre>\n\n\n\n

Install LDAP Self Service Password Tool on CentOS 8<\/h3>\n\n\n\n

As of this writing, Self Service Password version 1.3 is the current stable release.<\/p>\n\n\n\n

In this demo, we are using PHP 7.3 provided by the Remi repos. Hence proceed as follows;<\/p>\n\n\n\n

dnf install https:\/\/dl.fedoraproject.org\/pub\/epel\/epel-release-latest-8.noarch.rpm<\/code><\/pre>\n\n\n\n
dnf install http:\/\/rpms.remirepo.net\/enterprise\/remi-release-8.rpm<\/code><\/pre>\n\n\n\n

Reset the default PHP 7.2 module.<\/p>\n\n\n\n

dnf module reset php<\/code><\/pre>\n\n\n\n

Enable the PHP 7.3 module stream from the Remi repos;<\/p>\n\n\n\n

dnf module enable php:remi-7.3<\/code><\/pre>\n\n\n\n

Next, install Self Service Password tool by executing the command below;<\/p>\n\n\n\n

dnf localinstall http:\/\/ltb-project.org\/archives\/self-service-password-1.3-1.el7.noarch.rpm<\/code><\/pre>\n\n\n\n

The package pulls in PHP and the required PHP modules, along with other dependencies such as the Apache web server.<\/p>\n\n\n\n

Next, install php-mcrypt, which is required for the cryptography functions.<\/p>\n\n\n\n

dnf install php-mcrypt vim<\/code><\/pre>\n\n\n\n

If you need the mail functionality when resetting passwords, you also need the PHP mail and session modules.<\/p>\n\n\n\n

Configuring LDAP Self Service Password Tool<\/h3>\n\n\n\n

After the installation, proceed to configure the Self Service Password tool.<\/p>\n\n\n\n

SSP creates a default Apache configuration file, \/etc\/httpd\/conf.d\/self-service-password.conf<\/code>.<\/p>\n\n\n\n

Edit this file and make appropriate changes.<\/p>\n\n\n\n

cp \/etc\/httpd\/conf.d\/self-service-password.conf{,.old}<\/code><\/pre>\n\n\n\n
vim \/etc\/httpd\/conf.d\/self-service-password.conf<\/code><\/pre>\n\n\n\n

Paste the following contents into the configuration file, making any appropriate changes<\/strong>.<\/p>\n\n\n\n

<VirtualHost *>\n        ServerName ssp.kifarunix-demo.com\n\n        DocumentRoot \/usr\/share\/self-service-password\n        DirectoryIndex index.php\n\n        AddDefaultCharset UTF-8\n\n        Alias \/ssp \/usr\/share\/self-service-password\n\n        <Directory \/usr\/share\/self-service-password>\n            AllowOverride None\n            Require all granted\n        <\/Directory>\n\n        <Directory \/usr\/share\/self-service-password\/scripts>\n            AllowOverride None\n            Require all denied\n        <\/Directory>\n\n        LogLevel warn\n        ErrorLog \/var\/log\/httpd\/ssp_error_log\n        CustomLog \/var\/log\/httpd\/ssp_access_log combined\n<\/VirtualHost><\/code><\/pre>\n\n\n\n

Save and exit the configuration file.<\/p>\n\n\n\n

Setup SSP General Parameters<\/h3>\n\n\n\n

The default configuration file for SSP is, \/usr\/share\/self-service-password\/conf\/config.inc.php<\/strong><\/code>.<\/p>\n\n\n\n

To begin with, create a local configuration file, config.inc.local.php<\/strong><\/code>, to override the default configuration; this keeps your settings from being overwritten by upgrades.<\/p>\n\n\n\n

cp \/usr\/share\/self-service-password\/conf\/config.inc{,.local}.php<\/code><\/pre>\n\n\n\n

Open the configuration file for editing.<\/p>\n\n\n\n

vim \/usr\/share\/self-service-password\/conf\/config.inc.local.php<\/code><\/pre>\n\n\n\n

If you check the original configuration file, \/usr\/share\/self-service-password\/conf\/config.inc.php<\/code>, you will notice that it has separate configuration sections, e.g. AD, SAMBA, MAIL, SMS etc. In our custom configuration, config.inc.local.php<\/code>, we have left these sections out.<\/p>\n\n\n\n

Configure LDAP Server connection details. Be sure to replace the values to match your environment settings<\/strong>.<\/p>\n\n\n\n

# LDAP\n$ldap_url = \"ldap:\/\/ldapmaster.kifarunix-demo.com\";\n$ldap_starttls = false;\n$ldap_binddn = \"cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\";\n$ldap_bindpw = \"P@ssWord\";\n$ldap_base = \"dc=ldapmaster,dc=kifarunix-demo,dc=com\";\n$ldap_login_attribute = \"uid\";\n$ldap_fullname_attribute = \"cn\";\n$ldap_filter = \"(&(objectClass=posixAccount)($ldap_login_attribute={login}))\";<\/code><\/pre>\n\n\n\n

Under the shadow configuration options;<\/p>\n\n\n\n

# Shadow options - require shadowAccount objectClass\n# Update shadowLastChange<\/strong>\n$shadow_options['update_shadowLastChange'] = true;\n$shadow_options['update_shadowExpire'] = true;\n\n# Default to -1, never expire. 60 means password expires in 60 days.<\/strong>\n$shadow_options['shadow_expire_days'] = 60;<\/code><\/pre>\n\n\n\n

Define the hashing scheme applied to the password before it is sent to the LDAP server.<\/p>\n\n\n\n

# auto scheme gets the current password value and finds the hash. It also requires read access to the password.\n$hash = \"auto\";<\/strong><\/code><\/pre>\n\n\n\n

Configure password policies;<\/p>\n\n\n\n

$pwd_min_length = 12; \n$pwd_max_length = 15;\n$pwd_min_lower = 1;\n$pwd_min_upper = 1;\n$pwd_min_digit = 1;\n$pwd_min_special = 1;\n$pwd_special_chars = \"^a-zA-Z0-9\";\n$pwd_no_reuse = true;\n$pwd_diff_login = true;\n$pwd_complexity = 1;\n$use_pwnedpasswords = false;<\/code><\/pre>\n\n\n\n
...\n$pwd_show_policy = \"always\";\n$pwd_show_policy_pos = \"above\";\n$who_change_password = \"user\";\n$use_change = true;<\/code><\/pre>\n\n\n\n

Change the value of the keyphrase to a long random string;<\/p>\n\n\n\n

$keyphrase = \"7rRy0}96#4E7#kzb%:,25X}c&66rU\";<\/code><\/pre>\n\n\n\n

With the comments stripped, our configuration looks like this;<\/p>\n\n\n\n

less \/usr\/share\/self-service-password\/conf\/config.inc.local.php<\/code><\/pre>\n\n\n\n
<?php\n$debug = false;\n\n$ldap_url = \"ldap:\/\/ldapmaster.kifarunix-demo.com\";\n$ldap_starttls = false;\n$ldap_binddn = \"cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\";\n$ldap_bindpw = \"P@ssWord\";\n$ldap_base = \"dc=ldapmaster,dc=kifarunix-demo,dc=com\";\n$ldap_login_attribute = \"uid\";\n$ldap_fullname_attribute = \"cn\";\n$ldap_filter = \"(&(objectClass=posixAccount)($ldap_login_attribute={login}))\";\n\n$shadow_options['update_shadowLastChange'] = true;\n$shadow_options['update_shadowExpire'] = true;\n\n$shadow_options['shadow_expire_days'] = 60;\n\n$hash = \"auto\";\n\n$hash_options['crypt_salt_prefix'] = \"$6$\";\n$hash_options['crypt_salt_length'] = \"6\";\n\n$pwd_min_length = 12;\n$pwd_max_length = 15;\n$pwd_min_lower = 1;\n$pwd_min_upper = 1;\n$pwd_min_digit = 1;\n$pwd_min_special = 1;\n$pwd_special_chars = \"^a-zA-Z0-9\";\n$pwd_no_reuse = true;\n$pwd_diff_login = true;\n$pwd_complexity = 1;\n$use_pwnedpasswords = false;\n$pwd_show_policy = \"always\";\n$pwd_show_policy_pos = \"above\";\n\n$who_change_password = \"user\";\n\n$use_change = true;\n\n$change_sshkey = false;\n\n$change_sshkey_attribute = \"sshPublicKey\";\n\n$who_change_sshkey = \"user\";\n\n$notify_on_sshkey_change = false;\n\n$use_questions = true;\n\n$answer_objectClass = \"extensibleObject\";\n$answer_attribute = \"info\";\n\n$crypt_answers = true;\n\n$use_tokens = true;\n$crypt_tokens = true;\n$token_lifetime = \"3600\";\n\n$keyphrase = \"7rRy0}96#4E7#kzb%:,25X}c&66rU\";\n\n$show_help = true;\n\n$lang = \"en\";\n\n$allowed_lang = array();\n\n$show_menu = true;\n\n$logo = \"images\/kifarunix-logo.png\";\n\n$background_image = \"images\/unsplash-space.jpeg\";\n\n$login_forbidden_chars = \"*()&|\";\n\n$default_action = \"change\";\n?><\/code><\/pre>\n\n\n\n

Go through the whole configuration file with reference to Documentation<\/a> and make appropriate changes to suit your environment.<\/p>\n\n\n\n

Once done with the setup, save and exit the configuration file.<\/p>\n\n\n\n

Ensure that users have permission to update their own passwords on the OpenLDAP server. For example, this is the sample access control list in our OpenLDAP server database.<\/p>\n\n\n\n

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config '(olcDatabase=mdb)' olcAccess<\/code><\/pre>\n\n\n\n
dn: olcDatabase={1}mdb,cn=config\nolcAccess: {0}to attrs=userPassword by self write<\/strong> by anonymous auth by dn.subt\n ree=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by dn.su\n btree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read by * none\nolcAccess: {1}to attrs=shadowLastChange,shadowExpire by self write <\/strong>by dn.subtr\n ee=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" manage by dn.sub\n tree=\"ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read by * none\n...<\/code><\/pre>\n\n\n\n

Install SSL\/TLS Certificate<\/h4>\n\n\n\n

In this demo, we are using LDAP over SSL. Hence, we need to install the CA certificate to validate the connection to the LDAP server. To download the CA certificate from the server, run the command below;<\/p>\n\n\n\n

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < \/dev\/null | openssl x509 -text | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n

Copy the certificate…<\/p>\n\n\n\n

-----BEGIN CERTIFICATE-----\nMIIDzzCCAregAwIBAgIUMJkYu\/S+fQbyGjUOLsMoar6owfowDQYJKoZIhvcNAQEL\nBQAwdzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTmFpMRcw\n...\n...\nkqkfQw96SLItvsAXpeosfYkH6uEG36svqAJ6rzxZcJzl3OTrUZnFX3OOsmFeHupC\nQxv7gjfE5jqdD6iQR0cohGLpaA==\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n

… and paste it into a specific file, e.g. \/etc\/ssl\/certs\/cacert.pem<\/strong><\/code>.<\/p>\n\n\n\n

Afterwards, update the \/etc\/openldap\/ldap.conf<\/code> file to define the path to the CA certificate file downloaded above.<\/p>\n\n\n\n


vim \/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\n
...\n#TLS_CACERT     \/etc\/pki\/tls\/cert.pem\nTLS_CACERT     \/etc\/ssl\/certs\/cacert.pem<\/strong>\n...<\/code><\/pre>\n\n\n\n

Save and quit the file.<\/p>\n\n\n\n

Change the ownership of the \/usr\/share\/self-service-password<\/code> directory to apache<\/code>.<\/p>\n\n\n\n

chown -R apache:apache \/usr\/share\/self-service-password<\/code><\/pre>\n\n\n\n

Verify Apache configuration syntax.<\/p>\n\n\n\n

httpd -t<\/code><\/pre>\n\n\n\n

Restart and enable Apache to run on system boot.<\/p>\n\n\n\n

systemctl restart httpd<\/code><\/pre>\n\n\n\n
systemctl enable httpd<\/code><\/pre>\n\n\n\n

Open port 80 on firewalld.<\/p>\n\n\n\n

firewall-cmd --add-port=80\/tcp --permanent<\/code><\/pre>\n\n\n\n
firewall-cmd --reload<\/code><\/pre>\n\n\n\n

Configure SELinux Policies<\/h3>\n\n\n\n

If SELinux is running, run the commands below to allow the Self Service Password tool to change users' passwords.<\/p>\n\n\n\n

Allow httpd to connect to network.<\/p>\n\n\n\n

setsebool -P httpd_can_network_connect 1<\/code><\/pre>\n\n\n\n

Allow httpd to connect to LDAP.<\/p>\n\n\n\n

setsebool -P httpd_can_connect_ldap 1<\/code><\/pre>\n\n\n\n

Resolve user passwd entries directly from LDAP.<\/p>\n\n\n\n

setsebool -P authlogin_nsswitch_use_ldap 1<\/code><\/pre>\n\n\n\n

Allow the system to run with NIS.<\/p>\n\n\n\n

setsebool -P nis_enabled 1<\/code><\/pre>\n\n\n\n

Accessing SSP from Browser<\/h3>\n\n\n\n

You can now access your Self Service Password tool from a browser using the URL, http:\/\/<server-hostname-OR-IP><\/code><\/strong>.<\/p>\n\n\n\n


To demonstrate how to reset the password, we will be using a demo user in our OpenLDAP database;<\/p>\n\n\n\n

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b \"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" \"(&(objectClass=posixAccount)(uid=*))\"<\/code><\/pre>\n\n\n\n
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n...<\/code><\/pre>\n\n\n\n

To meet the defined password policies, this is the sample password used, N#rAvImVosh3<\/strong>. Note that if you have also defined password policies in your OpenLDAP backend database<\/a>, ensure that the policies defined on SSP match the backend policies.<\/p>\n\n\n\n


If the password is accepted, you should see the output, Your password was Changed<\/strong>.<\/p>\n\n\n\n


You can also verify the new password by binding to OpenLDAP as the user;<\/p>\n\n\n\n

ldapwhoami -x -H ldapi:\/\/\/ -D \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W<\/code><\/pre>\n\n\n\n
Enter LDAP Password: N#rAvImVosh3<\/strong>\ndn:uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n

If the password does not match, you will get the following output;<\/p>\n\n\n\n

ldap_bind: Invalid credentials (49)<\/code><\/pre>\n\n\n\n

If you have implemented password policies in the OpenLDAP backend with the attribute pwdCheckQuality<\/code> set to the value 2<\/code>, the password might still fail the quality checks, because with that value the server rejects any password whose quality it cannot verify (such as one SSP has already hashed). In that case, set the value of this attribute to 1.<\/p>\n\n\n\n

There you go. Your users can now comfortably reset their passwords.<\/p>\n\n\n\n

Reference<\/h3>\n\n\n\n

Self Service Password LDAP Tool Box Documentation<\/a><\/p>\n\n\n\n

Other Related Guides<\/h4>\n\n\n\n

Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n\n\n\n

Configure SSSD for OpenLDAP Client Authentication on Debian 10\/9<\/a><\/p>\n\n\n\n

How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n

Configure SSSD for OpenLDAP Authentication on CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

This guide will take you through how to setup LDAP Self Service Password Tool on CentOS 8. If you got users who are authenticating against<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1142,286,1273,1274,1282,1272],"class_list":["post-4907","post","type-post","status-publish","format-standard","hentry","category-howtos","category-directory-server","category-openldap","tag-centos-8","tag-openldap","tag-openldap-self-service-password","tag-self-service-password-ldap-centos-8","tag-self-service-password-openldap","tag-ssp","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4907"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4907"}],"version-history":[{"count":14,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4907\/revisions"}],"predecessor-version":[{"id":21297,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4907\/revisions\/21297"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}