Superseded by nethserver-self-service-password, instructions in the wiki: https://wiki.nethserver.org/doku.php?id=userguide:self-service-password
Well, good job! Thanks for sharing
Thanks Dan!
Works exactly as it says on the tin.
@danb35, following your procedure above, config show ssp does not show me anything. If no options are available by default and have to be set, then "setprop" should be "set", right?
…as noted here:
Yep, I need to learn to read carefully…
The concern I have is that, from what @mrmarkuz says on the other thread, AD won't work with the user credentials, and it also won't work using the bind user (ldapservice) and password; it needs admin credentials. In addition to the security concerns I raised there, I think that also (effectively) makes it impossible to create a template for the config file that will work with AD. I mean, I guess you could config setprop ssp AdminUser blah AdminPassword blahblahblah (with the actual system administrator credentials), but that really doesn't sound like a good idea at all.
Active Directory password changing works with ldapservice, I didn't understand the documentation.
With user domain\ldapservice and $who_change_password = "user", users can change their passwords in AD.
I am going to test SSL auth…
Ah, much better news. And that user (and password) are already in the config database, so should be template-able.
And STARTTLS and LDAPS are working too, even with self-signed certificate so no need for low security in the container smb.conf.
I would be willing to put the how-to on the wiki, BUT if someone is considering creating a module, I'll hold off for now.
I have no problem with putting it in the wiki myself, but I'd like (1) to get the templates working with AD, and (2) to have some further confirmation that it works for other folks too, before putting it there.
As to making a module, it should be straightforward enough, except that you'd still need to manually add the LTB repo; they don't have an RPM for the repo itself, and I don't think it'd really be appropriate for us to push one. So those installation instructions would look like "create this repo file, add the GPG key, then yum install --enablerepo=whatever nethserver-self-service-password, then config set ssp configuration (plus whatever other properties are called for), then signal-event nethserver-self-service-password-update." Not too bad, and a definite improvement over what's above, but not quite ideal.
Outstanding. How do the settings need to look to make that work?
It works like expected on LDAP side.
For AD I needed to add some lines to /etc/e-smith/templates/usr/share/self-service-password/conf/config.inc.local.php/10main.
We need the baseDN for AD. I only changed who_change_password from manager to user and added the baseDN.
/etc/e-smith/templates/usr/share/self-service-password/conf/config.inc.local.php/10main

```perl
{
    # e-smith template fragment: expands to config.inc.local.php for LTB
    # Self Service Password. Directory settings are read from the live
    # NethServer::SSSD provider object, not only from the sssd config
    # database, so both the local LDAP and the AD provider are covered.
    use NethServer::SSSD;
    my $sssd = new NethServer::SSSD();
    my $baseDN = $sssd->baseDN();
    my $bindDN = $sssd->bindDN();
    $bindDN =~ s/\\/\\\\/g;    # escape backslashes (DOMAIN\user) for the PHP double-quoted string
    my $userDN = $sssd->userDN();
    my $groupDN = $sssd->groupDN();
    my $bindPassword = $sssd->bindPassword();
    my $host = $sssd->host();
    my $ldapURI = $sssd->ldapURI();

    # Random keyphrase SSP uses to encrypt reset tokens. It is regenerated on
    # every template expansion, so any outstanding token stops being valid when
    # the config is rewritten. Perl's rand() is not a cryptographic RNG.
    my @chars = ("A".."Z", "a".."z", "0".."9");
    my $secret;
    $secret .= $chars[rand @chars] for 1..12;

    # Config-db properties: config setprop ssp lang xx / UseEmail true
    my $lang = ($ssp{lang} || 'en');
    my $email = ($ssp{'UseEmail'} || 'false');

    $OUT .= <<EOF;
<?php
/*
/usr/share/self-service-password/conf/config.inc.local.php
*/
\$lang = "$lang";
\$show_menu = true;
\$use_questions = false;
\$use_sms = false;
\$pwd_show_policy = "always";
\$pwd_show_policy_pos = "above";
\$keyphrase = "$secret";
\$use_tokens = $email;
EOF

    # Email reset tokens: address comes from the directory, tokens are
    # encrypted with the keyphrase above and expire after 15 minutes.
    if ( $email eq 'true') {
        $OUT .= <<EOF;
\$mail_address_use_ldap = true;
\$crypt_tokens = true;
\$token_lifetime = "900";
\$mail_sendmailpath = '/usr/sbin/sendmail';
\$mail_protocol = 'sendmail';
\$mail_smtp_debug = 0;
\$mail_debug_format = 'html';
\$mail_contenttype = 'text/plain';
\$mail_wordwrap = 0;
\$mail_charset = 'utf-8';
\$mail_priority = 3;
\$mail_newline = PHP_EOL;
\$notify_on_change = true;
EOF
    }

    # Mirror the NethServer password policy (config show passwordstrength)
    if ($passwordstrength{Users} eq 'none') {
        $OUT .= <<EOF;
\$pwd_min_length = 7;
EOF
    }
    elsif ($passwordstrength{Users} eq 'strong') {
        $OUT .= <<EOF;
\$pwd_min_length = 7;
\$pwd_min_lower = 1;
\$pwd_min_upper = 1;
\$pwd_min_digit = 1;
\$pwd_min_special = 1;
\$pwd_complexity = 4;
\$use_pwnedpasswords = true;
EOF
    }

    if ($sssd{Provider} eq 'ldap') {
        # Local OpenLDAP: bind as libuser, the NethServer account allowed to
        # write passwords. Users authenticate with their own credentials
        # (who_change_password = user); the admin account is excluded.
        my $libuserpass = `cat /var/lib/nethserver/secrets/libuser | tr -d '\n'`;
        $OUT .= <<EOF;
// \$ldap_url = "ldaps://localhost";
// \$ldap_starttls = true;
\$ldap_binddn = "cn=libuser,dc=directory,dc=nh";
\$ldap_bindpw = "$libuserpass";
\$ldap_base = "dc=directory,dc=nh";
\$ldap_filter = "(&(objectClass=person)(uid={login})(!(uid=admin)))";
\$who_change_password = "user";
\$mail_attribute = "mail";
EOF
    }
    elsif ($sssd{Provider} eq 'ad') {
        # Active Directory: bind as the dedicated, non-admin "ssp" account whose
        # password lives in /var/lib/nethserver/secrets/ssp. TLS comes from the
        # URI reported by SSSD (ldaps://), hence starttls is off. The filter
        # skips disabled accounts (userAccountControl bit 0x2 via the
        # LDAP_MATCHING_RULE_BIT_AND OID). The ldapservice lines are kept
        # commented as the alternative bind account.
        my $ssppass = `cat /var/lib/nethserver/secrets/ssp | tr -d '\n'`;
        $OUT .= <<EOF;
\$ad_mode = true;
\$ldap_starttls = false;
\$ldap_url = "$ldapURI";
\$ldap_binddn = "ssp\@$sssd{Realm}";
\$ldap_bindpw = "$ssppass";
// \$ldap_binddn = "$sssd{BindDN}";
// \$ldap_bindpw = "$sssd{BindPassword}";
\$ldap_base = "$baseDN";
\$ldap_login_attribute = "sAMAccountName";
\$ldap_fullname_attribute = "cn";
\$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
\$who_change_password = "user";
\$mail_attribute = "userPrincipalName";
EOF
    }
}
```
Are these lines:
actually necessary? Or can we just do:
\$ldap_base = "$sssd{BaseDN}";
?
In any event, it's looking very promising. I think I'm still going to need to clean up the email stuff (as I don't think we're going to be able to make email tokens work, but sending an email confirmation would still be a nice option), but looks like it's getting close to something suitable for general release.
The lines are necessary. $sssd{something} only grabs the database (config show sssd). See perldoc NethServer::SSSD and, for example, the sogo.conf.
Fully agree.
And it works: LDAP with libuser and AD with a special user who is only allowed to change passwords (described here, search for "rights to change password of users") but is no admin.
How to set the permission with Windows ADUC (the only way I found, samba-tool seems to not support it):
I changed the config template in a previous post to reflect the changes.
Additionally I created a user ssp and created a file /var/lib/nethserver/secrets/ssp with the password of the ssp user. It would also be possible to give the "change password permission" to ldapservice so we don't need an additional user.
If we want the token to work we need special users (libuser/ssp).
If we could manage to set the password changing permission in AD on command line somehow, we could write a random password to the file or use ldapservice and automate the whole process.
At least we won't be able to do that with remote AD.
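As an added example, not part of the thread or of the module: the delegation the ADUC screenshot above sets up, done from a Windows command line with dsacls. It grants the dedicated ssp account only the "Reset Password" control-access right on user objects, which is what the bind account needs for email-token resets while staying a non-admin. The container DN, the NetBIOS domain name AD and the account name ssp are assumptions; dsacls ships with RSAT/Windows Server, and whether it succeeds against a Samba-based DC is something to verify in your own setup (the post above reports no samba-tool equivalent).

```powershell
# Added example: delegate the AD "Reset Password" extended right to the SSP
# bind account with dsacls. Assumed values: the container DN, the NetBIOS
# domain "AD" and the account "ssp". Run on a domain-joined host with RSAT.
$Container = "CN=Users,DC=ad,DC=example,DC=com"   # where the user objects live (assumed)
$Delegate  = "AD\ssp"                              # dedicated, non-admin bind account

# CA = control-access (extended) right; /I:S = inherit to sub-objects only;
# the trailing "user" restricts the inherited ACE to user objects, so the
# account gets nothing on groups, computers or the container itself.
dsacls $Container /I:S /G "${Delegate}:CA;Reset Password;user"

# Verify: list only the ACEs that name the delegate. Expect an entry carrying
# "Reset Password" for AD\ssp and nothing granting generic write or full control.
dsacls $Container | Select-String -SimpleMatch $Delegate
```

If the same right must also apply to users under other OUs, repeat the first dsacls call per container rather than granting it at the domain root; keeping the scope to the containers SSP actually serves is the point of using a separate account instead of ldapservice or an admin.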
OK, first draft of a module is up on my repo. To install, add the LTB repo and import the key as above, then yum --enablerepo=danb35 install nethserver-self-service-password. Other configuration options are noted above; if you change any of them, do signal-event nethserver-self-service-password-update afterward.
This has had very minimal testing. It installs and works to change a user's password on a local LDAP system. I've included @mrmarkuz's configuration changes, but haven't worked with AD at all, so can't vouch for anything on that. I certainly wouldn't expect changing passwords using email tokens to work in AD, as nothing in this RPM makes the user role changes noted above.
Github repo is here:
Thanks @danb35, works as advertised!
On the wiki, but not yet linked into the user guides index: https://wiki.nethserver.org/doku.php?id=userguide:self-service-password