Allow remote users to change password

It works as expected on the LDAP side. :sunglasses:
For AD I needed to add some lines to /etc/e-smith/templates/usr/share/self-service-password/conf/config.inc.local.php/10main.
We need the baseDN for AD. I only changed who_change_password from manager to user and added the baseDN.

/etc/e-smith/templates/usr/share/self-service-password/conf/config.inc.local.php/10main
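{
# e-smith template fragment for
# /usr/share/self-service-password/conf/config.inc.local.php.
# Everything appended to $OUT becomes the generated PHP file. The %ssp,
# %sssd and %passwordstrength hashes are supplied by the template engine
# from the configuration database; note that the $sssd object below and
# the %sssd hash are distinct variables (different sigils).
use NethServer::SSSD;

my $sssd    = NethServer::SSSD->new();
my $baseDN  = $sssd->baseDN();
my $ldapURI = $sssd->ldapURI();

# Render a Perl string as a PHP single-quoted literal. Secrets are pasted
# into the generated PHP verbatim, so a password containing ", \ or $
# would otherwise break the file or be reinterpreted by PHP's
# double-quote interpolation.
my $php_quote = sub {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/([\\'])/\\$1/g;
    return "'$value'";
};

# Read a secret file directly instead of shelling out to cat|tr; all
# newlines are dropped exactly as `tr -d '\n'` did. A missing or
# unreadable secret aborts the expansion rather than silently writing an
# empty bind password into the PHP configuration.
my $read_secret = sub {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    my $value = do { local $/; <$fh> };
    close $fh;
    $value = '' unless defined $value;
    $value =~ tr/\n//d;
    return $value;
};

# Build a random alphanumeric token of the requested length from
# /dev/urandom. Bytes >= 248 (4 * 62, the largest multiple of the
# alphabet size below 256) are rejected so every character is equally
# likely. rand() is used only as a fallback when /dev/urandom cannot be
# opened, which keeps the former behaviour on such systems.
my $random_token = sub {
    my ($length) = @_;
    my @alphabet = ('A'..'Z', 'a'..'z', '0'..'9');
    my $token = '';
    if (open my $rnd, '<:raw', '/dev/urandom') {
        while (length $token < $length) {
            my $byte;
            last unless read $rnd, $byte, 1;
            my $v = ord $byte;
            next if $v >= 248;
            $token .= $alphabet[$v % @alphabet];
        }
        close $rnd;
    }
    $token .= $alphabet[rand @alphabet] while length $token < $length;
    return $token;
};

# NOTE(review): a fresh keyphrase is generated on every expansion of this
# template, so anything SSP encrypted with the previous value
# (presumably the mail tokens, given $crypt_tokens below) can no longer be
# decrypted after an expansion — confirm this is acceptable.
my $secret = $random_token->(12);

my $lang = ($ssp{lang} || 'en');
# $use_tokens is emitted unquoted as a PHP boolean, so only the literal
# 'true' may enable it; any other value degrades to 'false'.
my $email = (($ssp{'UseEmail'} || '') eq 'true') ? 'true' : 'false';

$OUT .= <<EOF;
<?php

/*
 /usr/share/self-service-password/conf/config.inc.local.php
*/

\$lang = "$lang";
\$show_menu = true;
\$use_questions = false;
\$use_sms = false;
\$pwd_show_policy = "always";
\$pwd_show_policy_pos = "above";
\$keyphrase = "$secret";
\$use_tokens = $email;

EOF

# Mail-based token reset; only meaningful when $use_tokens is true.
if ($email eq 'true') {
    $OUT .= <<EOF;
        \$mail_address_use_ldap = true;
        \$crypt_tokens = true;
        \$token_lifetime = "900";
        \$mail_sendmailpath = '/usr/sbin/sendmail';
        \$mail_protocol = 'sendmail';
        \$mail_smtp_debug = 0;
        \$mail_debug_format = 'html';
        \$mail_contenttype = 'text/plain';
        \$mail_wordwrap = 0;
        \$mail_charset = 'utf-8';
        \$mail_priority = 3;
        \$mail_newline = PHP_EOL;
        \$notify_on_change = true;
EOF
}

# Password policy mirrors the system-wide setting; an unset value emits
# no policy lines at all (SSP defaults apply), as before.
my $strength = $passwordstrength{Users} || '';
if ($strength eq 'none') {
    $OUT .= <<EOF;
        \$pwd_min_length = 7;
EOF
}
elsif ($strength eq 'strong') {
    $OUT .= <<EOF;
        \$pwd_min_length = 7;
        \$pwd_min_lower = 1;
        \$pwd_min_upper = 1;
        \$pwd_min_digit = 1;
        \$pwd_min_special = 1;
        \$pwd_complexity = 4;
        \$use_pwnedpasswords = true;
EOF
}

# Directory backend. Bind passwords are read from the local secrets files
# and emitted as escaped PHP literals. $who_change_password = "user" makes
# SSP bind as the user whose password is being changed, so the bind
# account itself does not need password-reset rights.
my $provider = $sssd{Provider} || '';
if ($provider eq 'ldap') {
    my $libuserpass = $php_quote->($read_secret->('/var/lib/nethserver/secrets/libuser'));
    $OUT .= <<EOF;
        // \$ldap_url = "ldaps://localhost";
        // \$ldap_starttls = true;
        \$ldap_binddn = "cn=libuser,dc=directory,dc=nh";
        \$ldap_bindpw = $libuserpass;
        \$ldap_base = "dc=directory,dc=nh";
        \$ldap_filter = "(&(objectClass=person)(uid={login})(!(uid=admin)))";
        \$who_change_password = "user";
        \$mail_attribute = "mail";
EOF
}
elsif ($provider eq 'ad') {
    my $ssppass = $php_quote->($read_secret->('/var/lib/nethserver/secrets/ssp'));
    $OUT .= <<EOF;
        \$ad_mode = true;
        \$ldap_starttls = false;
        \$ldap_url = "$ldapURI";
        \$ldap_binddn = "ssp\@$sssd{Realm}";
        \$ldap_bindpw = $ssppass;
        // \$ldap_binddn = "$sssd{BindDN}";
        // \$ldap_bindpw = "$sssd{BindPassword}";
        \$ldap_base = "$baseDN";
        \$ldap_login_attribute = "sAMAccountName";
        \$ldap_fullname_attribute = "cn";
        \$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
        \$who_change_password = "user";
        \$mail_attribute = "userPrincipalName";
EOF
}

}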