To a degree, but there are significant differences:
With a hosting provider, everybody is remote, including the admin (the hosting provider’s customer)–and they certainly don’t expose their own administrative interface to the Internet.
The Neth server manager provides much more control over the system than what a typical hosting provider exposes.
These are separate functions, and should be treated separately. If an attacker is able to compromise an admin password, exposing the password change function means that attacker can change the password (which is certainly a bad thing)–but if the admin interface isn’t exposed to the Internet, that attacker still won’t be able to log in to it.
Yes, and that’s one way to go about it. Not ideal if only some of several web apps have the capability to change passwords (it means you can change your password for everything, but you have to use this specific app to do it), but definitely one possibility.
Why? If that interface doesn’t run as root (it doesn’t), and it doesn’t require administrative privileges to do its thing (it doesn’t; it uses the user’s credentials to change that user’s password), it wouldn’t seem to have the ability to compromise the system. I don’t see that it should need to be protected behind another password–though as I noted above, I’d prefer it not have the capability to change an admin’s password.
The default virtual host with Alias (/ssp) is working. The example in the ssp documentation points to /usr/local/self-service-password but it’s located in /usr/share/self-service-password.
I couldn’t check group membership of a user but I managed to exclude the admin user (for LDAP):
The typical rewriting should be enough. Just create /etc/e-smith/templates-custom/etc/httpd/conf.d/default-virtualhost.inc/50ssp with following content:
Put ldap server require strong auth = no to the global section in /var/lib/machines/nsdc/etc/samba/smb.conf and restart samba in the container with systemctl -M nsdc restart samba
EDIT:
You need to use a higher version of PHP if you want to use AD. So I had to install nethserver-rh-php71-php-fpm and put the following in the Directory statements in /etc/httpd/conf.d/self-service-password.conf…
Don’t much like that either. Between these two points, if they can’t be addressed, the AD installation would be much less secure than the OpenLDAP installation:
It needs admin privileges to run, which give it the power to do other bad things
It stores the admin credentials, in clear text, in a directory that’s served to the public (which is not quite as bad as it sounds; the PHP should be parsed such that those credentials are never sent out, but still doesn’t sound like a good idea)
It weakens authentication for everyone using the server, whether they use this feature or not
Changed my template fragment to reflect the correct directory, and yes, it’s now working from the default virtual host. Silly me for not having noticed that myself.
Can we get any input from the devs on this? Specifically, is updating the password in either OpenLDAP or AD all that needs to be done? @dev_team?
I was trying to get the reset by email tokens to work with the OpenLDAP backend, and getting a message that the password was refused by the LDAP backend. But as I think about it, that makes sense–the config I’m using has the user resetting his own password, which would mean that user needs to be authenticated. If the user hasn’t entered his password, he isn’t authenticated. Bother.
I have working templates that will do the job for the direct password reset using OpenLDAP, so I think I’ll write that up and adjust as needed.
Hi @danb35 do you have any news about the web password changing application?
I’d like to add a user password changing form, publicly accessible from HTTPS. We currently use ldappasswd and kpasswd as client commands to change the user’s password, depending on the accounts provider type.
yes, seen it.
meant, how does the email token work?
i still see enter old password appearing.
so generally, not able to change password if don.t know old one
Easy enough to fix, though.