I set up OpenLDAP with phpldapadmin as the front-end. Everything works great (on the admin side). On the user side, I needed a tool for users. (Perhaps phpldapuser? No, that doesn't exist.)
I looked around for a while and found two open source solutions.
#1 The LDAP Tool Box (LTB), written in PHP - http://ltb-project.org/wiki/start
#2 Password Manager (PWM), written in Java - http://code.google.com/p/pwm/
I installed both and gave them a test run. Here are my thoughts.
LDAP Tool Box
LTB is super easy to install and configure. It's just a bunch of PHP pages. You dump the pages into a directory you want, point Apache to it and you're done. Configuring it is easy too: you just open up the config page and start typing in the values you want.
Password Manager
PWM is pretty easy as well. Since Tomcat wasn't already installed, I had to download Tomcat and do some quick configuration. PWM started up right away and dumped into a lengthy configuration. I found out that if something wasn't available, then clicking "Advanced" would expose the feature I was looking for. After a while of going back and forth, I finally had PWM up and running. I ran some tests and it seemed to work.
Conclusion and Decision
Both products looked like they pretty much did the same thing. Although PWM had some extra features, I didn't need them. I was specifically looking for something to allow users to change their password from a web UI and recover their password.
I decided to go with LTB because LTB allowed more flexibility and was easier to work with. First of all, LTB, out of the box, performed password hashing and it allowed LDAP field mapping. When I asked about password hashing with PWM, I was told to use the OpenLDAP ppolicy feature. That's fine, but I wasn't interested in configuring ppolicy just to use PWM (I was already using something else for the policy). PWM also expected that you configure the MAIL attribute (at least that's what I figure since I could not figure out how to map MAIL to something else). In LTB, it is easy to map fields. Last, PWM did not update ShadowLastChange. They said they fixed it, but in the comments, they also said you had to go and configure some other setting.
Final thoughts... I really liked the clean interface of PWM and wanted to use it, but I didn't want to deal with the complexity of the product. I already have 50 other products to worry about, and self-service password was one that I wanted to deploy and forget about.
UPDATE: I ended up setting up ppolicy anyway. When setting up ppolicy, I wanted to use a password quality checker. It turns out that LTB provides such a module, so I wrote a blog on it. http://legendofgou.blogspot.com/2012/09/how-to-setup-ppolicy-in-openldap-23.html
So, I'd say the score is LTB 2 and PWM 0.
UPDATE: I downloaded the latest PWM to give it a test run. 10/2012
They cleaned up the UI and I was pretty excited. I started configuring the product only to hit a bunch of roadblocks, e.g. after clicking "forgot password", I am asked to provide a user name. I typed in my test user name and I got an error 5019. I don't know why. Everything else worked. Hmmm, maybe one day they will get it right. I will be sure to test again next year.
LTB 3 and PWM 0