Tuesday, April 10, 2012

LDAP self-service password products

I set up OpenLDAP with phpldapadmin as the front-end. Everything works great (on the admin side). On the user side, I needed a tool for users. (perhaps phpldapuser? no, that doesn't exist)

I looked around for a while and found two open source solutions.

#1 The LDAP Tool Box (LTB), written in PHP - http://ltb-project.org/wiki/start
#2 Password Manager (PWM), written in Java - http://code.google.com/p/pwm/

I installed both and gave them a test run. Here are my thoughts.

LDAP Tool Box
LTB is super easy to install and configure. It's just a bunch of PHP pages. You dump the pages into a directory you want, point Apache to it and you're done. Configuring it is easy too: you just open up the config page and start typing in the values you want.

Password Manager
PWM is pretty easy as well. Since Tomcat wasn't already installed, I had to download Tomcat and do some quick configuration. PWM started up right away and dumped me into a lengthy configuration. I found out that if something wasn't available, then clicking "Advanced" would expose the feature I was looking for. After a while of going back and forth, I finally had PWM up and running. I ran some tests and it seemed to work.

Conclusion and Decision
Both products pretty much did the same thing. Although PWM had some extra features, I didn't need them. I was specifically looking for something to allow users to change their password from a web UI and recover their password.

I decided to go with LTB because LTB allowed more flexibility and was easier to work with. First of all, LTB, out of the box, performed password hashing and it allowed LDAP field mapping. When I asked about password hashing with PWM, I was told to use the OpenLDAP ppolicy feature. That's fine, but I wasn't interested in configuring ppolicy just to use PWM (I was already using something else for the policy). PWM also expected that you configure the MAIL attribute (at least that's what I figure, since I could not figure out how to map MAIL to something else). In LTB, it is easy to map fields. Last, PWM did not update shadowLastChange. They said they fixed it, but in the comments they also said you had to go and configure some other setting.

Final thoughts... I really liked the clean interface of PWM and wanted to use it, but I didn't want to deal with the complexity of the product. I already have 50 other products to worry about, and self-service password was one that I wanted to deploy and forget about.

UPDATE: I ended up setting up ppolicy anyway. When setting up ppolicy, I wanted to use a password quality checker. It turns out that LTB provides such a module, so I wrote a blog post on it. http://legendofgou.blogspot.com/2012/09/how-to-setup-ppolicy-in-openldap-23.html

So, I'd say the score is LTB 2 and PWM 0.

UPDATE (10/2012): I downloaded the latest PWM to give it a test run.
They cleaned up the UI and I was pretty excited. I started configuring the product only to hit a bunch of roadblocks, e.g. after clicking "forgot password", I am asked to provide a user name. I typed in my test user name and I got error 5019. I don't know why. Everything else worked. Hmmm, maybe one day they will get it right. I will be sure to test again next year.

LTB 3 and PWM 0

13 comments:

  1. Hey, thanks! I was precisely thinking of installing PWM, and didn't know about ltb-project. That is much simpler indeed!

    Replies
    1. You're welcome. Since I installed the LTB self-service tool, everything has been working great.

    2. Hi, thank you for this nice article on deciding on the self-service password reset tool. Actually, I'm facing an issue after configuring the LTB tool. Here are the errors; if you could throw some light on this it would be great!

      Error:
      [Fri Feb 08 16:43:48.487919 2013] [:error] [pid 4050:tid 139760894805760] [client 172.16.0.61:36740] PHP Notice: Undefined variable: pwd_forbidden_chars in /usr/local/apache2/htdocs/self-service-password/index.php on line 99
      [Fri Feb 08 16:43:48.489287 2013] [:error] [pid 4050:tid 139760894805760] [client 172.16.0.61:36740] PHP Notice: Undefined index: changehelpextramessage in /usr/local/apache2/htdocs/self-service-password/pages/change.php on line 184
      [Fri Feb 08 16:44:36.488701 2013] [:error] [pid 4047:tid 139760884315904] [client 172.16.0.61:36744] PHP Notice: Undefined variable: pwd_forbidden_chars in /usr/local/apache2/htdocs/self-service-password/index.php on line 99, referer: http://ssp.mybox.com/
      [Fri Feb 08 16:44:36.816382 2013] [:error] [pid 4047:tid 139760884315904] [client 172.16.0.61:36744] PHP Warning: ldap_get_dn() expects parameter 2 to be resource, boolean given in /usr/local/apache2/htdocs/self-service-password/pages/change.php on line 112, referer: http://ssp.mybox.com/
      [Fri Feb 08 16:44:36.816460 2013] [:error] [pid 4047:tid 139760884315904] [client 172.16.0.61:36744] LDAP - User test.user not found, referer: http://ssp.mybox.com/

    3. Deepak,

      I'm not sure why you are getting that error. I checked and I don't have that variable in my index.php. Perhaps you downloaded a newer version. You should check with the developers of LTB.

  2. Hi

    Thanks for sharing this very useful article.

    I just want to get your clarification.

    Initially you said you already had openldap-server with phpldapadmin.
    Then you found LTB to help the user change the password.

    My question: are you installing openldap-server from the Linux rpm, or was it openldap-ltb-*.rpm?

    On the following page you shared a good article about the password checker and policies. This wanted the openldap source to compile the password checker C program.

    Is it possible for you to summarize the list of steps to take, from having the openldap server, LTB, password policy and checker, etc.?

  3. Hi Syed,

    Thank you for the compliment. Here are the steps I took:

    1) installed openldap from RHEL/EPEL repo as a stand alone server
    2) installed phpldapadmin from RHEL/EPEL
    3) installed LTB password changer/self-service tool (this was just a set of php files)
    4) installed ppolicy overlay for openldap
    5) installed LTB ppolicy checker module from source
    6) installed a slave openldap server using syncrepl
    (http://www.openldap.org/doc/admin24/replication.html)
    7) installed sudoers schema for LDAP
    (http://www.sudo.ws/sudoers.ldap.man.html)
    8) Configured Bind to round robin the master and slave to distribute the load
    9) Configured Nagios to check the health of both ldap servers
    10) Configured Puppet to enable LDAP authentication automatically

    I did not want to use the openldap-ltb rpm because I was not sure about the long-term support of these rpms.

  4. Thanks again

    By the way, I'm using openldap-servers-2.4-x, which comes with Red Hat Linux 6.2.

    Going to set it up as openldap-servers using the standard guideline.
    I saw there was ppolicy.schema. Do I still require openldap-servers-overlays?

    LTB ppolicy checker module from source - is this referring to the openldap source headers? Please correct me if I'm wrong. LTB self-service already includes the policy check in its config. With this, does it still require a password check in openldap?
    I believe your steps 6 - 10 are optional.

    Hoping for your input.

    Replies
    1. Syed,

      Some people say you need the overlays and some say you don't. I installed it anyway.

      When I built the LTB module, it did require me to use the openldap source. Check my post on that topic: http://legendofgou.blogspot.com/2014/02/how-to-setup-ppolicy-in-openldap-24.html

      The LTB self-service tool already includes a policy check but it is a client side check. A clever user could bypass it easily, so use it cautiously. In reality you're better off implementing the policy on the server.

      Steps 6 - 10 depend on where your LDAP implementation will be. I suppose in a small lab environment where availability and uptime are not a concern, you wouldn't need those additional steps. In a production environment, however, they are a must.

    2. Hi

      At this time I have completed:

      1. Setting up openldap-servers 2.4.23
      2. Installing LTB self-service password, together with the client policy check built in.
      3. I'm using JXplorer (for admin)
      4. Added the policy module which already comes with openldap-servers
      5. Downloaded and ran make depend on the openldap headers

      I'm supposed to continue to get the password checker, but I'm not sure which file to download from here: http://tools.ltb-project.org/projects/ltb/files.
      When you mentioned "Back to the password checker. Now, I set LDAP_INC in the make file to the location where I extracted openldap source as follows:", which makefile are you referring to?

      Hopefully by then I can have the policy check on the server as well.

      Thanks

    3. I trialed JXplorer at one time. It's a nice client.

      I went to the download page at http://ltb-project.org/wiki/download

      I scrolled down to the "Other" section. This is where the password check link is. I've copied the link below for easy access.
      http://tools.ltb-project.org/attachments/download/51/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz

      Download this file and extract it. You will see the Makefile.

    4. The following comments I gave on your topic http://legendofgou.blogspot.com/2014/02/how-to-setup-ppolicy-in-openldap-24.html

      Here I paste:
      Hi

      I did follow this wonderful instruction.

      For step one, setup environment: when I tried to add the overlay for policy, this is what I got:
      Enter LDAP Password:
      adding new entry "olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config"
      ldap_add: Insufficient access (50)

      I just continued with steps 2 and 3.

      Step 2 was mostly perfect, with a similar result to the given guide.

      Step 3: when I tried to load the policy, here the message is:
      LDAP: error code 21 - pwdAttribute: value #0 invalid per syntax

      The pwdAttribute is referring to userPassword. I'm not sure why I can't add the policy with userPassword as the attribute. By reading, a few people suggest upgrading openldap (such as to 2.4.36), a few people suggest changing to the OID instead of userPassword. So I did it by changing the value to 2.5.4.35. Only then did it manage to load.
      Then I continued the whole guide in step 3. Unfortunately, when I tried to do ldapmodify to modify userPassword, I found that it doesn't check against the policy (such as min lower, minimum upper, etc.)

      Appreciate some input if I missed anything here.

      Thanks

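As an added example (not from the post, the comments or the LTB project), this is what a server-side default policy of the kind the author recommends earlier in this thread looks like, written as LDIF for ldapadd: it uses the OID form of pwdAttribute that the commenter above needed and shows why a rootdn ldapmodify does not exercise the check. The suffix dc=example,dc=com and the policy entry's DN are assumptions; the overlay DN is the one quoted in the comment above.

```ldif
# Added example, not from the post or from LTB. Assumed suffix: dc=example,dc=com.
# Server-side enforcement: slapd checks every password change, whatever client
# submits it, unlike the LTB self-service page's check, which runs in the client.
#
# Prerequisites (not shown): the ppolicy schema loaded under cn=schema,cn=config
# and, with the RHEL packages, olcModuleLoad: ppolicy.la under cn=module{0},cn=config.

# 1) The policy entry. pwdAttribute has OID syntax, so on older 2.4 releases
#    userPassword must be given by its OID, 2.5.4.35, as the commenter found.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
sn: default
pwdAttribute: 2.5.4.35
# 2 = check quality and reject any password the server cannot evaluate (one the
# client already hashed, for instance); 1 would accept such a password unchecked.
pwdCheckQuality: 2
pwdMinLength: 8
pwdInHistory: 5
pwdMaxAge: 7776000
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
# LTB's check_password module (built from source) adds the character-class rules.
pwdCheckModule: check_password.so

# 2) The overlay instance, using the DN quoted above, pointing at that entry.
#    This lives in cn=config: add it as the config rootdn, or as root over
#    ldapi:/// with -Y EXTERNAL (which the RHEL packaging allows by default);
#    otherwise slapd answers "Insufficient access (50)" as it did above.
dn: olcOverlay={0}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext passwords server-side, so the self-service page can send the
# cleartext (over TLS) and still get a quality check instead of a rejection.
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

# To verify, change the password bound as the user's own DN: quality checks are
# skipped for the rootdn, so an ldapmodify as cn=Manager will never be rejected.
```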
  5. This comment has been removed by the author.

    Replies
    1. Tom,
      Thanks for posting. There are a lot of paid self-service password solutions and I have not had the luxury to try them out. Though, the only two I found are PWM and LTB.
