Self Service Password

Documentation for version 0.3

Installation

To install it:

# tar zxvf ltb-project-self-service-password-VERSION.tar.gz
# mv ltb-project-self-service-password-VERSION /usr/local/self-service-password

You can configure a virtual host on Apache for this application:

<VirtualHost *:80>
        ServerName ssp.example.com

        DocumentRoot /usr/local/self-service-password
        DirectoryIndex index.php

        AddDefaultCharset UTF-8

        LogLevel warn
        ErrorLog /var/log/apache2/ssp_error.log
        CustomLog /var/log/apache2/ssp_access.log combined
</VirtualHost>

Configuration

Edit the configuration file (config.inc.php):

# vi /usr/local/self-service-password/config.inc.php

Parameters are the following:

  • $ldap_url: LDAP URL, like ldap://myserver
  • $ldap_binddn: Manager DN (not mandatory)
  • $ldap_bindpw: Manager password (not mandatory)
  • $ldap_base: Base of search (users branch)
  • $ldap_filter: Filter to find the user (the string {login} is replaced by submitted login)
  • $ad_mode: Set to true if you use Active Directory
  • $samba_mode: Set to true to change the Samba password too (modifies the sambaNTPassword and sambaPwdLastSet attributes)
  • $hash: Password hashing scheme. Default is “clear”. This option is ignored when $ad_mode is set. Available schemes are:
    • SHA
    • SSHA
    • MD5
    • SMD5
    • CRYPT
  • $pwd_min_lenght: Minimum length
  • $pwd_max_lenght: Maximum length
  • $pwd_min_lower: Minimum number of lowercase characters
  • $pwd_min_upper: Minimum number of uppercase characters
  • $pwd_min_digit: Minimum number of digits
  • $pwd_show_policy: Set to true to display the password policy constraints on the page
  • $who_change_password: Set to “user” if the user does the modification on the directory, or “manager” otherwise (depending on ACLs)
  • $lang: Choose “en”, “fr” or “de”
  • $logo: Path to image logo
  • $debug: Set to true to print debug information
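
How the values selected by $hash are built, as an added example (not Self Service Password's own code): it follows the common LDAP userPassword convention of a {SCHEME} prefix followed by base64(digest + salt). The function names and the 8-byte salt length are assumptions of this example, and CRYPT is left out.

```python
import base64
import hashlib
import hmac
import os

# Digest algorithm and whether a random salt is appended, per scheme.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
}
SALT_LEN = 8  # assumption of this example; other salt lengths are also valid


def make_user_password(password, scheme, salt=None):
    """Return the userPassword value for `password` under `scheme`."""
    if scheme == "clear":
        return password  # sent as-is; protected only by what the server does
    algo, salted = SCHEMES[scheme]
    salt = (os.urandom(SALT_LEN) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def check_user_password(password, stored):
    """Verify `password` against a stored {SCHEME}base64 value."""
    if not stored.startswith("{"):
        return hmac.compare_digest(password.encode(), stored.encode())
    scheme, _, b64 = stored[1:].partition("}")
    algo, _salted = SCHEMES[scheme.upper()]
    raw = base64.b64decode(b64)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]  # the salt is whatever follows the digest
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    pw = "Constructed-Sample-1"  # constructed sample password
    for s in ("clear", "SHA", "SSHA", "MD5", "SMD5"):
        print(s.ljust(5), make_user_password(pw, s))
```

The unsalted schemes (SHA, MD5) give the same value for the same password every time, so identical passwords are visible as identical entries; the salted schemes (SSHA, SMD5) do not.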

Active Directory

If you use Active Directory, you should adapt the configuration:

  • You must use SSL, so use ldaps:// in $ldap_url
  • Activate $ad_mode
  • Use this filter: (&(objectClass=user)(sAMAccountName={login}))

Tips

You can pre-fill the login field by setting the value in the URL, like http://ssp.example.com/?login=mylogin. This is useful if you link to this page from another program that already knows the user's login.