Post Hook configuration

You can write a script that is called after the password has been changed. This allows you, for example, to update a file or a database on password change.

This script must be executable by the user running Apache. It will take 3 arguments:

  • $login : the user login
  • $newpassword : the new password
  • $oldpassword : the old password
The old password is only provided on a standard password change, not on a password reset.

To declare this script, use:

$posthook = "/usr/share/self-service-password/posthook.sh";

Here is an example of a simple posthook script:

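#!/bin/bash

# Arguments passed by Self Service Password
LOGIN="$1"
NEWPASSWORD="$2"
OLDPASSWORD="$3"   # empty on password reset

# Demonstration only: this writes the passwords in clear text to the log
date >> /tmp/posthook.log
echo "$LOGIN / $NEWPASSWORD / $OLDPASSWORD" >> /tmp/posthook.log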
This script is an example; do not use it in production: passwords should never be put in logs. Write your own script to propagate the password to a safe place.

If you are using systemd, it is possible that the PrivateTmp feature is enabled by default for Apache (in your httpd.service or apache2.service).

When enabled, all logs written from posthook.sh to /tmp will be redirected to /tmp/systemd-private-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-apache2.service-XXXXXX/tmp or similar.
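
Following the warning above about passwords in logs, here is an added example (not part of the original documentation or the project's code) of a posthook that records only the login and whether the event was a change or a reset. The log path, the POSTHOOK_LOG variable and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example posthook: records that a password changed, never the password.
# POSTHOOK_LOG is a hypothetical override; the default path is an assumption.
# Use a directory writable only by the user running Apache, not /tmp.
LOG_FILE="${POSTHOOK_LOG:-/var/log/self-service-password/posthook.log}"

# Strip control characters (newlines included) so a crafted login
# cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | tr -d '[:cntrl:]'
}

# Arguments as passed by Self Service Password: login, new password and,
# on a standard change only, the old password.
# The body runs in a subshell so umask and variables do not leak out.
record_change() (
    if [ "$#" -lt 2 ] || [ -z "$1" ]; then
        echo "usage: posthook.sh login newpassword [oldpassword]" >&2
        exit 2
    fi
    login=$(sanitize "$1")
    # The old password is absent on a reset, which tells the two events apart.
    if [ -n "${3:-}" ]; then kind="change"; else kind="reset"; fi
    umask 077   # a newly created log file is readable by its owner only
    printf '%s login=%s event=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$login" "$kind" >> "$LOG_FILE"
)

# Run only when called with arguments, as Self Service Password does.
[ "$#" -eq 0 ] || record_change "$@"
```
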