Self Password Change

LDAP Self Service Password is a web application for end users. It allows them to change or reset their password if they lost it.

You need to install these prerequisites:

• Apache or another web server
• php (>=7.4)
• php-curl (haveibeenpwned api)
• php-filter
• php-gd (captcha)
• php-ldap
• php-mbstring (reset mail)
• php-openssl (token crypt, probably built-in)
• smarty (3 or 4)

Installation From tarball

Uncompress and unarchive the tarball: ​https://ltb-project.org/download.html

$ tar -zxvf ltb-project-self-service-password-*.tar.gz

Install files in /usr/share/:

# mv ltb-project-self-service-password-* /usr/share/self-service-password #mkdir /usr/share/self-service-password/cache #mkdir /usr/share/self-service-password/templates_c

Adapt ownership of Smarty cache repositories so Apache user can write into them. For example:

chown apache:apache /usr/share/self-service-password/cache chown apache:apache /usr/share/self-service-password/templates_c

Due to a bug in old Debian and Ubuntu smarty3 package, you may face the error syntax error, unexpected token "class". In this case, install a newer version of the package://

# wget http://ftp.us.debian.org/debian/pool/main/s/smarty3/smarty3_3.1.47-2_all.deb

# dpkg -i smarty3_3.1.47-2_all.deb

Configure the repository:

# vi /etc/apt/sources.list.d/ltb-project.list

deb [arch=amd64 signed-by=/usr/share/keyrings/ltb-project.gpg] https://ltb-project.org/debian/stable stable main

Import repository key:

wget -O - https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project | gpg --dearmor | sudo tee /usr/share/keyrings/ltb-project.gpg >/dev/null

Then update:

apt update

You are now ready to install: apt install self-service-password

Apache configuration

<VirtualHost *:80>
    ServerName ssp.example.com

    DocumentRoot /usr/share/self-service-password/htdocs
    DirectoryIndex index.php

    AddDefaultCharset UTF-8

    <Directory /usr/share/self-service-password/htdocs>
        AllowOverride None
        <IfVersion >= 2.3>
            Require all granted
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Allow from all
        </IfVersion>
    </Directory>

    Alias /rest /usr/share/self-service-password/rest

    <Directory /usr/share/self-service-password/rest>
        AllowOverride None
        <IfVersion >= 2.3>
            Require all denied
        </IfVersion>
        <IfVersion < 2.3>
            Order Deny,Allow
            Deny from all
        </IfVersion>
    </Directory>

    LogLevel warn
    ErrorLog /var/log/apache2/ssp_error.log
    CustomLog /var/log/apache2/ssp_access.log combined
</VirtualHost>

a2ensite self-service-password

Check you configuration and reload Apache:

# apachectl configtest
# apachectl reload

Graphics

You change the default logo with your own

$logo = "images/ltb-logo.png";

You change the background image with your own

$background_image = "images/unsplash-space.jpeg";

To easily customize CSS

$custom_css = "css/custom.css";

You can hide the footer bar

$display_footer = false;

Debug

$debug = true;

$smarty_debug = true;

Security

You need a key phrase if you use ciphered tokens

$keyphrase = "secret";

There is also a protection on login to avoid LDAP injections. Some characters are forbidden, you can change the list of forbidden characters in login

$login_forbidden_chars = "*()&|";

For the reset process via mail token and send sms token, errors are hidden by default, to avoid account disclosure

$obscure_usernotfound_sendtoken = true;
$obscure_notfound_sendsms = true;

LDAP Connection

Server address

Use an LDAP URI to configure the location of your LDAP server

$ldap_url = "ldap://localhost:389";

To use SSL

$ldap_url = "ldaps://localhost";

To use StartTLS, set true in $ldap_starttls

$ldap_starttls = true;

Note:// LDAP certificate management in PHP relies on LDAP system libraries. Under Linux, you can configure /etc/ldap.conf (or /etc/ldap/ldap.conf on Debian or Ubuntu, or C:\OpenLDAP\sysconf\ldap.conf for Windows).

• Provide the certificate from the certificate authority that issued your LDAP server’s certificate

TLS_CACERT /etc/ssl/ca.crt

Or, disable server certificate checking:

TLS_REQCERT allow

If you face issues with non matching TLS versions between SSP and your LDAP server, you should try to modify TLS_CIPHER_SUITE to match the requirements of your server. For example:

TLS_CIPHER_SUITE TLSv1+RSA

You can also define the ldap connection timeout:

$ldap_network_timeout = true;

Credentials

Configure DN and password in $ldap_bindn and $ldap_bindpw, for example a service account

$ldap_binddn = "cn=ssp,ou=dsa,dc=example,dc=com";

$ldap_bindpw = "secret";

To instead use user’s credentials when writing in LDAP directory, replace manager with user in $who_change_password

$who_change_password = "user";