Password management portal for end users

2016-08-19T14:00:00+00:00

We in IT have heard it often, the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is a password reset web application written in Java for use with LDAP directories. You can configure it to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already a handful of good tutorials on how to set up PWM (I think of this one in particular</a>); however, I want to demonstrate the puppet apply</code> command in this tutorial.

Prerequisites</h3>
This guide assumes you have an Active Directory server with TLS set up (to change passwords) which is beyond the scope of this post. It also assumes you have a CentOS 7 instance which can communicate to the Active Directory server. It also assumes this is in an environment without a puppet master/server. The end manifest can be uploaded to a master and used that way.</p>

Obtaining PWM</h3>
PWM is available in zip format on their website</a> or in source format on GitHub</a>. We are going to use the war file so grab the zip from off of their website, extract it, and place it on a webserver or locally on the server.</p>
yum install wget unzip -y
</span>wget http://www.pwm-project.org/artifacts/pwm/pwm-1.8.0-SNAPSHOT-2016-05-23T22%3A36%3A58Z-pwm-bundle.zip
</span>unzip pwm*.zip
</span></code></pre>
Installing puppet and puppet modules</h3>
Our next step is to get puppet and relevant puppet modules</p>
rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
</span>yum install puppet -y
</span>source /etc/profile
</span>puppet module install puppetlabs-mysql
</span>puppet module install puppetlabs-java
</span>puppet module install puppetlabs-git
</span>puppet module install puppetlabs-concat
</span>puppet module install puppetlabs-tomcat --ignore-dependencies
</span>
</span></code></pre>
We are --ignore-dependencies</code> because there is a conflicting staging module that the mysql</code> module already installed.</p>
vim manifest.pp
</span></code></pre>
The contents of this file are as below:</p>
include git
</span>include java
</span>
</span>tomcat::install { '/opt/tomcat8':
</span>  source_url => 'https://www.apache.org/dist/tomcat/tomcat-8/v8.5.3/bin/apache-tomcat-8.5.3.tar.gz'
</span>}
</span>
</span>tomcat::instance { 'tomcat8-pwm':
</span>  catalina_home => '/opt/tomcat8',
</span>  catalina_base => '/opt/tomcat8/pwm',
</span>}
</span>
</span>tomcat::war { 'pwm.war':
</span>  catalina_base => '/opt/tomcat8/pwm',
</span>  war_source    => '/path/to/pwm.war', # or http://domain.tld/pwm.war
</span>}
</span>
</span>augeas {'web.xml':
</span>	incl    => '/opt/tomcat8/pwm/webapps/pwm/WEB-INF/web.xml',
</span>	context => '/files/opt/tomcat8/pwm/webapps/pwm/WEB-INF/web.xml/web-app',
</span>	lens    => 'Xml.lns',
</span>	changes => 'set context-param[1]/param-value/#text /opt/tomcat8/pwm/webapps/pwm/WEB-INF',
</span>}
</span>
</span></code></pre>
We can now enforce the environment by issuing a puppet apply manifest.pp</code>. This will install PWM (insecurely), java, git, and tomcat. PWM is insecure in this state as passwords can be intercepted before they hit the web server. In a follow-up tutorial next week</a>, I will explain how to install mysql (to store the password reset questions) as well as placing nginx in front of tomcat to offer SSL and http to https redirection.</p>

Andrew Wippler's Sketchpad - PWM

Securing PWM

Password management portal for end users

Andrew Wippler's Sketchpad - PWM

Securing PWM

Password management portal for end users

Installing puppet and puppet modules</h3> Our next step is to get puppet and relevant puppet modules</p>