Password management portal for end users
We in IT have heard it often: the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is a password reset web application written in Java for use with LDAP directories. You can configure it to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already a handful of good tutorials on how to set up PWM (I think of this one in particular); however, in this tutorial I want to demonstrate the puppet apply command.
Prerequisites
This guide assumes you have an Active Directory server with TLS set up (required to change passwords), which is beyond the scope of this post. It also assumes you have a CentOS 7 instance that can reach the Active Directory server, and that the environment has no puppet master/server. The finished manifest can be uploaded to a master and used that way.
Obtaining PWM
PWM is available in zip format on their website or in source format on GitHub. We are going to use the war file, so grab the zip from their website, extract it, and place the war on a web server or locally on the server.
yum install wget unzip -y
wget http://www.pwm-project.org/artifacts/pwm/pwm-1.8.0-SNAPSHOT-2016-05-23T22%3A36%3A58Z-pwm-bundle.zip
unzip pwm*.zip
Installing puppet and puppet modules
Our next step is to install puppet and the relevant puppet modules:
rpm -ivh http://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum install puppet -y
source /etc/profile
puppet module install puppetlabs-mysql
puppet module install puppetlabs-java
puppet module install puppetlabs-git
puppet module install puppetlabs-concat
puppet module install puppetlabs-tomcat --ignore-dependencies
We pass --ignore-dependencies because the tomcat module pulls in a staging module that conflicts with the one the mysql module already installed.
vim manifest.pp
The contents of this file are as below:
# Pull in the puppetlabs-git and puppetlabs-java classes with their defaults.
include git
include java

# Download and unpack Tomcat 8.5.3 into /opt/tomcat8 (CATALINA_HOME).
tomcat::install { '/opt/tomcat8':
  source_url => 'https://www.apache.org/dist/tomcat/tomcat-8/v8.5.3/bin/apache-tomcat-8.5.3.tar.gz',
}

# Create a separate instance (CATALINA_BASE) for PWM under the shared install.
tomcat::instance { 'tomcat8-pwm':
  catalina_home => '/opt/tomcat8',
  catalina_base => '/opt/tomcat8/pwm',
}

# Deploy pwm.war into the instance's webapps directory.
tomcat::war { 'pwm.war':
  catalina_base => '/opt/tomcat8/pwm',
  war_source    => '/path/to/pwm.war', # or http://domain.tld/pwm.war
}

# Point PWM's first context-param (its application path) at WEB-INF so its
# configuration lives inside the deployed webapp. Tomcat only explodes the war
# (and so creates web.xml) on startup, so this resource is ordered after the
# war deployment and may need a second apply once Tomcat has unpacked it.
augeas { 'web.xml':
  incl    => '/opt/tomcat8/pwm/webapps/pwm/WEB-INF/web.xml',
  context => '/files/opt/tomcat8/pwm/webapps/pwm/WEB-INF/web.xml/web-app',
  lens    => 'Xml.lns',
  changes => 'set context-param[1]/param-value/#text /opt/tomcat8/pwm/webapps/pwm/WEB-INF',
  require => Tomcat::War['pwm.war'],
}
We can now enforce the environment by issuing puppet apply manifest.pp. This will install PWM (insecurely), java, git, and tomcat. PWM is insecure in this state because Tomcat serves plain HTTP, so passwords can be intercepted on the way to the web server. In a follow-up tutorial next week, I will explain how to install mysql (to store the password reset questions) as well as placing nginx in front of tomcat to offer SSL and http to https redirection.
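The augeas change above edits context-param[1] by position, so it is worth confirming after the apply that the parameter it touched is the one intended. The following post-apply checker is an added example and not part of the original post or of PWM; it assumes the parameter is named applicationPath, and the embedded web.xml is a constructed sample standing in for /opt/tomcat8/pwm/webapps/pwm/WEB-INF/web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for PWM's WEB-INF/web.xml after the augeas
# change; the parameter name "applicationPath" is an assumption about PWM.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>applicationPath</param-name>
    <param-value>/opt/tomcat8/pwm/webapps/pwm/WEB-INF</param-value>
  </context-param>
  <context-param>
    <param-name>someOtherParam</param-name>
    <param-value>unchanged</param-value>
  </context-param>
</web-app>
"""

def _local(tag):
    # Strip the XML namespace so lookups work whichever web-app schema is declared.
    return tag.rsplit('}', 1)[-1]

def context_params(xml_text):
    """Return an ordered list of (param-name, param-value) pairs."""
    pairs = []
    for cp in ET.fromstring(xml_text).iter():
        if _local(cp.tag) != 'context-param':
            continue
        fields = {_local(c.tag): (c.text or '').strip() for c in cp}
        pairs.append((fields.get('param-name'), fields.get('param-value')))
    return pairs

def param_value(xml_text, name):
    """Look a context-param up by name instead of by position."""
    return dict(context_params(xml_text)).get(name)

def positional_target_is(xml_text, name):
    """True if context-param[1], the node the augeas 'set' edits, really is `name`."""
    pairs = context_params(xml_text)
    return bool(pairs) and pairs[0][0] == name

def application_path_ok(xml_text, catalina_base):
    """Check applicationPath points at the WEB-INF directory the manifest intends."""
    expected = catalina_base.rstrip('/') + '/webapps/pwm/WEB-INF'
    return param_value(xml_text, 'applicationPath') == expected

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print('applicationPath =', param_value(text, 'applicationPath'))
    print('context-param[1] is applicationPath:', positional_target_is(text, 'applicationPath'))
    print('value as intended:', application_path_ok(text, '/opt/tomcat8/pwm'))
```

Run it with the real web.xml path as the first argument on the CentOS host after puppet apply; with no argument it checks the embedded sample.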