Password management portal for end users

We in IT have heard it often, the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is a password reset web application written in Java for use with LDAP directories. You can configure it to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already a handful of good tutorials on how to set up PWM (I think of this one in particular); however, I want to demonstrate the puppet apply command in this tutorial.


This guide assumes you have an Active Directory server with TLS set up (to change passwords) which is beyond the scope of this post. It also assumes you have a CentOS 7 instance which can communicate to the Active Directory server. It also assumes this is in an environment without a puppet master/server. The end manifest can be uploaded to a master and used that way.

Obtaining PWM

PWM is available in zip format on their website or in source format on GitHub. We are going to use the war file so grab the zip from off of their website, extract it, and place it on a webserver or locally on the server.

yum install wget unzip -y
unzip pwm*.zip

Installing puppet and puppet modules

Our next step is to get puppet and relevant puppet modules

rpm -ivh
yum install puppet -y
source /etc/profile
puppet module install puppetlabs-mysql
puppet module install puppetlabs-java
puppet module install puppetlabs-git
puppet module install puppetlabs-concat
puppet module install puppetlabs-tomcat --ignore-dependencies

We are --ignore-dependencies because there is a conflicting staging module that the mysql module already installed.

vim manifest.pp

The contents of this file are as below:

include git
include java

tomcat::install { '/opt/tomcat8':
  source_url => ''

tomcat::instance { 'tomcat8-pwm':
  catalina_home => '/opt/tomcat8',
  catalina_base => '/opt/tomcat8/pwm',

tomcat::war { 'pwm.war':
  catalina_base => '/opt/tomcat8/pwm',
  war_source    => '/path/to/pwm.war', # or http://domain.tld/pwm.war

augeas {'web.xml':
	incl    => '/opt/tomcat8/pwm/webapps/pwm/WEB-INF/web.xml',
	context => '/files/opt/tomcat8/pwm/webapps/pwm/WEB-INF/web.xml/web-app',
	lens    => 'Xml.lns',
	changes => 'set context-param[1]/param-value/#text /opt/tomcat8/pwm/webapps/pwm/WEB-INF',

We can now enforce the environment by issuing a puppet apply manifest.pp. This will install PWM (insecurely), java, git, and tomcat. PWM is insecure in this state as passwords can be intercepted before they hit the web server. In a follow-up tutorial next week, I will explain how to install mysql (to store the password reset questions) as well as placing nginx in front of tomcat to offer SSL and http to https redirection.


Comments are closed.