{"id":308,"date":"2016-08-19T06:00:00","date_gmt":"2016-08-19T14:00:00","guid":{"rendered":"https:\/\/andrewwippler.com\/?p=308"},"modified":"2016-09-03T15:13:08","modified_gmt":"2016-09-03T23:13:08","slug":"password-management-portal-for-end-users","status":"publish","type":"post","link":"https:\/\/andrewwippler.com\/2016\/08\/19\/password-management-portal-for-end-users\/","title":{"rendered":"Password management portal for end users"},"content":{"rendered":"

We in IT have heard it often: the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is an open-source password self-service web application written in Java for use with LDAP directories; it can be configured to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already a handful of good tutorials on how to set up PWM (I think of this one in particular<\/a>); however, this tutorial focuses on standing it up with the puppet apply<\/code> command, without a puppet master.<\/p>\n

Prerequisites<\/h3>\n

This guide assumes you have an Active Directory server with TLS (LDAPS) already set up, since Active Directory refuses password changes over an unencrypted LDAP connection; configuring that is beyond the scope of this post. It also assumes a CentOS 7 instance that can reach the Active Directory server, and an environment without a puppet master\/server. The finished manifest can be uploaded to a master and used that way.<\/p>\n
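Before pointing PWM at the directory, it is worth proving the LDAPS side of this prerequisite from the CentOS host itself: Active Directory refuses unicodePwd changes over an unencrypted LDAP session, and a domain controller certificate the host does not trust will surface later as an opaque PWM error. The pre-flight check below is an added example for this page, not code from the original post or from the PWM project; the host name dc1.example.com, port 636 and the CentOS CA bundle path are assumptions to replace with your own.<\/p>\n

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight LDAPS check for the
# Active Directory server PWM will change passwords against. AD only accepts
# unicodePwd changes over an encrypted connection, so confirm port 636 answers
# and presents a certificate chain that this host's trust store verifies.
# AD_HOST, AD_PORT and CA_BUNDLE are assumed values; override them via env.

# Return 0 only if an "openssl s_client" transcript reports a verified chain.
verify_code_ok() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Return the verify return code text (e.g. "19 (self signed certificate ...)")
# so a failure can be read directly instead of guessed at.
verify_reason() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: //p' | head -n 1
}

# Live check: open a TLS session to AD, verify against the given CA bundle,
# and print the server certificate's subject and expiry on success.
ldaps_check() {
    host="$1"; port="${2:-636}"; ca="${3:-/etc/pki/tls/certs/ca-bundle.crt}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$ca" </dev/null 2>&1)
    if verify_code_ok "$out"; then
        echo "OK: $host:$port presents a certificate trusted via $ca"
        printf '%s\n' "$out" | openssl x509 -noout -subject -enddate
        return 0
    fi
    echo "FAIL: $host:$port -> $(verify_reason "$out")" >&2
    return 1
}

# Only touch the network when a host is given; otherwise show the parser on a
# constructed transcript (this sample is made up for illustration).
if [ -n "${AD_HOST:-}" ]; then
    ldaps_check "$AD_HOST" "${AD_PORT:-636}" "${CA_BUNDLE:-/etc/pki/tls/certs/ca-bundle.crt}"
else
    SAMPLE="CONNECTED(00000003)
depth=0 CN = dc1.example.com
verify error:num=20:unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)"
    echo "usage: AD_HOST=dc1.example.com [AD_PORT=636] [CA_BUNDLE=/path/ca.pem] sh $0"
    echo "constructed sample transcript would report: $(verify_reason "$SAMPLE")"
fi
```

Run it as AD_HOST=dc1.example.com sh ldaps-check.sh<\/code>; with no AD_HOST set it only exercises the parser on a constructed transcript. A non-zero verify code usually means the domain controller's certificate chain (typically issued by an internal CA) is not in the bundle you passed, which is the same trust the Java runtime behind PWM will need before it can talk to the directory.<\/p>\n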

Obtaining PWM<\/h3>\n

PWM is available in zip format on their website<\/a> or in source format on GitHub<\/a>. We are going to use the war file, so grab the zip from their website, extract it, and place the war on a webserver or locally on the server. Note that the link below fetches a SNAPSHOT build over plain HTTP; for anything beyond a lab, take a release build over HTTPS and record its hash before deploying it, since this archive is the code that will be handling your users' passwords.<\/p>\n

yum install wget unzip -y\r\nwget http:\/\/www.pwm-project.org\/artifacts\/pwm\/pwm-1.8.0-SNAPSHOT-2016-05-23T22%3A36%3A58Z-pwm-bundle.zip\r\nunzip pwm*.zip<\/code><\/pre>\n

Installing puppet and puppet modules<\/h3>\n

Our next step is to get puppet and relevant puppet modules<\/p>\n

rpm -ivh http:\/\/yum.puppetlabs.com\/puppetlabs-release-pc1-el-7.noarch.rpm\r\nyum install puppet -y\r\nsource \/etc\/profile\r\npuppet module install puppetlabs-mysql\r\npuppet module install puppetlabs-java\r\npuppet module install puppetlabs-git\r\npuppet module install puppetlabs-concat\r\npuppet module install puppetlabs-tomcat --ignore-dependencies\r\n<\/code><\/pre>\n

We pass --ignore-dependencies<\/code> because the tomcat module depends on a staging<\/code> module that conflicts with the version the mysql<\/code> module already installed.<\/p>\n

vim manifest.pp<\/code><\/pre>\n

The contents of this file are as below:<\/p>\n

# Install git and OpenJDK via the puppetlabs modules\r\ninclude git\r\ninclude java\r\n\r\n# Install Tomcat 8.5 from the Apache tarball into CATALINA_HOME\r\ntomcat::install { '\/opt\/tomcat8':\r\n  source_url => 'https:\/\/www.apache.org\/dist\/tomcat\/tomcat-8\/v8.5.3\/bin\/apache-tomcat-8.5.3.tar.gz',\r\n}\r\n\r\n# A dedicated CATALINA_BASE for PWM, kept separate from the Tomcat install\r\ntomcat::instance { 'tomcat8-pwm':\r\n  catalina_home => '\/opt\/tomcat8',\r\n  catalina_base => '\/opt\/tomcat8\/pwm',\r\n}\r\n\r\n# Deploy pwm.war into the instance's webapps directory\r\ntomcat::war { 'pwm.war':\r\n  catalina_base => '\/opt\/tomcat8\/pwm',\r\n  war_source    => '\/path\/to\/pwm.war', # or http:\/\/domain.tld\/pwm.war\r\n}\r\n\r\n# Point PWM's applicationPath (where it keeps its configuration and runtime\r\n# data) at WEB-INF of the exploded webapp. The context-param is matched by\r\n# name so the edit does not depend on it being the first one in web.xml.\r\naugeas { 'web.xml':\r\n  incl    => '\/opt\/tomcat8\/pwm\/webapps\/pwm\/WEB-INF\/web.xml',\r\n  context => '\/files\/opt\/tomcat8\/pwm\/webapps\/pwm\/WEB-INF\/web.xml\/web-app',\r\n  lens    => 'Xml.lns',\r\n  changes => \"set context-param[param-name\/#text='applicationPath']\/param-value\/#text \/opt\/tomcat8\/pwm\/webapps\/pwm\/WEB-INF\",\r\n  require => Tomcat::War['pwm.war'],\r\n}\r\n<\/code><\/pre>\n

We can now enforce the environment by issuing puppet apply manifest.pp<\/code> (run puppet apply --noop manifest.pp<\/code> first to see what would change without changing it). This installs java, git, tomcat, and PWM. PWM is insecure in this state: Tomcat is serving plain HTTP, so users' current and new passwords cross the network in cleartext between the browser and the web server, where anyone on the path can read them. In a follow-up tutorial next week<\/a>, I will explain how to install mysql (to store the password reset questions) as well as placing nginx in front of tomcat to offer TLS (SSL) and http to https redirection.<\/p>\n","protected":false},"excerpt":{"rendered":"

We in IT have heard it often, the #1 request coming into help desk ticket systems is password resets, account lockouts, and the like. PWM is a password reset web application written in Java for use with LDAP directories. You can configure it to work with Active Directory, OpenLDAP, FreeIPA, and others. There are already […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[55,11],"tags":[37,60,46,26,28],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/308"}],"collection":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/comments?post=308"}],"version-history":[{"count":16,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/308\/revisions"}],"predecessor-version":[{"id":372,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/posts\/308\/revisions\/372"}],"wp:attachment":[{"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/media?parent=308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/categories?post=308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andrewwippler.com\/wp-json\/wp\/v2\/tags?post=308"}],"cur
ies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}