authorTrygve Laugstøl <trygvis@inamo.no>2017-08-11 13:19:12 +0200
committerTrygve Laugstøl <trygvis@inamo.no>2017-08-11 13:22:24 +0200
commit801177d16ccc9eeb14d9ccc3278420b90e207639 (patch)
o Initial import of configuration for knot.
Diffstat (limited to 'knot')
-rw-r--r--knot/README.md17
-rw-r--r--knot/add-People.ldif4
-rw-r--r--knot/add.ldif13
-rw-r--r--knot/docker-compose.yml40
-rwxr-xr-xknot/launch-ldap12
-rw-r--r--knot/ssp/Dockerfile24
-rwxr-xr-xknot/ssp/build7
-rw-r--r--knot/ssp/conf/000-default.conf19
-rw-r--r--knot/ssp/conf/config.inc.php285
-rwxr-xr-xknot/ssp/launch9
m---------knot/ssp/self-service-password0
11 files changed, 430 insertions, 0 deletions
diff --git a/knot/README.md b/knot/README.md
new file mode 100644
index 0000000..75066cd
--- /dev/null
+++ b/knot/README.md
@@ -0,0 +1,17 @@
+ sudo docker network create --subnet=172.90.0.0/16 trygvis-net
+
+# Add new entry in LDAP
+
+ dn: uid=trygvis,ou=People,dc=trygvis,dc=io
+ changetype: add
+ objectClass: top
+ objectClass: person
+ objectClass: organizationalPerson
+ objectClass: inetOrgPerson
+ uid: trygvis
+ givenName: Trygve
+ sn: Laugstøl
+ cn: Trygve Laugstøl
+ mail: trygvis@inamo.no
+ userPassword: password
+
diff --git a/knot/add-People.ldif b/knot/add-People.ldif
new file mode 100644
index 0000000..f4bd9bd
--- /dev/null
+++ b/knot/add-People.ldif
@@ -0,0 +1,4 @@
+dn: ou=People,dc=trygvis,dc=io
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
diff --git a/knot/add.ldif b/knot/add.ldif
new file mode 100644
index 0000000..9fdfbc3
--- /dev/null
+++ b/knot/add.ldif
@@ -0,0 +1,13 @@
+dn: uid=trygvis,ou=People,dc=trygvis,dc=io
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: trygvis
+givenName: Trygve
+sn: Laugstøl
+cn: Trygve Laugstøl
+mail: trygvis@inamo.no
+userPassword: password
+
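Review bot: `userPassword: password` is committed as a cleartext literal, and unless the directory is configured to hash incoming cleartext values (the ppolicy overlay's hash-cleartext option, which nothing in this commit sets up) slapd will store and serve it exactly as written. Generate the value out of band, e.g. `slappasswd -h '{SSHA}'`, and paste only the `{SSHA}...` digest into the LDIF, or leave the attribute out here and set it afterwards with `ldappasswd`. The same literal entry also appears in the README, so it should be scrubbed from both places and the account's password changed if this file was ever imported as-is.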
diff --git a/knot/docker-compose.yml b/knot/docker-compose.yml
new file mode 100644
index 0000000..2a04626
--- /dev/null
+++ b/knot/docker-compose.yml
@@ -0,0 +1,40 @@
+version: "3"
+
+services:
+ t-ssp:
+ build: ssp
+ container_name: t-ssp
+# ports:
+# - "8010:80"
+ networks:
+ trygvis_net:
+ ipv4_address: 172.90.0.10
+ env_file:
+ - ./secrets/t-ssp.env
+ t-ldap:
+ image: dinkel/openldap
+ container_name: t-openldap
+ environment:
+ SLAPD_PASSWORD: "secret"
+ SLAPD_DOMAIN: "trygvis.io"
+ SLAPD_CONFIG_PASSWORD: "secret"
+ networks:
+ trygvis_net:
+ ipv4_address: 172.90.0.20
+ volumes:
+ - ssp-etc:/etc/ldap
+ - ssp-data:/var/lib/ldap
+
+networks:
+ trygvis_net:
+ ipam:
+ config:
+ - subnet: 172.90.0.0/16
+
+volumes:
+ ssp-etc:
+ external:
+ name: t-ssp-etc
+ ssp-data:
+ external:
+ name: t-ssp-data
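Review bot: `SLAPD_PASSWORD: "secret"` and `SLAPD_CONFIG_PASSWORD: "secret"` put the directory's admin and cn=config credentials in the committed compose file, even though the `t-ssp` service right above already shows the intended pattern with `env_file: - ./secrets/t-ssp.env`; give `t-ldap` the same treatment, `env_file:` / `- ./secrets/t-ldap.env`, and drop the two literal values. `image: dinkel/openldap` carries no tag or digest, so every `docker-compose pull` silently takes whatever the registry currently serves as `latest`; pin it to a tag or `@sha256:` digest. The volumes are named `ssp-etc`/`ssp-data` but are mounted into the LDAP container, which is easy to misread during a restore; consider `ldap-etc`/`ldap-data`.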
diff --git a/knot/launch-ldap b/knot/launch-ldap
new file mode 100755
index 0000000..123eea9
--- /dev/null
+++ b/knot/launch-ldap
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+exec docker run -d \
+ --name trygvis-openldap \
+ --net trygvis-net \
+ --ip 172.90.0.30 \
+ --volume trygvis-openldap_etc_ldap:/etc/ldap \
+ --volume trygvis-openldap_var_lib_ldap:/var/lib/ldap \
+ -e SLAPD_PASSWORD=secret \
+ -e SLAPD_DOMAIN=trygvis.io \
+ -e SLAPD_CONFIG_PASSWORD=secret \
+ dinkel/openldap
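Review bot: `-e SLAPD_PASSWORD=secret` and `-e SLAPD_CONFIG_PASSWORD=secret` pass the admin credentials as literal command-line arguments, which end up in the shell history, in `docker inspect` output and in the process list while the command runs; `--env-file secrets/t-ldap.env` (with that file kept out of git) avoids committing them at all. This script also places the container at `--ip 172.90.0.30` under the name `trygvis-openldap`, while `docker-compose.yml` uses `172.90.0.20`/`t-openldap` and `config.inc.php` hard-codes `ldap://172.90.0.20`, so an SSP instance started against this container presumably cannot reach it; pick one address and name and use it everywhere. The image reference `dinkel/openldap` is unpinned here as well.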
diff --git a/knot/ssp/Dockerfile b/knot/ssp/Dockerfile
new file mode 100644
index 0000000..6f19b9d
--- /dev/null
+++ b/knot/ssp/Dockerfile
@@ -0,0 +1,24 @@
+FROM debian:stretch-slim
+
+MAINTAINER Trygve Laugstøl <trygvis@inamo.no>
+
+VOLUME /local
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ apache2 \
+ aptitude \
+ apt-utils \
+ git \
+ git \
+ libapache2-mod-php \
+ php-ldap \
+ php-mbstring \
+ php-xml
+
+COPY self-service-password /srv/self-service-password
+COPY conf/000-default.conf /etc/apache2/sites-available/000-default.conf
+COPY conf/config.inc.php /srv/self-service-password/conf/config.inc.php
+CMD []
+ENTRYPOINT ["apachectl", "-DFOREGROUND"]
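Review bot: `git` is listed twice in the `apt-get install` list, and together with `aptitude` and `apt-utils` it is build-time tooling that nothing in this image appears to use at run time, so it only widens the attack surface of a container that serves a password-change form. The `RUN` also never removes `/var/lib/apt/lists/*`, leaving stale package indexes in the layer. Note that `COPY conf/config.inc.php` bakes whatever credentials that file contains into an image layer that anyone with access to the image (or a registry it is pushed to) can read; mounting it at run time, or reading the secrets from the environment inside the file, keeps them out of the image. `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`, and `VOLUME /local` is declared but never referenced by anything in this commit.
```dockerfile
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        apache2 \
        libapache2-mod-php \
        php-ldap \
        php-mbstring \
        php-xml && \
    rm -rf /var/lib/apt/lists/*
# … unchanged: COPY lines, CMD, ENTRYPOINT …
```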
diff --git a/knot/ssp/build b/knot/ssp/build
new file mode 100755
index 0000000..2c2e62d
--- /dev/null
+++ b/knot/ssp/build
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -x
+set -e
+name=trygvis-ssp
+basedir=$(dirname $0)
+cd $basedir
+exec sudo docker build -t "$name" .
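Review bot: `basedir=$(dirname $0)` and `cd $basedir` leave `$0` and `$basedir` unquoted, so a checkout path containing whitespace splits into several words and the `cd` lands in the wrong directory before `docker build .` runs; `cd "$(dirname "$0")"` fixes both and removes the temporary variable. `set -e` does stop the script if the `cd` fails, so the remaining risk is only the mis-split path, but it is cheap to close.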
diff --git a/knot/ssp/conf/000-default.conf b/knot/ssp/conf/000-default.conf
new file mode 100644
index 0000000..7bccb8b
--- /dev/null
+++ b/knot/ssp/conf/000-default.conf
@@ -0,0 +1,19 @@
+<VirtualHost *:80>
+ ServerAdmin webmaster@trygvis.io
+ ServerName auth.trygvis.io
+ DocumentRoot /srv/self-service-password
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ <Directory /srv/self-service-password>
+ DirectoryIndex index.php
+ AddDefaultCharset UTF-8
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+ </Directory>
+
+</VirtualHost>
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
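Review bot: `Options Indexes FollowSymLinks` enables directory listings under `DocumentRoot /srv/self-service-password`, so any directory without an index file — including the `conf/` directory that holds `config.inc.php` with the LDAP bind password — lists its contents to anonymous visitors; mod_php will execute rather than serve the `.php` file, but everything else in the tree (and the listing itself) is exposed, and a future handler misconfiguration would serve the config verbatim. Disable listings and deny the `conf/` directory outright. The vhost also only listens on `*:80` for `auth.trygvis.io`, so unless TLS is terminated by a reverse proxy in front of this container (the commented-out port mapping in docker-compose suggests one), passwords are submitted over plain HTTP; a one-line comment stating where TLS terminates would help the next reader.
```apache
    <Directory /srv/self-service-password>
        # … unchanged: DirectoryIndex, AddDefaultCharset …
        Options -Indexes +FollowSymLinks
        # … unchanged: AllowOverride, Require …
    </Directory>

    # conf/ holds the LDAP bind credentials; never serve it directly.
    <Directory /srv/self-service-password/conf>
        Require all denied
    </Directory>
```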
diff --git a/knot/ssp/conf/config.inc.php b/knot/ssp/conf/config.inc.php
new file mode 100644
index 0000000..90f0779
--- /dev/null
+++ b/knot/ssp/conf/config.inc.php
@@ -0,0 +1,285 @@
+<?php
+#==============================================================================
+# LTB Self Service Password
+#
+# Copyright (C) 2009 Clement OUDOT
+# Copyright (C) 2009 LTB-project.org
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# GPL License: http://www.gnu.org/licenses/gpl.txt
+#
+#==============================================================================
+
+#==============================================================================
+# Configuration
+#==============================================================================
+# LDAP
+$ldap_url = "ldap://172.90.0.20";
+$ldap_starttls = false;
+$ldap_binddn = "cn=admin,dc=trygvis,dc=io";
+$ldap_bindpw = "secret";
+$ldap_base = "dc=trygvis,dc=io";
+$ldap_login_attribute = "uid";
+$ldap_fullname_attribute = "cn";
+$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
+
+# Active Directory mode
+# true: use unicodePwd as password field
+# false: LDAPv3 standard behavior
+$ad_mode = false;
+# Force account unlock when password is changed
+$ad_options['force_unlock'] = false;
+# Force user change password at next login
+$ad_options['force_pwd_change'] = false;
+# Allow user with expired password to change password
+$ad_options['change_expired_password'] = false;
+
+# Samba mode
+# true: update sambaNTpassword and sambaPwdLastSet attributes too
+# false: just update the password
+$samba_mode = false;
+# Set password min/max age in Samba attributes
+#$samba_options['min_age'] = 5;
+#$samba_options['max_age'] = 45;
+
+# Shadow options - require shadowAccount objectClass
+# Update shadowLastChange
+$shadow_options['update_shadowLastChange'] = false;
+$shadow_options['update_shadowExpire'] = false;
+
+# Default to -1, never expire
+$shadow_options['shadow_expire_days'] = -1;
+
+# Hash mechanism for password:
+# SSHA
+# SHA
+# SHA512
+# SMD5
+# MD5
+# CRYPT
+# clear (the default)
+# auto (will check the hash of current password)
+# This option is not used with ad_mode = true
+#$hash = "clear";
+$hash = "SSHA";
+
+# Prefix to use for salt with CRYPT
+$hash_options['crypt_salt_prefix'] = "$6$";
+$hash_options['crypt_salt_length'] = "6";
+
+# Local password policy
+# This is applied before directory password policy
+# Minimal length
+$pwd_min_length = 0;
+# Maximal length
+$pwd_max_length = 0;
+# Minimal lower characters
+$pwd_min_lower = 0;
+# Minimal upper characters
+$pwd_min_upper = 0;
+# Minimal digit characters
+$pwd_min_digit = 0;
+# Minimal special characters
+$pwd_min_special = 0;
+# Definition of special characters
+$pwd_special_chars = "^a-zA-Z0-9";
+# Forbidden characters
+#$pwd_forbidden_chars = "@%";
+# Don't reuse the same password as currently
+$pwd_no_reuse = true;
+# Check that password is different than login
+$pwd_diff_login = true;
+# Complexity: number of different class of character required
+$pwd_complexity = 0;
+# Show policy constraints message:
+# always
+# never
+# onerror
+$pwd_show_policy = "never";
+# Position of password policy constraints message:
+# above - the form
+# below - the form
+$pwd_show_policy_pos = "above";
+
+# Who changes the password?
+# Also applicable for question/answer save
+# user: the user itself
+# manager: the above binddn
+$who_change_password = "user";
+
+## Standard change
+# Use standard change form?
+$use_change = true;
+
+## SSH Key Change
+# Allow changing of sshPublicKey?
+$change_sshkey = false;
+
+# What attribute should be changed by the changesshkey action?
+$change_sshkey_attribute = "sshPublicKey";
+
+# Who changes the sshPublicKey attribute?
+# Also applicable for question/answer save
+# user: the user itself
+# manager: the above binddn
+$who_change_sshkey = "user";
+
+# Notify users anytime their sshPublicKey is changed
+## Requires mail configuration below
+$notify_on_sshkey_change = false;
+
+## Questions/answers
+# Use questions/answers?
+# true (default)
+# false
+$use_questions = false;
+
+# Answer attribute should be hidden to users!
+$answer_objectClass = "extensibleObject";
+$answer_attribute = "info";
+
+# Extra questions (built-in questions are in lang/$lang.inc.php)
+#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
+
+## Token
+# Use tokens?
+# true (default)
+# false
+$use_tokens = true;
+# Crypt tokens?
+# true (default)
+# false
+$crypt_tokens = true;
+# Token lifetime in seconds
+$token_lifetime = "3600";
+
+## Mail
+# LDAP mail attribute
+$mail_attribute = "mail";
+# Get mail address directly from LDAP (only first mail entry)
+# and hide mail input field
+# default = false
+$mail_address_use_ldap = false;
+# Who the email should come from
+$mail_from = "trygvis@inamo.no";
+$mail_from_name = "Self Service Password";
+$mail_signature = "";
+# Notify users anytime their password is changed
+$notify_on_change = false;
+# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
+$mail_sendmailpath = '/usr/sbin/sendmail';
+$mail_protocol = 'smtp';
+$mail_smtp_debug = 0;
+$mail_debug_format = 'html';
+$mail_smtp_host = 'trygvis.io';
+$mail_smtp_auth = true;
+$mail_smtp_user = 'ssp@inamo.no';
+#$mail_smtp_pass = '1cEtGgBoRJqUg';
+$mail_smtp_pass = getenv('SMTP_PASSWORD');
+$mail_smtp_port = 25;
+$mail_smtp_timeout = 30;
+$mail_smtp_keepalive = false;
+$mail_smtp_secure = 'tls';
+$mail_contenttype = 'text/plain';
+$mail_wordwrap = 0;
+$mail_charset = 'utf-8';
+$mail_priority = 3;
+$mail_newline = PHP_EOL;
+
+## SMS
+# Use sms
+$use_sms = false;
+# GSM number attribute
+$sms_attribute = "mobile";
+# Partially hide number
+$sms_partially_hide_number = true;
+# Send SMS mail to address
+$smsmailto = "{sms_attribute}@service.provider.com";
+# Subject when sending email to SMTP to SMS provider
+$smsmail_subject = "Provider code";
+# Message
+$sms_message = "{smsresetmessage} {smstoken}";
+# Remove non digit characters from GSM number
+$sms_sanitize_number = false;
+# Truncate GSM number
+$sms_truncate_number = false;
+$sms_truncate_number_length = 10;
+
+# SMS token length
+$sms_token_length = 6;
+
+# Max attempts allowed for SMS token
+$max_attempts = 3;
+
+# Reset URL (if behind a reverse proxy)
+#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
+
+# Display help messages
+$show_help = true;
+
+# Default language
+$lang = "en";
+
+# List of authorized languages. If empty, all language are allowed.
+# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
+$allowed_lang = array();
+
+# Display menu on top
+$show_menu = true;
+
+# Logo
+$logo = "images/ltb-logo.png";
+
+# Background image
+$background_image = "images/unsplash-space.jpeg";
+
+# Debug mode
+$debug = false;
+
+# Encryption, decryption keyphrase
+$keyphrase = "secret";
+
+# Where to log password resets - Make sure apache has write permission
+# By default, they are logged in Apache log
+#$reset_request_log = "/var/log/self-service-password";
+
+# Invalid characters in login
+# Set at least "*()&|" to prevent LDAP injection
+# If empty, only alphanumeric characters are accepted
+$login_forbidden_chars = "*()&|";
+
+## CAPTCHA
+# Use Google reCAPTCHA (http://www.google.com/recaptcha)
+$use_recaptcha = false;
+# Go on the site to get public and private key
+$recaptcha_publickey = "";
+$recaptcha_privatekey = "";
+# Customization (see https://developers.google.com/recaptcha/docs/display)
+$recaptcha_theme = "light";
+$recaptcha_type = "image";
+$recaptcha_size = "normal";
+
+## Default action
+# change
+# sendtoken
+# sendsms
+$default_action = "change";
+
+## Extra messages
+# They can also be defined in lang/ files
+#$messages['passwordchangedextramessage'] = NULL;
+#$messages['changehelpextramessage'] = NULL;
+
+# Launch a posthook script after successful password change
+#$posthook = "/usr/share/self-service-password/posthook.sh";
+
+?>
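Review bot: `$keyphrase = "secret";` near the end is, by the surrounding comments and the `$use_tokens = true` / `$crypt_tokens = true` settings above, presumably the key that protects the e-mailed password-reset tokens, so a guessable value lets anyone who can reach the form mint a token for any login and take over the account; it should be a long random value loaded the way the SMTP password already is, e.g. `$keyphrase = getenv('SSP_KEYPHRASE');`. The LDAP bind password is committed as a literal, `$ldap_bindpw = "secret";`, while `$mail_smtp_pass = getenv('SMTP_PASSWORD');` shows the pattern this file already uses — `$ldap_bindpw = getenv('LDAP_BINDPW');` keeps the two consistent and out of the image. With `$ldap_starttls = false` and a plain `ldap://` URL, the bind password and every user's new password cross the container network unencrypted; enabling STARTTLS (or `ldaps://`) once the directory has a certificate deserves at least a TODO comment on that line. The commented-out line `#$mail_smtp_pass = '1cEtGgBoRJqUg';` looks like a real SMTP credential and is now in repository history, so it should be removed from the file and rotated regardless. `$pwd_min_length = 0` and `$pwd_complexity = 0` mean no local password policy at all, which is fine only if the directory enforces one.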
diff --git a/knot/ssp/launch b/knot/ssp/launch
new file mode 100755
index 0000000..9b2066b
--- /dev/null
+++ b/knot/ssp/launch
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -x
+sudo docker run -d \
+ --net trygvis-net \
+ --ip 172.90.0.10 \
+ --hostname t-ssp \
+ --name t-ssp \
+ --link trygvis-openldap \
+ trygvis-ssp
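Review bot: This script starts `trygvis-ssp` without the `./secrets/t-ssp.env` file that `docker-compose.yml` gives the same service, so `getenv('SMTP_PASSWORD')` in `config.inc.php` presumably returns `false` on this launch path and the SMTP auth silently fails; add `--env-file ../secrets/t-ssp.env` (path relative to this script) or drop the script in favour of compose. `--link trygvis-openldap` is the legacy linking mechanism and is unnecessary on the user-defined `trygvis-net` network with static IPs, where containers resolve each other by name; it also ties this script to a container name that `docker-compose.yml` does not use (`t-openldap`). Unlike `build`, this script has no `set -e`, so a failed `docker run` exits 0 — `set -e` before the run keeps it consistent with its sibling.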
diff --git a/knot/ssp/self-service-password b/knot/ssp/self-service-password
new file mode 160000
+Subproject 6ddbc1bd54e8511b2be95c9c66a1c304764300d