-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | knot/README.md | 17 | ||||
-rw-r--r-- | knot/add-People.ldif | 4 | ||||
-rw-r--r-- | knot/add.ldif | 13 | ||||
-rw-r--r-- | knot/docker-compose.yml | 40 | ||||
-rwxr-xr-x | knot/launch-ldap | 12 | ||||
-rw-r--r-- | knot/ssp/Dockerfile | 24 | ||||
-rwxr-xr-x | knot/ssp/build | 7 | ||||
-rw-r--r-- | knot/ssp/conf/000-default.conf | 19 | ||||
-rw-r--r-- | knot/ssp/conf/config.inc.php | 285 | ||||
-rwxr-xr-x | knot/ssp/launch | 9 | ||||
m--------- | knot/ssp/self-service-password | 0 |
13 files changed, 434 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4bd922a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+secrets/
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..795eb73
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "knot/ssp/self-service-password"]
+ path = knot/ssp/self-service-password
+ url = https://github.com/ltb-project/self-service-password
diff --git a/knot/README.md b/knot/README.md
new file mode 100644
index 0000000..75066cd
--- /dev/null
+++ b/knot/README.md
@@ -0,0 +1,17 @@
+ sudo docker network create --subnet=172.90.0.0/16 trygvis-net
+
+# Add new entry in LDAP
+
+ dn: uid=trygvis,ou=People,dc=trygvis,dc=io
+ changetype: add
+ objectClass: top
+ objectClass: person
+ objectClass: organizationalPerson
+ objectClass: inetOrgPerson
+ uid: trygvis
+ givenName: Trygve
+ sn: Laugstøl
+ cn: Trygve Laugstøl
+ mail: trygvis@inamo.no
+ userPassword: password
+
diff --git a/knot/add-People.ldif b/knot/add-People.ldif
new file mode 100644
index 0000000..f4bd9bd
--- /dev/null
+++ b/knot/add-People.ldif
@@ -0,0 +1,4 @@
+dn: ou=People,dc=trygvis,dc=io
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
diff --git a/knot/add.ldif b/knot/add.ldif
new file mode 100644
index 0000000..9fdfbc3
--- /dev/null
+++ b/knot/add.ldif
@@ -0,0 +1,13 @@
+dn: uid=trygvis,ou=People,dc=trygvis,dc=io
+changetype: add
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+uid: trygvis
+givenName: Trygve
+sn: Laugstøl
+cn: Trygve Laugstøl
+mail: trygvis@inamo.no
+userPassword: password
+
diff --git a/knot/docker-compose.yml b/knot/docker-compose.yml
new file mode 100644
index 0000000..2a04626
--- /dev/null
+++ b/knot/docker-compose.yml
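Review bot: `userPassword: password` on the last attribute line of add.ldif stores the seed account's password as clear text in the directory and commits a guessable default credential to the repository. Generate the value with `slappasswd -h '{SSHA}'` and commit only the hash (`userPassword: {SSHA}...`), or omit the attribute and set the password once through the self-service app, which this commit configures with `$hash = "SSHA"`. The same entry is repeated verbatim in knot/README.md, so both copies need the same treatment.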
@@ -0,0 +1,40 @@
+version: "3"
+
+services:
+ t-ssp:
+ build: ssp
+ container_name: t-ssp
+# ports:
+# - "8010:80"
+ networks:
+ trygvis_net:
+ ipv4_address: 172.90.0.10
+ env_file:
+ - ./secrets/t-ssp.env
+ t-ldap:
+ image: dinkel/openldap
+ container_name: t-openldap
+ environment:
+ SLAPD_PASSWORD: "secret"
+ SLAPD_DOMAIN: "trygvis.io"
+ SLAPD_CONFIG_PASSWORD: "secret"
+ networks:
+ trygvis_net:
+ ipv4_address: 172.90.0.20
+ volumes:
+ - ssp-etc:/etc/ldap
+ - ssp-data:/var/lib/ldap
+
+networks:
+ trygvis_net:
+ ipam:
+ config:
+ - subnet: 172.90.0.0/16
+
+volumes:
+ ssp-etc:
+ external:
+ name: t-ssp-etc
+ ssp-data:
+ external:
+ name: t-ssp-data
diff --git a/knot/launch-ldap b/knot/launch-ldap
new file mode 100755
index 0000000..123eea9
--- /dev/null
+++ b/knot/launch-ldap
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+exec docker run -d \
+ --name trygvis-openldap \
+ --net trygvis-net \
+ --ip 172.90.0.30 \
+ --volume trygvis-openldap_etc_ldap:/etc/ldap \
+ --volume trygvis-openldap_var_lib_ldap:/var/lib/ldap \
+ -e SLAPD_PASSWORD=secret \
+ -e SLAPD_DOMAIN=trygvis.io \
+ -e SLAPD_CONFIG_PASSWORD=secret \
+ dinkel/openldap
diff --git a/knot/ssp/Dockerfile b/knot/ssp/Dockerfile
new file mode 100644
index 0000000..6f19b9d
--- /dev/null
+++ b/knot/ssp/Dockerfile
@@ -0,0 +1,24 @@
+FROM debian:stretch-slim
+
+MAINTAINER Trygve Laugstøl <trygvis@inamo.no>
+
+VOLUME /local
+
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ apache2 \
+ aptitude \
+ apt-utils \
+ git \
+ git \
+ libapache2-mod-php \
+ php-ldap \
+ php-mbstring \
+ php-xml
+
+COPY self-service-password /srv/self-service-password
+COPY conf/000-default.conf /etc/apache2/sites-available/000-default.conf
+COPY conf/config.inc.php /srv/self-service-password/conf/config.inc.php
+CMD []
+ENTRYPOINT ["apachectl", "-DFOREGROUND"]
diff --git a/knot/ssp/build b/knot/ssp/build
new file mode 100755
index 0000000..2c2e62d
--- /dev/null
+++ b/knot/ssp/build
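Review bot: `SLAPD_PASSWORD: "secret"` and `SLAPD_CONFIG_PASSWORD: "secret"` under t-ldap's `environment:` hard-code the directory's admin and cn=config passwords in a tracked file, while the t-ssp service in the same file already reads its secrets from the gitignored `./secrets/t-ssp.env`. Give t-ldap the same treatment (`env_file: - ./secrets/t-ldap.env`) so no credential lives in git; the same value is repeated in knot/launch-ldap and as `$ldap_bindpw` in config.inc.php, and all three must be changed together. Since `ssp-etc` and `ssp-data` are declared `external`, compose will refuse to start until those volumes exist, which deserves a one-line note in knot/README.md.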
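Review bot: `--ip 172.90.0.30` gives the standalone LDAP container a different address than the `172.90.0.20` that docker-compose.yml assigns to t-ldap and that config.inc.php dials in `$ldap_url`, so an SSP image built from this commit cannot reach a server started by this script. Either align it (`--ip 172.90.0.20 \`) or have the app resolve the container by name rather than a fixed IP. The `-e SLAPD_PASSWORD=secret` and `-e SLAPD_CONFIG_PASSWORD=secret` arguments also put the passwords into shell history and `docker inspect` output; load them with `--env-file` from the secrets/ directory that .gitignore already reserves.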
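Review bot: `COPY conf/config.inc.php ...` bakes a file containing the literal `$ldap_bindpw` and `$keyphrase` values into an image layer, so anyone able to pull the image can read them; bind-mount the config at run time or have config.inc.php take those values from getenv() the way it already does for SMTP_PASSWORD. The package list installs `git` twice and adds `aptitude`, neither of which the running container uses, and the RUN never cleans `/var/lib/apt/lists/*`; trimming to `apache2 libapache2-mod-php php-ldap php-mbstring php-xml` and appending `&& rm -rf /var/lib/apt/lists/*` shrinks both image and attack surface. `debian:stretch-slim` is by now an end-of-life base that receives no security updates and `MAINTAINER` is deprecated in favour of `LABEL maintainer=...`, so both lines are worth updating.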
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -x
+set -e
+name=trygvis-ssp
+basedir=$(dirname $0)
+cd $basedir
+exec sudo docker build -t "$name" .
diff --git a/knot/ssp/conf/000-default.conf b/knot/ssp/conf/000-default.conf
new file mode 100644
index 0000000..7bccb8b
--- /dev/null
+++ b/knot/ssp/conf/000-default.conf
@@ -0,0 +1,19 @@
+<VirtualHost *:80>
+ ServerAdmin webmaster@trygvis.io
+ ServerName auth.trygvis.io
+ DocumentRoot /srv/self-service-password
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ <Directory /srv/self-service-password>
+ DirectoryIndex index.php
+ AddDefaultCharset UTF-8
+
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+ </Directory>
+
+</VirtualHost>
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
diff --git a/knot/ssp/conf/config.inc.php b/knot/ssp/conf/config.inc.php
new file mode 100644
index 0000000..90f0779
--- /dev/null
+++ b/knot/ssp/conf/config.inc.php
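Review bot: `basedir=$(dirname $0)` and `cd $basedir` leave `$0` and `$basedir` unquoted, so a checkout path containing whitespace word-splits and the script builds from the wrong directory before `set -e` can help. Quote both: `basedir=$(dirname "$0")` and `cd "$basedir"`. A one-line header comment stating that the script must be run from the host with sudo rights to the Docker daemon would also help, since `exec sudo docker build` is the only hint.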
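Review bot: `Options Indexes FollowSymLinks` on the DocumentRoot turns on automatic directory listings for the whole self-service-password checkout, so any subdirectory without an index file (conf/, where the Dockerfile places config.inc.php, for one) is browsable; change it to `Options -Indexes +FollowSymLinks` or `Options None`. The vhost listens on plain `*:80` and docker-compose.yml exposes no port, which suggests a TLS-terminating proxy in front; say so in a comment, and if there is none, every password change crosses the wire in clear. Adding `<FilesMatch "\.inc\.php$"> Require all denied </FilesMatch>` inside the Directory block keeps the config from ever being served as a file should mod_php be disabled.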
@@ -0,0 +1,285 @@ +<?php +#============================================================================== +# LTB Self Service Password +# +# Copyright (C) 2009 Clement OUDOT +# Copyright (C) 2009 LTB-project.org +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# GPL License: http://www.gnu.org/licenses/gpl.txt +# +#============================================================================== + +#============================================================================== +# Configuration +#============================================================================== +# LDAP +$ldap_url = "ldap://172.90.0.20"; +$ldap_starttls = false; +$ldap_binddn = "cn=admin,dc=trygvis,dc=io"; +$ldap_bindpw = "secret"; +$ldap_base = "dc=trygvis,dc=io"; +$ldap_login_attribute = "uid"; +$ldap_fullname_attribute = "cn"; +$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))"; + +# Active Directory mode +# true: use unicodePwd as password field +# false: LDAPv3 standard behavior +$ad_mode = false; +# Force account unlock when password is changed +$ad_options['force_unlock'] = false; +# Force user change password at next login +$ad_options['force_pwd_change'] = false; +# Allow user with expired password to change password +$ad_options['change_expired_password'] = false; + +# Samba mode +# true: update sambaNTpassword and sambaPwdLastSet attributes too +# false: just update the password +$samba_mode = false; +# Set password min/max age in Samba attributes +#$samba_options['min_age'] = 5; +#$samba_options['max_age'] = 
45; + +# Shadow options - require shadowAccount objectClass +# Update shadowLastChange +$shadow_options['update_shadowLastChange'] = false; +$shadow_options['update_shadowExpire'] = false; + +# Default to -1, never expire +$shadow_options['shadow_expire_days'] = -1; + +# Hash mechanism for password: +# SSHA +# SHA +# SHA512 +# SMD5 +# MD5 +# CRYPT +# clear (the default) +# auto (will check the hash of current password) +# This option is not used with ad_mode = true +#$hash = "clear"; +$hash = "SSHA"; + +# Prefix to use for salt with CRYPT +$hash_options['crypt_salt_prefix'] = "$6$"; +$hash_options['crypt_salt_length'] = "6"; + +# Local password policy +# This is applied before directory password policy +# Minimal length +$pwd_min_length = 0; +# Maximal length +$pwd_max_length = 0; +# Minimal lower characters +$pwd_min_lower = 0; +# Minimal upper characters +$pwd_min_upper = 0; +# Minimal digit characters +$pwd_min_digit = 0; +# Minimal special characters +$pwd_min_special = 0; +# Definition of special characters +$pwd_special_chars = "^a-zA-Z0-9"; +# Forbidden characters +#$pwd_forbidden_chars = "@%"; +# Don't reuse the same password as currently +$pwd_no_reuse = true; +# Check that password is different than login +$pwd_diff_login = true; +# Complexity: number of different class of character required +$pwd_complexity = 0; +# Show policy constraints message: +# always +# never +# onerror +$pwd_show_policy = "never"; +# Position of password policy constraints message: +# above - the form +# below - the form +$pwd_show_policy_pos = "above"; + +# Who changes the password? +# Also applicable for question/answer save +# user: the user itself +# manager: the above binddn +$who_change_password = "user"; + +## Standard change +# Use standard change form? +$use_change = true; + +## SSH Key Change +# Allow changing of sshPublicKey? +$change_sshkey = false; + +# What attribute should be changed by the changesshkey action? 
+$change_sshkey_attribute = "sshPublicKey"; + +# Who changes the sshPublicKey attribute? +# Also applicable for question/answer save +# user: the user itself +# manager: the above binddn +$who_change_sshkey = "user"; + +# Notify users anytime their sshPublicKey is changed +## Requires mail configuration below +$notify_on_sshkey_change = false; + +## Questions/answers +# Use questions/answers? +# true (default) +# false +$use_questions = false; + +# Answer attribute should be hidden to users! +$answer_objectClass = "extensibleObject"; +$answer_attribute = "info"; + +# Extra questions (built-in questions are in lang/$lang.inc.php) +#$messages['questions']['ice'] = "What is your favorite ice cream flavor?"; + +## Token +# Use tokens? +# true (default) +# false +$use_tokens = true; +# Crypt tokens? +# true (default) +# false +$crypt_tokens = true; +# Token lifetime in seconds +$token_lifetime = "3600"; + +## Mail +# LDAP mail attribute +$mail_attribute = "mail"; +# Get mail address directly from LDAP (only first mail entry) +# and hide mail input field +# default = false +$mail_address_use_ldap = false; +# Who the email should come from +$mail_from = "trygvis@inamo.no"; +$mail_from_name = "Self Service Password"; +$mail_signature = ""; +# Notify users anytime their password is changed +$notify_on_change = false; +# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer) +$mail_sendmailpath = '/usr/sbin/sendmail'; +$mail_protocol = 'smtp'; +$mail_smtp_debug = 0; +$mail_debug_format = 'html'; +$mail_smtp_host = 'trygvis.io'; +$mail_smtp_auth = true; +$mail_smtp_user = 'ssp@inamo.no'; +#$mail_smtp_pass = '1cEtGgBoRJqUg'; +$mail_smtp_pass = getenv('SMTP_PASSWORD'); +$mail_smtp_port = 25; +$mail_smtp_timeout = 30; +$mail_smtp_keepalive = false; +$mail_smtp_secure = 'tls'; +$mail_contenttype = 'text/plain'; +$mail_wordwrap = 0; +$mail_charset = 'utf-8'; +$mail_priority = 3; +$mail_newline = PHP_EOL; + +## SMS +# Use sms +$use_sms = false; +# GSM number attribute 
+$sms_attribute = "mobile"; +# Partially hide number +$sms_partially_hide_number = true; +# Send SMS mail to address +$smsmailto = "{sms_attribute}@service.provider.com"; +# Subject when sending email to SMTP to SMS provider +$smsmail_subject = "Provider code"; +# Message +$sms_message = "{smsresetmessage} {smstoken}"; +# Remove non digit characters from GSM number +$sms_sanitize_number = false; +# Truncate GSM number +$sms_truncate_number = false; +$sms_truncate_number_length = 10; + +# SMS token length +$sms_token_length = 6; + +# Max attempts allowed for SMS token +$max_attempts = 3; + +# Reset URL (if behind a reverse proxy) +#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME']; + +# Display help messages +$show_help = true; + +# Default language +$lang = "en"; + +# List of authorized languages. If empty, all language are allowed. +# If not empty and the user's browser language setting is not in that list, language from $lang will be used. 
+$allowed_lang = array(); + +# Display menu on top +$show_menu = true; + +# Logo +$logo = "images/ltb-logo.png"; + +# Background image +$background_image = "images/unsplash-space.jpeg"; + +# Debug mode +$debug = false; + +# Encryption, decryption keyphrase +$keyphrase = "secret"; + +# Where to log password resets - Make sure apache has write permission +# By default, they are logged in Apache log +#$reset_request_log = "/var/log/self-service-password"; + +# Invalid characters in login +# Set at least "*()&|" to prevent LDAP injection +# If empty, only alphanumeric characters are accepted +$login_forbidden_chars = "*()&|"; + +## CAPTCHA +# Use Google reCAPTCHA (http://www.google.com/recaptcha) +$use_recaptcha = false; +# Go on the site to get public and private key +$recaptcha_publickey = ""; +$recaptcha_privatekey = ""; +# Customization (see https://developers.google.com/recaptcha/docs/display) +$recaptcha_theme = "light"; +$recaptcha_type = "image"; +$recaptcha_size = "normal"; + +## Default action +# change +# sendtoken +# sendsms +$default_action = "change"; + +## Extra messages +# They can also be defined in lang/ files +#$messages['passwordchangedextramessage'] = NULL; +#$messages['changehelpextramessage'] = NULL; + +# Launch a posthook script after successful password change +#$posthook = "/usr/share/self-service-password/posthook.sh"; + +?> diff --git a/knot/ssp/launch b/knot/ssp/launch new file mode 100755 index 0000000..9b2066b --- /dev/null +++ b/knot/ssp/launch @@ -0,0 +1,9 @@ +#!/bin/bash +set -x +sudo docker run -d \ + --net trygvis-net \ + --ip 172.90.0.10 \ + --hostname t-ssp \ + --name t-ssp \ + --link trygvis-openldap \ + trygvis-ssp diff --git a/knot/ssp/self-service-password b/knot/ssp/self-service-password new file mode 160000 +Subproject 6ddbc1bd54e8511b2be95c9c66a1c304764300d |
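Review bot: `$ldap_bindpw = "secret"` and `$keyphrase = "secret"` are literal, guessable secrets in a file the Dockerfile copies into the image, and the keyphrase is, going by the `Crypt tokens?` option above it, what protects the reset tokens that `$use_tokens = true` relies on, so a known value lets anyone mint a valid token. The commented-out `#$mail_smtp_pass = '1cEtGgBoRJqUg';` line left next to the getenv() replacement also looks like a real credential and is now in git history; delete the line and rotate that password. Read the remaining secrets the same way, `$ldap_bindpw = getenv('LDAP_BIND_PASSWORD');` and `$keyphrase = getenv('SSP_KEYPHRASE');`, with a long random keyphrase supplied through secrets/t-ssp.env. With `$pwd_min_length = 0` and every other `$pwd_min_*` at 0 the local policy accepts a one-character password, and `$ldap_starttls = false` on an `ldap://` URL sends the manager bind and each new password in clear over the container network; set a minimum length (or note in a comment that a server-side ppolicy overlay enforces one) and enable STARTTLS. `$use_recaptcha = false` combined with `$default_action = "change"` leaves the change form open to online guessing of existing passwords, which is worth at least a comment on what rate-limits it in front.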
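Review bot: this `docker run` passes no `SMTP_PASSWORD` into the container, so with config.inc.php's `$mail_smtp_pass = getenv('SMTP_PASSWORD')` the value is `false` whenever the app is started from this script instead of docker-compose, which supplies `./secrets/t-ssp.env`; add `--env-file "$(dirname "$0")/../secrets/t-ssp.env" \` so both launch paths agree. `--link trygvis-openldap` is the legacy linking mechanism and is unused here anyway, because config.inc.php addresses the directory by the fixed IP in `$ldap_url` and a user-defined network already resolves container names, so the flag can go.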