Docker Self Service Password Save
Dockerized Self Service Password Changer with many customizable options
github.com/tiredofit/docker-self-service-password
About
Dockerfile to build a LTB-Self Service Password self service password reset tool for infrastructure with an LDAP backend.
Maintainer
Table of Contents
- Introduction
- Authors
- Table of Contents
- Prerequisites
- Installation
- Configuration
- Maintenance
- References
Prerequisites and Assumptions
- Assumes you are using some sort of SSL terminating reverse proxy such as:
- Require - Access to an LDAP Server
- Require - Access to a SMTP Server
Installation
Build from Source
Clone this repository and build the image with docker build <arguments> (imagename) .
Prebuilt Images
Builds of the image are available on Docker Hub and is the recommended method of installation.
The following image tags are available along with their taged release based on what's written in the Changelog:
| Container OS | Tag |
|---|---|
| Alpine | :latest |
Multi Archictecture
Images are built primarily for amd64 architecture, and may also include builds for arm/v6, arm/v7, arm64 and others. These variants are all unsupported. Consider sponsoring my work so that I can work with various hardware. To see if this image supports multiple architecures, type docker manifest (image):(tag)
Configuration
Quick Start
-
The quickest way to get started is using docker-compose. See the examples folder for a working docker-compose.yml that can be modified for development or production use.
-
Set various environment variables to understand the capabilities of this image.
-
Map persistent storage for access to configuration and data files for backup.
Persistent Storage
The following directories are used for configuration and can be mapped for persistent storage.
| Directory | Description |
|---|---|
/www/ssp |
Root SelfService Password Directory |
OR
Don't map anything and let it run with the included source inside the image. If you wish to customize the source on each container restart map the following
| Directory | Description |
|---|---|
/assets/custom |
Place files to be added/updated on container start following the /www/ssp file / folder structure |
OR
If you want to manually configure the application you can set SETUP_TYPE=MANUAL in environment variables and map the following:
| Directory | Description |
|---|---|
/www/ssp/conf |
SSP Configuration Directory |
Environment Variables
Base Images used
This image relies on an Alpine Linux or Debian Linux base image that relies on an init system for added capabilities. Outgoing SMTP capabilities are handlded via msmtp. Individual container performance monitoring is performed by zabbix-agent. Additional tools include: bash,curl,less,logrotate,nano,vim.
Be sure to view the following repositories to understand all the customizable options:
| Image | Description |
|---|---|
| OS Base | Customized Image based on Alpine Linux |
| Nginx | Nginx webserver |
| PHP-FPM | PHP Interpreter |
| Parameter | Description | Default |
|---|---|---|
SETUP_TYPE |
Configure SSP via environment variables AUTO or MANUAL - If true, ignore everything below |
AUTO |
LDAP Settings
| Parameter | Description | Default |
|---|---|---|
LDAP_SERVER |
Ldap server. | |
LDAP_STARTTLS |
Enable TLS on Ldap bind. | |
LDAP_BINDDN |
Ldap bind dn. | |
LDAP_BINDPASS |
Ldap bind password. | |
LDAP_BASE_SEARCH |
Base where we can search for users. | |
LDAP_FILTER |
LDAP Lookup Filter | (&(objectClass=person)(\$ldap_login_attribute={login})) |
LDAP_ANSWER_ATTRIBUTE |
Ldap property to get user's answers if Questions enabled. | info |
LDAP_LOGIN_ATTRIBUTE |
Ldap property used for user searching. | uid |
LDAP_FULLNAME_ATTRIBUTE |
Ldap property to get user fullname. | cn |
LDAP_MAIL_ATTRIBUTE |
Ldap property to get user mail. | mail |
LDAP_SMS_ATTRIBUTE |
Ldap property to get user SMS Phone Number. | mobile |
LDAP_SSHKEY_ATTRIBUTE |
Ldap property to get user mail. | sshKey |
LDAP_CA_CERTIFICATE |
Path to Root CA if using ldaps. | |
AD_OPT_CHANGE_EXPIRED_PASSWORD |
Allow user with expired password to change password. | false |
AD_OPT_FORCE_PWD_CHANGE |
Force user change password at next login. | false |
AD_OPT_FORCE_UNLOCK |
Force account unlock when password is changed. Default to false |
|
ADMODE |
Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is AD, set this to true. |
false |
PASSWORD_HASH_CRYPT_SALT_LENGTH |
- If CRYPT selected what is the hash salt length |
6 |
PASSWORD_HASH_CRYPT_SALT_PREFIX |
- If CRYPT selected what is the hash prefix |
$6$ |
PASSWORD_HASH |
Hash mechanism for passwordSSHA SHA SMD5 MD5 CRYPT clear (the default) auto (will check the hash of current password - if no password existed before, it will set as clear) This option is not used with ad_mode = true |
|
QUESTIONS_ANSWER_OBJECTCLASS |
Default Object Class extensibleObject |
|
SAMBA_EXPIRE_DAYS |
Set Password Expiry in Days | 90 |
SAMBA_MAX_AGE |
Set Password maximum age in AD | 45 |
SAMBA_MIN_AGE |
Set Password minimum age in AD | 5 |
SAMBA_MODE |
Samba mode, if is true update sambaNTpassword and the following SAMBA attributes too; if is false just update the password. |
false |
SHADOW_OPT_UPDATE_SHADOWEXPIRE |
If true update ShadowLastExpire. |
false |
SHADOW_OPT_UPDATE_SHADOWLASTCHANGE |
If true update shadowLastChange. |
false |
Local Password Policy Settings
| Parameter | Description | Default |
|---|---|---|
PASSWORD_DIFFERENT_LOGIN |
Should password be different than login | true |
PASSWORD_MAX_LENGTH |
Maximal length. | 0 (unchecked). |
PASSWORD_MIN_DIGIT |
Minimal digit characters. | 0 (unchecked). |
PASSWORD_MIN_LENGTH |
Minimal length. | 0 (unchecked). |
PASSWORD_MIN_LOWERCASE |
Minimal lower characters. | 0 (unchecked). |
PASSWORD_MIN_SPECIAL |
Minimal special characters. | 0 (unchecked). |
PASSWORD_MIN_UPPERCASE |
Minimal upper characters. | 0 (unchecked). |
PASSWORD_COMPLEXITY |
Minimum number of different classes of characters. | 0 (unchecked). |
PASSWORD_NO_REUSE |
Dont reuse the same password as currently. | true. |
PASSWORD_NO_SPECIAL_ENDS |
Dont allow special characters at start and end of password | false |
PASSWORD_SHOW_POLICY_POSITION |
Position of password policy constraints message above below |
above |
PASSWORD_SHOW_POLICY |
Show policy constraints messagealways never onerror |
never |
PASSWORD_SPECIAL_CHARACTERS |
Define Special Characters | ^a-zA-Z0-9 |
PASSWORD_USE_PWNED |
Utilize HaveIbeenpwned.com Password checking service | false |
WHO_CAN_CHANGE_PASSWORD |
Who changes the password? Also applicable for question/answer save user: the user itself manager: the above binddn. |
user |
Questions Settings
| Parameter | Description | Default |
|---|---|---|
USE_QUESTIONS |
Use questions/answers? true or false |
false |
QUESTIONS_ANSWER_CRYPT |
true |
|
QUESTIONS_MULTIPLE_ANSWERS |
Allow multiple answers for Questions | false |
Mail Settings
| Parameter | Description | Default |
|---|---|---|
MAIL_CHARSET |
Mail Character set | utf8 |
MAIL_CONTENTTYPE |
Content Type Delcaration | plain/text |
MAIL_FROM_NAME |
Name for MAIL_FROM. |
Self Service Password |
MAIL_FROM |
Who the email should come from. | [email protected] |
MAIL_NEWLINE |
How to address New lines | PHP_EOL |
MAIL_PRIORITY |
Priority tag of mail | 3 |
MAIL_SIGNATURE |
Mail Signature | `` |
MAIL_USE_LDAP |
Use first address in LDAP attribute skipping asking for mail | false |
MAIL_WORDWRAP |
Amount of characters to wordwrap email | 80 |
NOTIFY_ON_CHANGE |
Notify users anytime their password is changed. | false |
NOTIFY_ON_SSHKEY_CHANGE |
Notify on SSH Key Change | true |
SMTP_AUTH_ON |
Force smtp auth with SMTP_USER and SMTP_PASS. |
false |
SMTP_AUTOTLS |
SMTP Auto TLS true or false |
false |
SMTP_DEBUG |
SMTP debug mode (following https:////github.com/PHPMailer/PHPMailer instructions). | 0 |
SMTP_HOST |
SMTP host. | |
SMTP_KEEPALIVE |
SMTP Keepalive | false |
SMTP_PASS |
SMTP password. | |
SMTP_PORT |
SMTP port. | 587 |
SMTP_SECURE_TYPE |
SMTP secure type to use. ssl or tls. Use false for unencrypted connections. |
tls |
SMTP_TIMEOUT |
SMTP Timeout in seconds | 30 |
SMTP_USER |
SMTP user. |
Token Settings
| Parameter | Description | Default |
|---|---|---|
USE_TOKENS |
Use email to send reset tokens. | true |
TOKEN_CRYPT |
Encrypt tokens | true |
TOKEN_LIFETIME |
How long are tokens valid in seconds | 3600 |
SMS Settings
| Parameter | Description | Default |
|---|---|---|
USE_SMS |
Enable sms verification. | false |
SMS_API_LIB |
API Library location for SMS | /lib/smsapi.inc.php |
SMS_MAIL_SUBJECT |
Subject for SMS message | Provider Code |
SMS_MAIL_TO |
Mail Address | {sms_attribute}@service.provider.com} |
SMS_MESSAGE |
SMS Message | {snsresetnessae} {smstoken} |
SMS_METHOD |
How to send SMS mail or api |
mail |
SMS_PARTIAL_HIDE_NUMBER |
Partially hide SMS number in | true |
SMS_SANITIZE_NUMBER |
Sanitize non numbers from number | false |
SMS_TOKEN_LENGTH |
How many digits for a SMS Code | 6 |
SMS_TRUNCATE_NUMBER_LENGTH |
How many characters for above | 10 |
SMS_TRUNCATE_NUMBER |
Truncate Characters of number | false |
SSH Settings
| Parameter | Description | Default |
|---|---|---|
CHANGE_SSHKEY |
Enable Changing SSH Key. | false |
WHO_CAN_CHANGE_SSHKEY |
Who changes the password? Also applicable for question/answer save user: the user itself manager: the above binddn. |
user |
Recaptcha Settings
| Parameter | Description | Default |
|---|---|---|
USE_RECAPTCHA |
Use Google reCAPTCHA (http://www.google.com/recaptcha). | false |
RECAPTCHA_PUB_KEY |
Go on the site to get public key | |
RECAPTCHA_PRIV_KEY |
Go on the site to get private key | |
RECAPTCHA_THEME |
Theme of ReCaptcha. Default: light |
|
RECAPTCHA_TYPE |
Type of ReCaptcha Default: image |
|
RECAPTCHA_SIZE |
Size of ReCaptcha Default: small |
|
RECAPTCHA_REQUEST_METHOD |
Special cases | null |
Misc Application and Branding Settings
| Parameter | Description | Default |
|---|---|---|
BACKGROUND_IMAGE |
Change background Default images/unsplash-space.jpg |
|
DEBUG_MODE |
Debug mode. | false |
DEFAULT_ACTION |
Default actionchange sendtoken sendsms. |
change |
ENABLE_RESET_LOG - Write to log detailing password resets |
FALSE |
|
IS_BEHIND_PROXY |
Enable reset url parameter to accept reverse proxy. | false |
SITE_URL |
Use this to hardcode a Site URL if IS_BEHIND_PROXY=true - By default it will pull from various HTTP Headers. Example -``https://site.example.com` |
|
LANG |
Language. | en. |
LOG_LOCATION |
Log Folder | /www/logs/self-service-password/ |
LOG_RESET - Reset Logfile |
reset.log |
|
LOGO |
Main Logo - Default images/ltb-logo.png |
|
SECRETKEY |
Encryption, decryption keyphrase. Defaults tosecret |
|
SHOW_HELP |
Display help messages. | true. |
Networking
The following ports are exposed.
| Port | Description |
|---|---|
80 |
HTTP |
Maintenance
Shell Access
For debugging and maintenance purposes you may want access the containers shell.
bash docker exec -it (whatever your container name is) bash
Support
These images were built to serve a specific need in a production environment and gradually have had more functionality added based on requests from the community.
Usage
- The Discussions board is a great place for working with the community on tips and tricks of using this image.
- Consider sponsoring me personalized support.
Bugfixes
- Please, submit a Bug Report if something isn't working as expected. I'll do my best to issue a fix in short order.
Feature Requests
- Feel free to submit a feature request, however there is no guarantee that it will be added, or at what timeline.
- Consider sponsoring me regarding development of features.
Updates
- Best effort to track upstream changes, More priority if I am actively using the image in a production environment.
- Consider sponsoring me for up to date releases.
License
MIT. See LICENSE for more details.## References
References
Open Source Agenda Badge
