larrabee / Freeipa Password Reset

Licence: gpl-3.0
Self-service password reset app for FreeIPA

FreeIPA self-service password reset

Features

  1. Users can reset their own passwords with a token that is sent to their mobile phone.
  2. Users can reset their own passwords with a token that is sent to their email.
  3. The service has protection against brute force attacks.
  4. The service is dedicated. It does not change the schema or system files of FreeIPA, so FreeIPA upgrades cause no problems.
  5. The password reset page is styled like the FreeIPA pages.
  6. SMS messages with tokens are sent through the Amazon SNS service.
  7. Tested with CentOS 7, Python 2.7 and FreeIPA 4.4/4.5.
  8. These instructions assume that the service will be installed on the FreeIPA server.
  9. I recommend that you protect the service using a firewall and allow access only through the internal network.
  10. This app is very small. You can easily audit the code.
  11. You can easily write your own 2FA providers.

Install steps

  1. Configure FreeIPA
  2. Install & Configure App
  3. Set the users' mobile phone numbers in their profiles. The service requires the number in the "Telephone Number" field in international format, like '+79991234567'
  4. Enjoy!

Configure FreeIPA

  1. Create a service user (example: ldap-passwd-reset):

         ipa -n user-add "ldap-passwd-reset" --first="Service" --last="Password reset" --password-expiration="2050-01-01Z" --password "CHANGE_ME_PLEASE"

  2. Create a new role with permission to change passwords:

         ipa role-add "Self Password Reset"
         ipa role-add-member "Self Password Reset" --users="ldap-passwd-reset"
         ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"
         ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"
         ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
         ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"

  3. Create the user's home directory:

         mkdir $(ipa -n user-show "ldap-passwd-reset" --raw |grep 'homedirectory' |awk -F':' '{print $2}')
         chown ldap-passwd-reset:ldap-passwd-reset $(ipa -n user-show "ldap-passwd-reset" --raw |grep 'homedirectory' |awk -F':' '{print $2}')
         chmod 750 $(ipa -n user-show "ldap-passwd-reset" --raw |grep 'homedirectory' |awk -F':' '{print $2}')

Install App

  1. Install system dependencies:

     RHEL/CentOS 7

         yum install -y python-virtualenv python-pip python-ipaclient git-core

     RHEL/CentOS 8

         dnf install -y python3-virtualenv python3-pip python3-ipaclient git-core

  2. Clone the repository to a directory (the default is /opt/data/IPAPasswordReset/, but you can change it):

         git clone https://github.com/larrabee/freeipa-password-reset.git /opt/data/IPAPasswordReset/

  3. Create a virtual env:

     RHEL/CentOS 7

         cd /opt/data/IPAPasswordReset/
         virtualenv --system-site-packages ./virtualenv
         . ./virtualenv/bin/activate
         pip install -r requirements.txt

     RHEL/CentOS 8

         cd /opt/data/IPAPasswordReset/
         virtualenv-3 --system-site-packages ./virtualenv
         . ./virtualenv/bin/activate
         pip install -r requirements.txt

  4. Get the keytab for the "ldap-passwd-reset" user (run this as a user with admin privileges):

         ipa-getkeytab -p ldap-passwd-reset -k /opt/data/IPAPasswordReset/ldap-passwd-reset.keytab

  5. Set ownership of the files (change the username if you do not use the default):

         chown -R ldap-passwd-reset:ldap-passwd-reset /opt/data/IPAPasswordReset

  6. Install the Apache config and reload httpd:

         cp service/ipa-password-reset.conf /etc/httpd/conf.d/ipa-password-reset.conf
         systemctl reload httpd

  7. Install redis (you can skip this step and use an external redis):

         yum install -y redis
         systemctl enable --now redis

  8. Copy the file PasswordReset/PasswordReset/settings.py.example to PasswordReset/PasswordReset/settings.py and modify it. Change the following variables:

         SECRET_KEY = "Your CSRF protection key. It must be long random string"
         LDAP_USER = "LDAP user. Default is ldap-passwd-reset"
         KEYTAB_PATH = "Path to ldap-passwd-reset keytab. Default is ../ldap-passwd-reset.keytab"
         PROVIDERS = {...} # Configuration of 2FA providers like Amazon SNS (SMS), Email, Slack, Signal

  9. Install the systemd unit and start the app:

         cp service/ldap-passwd-reset.service /etc/systemd/system/ldap-passwd-reset.service
         systemctl daemon-reload
         systemctl enable --now ldap-passwd-reset.service
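
The install steps above set ownership with chown -R but do not set file modes on the keytab or on settings.py, both of which hold credentials. The audit script below is an added example, not part of the project; the paths default to the ones used on this page, and the function names, the RUN_AUDIT switch and the 32-character minimum for SECRET_KEY are assumptions.

```sh
#!/bin/sh
# Added example (not from the project): audit the secret-bearing files of the install.
# Paths default to the ones on this page; the 32-character minimum is an assumption.
APP_DIR=${APP_DIR:-/opt/data/IPAPasswordReset}
SVC_USER=${SVC_USER:-ldap-passwd-reset}

# Succeeds only if FILE is a regular file owned by OWNER with no group/other bits.
check_secret_file() {
    file=$1; owner=$2
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "FAIL $file: missing or not a regular file"; return 1
    fi
    actual=$(stat -c '%U' "$file")   # GNU stat, as shipped on RHEL/CentOS
    mode=$(stat -c '%a' "$file")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL $file: owned by $actual, expected $owner"; return 1
    fi
    case $mode in
        0|*00) echo "OK   $file: mode $mode, owner $actual" ;;
        *) echo "FAIL $file: mode $mode grants group/other access (chmod 600)"; return 1 ;;
    esac
}

# Succeeds only if SECRET_KEY is set, is not the placeholder text, and is long enough.
check_secret_key() {
    key=$(sed -n "s/^SECRET_KEY *= *[\"']\\([^\"']*\\)[\"'].*/\\1/p" "$1" | head -n 1)
    case $key in
        "") echo "FAIL $1: SECRET_KEY not set"; return 1 ;;
        "Your CSRF protection key"*) echo "FAIL $1: SECRET_KEY is still the placeholder"; return 1 ;;
    esac
    if [ "${#key}" -lt 32 ]; then
        echo "FAIL $1: SECRET_KEY has ${#key} characters, want 32 or more"; return 1
    fi
    echo "OK   $1: SECRET_KEY set (${#key} characters)"
}

# Runs every check and returns non-zero if any of them failed.
audit() {
    rc=0
    check_secret_file "$APP_DIR/ldap-passwd-reset.keytab" "$SVC_USER" || rc=1
    check_secret_file "$APP_DIR/PasswordReset/PasswordReset/settings.py" "$SVC_USER" || rc=1
    check_secret_key "$APP_DIR/PasswordReset/PasswordReset/settings.py" || rc=1
    return $rc
}

# Run the audit only when asked, so the file can also be sourced: RUN_AUDIT=1 sh audit.sh
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit; fi
```

Run it as root after the last install step; any FAIL line names the file and the condition to correct before the service is exposed.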

Enjoy!

  • Open https://ipa.example.com/reset/ (replace ipa.example.com with your FreeIPA hostname)
  • Enter the user uid and click 'Reset Password'
  • On the next page, enter the security code from the SMS, enter the new password twice and click 'Reset'
  • Try to log in to FreeIPA with the new password

Screenshots

Main Page Confirmation Page

License

GPLv3
