larrabee / Freeipa Password Reset
Licence: gpl-3.0
Self-service password reset app for FreeIPA
Stars: ✭ 44
FreeIPA self-service password reset
Features
- Users can reset their own passwords with a token that is sent to their mobile phone
- Users can reset their own passwords with a token that is sent to their email address
- The service has protection against brute force attacks
- The service is dedicated. It does not change the schema or system files of FreeIPA, so FreeIPA upgrades cause no problems
- The password reset page is styled like the FreeIPA pages
- SMS with tokens is sent through the Amazon SNS service.
- Tested with CentOS 7, python 2.7 and FreeIPA 4.4/4.5
- These instructions assume that the service will be installed on the FreeIPA server.
- I recommend that you protect the service using a firewall and allow access only through the internal network
- This app is very small. You can easily audit the code.
- You can easily write your own 2FA providers.
Install steps
- Configure FreeIPA
- Install & Configure App
- Set the users' mobile phone numbers in their profiles. The service requires the phone number in the "Telephone Number" field in international format, like '+79991234567'
- Enjoy!
Configure FreeIPA
- Create service user (example: ldap-passwd-reset)
ipa -n user-add "ldap-passwd-reset" --first="Service" --last="Password reset" --password-expiration="2050-01-01Z" --password "CHANGE_ME_PLEASE"
- Create new role with permission to change passwords
ipa role-add "Self Password Reset"
ipa role-add-member "Self Password Reset" --users="ldap-passwd-reset"
ipa role-add-privilege "Self Password Reset" --privileges="Modify Users and Reset passwords"
ipa role-add-privilege "Self Password Reset" --privileges="Password Policy Readers"
ipa role-add-privilege "Self Password Reset" --privileges="Kerberos Ticket Policy Readers"
ipa permission-mod "System: Change User password" --includedattrs="krbloginfailedcount"
- Create user home dir
mkdir $(ipa -n user-show "ldap-passwd-reset" --raw |grep 'homedirectory' |awk -F':' '{print $2}')
chown ldap-passwd-reset:ldap-passwd-reset $(ipa -n user-show "ldap-passwd-reset" --raw |grep 'homedirectory' |awk -F':' '{print $2}')
chmod 750 $(ipa -n user-show "ldap-passwd-reset" --raw |grep 'homedirectory' |awk -F':' '{print $2}')
Install App
- Install system dependencies:
RHEL/CentOS 7
yum install -y python-virtualenv python-pip python-ipaclient git-core
RHEL/CentOS 8
dnf install -y python3-virtualenv python3-pip python3-ipaclient git-core
- Clone the repository to a directory (the default is /opt/data/IPAPasswordReset/, but you can change it):
git clone https://github.com/larrabee/freeipa-password-reset.git /opt/data/IPAPasswordReset/
- Create virtual env:
RHEL/CentOS 7
cd /opt/data/IPAPasswordReset/
virtualenv --system-site-packages ./virtualenv
. ./virtualenv/bin/activate
pip install -r requirements.txt
RHEL/CentOS 8
cd /opt/data/IPAPasswordReset/
virtualenv-3 --system-site-packages ./virtualenv
. ./virtualenv/bin/activate
pip install -r requirements.txt
- Get a keytab for the "ldap-passwd-reset" user (you must run this as a user with admin privileges):
ipa-getkeytab -p ldap-passwd-reset -k /opt/data/IPAPasswordReset/ldap-passwd-reset.keytab
- chown the files (change the username if you are not using the default):
chown -R ldap-passwd-reset:ldap-passwd-reset /opt/data/IPAPasswordReset
- Install Apache config and reload httpd:
cp service/ipa-password-reset.conf /etc/httpd/conf.d/ipa-password-reset.conf
systemctl reload httpd
- Install redis (you can skip this step and use external redis):
yum install -y redis
systemctl enable --now redis
- Copy the file PasswordReset/PasswordReset/settings.py.example to PasswordReset/PasswordReset/settings.py and modify it. You should change the following variables:
SECRET_KEY = "Your CSRF protection key. It must be long random string"
LDAP_USER = "LDAP user. Default is ldap-passwd-reset"
KEYTAB_PATH = "Path to ldap-passwd-reset keytab. Default is ../ldap-passwd-reset.keytab"
PROVIDERS = {...} # Configuration of 2FA providers like Amazon SNS (SMS), Email, Slack, Signal
- Install systemd unit and start the app:
cp service/ldap-passwd-reset.service /etc/systemd/system/ldap-passwd-reset.service
systemctl daemon-reload
systemctl enable --now ldap-passwd-reset.service
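A post-install check for the two secrets these steps leave on disk, the service keytab and settings.py. This is an added example, not part of the project: the paths and user name are the README defaults, while the function names, the owner-only file mode requirement and the 32-character minimum are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: audit the secrets the install steps leave on disk.
# Paths and user name are the README defaults; function names, the
# owner-only mode requirement and MIN_KEY_LEN are assumptions of this example.
MIN_KEY_LEN=32

# Pass only if the file exists, is owned by $2 and grants no access to
# group or other (octal mode ends in "00"). Uses GNU stat (RHEL/CentOS).
check_private() {
    local path="$1" owner="$2" mode
    [ -f "$path" ] || { echo "MISSING $path"; return 1; }
    if [ "$(stat -c '%U' "$path")" != "$owner" ]; then
        echo "OWNER   $path is not owned by $owner"; return 1
    fi
    mode=$(stat -c '%a' "$path")
    case "$mode" in
        0|*00) echo "OK      $path (mode $mode)" ;;
        *)     echo "MODE    $path is $mode, want 600 or stricter"; return 1 ;;
    esac
}

# Pass only if SECRET_KEY is set, is not the README placeholder sentence
# and is at least MIN_KEY_LEN characters. The key itself is never printed.
check_secret_key() {
    local settings="$1" key
    key=$(sed -n "s/^SECRET_KEY[[:space:]]*=[[:space:]]*[\"']\(.*\)[\"'].*/\1/p" \
        "$settings" | head -n 1)
    [ -n "$key" ] || { echo "NOKEY   SECRET_KEY not found in $settings"; return 1; }
    case "$key" in
        *"CSRF protection key"*|*" "*)
            echo "WEAK    SECRET_KEY still looks like the placeholder"; return 1 ;;
    esac
    [ "${#key}" -ge "$MIN_KEY_LEN" ] || { echo "SHORT   SECRET_KEY is ${#key} chars"; return 1; }
    echo "OK      SECRET_KEY (${#key} chars)"
}

# Run every check and report all findings; non-zero if any check failed.
audit_install() {
    local base="${1:-/opt/data/IPAPasswordReset}" user="${2:-ldap-passwd-reset}" rc=0
    local settings="$base/PasswordReset/PasswordReset/settings.py"
    check_private "$base/ldap-passwd-reset.keytab" "$user" || rc=1
    check_private "$settings" "$user" || rc=1
    check_secret_key "$settings" || rc=1
    return $rc
}

# Invoke as: ./audit.sh run [base_dir] [service_user]
if [ "${1:-}" = "run" ]; then shift; audit_install "$@"; fi
```

A MODE finding on settings.py is expected right after the clone and chown steps, since git creates the file world-readable; `chmod 600` on it clears the finding.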
Enjoy!
- Open https://ipa.example.com/reset/ (replace ipa.example.com with your FreeIPA hostname)
- Enter the user uid and click 'Reset Password'
- On the next page, enter the security code from the SMS, enter the new password twice and click 'Reset'
- Try to log in to FreeIPA with the new password
License
GPLv3