larrabee / freeipa-password-reset

Self-service password reset app for FreeIPA
GNU General Public License v3.0
88 stars, 30 forks

Install the app on standalone server #21

Closed lnxart closed 4 years ago

lnxart commented 4 years ago

Hello,

Please let me know how we can install your password reset app in a standalone server?

Kind regards,

larrabee commented 4 years ago

Hello.
You can use the installation steps from the README. They are the same for a standalone server.

lnxart commented 4 years ago

Hello,

Thank you for your kind help. Please let me know how we can send the reset-password requests to our FreeIPA server, which runs on another server?

Kind regards,

larrabee commented 4 years ago

Hello.
You should install freeipa-client on that server and join it to FreeIPA (use the ipa-client-install or ipa-join commands).

lnxart commented 4 years ago

Hello,

Thanks again, the app is running but we got the following error at https://127.0.0.1/reset/ :

> The proxy server received an invalid response from an upstream server. The proxy server could not handle the request POST /reset/gettoken/.
>
> Reason: Error reading from remote server

Kind regards,

larrabee commented 4 years ago

Did you see the web page? If not, it's an apache/nginx configuration error and you should fix it first.
You can check the application without the proxy at the following URL: http://127.0.0.1:8000/reset/

lnxart commented 4 years ago

Hello,

I fixed the proxy issue, and I faced another issue about ticket expiration:

$ klist -A
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ldap-passwd-reset@DOMAIN.TLD

Valid starting       Expires              Service principal
09/14/19 10:20:55    09/15/19 10:20:55    HTTP/SERVER_NAME_URL@DOMAIN.TLD
        renew until 09/21/19 10:20:55
09/14/19 10:20:17    09/21/19 10:20:17    krbtgt/DOMAIN.TLD@DOMAIN.TLD
        renew until 09/24/19 09:20:17

As you can see, the ticket for the HTTP principal will expire in 24 hours, and users will get errors about the Kerberos ticket when they try to reset their password.

Please let me know how we can resolve this issue?

Kind Regards,

larrabee commented 4 years ago

Hello. Did you put the keytab in the file ldap-passwd-reset.keytab?
Tickets are retrieved automatically when a user tries to reset a password. What error did you get?

larrabee commented 4 years ago

> $ klist -A
> Ticket cache: KEYRING:persistent:1000:1000
> Default principal: ldap-passwd-reset@DOMAIN.TLD
>
> Valid starting       Expires              Service principal
> 09/14/19 10:20:55    09/15/19 10:20:55    HTTP/SERVER_NAME_URL@DOMAIN.TLD
>         renew until 09/21/19 10:20:55
> 09/14/19 10:20:17    09/21/19 10:20:17    krbtgt/DOMAIN.TLD@DOMAIN.TLD
>         renew until 09/24/19 09:20:17

It's OK. The ticket is retrieved on user requests.
You can destroy the current ticket and try to reset a password. After sending the token you should see a new ticket in the klist -A list.

lnxart commented 4 years ago

Hello,

> Did you put the keytab in the file ldap-passwd-reset.keytab?

Yes, but please let me know which is the correct setting for the keytab: 1. KEYTAB_PATH = "../ldap-passwd-reset.keytab" or 2. KEYTAB_PATH = "../../ldap-passwd-reset.keytab"

You can see my directories below (there are 2 nested PasswordReset directories):

/opt/data/IPAPasswordReset/PasswordReset# tree -d
.
├── PasswordReset
└── app
    ├── migrations
    └── templates

> Tickets are retrieved automatically when a user tries to reset a password. What error did you get?

I cannot reproduce it just now, as my ticket is valid till tomorrow, but it was about the "kerberos ticket", and the command "sudo -u ldap-passwd-reset -i klist -A" did not show any ticket when we faced this issue.

Kind regards,

larrabee commented 4 years ago

With the default value of KEYTAB_PATH ("../ldap-passwd-reset.keytab") the keytab should be placed in the project root (in the /opt/data/IPAPasswordReset/ dir by default).

lnxart commented 4 years ago

OK, it is fixed and working fine now. Thank you for your great work and kind support.
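The thread above works through three separate failures: the reverse proxy returning an upstream error (checked by hitting port 8000 directly), a relative KEYTAB_PATH pointing at the wrong directory, and an empty ticket cache for the service user, which is normal until the first reset request has been processed. The script below is an added troubleshooting helper written for this page; it is not part of freeipa-password-reset. It assumes that a relative KEYTAB_PATH is resolved from the directory the app is started in (the thread implies the one holding manage.py, /opt/data/IPAPasswordReset/PasswordReset), that the service runs as the local user ldap-passwd-reset, and that the app listens on 127.0.0.1:8000 behind apache/nginx, all as in the thread. It also checks the keytab's file mode, which the thread does not discuss but which matters: the keytab is the service's long-term key, and a group- or world-readable copy lets anyone on the host impersonate the HTTP/ principal.

```shell
#!/bin/sh
# Added troubleshooting helper for the issues discussed in this thread.
# Not part of freeipa-password-reset. Assumptions (not stated on the page):
#   - a relative KEYTAB_PATH is resolved from the directory the app is
#     started in, taken here to be /opt/data/IPAPasswordReset/PasswordReset;
#   - the service runs as the local user ldap-passwd-reset;
#   - the app listens on 127.0.0.1:8000 behind the reverse proxy.
unset CDPATH

# resolve_keytab_path APPDIR KEYTAB_PATH
#   Print the absolute path KEYTAB_PATH denotes when resolved from APPDIR.
#   Fails (no output, non-zero status) when the target directory is missing.
resolve_keytab_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  ( cd "$1" && cd "$(dirname "$2")" \
                && printf '%s/%s\n' "$(pwd -P)" "$(basename "$2")" ) ;;
    esac
}

# check_keytab_perms FILE
#   Succeed only if FILE is a regular file readable by its owner alone
#   (mode 600 or 400). Wrong location and loose permissions are both reported.
check_keytab_perms() {
    [ -f "$1" ] || { echo "keytab not found: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# ticket_present KLIST_OUTPUT PREFIX
#   Succeed if the given `klist -A` output lists a ticket whose service
#   principal starts with PREFIX, e.g. "HTTP/" or "krbtgt/". The "renew until"
#   continuation lines have fewer than five fields and are skipped.
ticket_present() {
    printf '%s\n' "$1" | awk -v p="$2" '$5 ~ ("^" p) { f = 1 } END { exit (f ? 0 : 1) }'
}

# live_checks APPDIR KEYTAB_PATH
#   Run the checks on this host. Needs curl, klist and sudo.
live_checks() {
    keytab=$(resolve_keytab_path "$1" "$2") \
        || { echo "KEYTAB_PATH=$2 does not resolve from $1" >&2; return 1; }
    echo "KEYTAB_PATH resolves to $keytab"
    check_keytab_perms "$keytab" || return 1
    klist -k "$keytab"        # lists the principal(s) the keytab actually holds

    # Talk to the app directly, bypassing apache/nginx: an upstream error from
    # the proxy together with a 200 here means the proxy config is the problem.
    code=$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:8000/reset/) || code=000
    echo "direct request to 127.0.0.1:8000/reset/ -> HTTP $code"

    # The app obtains its own ticket from the keytab while handling a reset
    # request, so an empty cache before the first request is expected; after a
    # token has been sent an HTTP/ ticket should appear here.
    out=$(sudo -n -u ldap-passwd-reset -i klist -A 2>/dev/null) || out=''
    if ticket_present "$out" "HTTP/"; then
        echo "ldap-passwd-reset holds an HTTP/ service ticket"
    else
        echo "no HTTP/ ticket cached for ldap-passwd-reset (normal before the first reset request)"
    fi
}

# Only touch the live system when asked; the functions above are safe to
# source and exercise on their own.
if [ "${1:-}" = "--live" ]; then
    live_checks "${2:-/opt/data/IPAPasswordReset/PasswordReset}" "${3:-../ldap-passwd-reset.keytab}"
fi
```

Run it as `sh check_reset.sh --live [APPDIR] [KEYTAB_PATH]` on the app server. With the directory layout from the thread, `../ldap-passwd-reset.keytab` resolves to /opt/data/IPAPasswordReset/ldap-passwd-reset.keytab and `../../ldap-passwd-reset.keytab` to /opt/data/ldap-passwd-reset.keytab, which is why only the first setting worked.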

Zapuskalov commented 7 months ago

Hello,

> Thanks again, the app is running but we got the following error at https://127.0.0.1/reset/ :
>
> The proxy server received an invalid response from an upstream server. The proxy server could not handle the request POST /reset/gettoken/.
>
> Reason: Error reading from remote server
>
> Kind regards,

Hi, please tell me how you fixed this problem?