larrabee / freeipa-password-reset

Self-service password reset app for FreeIPA
GNU General Public License v3.0

Images showing properly when run on port 8000 #59

Open maniasso opened 2 years ago

maniasso commented 2 years ago

How can I have it running on port 8000 but showing the background images properly? If I run it on the same port and URL as Freeipa it seems ok, but when I try to access it using port 8000 (http://ipa-server:8000/reset) it doesn't show it properly. See the attached screenshot.

image (1)

Yukesh4791 commented 2 years ago

Hi @maniasso, basically it means that freeipa-password-reset is not able to use the Web UI paths of the Freeipa deployment. This can also mean that you have deployed your freeipa-password-reset on a different server than the freeipa deployment and the freeipa URL is unreachable to the password-reset program. If you have deployed freeipa on a different server and want it to be accessed by a different URL than the freeipa URL, you will need to change ipa-password-reset.conf to match the config below:

<VirtualHost *:80>
    ServerName your.subdomain.com

    <Location "/">
      RedirectMatch 301 ^/$ /reset/
    </Location>

    <Location "/reset/">
       ProxyPass "http://127.0.0.1:8000/reset/"
    </Location>

</VirtualHost>

Change your.subdomain.com to your FQDN. Also, make sure that your freeipa server is accessible to the freeipa-password-reset server.

maniasso commented 2 years ago

Hi, in fact I tried that, I populated the file as below

<VirtualHost *:80>
    ServerName freeipa.example.com

    <Location "/reset">
      RedirectMatch 301 ^/$ /reset/
    </Location>

    <Location "/reset/">
       ProxyPass "http://127.0.0.1:8000/reset/"
    </Location>
</VirtualHost>

however it doesn't load and shows

Not Found

The requested URL was not found on this server.

If I go to port 8000, I see the page. It seems something is missing or incorrect in the http configuration file :(

Yukesh4791 commented 2 years ago

Hi @maniasso, I guess you already have a DNS entry for freeipa.example.com which points to the host where freeipa-password-reset is deployed. If so, according to your above config you should be able to access it as freeipa.example.com/reset

maniasso commented 2 years ago

Seems it's not redirecting to the freeipa server, I set the debug in the apache configuration file and seems it's looking at localhost...

[Thu Dec 16 10:00:24.155657 2021] [core:info] [pid 3658940:tid 140735564541808] [client 9.160.28.68:59823] AH00128: File does not exist: /var/www/html/ipa/ui/ipa.css, referer: http://b02xormon.example.com/reset/

[Thu Dec 16 10:00:24.317905 2021] [authz_core:debug] [pid 3658938:tid 140735256850288] mod_authz_core.c(820): [client 9.160.28.68:59822] AH01626: authorization result of Require all granted: granted, referer: http://b02xormon.example.com/reset/
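As an added example (not part of the original thread or the project's code): a small Python check that scans an Apache error log for AH00128 entries like the one above, where a page under `/reset/` requested `/ipa/ui/` assets and the local vhost looked for them under its own DocumentRoot. The first two sample lines are the ones quoted above, the rest are constructed, and the default `docroot` is an assumption taken from the path in that log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache 2.4 error-log entry for a static file the local vhost could not find.
AH00128 = re.compile(
    r"\[client (?P<client>[^\]]+)\] AH00128: File does not exist: "
    r"(?P<path>[^,\n]+)(?:, referer: (?P<referer>\S+))?"
)

def missing_ui_assets(lines, docroot="/var/www/html",
                      asset_prefix="/ipa/ui/", page_prefix="/reset/"):
    """Count FreeIPA UI assets requested by the reset page but not found locally."""
    hits = Counter()
    for line in lines:
        m = AH00128.search(line)
        if not m:
            continue  # not a "File does not exist" entry
        fs_path = m.group("path").strip()
        if not fs_path.startswith(docroot + "/"):
            continue  # served from some other tree
        url_path = fs_path[len(docroot):]  # filesystem path back to URL path
        referer_path = urlsplit(m.group("referer") or "").path
        if url_path.startswith(asset_prefix) and referer_path.startswith(page_prefix):
            hits[url_path] += 1
    return dict(hits)

SAMPLE_LOG = [
    # The two entries quoted in the thread.
    "[Thu Dec 16 10:00:24.155657 2021] [core:info] [pid 3658940:tid 140735564541808] "
    "[client 9.160.28.68:59823] AH00128: File does not exist: "
    "/var/www/html/ipa/ui/ipa.css, referer: http://b02xormon.example.com/reset/",
    "[Thu Dec 16 10:00:24.317905 2021] [authz_core:debug] [pid 3658938:tid 140735256850288] "
    "mod_authz_core.c(820): [client 9.160.28.68:59822] AH01626: authorization result of "
    "Require all granted: granted, referer: http://b02xormon.example.com/reset/",
    # Constructed entries (not from the thread).
    "[Thu Dec 16 10:00:25.000001 2021] [core:info] [pid 1:tid 2] [client 192.0.2.10:40000] "
    "AH00128: File does not exist: /var/www/html/ipa/ui/images/example-bg.png, "
    "referer: http://b02xormon.example.com/reset/",
    "[Thu Dec 16 10:00:26.000001 2021] [core:info] [pid 1:tid 2] [client 192.0.2.10:40001] "
    "AH00128: File does not exist: /var/www/html/favicon.ico",
    "[Thu Dec 16 10:00:27.000001 2021] [core:info] [pid 1:tid 2] [client 192.0.2.11:40002] "
    "AH00128: File does not exist: /var/www/html/ipa/ui/ipa.css, "
    "referer: http://b02xormon.example.com/reset/",
]

if __name__ == "__main__":
    for path, count in sorted(missing_ui_assets(SAMPLE_LOG).items()):
        print(f"{count:3d}  {path}")
```

A non-empty result means the host serving `/reset/` has no mapping for `/ipa/ui/`, which matches the unstyled page described in this issue.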

Yukesh4791 commented 2 years ago

Hi @maniasso, is it possible for you to elaborate a bit on how you have deployed your freeipa-password-reset and if your freeipa server is publicly accessible?

maniasso commented 2 years ago

Hello, yes sure, let me explain more details.

I have a freeipa environment, however I don't allow users to connect to the WebGUI interface. Why? Because the UI only allows Google 2FA and the company uses DUO. Some users have difficulty understanding how to change their password using the CLI, it is kind of complicated for them, so I found your project, which is pretty nice, simple and functional.

Since I don't allow users to connect to the WebGUI, the app doesn't open properly if I point users to use it by port 8000. What I tried to do was two things, but I believe I have addressed both.

1 - Use a bastion server as self-service portal, but doing this I don't see the page loading properly, so I have copied the /usr/ipa content to the bastion at /var/www/html and the page loads properly.

2 - Use a different port on the IDM server to allow the self-service portal. I have used this option, so I have made some changes to /etc/httpd/conf.d/ipa-password-reset.conf

Listen 8081
<VirtualHost *:8081>
    ServerName FREEIPA-FQDN
    LogLevel debug ssl:warn
    ErrorLog /var/log/httpd/error-ipa.log

    <Location "/reset">
      RedirectMatch 301 ^/reset$ /reset/
    </Location>

    <Location "/reset/">
      ProxyPass "http://127.0.0.1:8000/reset/"
    </Location>
</VirtualHost>

Doing this the portal will be available at FREEIPA, but at port 8081 :)


rpelissi commented 7 months ago

Hi, instead of opening a new ticket for pretty much the same issue, let me describe my setup and what I did so far. I have 3 freeipa servers I have done the step

Can you tell me what step I am missing to not have it working properly? Should I install the app on the free-ipa server (so it can listen on port 8000) and have the standalone forward to http://:8000 ? Or just copy the missing usr/ipa content to my client's /var/www/html folder?

Please let me know what is the best way to have the ipa-reset project hosted on a standalone server.

Thanks!

rpelissi commented 7 months ago

So, in fact the ipa.conf that describes where to find the /ipa/ui was missing on the client's setup, so I have copied it to the client's http conf.d folder and restarted the http process. Now the CSS works but I got this when trying the email setup: Error 111 connecting to localhost:6379. Connection refused. I guess it's because redis is missing, let me try to fix this.

rpelissi commented 7 months ago

yes it's working!