Closed thiyaga0601 closed 4 years ago
# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = false;
# LDAP
$ldap_url = "ldap://10.6.10.5:389";
$ldap_starttls = false;
#$ldap_binddn = "CN=domaintest,CN=users,DC=test,DC=com";
$ldap_binddn = "CN=domaintest,DC=test,DC=com";
$ldap_bindpw = "password";
$ldap_base = "DC=test,DC=com";
#$ldap_login_attribute = "uid";
$ldap_login_attribute = "cn";
#$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
#$ldap_filter = "(&(objectClass=person)(uid={login}))";
#$ldap_filter = "(&(objectClass=user)($ldap_login_attribute={login}))";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
#$ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = false;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = true;
# Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;
# Set password min/max age in Samba attributes
#$samba_options['min_age'] = 5;
#$samba_options['max_age'] = 45;
# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = true;
$shadow_options['update_shadowExpire'] = true;
# Default to -1, never expire
$shadow_options['shadow_expire_days'] = 365;
# Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "clear";
# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";
# Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 8;
# Maximal length
$pwd_max_length = 40;
# Minimal lower characters
$pwd_min_lower = 0;
# Minimal upper characters
$pwd_min_upper = 0;
# Minimal digit characters
$pwd_min_digit = 1;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
#$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Complexity: number of different class of character required
$pwd_complexity = 2;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "onerror";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "user";
## Standard change
# Use standard change form?
$use_change = true;
## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;
# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";
# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "user";
# Notify users anytime their sshPublicKey is changed
## Requires mail configuration below
$notify_on_sshkey_change = false;
## Questions/answers
# Use questions/answers?
# true (default)
# false
$use_questions = false;
# Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
# Crypt answers inside the directory
$crypt_answers = true;
# Extra questions (built-in questions are in lang/$lang.inc.php)
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
## Token
# Use tokens?
# true (default)
# false
$use_tokens = false;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "3600";
## Mail
# LDAP mail attribute
$mail_attribute = "mail";
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = "admin@example.com";
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'localhost';
$mail_smtp_auth = false;
$mail_smtp_user = '';
$mail_smtp_pass = '';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
$mail_newline = PHP_EOL;
## SMS
# Use sms
$use_sms = false;
# SMS method (mail, api)
$sms_method = "mail";
$sms_api_lib = "lib/smsapi.inc.php";
# GSM number attribute
$sms_attribute = "mobile";
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address
$smsmailto = "{sms_attribute}@service.provider.com";
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} {smstoken}";
# Remove non digit characters from GSM number
$sms_sanitize_number = false;
# Truncate GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;
# Max attempts allowed for SMS token
$max_attempts = 3;
# Encryption, decryption keyphrase, required if $crypt_tokens = true
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "password";
# Reset URL (if behind a reverse proxy)
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
# Display help messages
$show_help = true;
# Default language
$lang = "en";
# List of authorized languages. If empty, all language are allowed.
# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array();
# Display menu on top
$show_menu = true;
# Logo
$logo = "images/ltb-logo.png";
# Background image
$background_image = "images/unsplash-space.jpeg";
# Where to log password resets - Make sure apache has write permission
# By default, they are logged in Apache log
#$reset_request_log = "/var/log/self-service-password";
# Invalid characters in login
# Set at least "*()&|" to prevent LDAP injection
# If empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|";
## CAPTCHA
# Use Google reCAPTCHA (http://www.google.com/recaptcha)
$use_recaptcha = false;
# Go on the site to get public and private key
$recaptcha_publickey = "";
$recaptcha_privatekey = "";
# Customization (see https://developers.google.com/recaptcha/docs/display)
$recaptcha_theme = "light";
$recaptcha_type = "image";
$recaptcha_size = "normal";
# reCAPTCHA request method, null for default, Fully Qualified Class Name to override
# Useful when allow_url_fopen=0 ex. $recaptcha_request_method = '\ReCaptcha\RequestMethod\CurlPost';
$recaptcha_request_method = null;
## Default action
# change
# sendtoken
# sendsms
$default_action = "change";
## Extra messages
# They can also be defined in lang/ files
#$messages['passwordchangedextramessage'] = NULL;
#$messages['changehelpextramessage'] = NULL;
# Launch a posthook script after successful password change
#$posthook = "/usr/share/self-service-password/posthook.sh";
#$display_posthook_error = true;
# Hide some messages to not disclose sensitive information
# These messages will be replaced by badcredentials error
#$obscure_failure_messages = array("mailnomatch");
# Allow to override current settings with local configuration
if (file_exists (__DIR__ . '/config.inc.local.php')) {
require __DIR__ . '/config.inc.local.php';
}
Old password remain valid on AD a certain time, this is an AD behavior.
Old password remain valid on AD a certain time, this is an AD behavior.
Any solution for this behavior?
I have tried this step in my AD but still my problem persist. Do i need to give any permission in Domain controller side to allow this application to reset password?
If SSP confirms that the password was changed, then it means it has enough permission to change the password.
If SSP confirms that the password was changed, then it means it has enough permission to change the password. Hi, I did not do the below settings since im using wamp. Is that a problem for my issue.
LDAP certificate management in PHP relies on LDAP system libraries. Under Linux, you can configure /etc/ldap.conf (or /etc/ldap/ldap.conf on Debian/Ubuntu, or C:\OpenLDAP\sysconf\ldap.conf for Windows) to either: Provide the certificate from the certificate authority that issued your LDAP server's certificate: TLS_CACERT /etc/ssl/ca.crt Or, disable server certificate checking: TLS_REQCERT allow
Hi @thiyaga0601 did you solve your issue ?
No. We dropped this problem
On Tue, 21 Jan 2020 at 2:22 AM, Philippe Lewin notifications@github.com wrote:
Hi @thiyaga0601 https://github.com/thiyaga0601 did you solve your issue ?
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ltb-project/self-service-password/issues/242?email_source=notifications&email_token=AKGJRHCNRDXTIZFM5N75VBTQ6YFIBA5CNFSM4FWWKYIKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJNZGLI#issuecomment-576426797, or unsubscribe https://github.com/notifications/unsubscribe-auth/AKGJRHADN6JW35XCEIDKELLQ6YFIBANCNFSM4FWWKYIA .
Okay sorry thank you for the update, I'm going to look if we can improve the experience for ad users meanwhile I close this issue.
Hi,
I have a windows 2008 r2 domain controller and all roles plays in it. Recently i have built self service password portal LTB. I used wampserver3.1.3_x64 in my local PC and tried to reset password. In SSP front page it shows password reset successful but in domain controller side password is not changing. can you please suggest a solution for this?
My config.php config details below
<?php
==============================================================================
LTB Self Service Password
#
Copyright (C) 2009 Clement OUDOT
Copyright (C) 2009 LTB-project.org
#
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
#
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
#
GPL License: http://www.gnu.org/licenses/gpl.txt
#
==============================================================================
==============================================================================
All the default values are kept here, you should not modify it but use
config.inc.local.php file instead to override the settings from here.
==============================================================================
==============================================================================
Configuration
==============================================================================
Debug mode
true: log and display any errors or warnings (use this in configuration/testing)
false: log only errors and do not display them (use this in production)
$debug = false;
LDAP
$ldap_url = "ldap://10.6.10.5:389"; $ldap_starttls = false;
$ldap_binddn = "CN=domaintest,CN=users,DC=test,DC=com";
$ldap_binddn = "CN=domaintest,DC=test,DC=com"; $ldap_bindpw = "password"; $ldap_base = "DC=test,DC=com";
$ldap_login_attribute = "uid";
$ldap_login_attribute = "cn";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)(uid={login}))";
$ldap_filter = "(&(objectClass=user)($ldap_login_attribute={login}))";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
Active Directory mode
true: use unicodePwd as password field
false: LDAPv3 standard behavior
$ad_mode = false;
Force account unlock when password is changed
$ad_options['force_unlock'] = false;
Force user change password at next login
$ad_options['force_pwd_change'] = false;
Allow user with expired password to change password
$ad_options['change_expired_password'] = true;
Samba mode
true: update sambaNTpassword and sambaPwdLastSet attributes too
false: just update the password
$samba_mode = false;
Set password min/max age in Samba attributes
$samba_options['min_age'] = 5;
$samba_options['max_age'] = 45;
Shadow options - require shadowAccount objectClass
Update shadowLastChange
$shadow_options['update_shadowLastChange'] = true; $shadow_options['update_shadowExpire'] = true;
Default to -1, never expire
$shadow_options['shadow_expire_days'] = 365;
Hash mechanism for password:
SSHA, SSHA256, SSHA384, SSHA512
SHA, SHA256, SHA384, SHA512
SMD5
MD5
CRYPT
clear (the default)
auto (will check the hash of current password)
This option is not used with ad_mode = true
$hash = "clear";
Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$"; $hash_options['crypt_salt_length'] = "6";
Local password policy
This is applied before directory password policy
Minimal length
$pwd_min_length = 8;
Maximal length
$pwd_max_length = 40;
Minimal lower characters
$pwd_min_lower = 0;
Minimal upper characters
$pwd_min_upper = 0;
Minimal digit characters
$pwd_min_digit = 1;
Minimal special characters
$pwd_min_special = 0;
Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
Forbidden characters
$pwd_forbidden_chars = "@%";
Don't reuse the same password as currently
$pwd_no_reuse = true;
Check that password is different than login
$pwd_diff_login = true;
Complexity: number of different class of character required
$pwd_complexity = 2;
use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
Show policy constraints message:
always
never
onerror
$pwd_show_policy = "onerror";
Position of password policy constraints message:
above - the form
below - the form
$pwd_show_policy_pos = "above";
Who changes the password?
Also applicable for question/answer save
user: the user itself
manager: the above binddn
$who_change_password = "user";
Standard change
Use standard change form?
$use_change = true;
SSH Key Change
Allow changing of sshPublicKey?
$change_sshkey = false;
What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";
Who changes the sshPublicKey attribute?
Also applicable for question/answer save
user: the user itself
manager: the above binddn
$who_change_sshkey = "user";
Notify users anytime their sshPublicKey is changed
Requires mail configuration below
$notify_on_sshkey_change = false;
Questions/answers
Use questions/answers?
true (default)
false
$use_questions = false;
Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject"; $answer_attribute = "info";
Crypt answers inside the directory
$crypt_answers = true;
Extra questions (built-in questions are in lang/$lang.inc.php)
$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
Token
Use tokens?
true (default)
false
$use_tokens = false;
Crypt tokens?
true (default)
false
$crypt_tokens = true;
Token lifetime in seconds
$token_lifetime = "3600";
Mail
LDAP mail attribute
$mail_attribute = "mail";
Get mail address directly from LDAP (only first mail entry)
and hide mail input field
default = false
$mail_address_use_ldap = false;
Who the email should come from
$mail_from = "admin@example.com"; $mail_from_name = "Self Service Password"; $mail_signature = "";
Notify users anytime their password is changed
$notify_on_change = false;
PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail'; $mail_protocol = 'smtp'; $mail_smtp_debug = 0; $mail_debug_format = 'error_log'; $mail_smtp_host = 'localhost'; $mail_smtp_auth = false; $mail_smtp_user = ''; $mail_smtp_pass = ''; $mail_smtp_port = 25; $mail_smtp_timeout = 30; $mail_smtp_keepalive = false; $mail_smtp_secure = 'tls'; $mail_smtp_autotls = true; $mail_contenttype = 'text/plain'; $mail_wordwrap = 0; $mail_charset = 'utf-8'; $mail_priority = 3; $mail_newline = PHP_EOL;
SMS
Use sms
$use_sms = false;
SMS method (mail, api)
$sms_method = "mail"; $sms_api_lib = "lib/smsapi.inc.php";
GSM number attribute
$sms_attribute = "mobile";
Partially hide number
$sms_partially_hide_number = true;
Send SMS mail to address
$smsmailto = "{sms_attribute}@service.provider.com";
Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
Message
$sms_message = "{smsresetmessage} {smstoken}";
Remove non digit characters from GSM number
$sms_sanitize_number = false;
Truncate GSM number
$sms_truncate_number = false; $sms_truncate_number_length = 10;
SMS token length
$sms_token_length = 6;
Max attempts allowed for SMS token
$max_attempts = 3;
Encryption, decryption keyphrase, required if $crypt_tokens = true
Please change it to anything long, random and complicated, you do not have to remember it
Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "password";
Reset URL (if behind a reverse proxy)
$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
Display help messages
$show_help = true;
Default language
$lang = "en";
List of authorized languages. If empty, all language are allowed.
If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array();
Display menu on top
$show_menu = true;
Logo
$logo = "images/ltb-logo.png";
Background image
$background_image = "images/unsplash-space.jpeg";
Where to log password resets - Make sure apache has write permission
By default, they are logged in Apache log
$reset_request_log = "/var/log/self-service-password";
Invalid characters in login
Set at least "*()&|" to prevent LDAP injection
If empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|";
CAPTCHA
Use Google reCAPTCHA (http://www.google.com/recaptcha)
$use_recaptcha = false;
Go on the site to get public and private key
$recaptcha_publickey = ""; $recaptcha_privatekey = "";
Customization (see https://developers.google.com/recaptcha/docs/display)
$recaptcha_theme = "light"; $recaptcha_type = "image"; $recaptcha_size = "normal";
reCAPTCHA request method, null for default, Fully Qualified Class Name to override
Useful when allow_url_fopen=0 ex. $recaptcha_request_method = '\ReCaptcha\RequestMethod\CurlPost';
$recaptcha_request_method = null;
Default action
change
sendtoken
sendsms
$default_action = "change";
Extra messages
They can also be defined in lang/ files
$messages['passwordchangedextramessage'] = NULL;
$messages['changehelpextramessage'] = NULL;
Launch a posthook script after successful password change
$posthook = "/usr/share/self-service-password/posthook.sh";
$display_posthook_error = true;
Hide some messages to not disclose sensitive information
These messages will be replaced by badcredentials error
$obscure_failure_messages = array("mailnomatch");
Allow to override current settings with local configuration
if (file_exists (DIR . '/config.inc.local.php')) { require DIR . '/config.inc.local.php'; }