Dockerfile to build a LTB-Self Service Password self service password reset tool for infrastructure with an LDAP backend.
Clone this repository and build the image with docker build <arguments> (imagename) .
Builds of the image are available on Docker Hub and is the recommended method of installation.
The following image tags are available along with their taged release based on what's written in the Changelog:
Container OS | Tag |
---|---|
Alpine | :latest |
Images are built primarily for amd64
architecture, and may also include builds for arm/v6
, arm/v7
, arm64
and others. These variants are all unsupported. Consider sponsoring my work so that I can work with various hardware. To see if this image supports multiple architecures, type docker manifest (image):(tag)
The quickest way to get started is using docker-compose. See the examples folder for a working docker-compose.yml that can be modified for development or production use.
Set various environment variables to understand the capabilities of this image.
Map persistent storage for access to configuration and data files for backup.
The following directories are used for configuration and can be mapped for persistent storage.
Directory | Description |
---|---|
/www/ssp |
Root SelfService Password Directory |
OR
Don't map anything and let it run with the included source inside the image. If you wish to customize the source on each container restart map the following
Directory | Description |
---|---|
/assets/custom |
Place files to be added/updated on container start following the /www/ssp file / folder structure |
OR
If you want to manually configure the application you can set SETUP_TYPE=MANUAL
in environment variables and map the following:
Directory | Description |
---|---|
/www/ssp/conf |
SSP Configuration Directory |
This image relies on an Alpine Linux or Debian Linux base image that relies on an init system for added capabilities. Outgoing SMTP capabilities are handlded via msmtp
. Individual container performance monitoring is performed by zabbix-agent. Additional tools include: bash
,curl
,less
,logrotate
,nano
,vim
.
Be sure to view the following repositories to understand all the customizable options:
Image | Description |
---|---|
OS Base | Customized Image based on Alpine Linux |
Nginx | Nginx webserver |
PHP-FPM | PHP Interpreter |
Parameter | Description | Default |
---|---|---|
SETUP_TYPE |
Configure SSP via environment variables AUTO or MANUAL - If true, ignore everything below |
AUTO |
Parameter | Description | Default |
---|---|---|
LDAP_SERVER |
Ldap server. | |
LDAP_STARTTLS |
Enable TLS on Ldap bind. | |
LDAP_BINDDN |
Ldap bind dn. | |
LDAP_BINDPASS |
Ldap bind password. | |
LDAP_BASE_SEARCH |
Base where we can search for users. | |
LDAP_FILTER |
LDAP Lookup Filter | (&(objectClass=person)(\$ldap_login_attribute={login})) |
LDAP_ANSWER_ATTRIBUTE |
Ldap property to get user's answers if Questions enabled. | info |
LDAP_LOGIN_ATTRIBUTE |
Ldap property used for user searching. | uid |
LDAP_FULLNAME_ATTRIBUTE |
Ldap property to get user fullname. | cn |
LDAP_MAIL_ATTRIBUTE |
Ldap property to get user mail. | mail |
LDAP_SMS_ATTRIBUTE |
Ldap property to get user SMS Phone Number. | mobile |
LDAP_SSHKEY_ATTRIBUTE |
Ldap property to get user mail. | sshKey |
LDAP_CA_CERTIFICATE |
Path to Root CA if using ldaps. | |
AD_OPT_CHANGE_EXPIRED_PASSWORD |
Allow user with expired password to change password. | false |
AD_OPT_FORCE_PWD_CHANGE |
Force user change password at next login. | false |
AD_OPT_FORCE_UNLOCK |
Force account unlock when password is changed. Default to false |
|
ADMODE |
Specifies if LDAP server is Active Directory LDAP server. If your LDAP server is AD, set this to true . |
false |
PASSWORD_HASH_CRYPT_SALT_LENGTH |
- If CRYPT selected what is the hash salt length |
6 |
PASSWORD_HASH_CRYPT_SALT_PREFIX |
- If CRYPT selected what is the hash prefix |
$6$ |
PASSWORD_HASH |
Hash mechanism for passwordSSHA SHA SMD5 MD5 CRYPT clear (the default) auto (will check the hash of current password - if no password existed before, it will set as clear ) This option is not used with ad_mode = true |
|
QUESTIONS_ANSWER_OBJECTCLASS |
Default Object Class extensibleObject |
|
SAMBA_EXPIRE_DAYS |
Set Password Expiry in Days | 90 |
SAMBA_MAX_AGE |
Set Password maximum age in AD | 45 |
SAMBA_MIN_AGE |
Set Password minimum age in AD | 5 |
SAMBA_MODE |
Samba mode, if is true update sambaNTpassword and the following SAMBA attributes too; if is false just update the password. |
false |
SHADOW_OPT_UPDATE_SHADOWEXPIRE |
If true update ShadowLastExpire. |
false |
SHADOW_OPT_UPDATE_SHADOWLASTCHANGE |
If true update shadowLastChange. |
false |
Parameter | Description | Default |
---|---|---|
PASSWORD_DIFFERENT_LOGIN |
Should password be different than login | true |
PASSWORD_MAX_LENGTH |
Maximal length. | 0 (unchecked). |
PASSWORD_MIN_DIGIT |
Minimal digit characters. | 0 (unchecked). |
PASSWORD_MIN_LENGTH |
Minimal length. | 0 (unchecked). |
PASSWORD_MIN_LOWERCASE |
Minimal lower characters. | 0 (unchecked). |
PASSWORD_MIN_SPECIAL |
Minimal special characters. | 0 (unchecked). |
PASSWORD_MIN_UPPERCASE |
Minimal upper characters. | 0 (unchecked). |
PASSWORD_COMPLEXITY |
Minimum number of different classes of characters. | 0 (unchecked). |
PASSWORD_NO_REUSE |
Dont reuse the same password as currently. | true . |
PASSWORD_NO_SPECIAL_ENDS |
Dont allow special characters at start and end of password | false |
PASSWORD_SHOW_POLICY_POSITION |
Position of password policy constraints message above below |
above |
PASSWORD_SHOW_POLICY |
Show policy constraints messagealways never onerror |
never |
PASSWORD_SPECIAL_CHARACTERS |
Define Special Characters | ^a-zA-Z0-9 |
PASSWORD_USE_PWNED |
Utilize HaveIbeenpwned.com Password checking service | false |
WHO_CAN_CHANGE_PASSWORD |
Who changes the password? Also applicable for question/answer save user : the user itself manager : the above binddn. |
user |
Parameter | Description | Default |
---|---|---|
USE_QUESTIONS |
Use questions/answers? true or false |
false |
QUESTIONS_ANSWER_CRYPT |
true |
|
QUESTIONS_MULTIPLE_ANSWERS |
Allow multiple answers for Questions | false |
Parameter | Description | Default |
---|---|---|
MAIL_CHARSET |
Mail Character set | utf8 |
MAIL_CONTENTTYPE |
Content Type Delcaration | plain/text |
MAIL_FROM_NAME |
Name for MAIL_FROM . |
Self Service Password |
MAIL_FROM |
Who the email should come from. | admin@example.com |
MAIL_NEWLINE |
How to address New lines | PHP_EOL |
MAIL_PRIORITY |
Priority tag of mail | 3 |
MAIL_SIGNATURE |
Mail Signature | `` |
MAIL_USE_LDAP |
Use first address in LDAP attribute skipping asking for mail | false |
MAIL_WORDWRAP |
Amount of characters to wordwrap email | 80 |
NOTIFY_ON_CHANGE |
Notify users anytime their password is changed. | false |
NOTIFY_ON_SSHKEY_CHANGE |
Notify on SSH Key Change | true |
SMTP_AUTH_ON |
Force smtp auth with SMTP_USER and SMTP_PASS . |
false |
SMTP_AUTOTLS |
SMTP Auto TLS true or false |
false |
SMTP_DEBUG |
SMTP debug mode (following https:////github.com/PHPMailer/PHPMailer instructions). | 0 |
SMTP_HOST |
SMTP host. | |
SMTP_KEEPALIVE |
SMTP Keepalive | false |
SMTP_PASS |
SMTP password. | |
SMTP_PORT |
SMTP port. | 587 |
SMTP_SECURE_TYPE |
SMTP secure type to use. ssl or tls . Use false for unencrypted connections. |
tls |
SMTP_TIMEOUT |
SMTP Timeout in seconds | 30 |
SMTP_USER |
SMTP user. |
Parameter | Description | Default |
---|---|---|
USE_TOKENS |
Use email to send reset tokens. | true |
TOKEN_CRYPT |
Encrypt tokens | true |
TOKEN_LIFETIME |
How long are tokens valid in seconds | 3600 |
Parameter | Description | Default |
---|---|---|
USE_SMS |
Enable sms verification. | false |
SMS_API_LIB |
API Library location for SMS | /lib/smsapi.inc.php |
SMS_MAIL_SUBJECT |
Subject for SMS message | Provider Code |
SMS_MAIL_TO |
Mail Address | {sms_attribute}@service.provider.com} |
SMS_MESSAGE |
SMS Message | {snsresetnessae} {smstoken} |
SMS_METHOD |
How to send SMS mail or api |
mail |
SMS_PARTIAL_HIDE_NUMBER |
Partially hide SMS number in | true |
SMS_SANITIZE_NUMBER |
Sanitize non numbers from number | false |
SMS_TOKEN_LENGTH |
How many digits for a SMS Code | 6 |
SMS_TRUNCATE_NUMBER_LENGTH |
How many characters for above | 10 |
SMS_TRUNCATE_NUMBER |
Truncate Characters of number | false |
Parameter | Description | Default |
---|---|---|
CHANGE_SSHKEY |
Enable Changing SSH Key. | false |
WHO_CAN_CHANGE_SSHKEY |
Who changes the password? Also applicable for question/answer save user : the user itself manager : the above binddn. |
user |
Parameter | Description | Default |
---|---|---|
USE_RECAPTCHA |
Use Google reCAPTCHA (http://www.google.com/recaptcha). | false |
RECAPTCHA_PUB_KEY |
Go on the site to get public key | |
RECAPTCHA_PRIV_KEY |
Go on the site to get private key | |
RECAPTCHA_THEME |
Theme of ReCaptcha. Default: light |
|
RECAPTCHA_TYPE |
Type of ReCaptcha Default: image |
|
RECAPTCHA_SIZE |
Size of ReCaptcha Default: small |
|
RECAPTCHA_REQUEST_METHOD |
Special cases | null |
Parameter | Description | Default |
---|---|---|
BACKGROUND_IMAGE |
Change background Default images/unsplash-space.jpg |
|
DEBUG_MODE |
Debug mode. | false |
DEFAULT_ACTION |
Default actionchange sendtoken sendsms . |
change |
ENABLE_RESET_LOG - Write to log detailing password resets |
FALSE |
|
IS_BEHIND_PROXY |
Enable reset url parameter to accept reverse proxy. | false |
SITE_URL |
Use this to hardcode a Site URL if IS_BEHIND_PROXY=true - By default it will pull from various HTTP Headers. Example -`https://site.example.com |
|
LANG |
Language. | en . |
LOG_LOCATION |
Log Folder | /www/logs/self-service-password/ |
LOG_RESET - Reset Logfile |
reset.log |
|
LOGO |
Main Logo - Default images/ltb-logo.png |
|
SECRETKEY |
Encryption, decryption keyphrase. Defaults tosecret |
|
SHOW_HELP |
Display help messages. | true . |
The following ports are exposed.
Port | Description |
---|---|
80 |
HTTP |
For debugging and maintenance purposes you may want access the containers shell.
bash docker exec -it (whatever your container name is) bash
These images were built to serve a specific need in a production environment and gradually have had more functionality added based on requests from the community.
MIT. See LICENSE for more details.## References