Difference between revisions of "Integrating PWM password manager with Zimbra"


Latest revision as of 17:17, 4 July 2017

Admin Article

Article Information: this article applies to ZCS 8.7.

Introduction

PWM is an open source password manager for multiple directories that can provide "Forgot Password" functionality based on security questions, and Email or SMS based token response. This wiki documents the steps required to allow pwm to manage passwords in the Zimbra OpenLDAP implementation.

This article is based on pwm 1.8 on Zimbra Network Edition 8.7.x.

Installation Instructions for PWM are here: https://github.com/pwm-project/pwm

These instructions assume pwm is installed on a stand-alone CentOS 6.4 server. The base installation of pwm requires apache and tomcat and by default listens on port 8080; a small change to the tomcat configuration will make it listen on https://<your.server>:8443

To Do

  • Document integration with email and sms for token resets
  • Document integration with auto-login from Zimbra

Extend the Zimbra Schema to include the pwm attributes

This information is based on the article: http://wiki.zimbra.com/wiki/Installing_custom_ldap_schema

As the zimbra user, create a file with the pwm schema extensions; it will be converted into LDIF format for use with ZCS:

 mkdir -p /tmp/ldap/schema
 cd /tmp/ldap/schema

With your favorite editor, create /tmp/ldap/schema/pwm.schema with the following contents

#
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.1
       NAME 'pwmEventLog'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.2
       NAME 'pwmResponseSet'
       EQUALITY octetStringMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.3
       NAME 'pwmLastPwdUpdate'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.4
       NAME 'pwmGUID'
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.591242.1.2010.04.16.1
       NAME 'pwmUser'
       AUXILIARY
       MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID ) )

For 8.7.x, create a file called "/tmp/ldap/test.conf" with the following contents:

 include /opt/zimbra/common/etc/openldap/schema/core.schema
 include /opt/zimbra/common/etc/openldap/schema/cosine.schema
 include /opt/zimbra/common/etc/openldap/schema/inetorgperson.schema
 include /tmp/ldap/schema/pwm.schema

Then execute

 cd /tmp/ldap
 /opt/zimbra/common/sbin/slaptest -f /tmp/ldap/test.conf -F /tmp/ldap

This will create a new "cn=config" directory in /tmp/ldap. If you examine its contents, you'll see:

 ls cn\=config
 cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif

Note the cn=schema directory. This directory will contain the converted files, so let's go there:

 cd cn\=config/cn\=schema
 ls
 cn={0}core.ldif  cn={1}cosine.ldif  cn={2}inetorgperson.ldif  cn={3}pwm.ldif

As you can see, there is now a pwm.ldif file, which has been converted from the pwm schema file. We need to renumber the cn={3}pwm.ldif file because ZCS reserves the first 10 slots. To do this, we rename it and then modify it. For example, to put the pwm schema in slot number 12 (index {11}, since the numbering starts at {0}):

 mv cn\=\{3\}pwm.ldif cn\=\{11\}pwm.ldif

Then modify it so that the following lines are changed from:

 dn: cn={3}pwm
 objectClass: olcSchemaConfig
 cn: {3}pwm

to

 dn: cn={11}pwm
 objectClass: olcSchemaConfig
 cn: {11}pwm

Copy the new file in to the ZCS OpenLDAP schema directory, as the zimbra user:

 ldap stop
 cp /tmp/ldap/cn\=config/cn\=schema/cn\=\{11\}pwm.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/
 ldap start

Modify the Zimbra configuration to support the new object class:

zmprov mcf +zimbraAccountExtraObjectClass pwmUser

After you have installed the new schema, restart Zimbra services and make sure that they started successfully.
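The rename-and-edit step above is easy to get wrong by hand: a blanket replacement of "{3}" would also touch the per-value ordering indexes inside the entry, and copying into a slot that an existing file already occupies would break cn=config. The following added example (not part of the wiki article, nor Zimbra or pwm code) renumbers only the dn and cn lines and checks the target slot against the files already in the schema directory; the sample LDIF and the placeholder file names are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# slaptest writes the slot index into the file name, the dn and the cn.
SLOT_RE = re.compile(r"^cn=\{(\d+)\}(.+)\.ldif$")

# Constructed, abbreviated stand-in for the cn={3}pwm.ldif slaptest emits. The {0}
# on olcAttributeTypes/olcObjectClasses orders values inside the entry; it is not
# a schema slot, so a blind search-and-replace of "{3}" is the wrong tool.
SAMPLE_PWM_LDIF = """\
dn: cn={3}pwm
objectClass: olcSchemaConfig
cn: {3}pwm
olcAttributeTypes: {0}( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog'
  EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.591242.1.2010.04.16.1 NAME 'pwmUser'
  AUXILIARY MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID ) )
"""

def used_slots(schema_dir):
    """Slot indexes of the cn={N}*.ldif files already present."""
    matches = (SLOT_RE.match(p.name) for p in schema_dir.iterdir())
    return {int(m.group(1)) for m in matches if m}

def next_free_slot(schema_dir, minimum=11):
    """Smallest index >= minimum no existing file uses ({0}..{10} are ZCS's)."""
    slot = minimum
    while slot in used_slots(schema_dir):
        slot += 1
    return slot

def renumber_ldif(text, new_slot):
    """Rewrite only the 'dn: cn={N}...' and 'cn: {N}...' lines."""
    return "".join(
        re.sub(r"^(dn: cn=|cn: )\{\d+\}", rf"\g<1>{{{new_slot}}}", line) + "\n"
        for line in text.splitlines())

def install_schema(src, schema_dir, slot=None):
    """Write the renumbered copy of src into schema_dir, refusing a taken slot."""
    if slot is None:
        slot = next_free_slot(schema_dir)
    elif slot in used_slots(schema_dir):
        raise FileExistsError(f"schema slot {{{slot}}} is already in use")
    dest = schema_dir / f"cn={{{slot}}}{SLOT_RE.match(src.name).group(2)}.ldif"
    dest.write_text(renumber_ldif(src.read_text(), slot))
    return dest

def demo():
    """Run the flow in a scratch dir; placeholders stand in for slots {0}..{10}."""
    base = Path(tempfile.mkdtemp())
    schema_dir = base / "cn=schema"
    schema_dir.mkdir()
    for i in range(11):  # constructed names, not the real ZCS schema files
        (schema_dir / f"cn={{{i}}}placeholder.ldif").write_text("")
    src = base / "cn={3}pwm.ldif"
    src.write_text(SAMPLE_PWM_LDIF)
    dest = install_schema(src, schema_dir)
    return {"name": dest.name, "text": dest.read_text(),
            "next_slot": next_free_slot(schema_dir)}
```

On a real server point schema_dir at /opt/zimbra/data/ldap/config/cn=config/cn=schema while ldap is stopped, as in the steps above.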

Create a pwmadmin account to execute directory updates in Zimbra's OpenLDAP

Now you will need to create a new user for the local pwm process to use to access the information from the LDAP server. You can generate the hash of the password for use when creating the user in LDAP with the /opt/zimbra/common/sbin/slappasswd command. For example, to use the password "somepassword", run:

/opt/zimbra/common/sbin/slappasswd -s somepassword

This will return the SSHA hash needed for the user entry. Create a text file called /tmp/pwmadmin-user.ldif that looks similar to the following. Write down the password (somepassword), as you will need this information later to configure pwm.

dn: uid=pwmadmin,cn=admins,cn=zimbra
uid: pwmadmin
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: pwmadmin
sn: pwmadmin
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
description: The pwm admin account
userPassword: {SSHA}QWkRtX5CQPDVzzhJKH9kDoLE5rP/hBu8

Now add the new user to the LDAP master. If you have multiple LDAP servers, it will be replicated out. You will be prompted for a password; use the password from zmlocalconfig -s ldap_root_password

ldapadd -f /tmp/pwmadmin-user.ldif -x -H ldapi:/// -D cn=config -W
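Before pasting the hash into the LDIF and later into the pwm proxy-password field, it is worth confirming offline that the hash really corresponds to the password you wrote down. The following added example (not from the article, Zimbra or pwm) reproduces the {SSHA} format that slappasswd -s emits, verifies a password against such a value, and builds the pwmadmin entry above from it; the zimbraId is generated with uuid4 on the assumption that any unique UUID is acceptable for a new entry.

```python
import base64
import hashlib
import hmac
import os
import uuid

def ssha_hash(password, salt=None):
    """{SSHA}base64(SHA1(password + salt) + salt), as slappasswd -s produces."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored, password):
    """Check a password against a {SSHA} value; the salt is the tail of the blob."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):])
    except (ValueError, TypeError):
        return False
    digest, salt = blob[:20], blob[20:]  # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Same entry as /tmp/pwmadmin-user.ldif above, with the two generated values
# left as placeholders.
PWMADMIN_LDIF = """\
dn: uid=pwmadmin,cn=admins,cn=zimbra
uid: pwmadmin
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: pwmadmin
sn: pwmadmin
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: {zimbra_id}
description: The pwm admin account
userPassword: {password_hash}
"""

def pwmadmin_ldif(password, zimbra_id=None):
    """Render the pwmadmin entry with a fresh hash (and, by assumption, a uuid4)."""
    zid = zimbra_id or str(uuid.uuid4()).upper()
    return PWMADMIN_LDIF.format(zimbra_id=zid, password_hash=ssha_hash(password))

def ldif_password_matches(ldif_text, password):
    """Pull userPassword out of an LDIF entry and verify it against password."""
    for line in ldif_text.splitlines():
        if line.startswith("userPassword:"):
            return ssha_verify(line.split(":", 1)[1].strip(), password)
    return False
```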

Modify the OpenLDAP permissions to allow the pwmadmin account to update information.

Now, you need to adjust the LDAP ACLs so that the new user can read the data necessary from the LDAP server. This will need to be done on each LDAP server that exists. Create a file called /tmp/acl.ldif and add the following to it. If this is a master with replicas, you need to change the olcDatabase line to olcDatabase={3}mdb,cn=config.

dn: olcDatabase={2}mdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword,pwmResponseSet,pwmLastPwdUpdate,pwmGUID,pwmUser,pwmEventLog  by anonymous auth  by dn.children="cn=admins,cn=zimbra" write  by self write

Now apply this ACL modification to the LDAP server:

ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W

Restart LDAP to make sure the ACLs have been applied.

Configure pwm to work against the Zimbra OpenLDAP instance

When you launch pwm, go to the Configuration Manager, select "View" and check "Advanced Settings".

Set the following values:

LDAP URLs:

ldap://ip.address.of.your.ldap.server:389

LDAP Proxy User:

uid=pwmadmin,cn=admins,cn=zimbra

LDAP Proxy Password (that you set above)

somepassword

LDAP Contextless Login Roots (specify your domain)

ou=people,dc=zm-train,dc=com 

LDAP Test User (this should be a normal Zimbra account. WARNING: the password will get changed periodically by pwm)

uid=ldap-test,ou=people,dc=zm-train,dc=com

User Selectable Login Contexts (lets you specify a context for each of multiple domains)

ou=people,dc=domain1,dc=com:::Domain1
ou=people,dc=domain2,dc=com:::Domain2

Username Search Filter (Advanced)

(&(objectClass=inetOrgPerson)(mail=%USERNAME%))

Last Password Update Attribute (Advanced)

zimbraPasswordModifiedTime

LDAP Naming Attribute (Advanced)

mail

LDAP GUID Attribute (Advanced)

zimbraId

User Object Class (Advanced)

inetOrgPerson

Save your configuration and test. You can also configure other settings such as password complexity, Login and Logout URLs, etc.

Once the configuration is completed, from the main menu, select Close Configuration. NOTE: Once you do this, if you need to change the configuration, you can modify the /usr/local/tomcat/webapps/pwm/WEB-INF/PwmConfiguration.xml file and set the configIsEditable property to true to allow access to the configuration from the browser.

Recommendations

PWM allows you to configure the forgot password function such that a user can answer multiple questions correctly and then be prompted to reset their password. Best practices for security require a user to know something and have something in order to reset a password (two-factor authentication). Zimbra STRONGLY recommends that a token be sent to either an external email address or by SMS to allow a user to reset their password. PWM supports this configuration.

Verified Against: Zimbra Collaboration Server Date Created: 10/26/2013
Article ID: https://wiki.zimbra.com/index.php?title=Integrating_PWM_password_manager_with_Zimbra Date Modified: 2017-07-04
