Integrating PWM password manager with Zimbra
Latest revision as of 17:17, 4 July 2017
Article Information: this article applies to ZCS 8.7 and is tagged on the wiki as unsupported.
Introduction
PWM is an open source password manager for multiple directories that can provide "Forgot Password" functionality based on security questions and on email- or SMS-based token responses. This article documents the steps required to allow pwm to manage passwords in the Zimbra OpenLDAP implementation.
This article is based on pwm 1.8 on Zimbra Network Edition 8.7.x.
Installation Instructions for PWM are here: https://github.com/pwm-project/pwm
These instructions assume pwm is installed on a stand-alone CentOS 6.4 server. The base installation of pwm requires Apache and Tomcat and by default listens on port 8080; a small Tomcat configuration change makes it listen on https://<your.server>:8443 instead.
To Do
- Document integration with email and SMS for token resets
- Document integration with auto-login from Zimbra
Extend the Zimbra Schema to include the pwm attributes
This information is based on the article: http://wiki.zimbra.com/wiki/Installing_custom_ldap_schema
Create a file with the pwm schema extensions which will be converted into an LDIF-format for use with ZCS, as the zimbra user:
    mkdir -p /tmp/ldap/schema
    cd /tmp/ldap/schema
With your favorite editor, create /tmp/ldap/schema/pwm.schema with the following contents:
    # pwm schema extensions: four attribute types and the pwmUser auxiliary object class
    attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.2 NAME 'pwmResponseSet' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
    attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.3 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
    attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.4 NAME 'pwmGUID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
    objectclass ( 1.3.6.1.4.1.591242.1.2010.04.16.1 NAME 'pwmUser' AUXILIARY MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID ) )
For 8.7.x, create a file called "/tmp/ldap/test.conf" with the following contents:
    include /opt/zimbra/common/etc/openldap/schema/core.schema
    include /opt/zimbra/common/etc/openldap/schema/cosine.schema
    include /opt/zimbra/common/etc/openldap/schema/inetorgperson.schema
    include /tmp/ldap/schema/pwm.schema
Then execute:
    cd /tmp/ldap
    /opt/zimbra/common/sbin/slaptest -f /tmp/ldap/test.conf -F /tmp/ldap
This will create a new "cn=config" directory in /tmp/ldap. If you examine its contents, you'll see:
    ls cn\=config
    cn=schema  cn=schema.ldif  olcDatabase={0}config.ldif  olcDatabase={-1}frontend.ldif
Note the cn=schema directory. This directory will contain the converted files, so let's go there:
    cd cn\=config/cn\=schema
    ls
    cn={0}core.ldif  cn={1}cosine.ldif  cn={2}inetorgperson.ldif  cn={3}pwm.ldif
As you can see, there is now a pwm.ldif file, which has been converted from the pwm schema file. We'll need to renumber the cn={3}pwm.ldif file because ZCS reserves the first 10 slots. To do this, we need to rename it and then modify it. For example, to put the pwm schema in slot number 12 (index {11}, counting from {0}):
    mv cn\=\{3\}pwm.ldif cn\=\{11\}pwm.ldif
Then modify it so that the following lines are changed from:
    dn: cn={3}pwm
    objectClass: olcSchemaConfig
    cn: {3}pwm
to
    dn: cn={11}pwm
    objectClass: olcSchemaConfig
    cn: {11}pwm
Copy the new file into the ZCS OpenLDAP schema directory, as the zimbra user:
    ldap stop
    cp /tmp/ldap/cn\=config/cn\=schema/cn\=\{11\}pwm.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/
    ldap start
Modify the Zimbra configuration to support the new object class:
    zmprov mcf +zimbraAccountExtraObjectClass pwmUser
After you have installed the new schema, restart Zimbra services and make sure that they started successfully.
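The renumbering step above (rename cn={3}pwm.ldif to cn={11}pwm.ldif and rewrite its dn: and cn: lines to match) is easy to get half-done by hand, and slapd rejects an entry whose filename, dn: and cn: indices disagree. The following helper is an added example, not part of this article or of OpenLDAP; it assumes the entry layout slaptest produced above, and the sample LDIF it carries is constructed here. It deliberately leaves the per-value {0} indices on the olcAttributeTypes lines alone, since those are not schema slots.

```python
"""Renumber a slaptest-generated schema LDIF into a free cn=config slot."""
import re
from pathlib import Path

# Constructed sample of the slaptest output for the pwm schema, abridged to the
# first attribute type. The {0} on the olcAttributeTypes line is a per-value
# index inside the entry and must NOT be changed when renumbering the schema.
SAMPLE_LDIF = (
    "dn: cn={3}pwm\n"
    "objectClass: olcSchemaConfig\n"
    "cn: {3}pwm\n"
    "olcAttributeTypes: {0}( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog' "
    "EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )\n"
)

_DN_RE = re.compile(r"^dn: cn=\{(\d+)\}(\S+)$", re.MULTILINE)
_CN_RE = re.compile(r"^cn: \{(\d+)\}(\S+)$", re.MULTILINE)


def schema_index(text: str) -> int:
    """Ordering index currently encoded on the entry's dn: line."""
    m = _DN_RE.search(text)
    if m is None:
        raise ValueError("no 'dn: cn={N}name' line found")
    return int(m.group(1))


def renumber_schema_ldif(text: str, new_index: int) -> str:
    """Return the LDIF with the index on both the dn: and cn: lines set to
    new_index. Refuses to touch an entry whose dn: and cn: already disagree,
    because a half-edited entry is exactly what slapd rejects at startup."""
    dn, cn = _DN_RE.search(text), _CN_RE.search(text)
    if dn is None or cn is None:
        raise ValueError("not an olcSchemaConfig entry: dn: or cn: line missing")
    if dn.groups() != cn.groups():
        raise ValueError("dn: and cn: disagree: %r vs %r" % (dn.group(0), cn.group(0)))
    name = dn.group(2)
    text = _DN_RE.sub(lambda _: "dn: cn={%d}%s" % (new_index, name), text, count=1)
    text = _CN_RE.sub(lambda _: "cn: {%d}%s" % (new_index, name), text, count=1)
    return text


def renumber_schema_file(path, new_index: int) -> Path:
    """Rewrite the file and rename it so the filename index matches the entry
    (the article's mv plus the two line edits, done together)."""
    src = Path(path)
    text = renumber_schema_ldif(src.read_text(), new_index)
    name = _DN_RE.search(text).group(2)
    dst = src.with_name("cn={%d}%s.ldif" % (new_index, name))
    dst.write_text(text)
    if dst != src:
        src.unlink()
    return dst


if __name__ == "__main__":
    # Show the renumbered entry for the constructed sample (slot {11}, as in the article).
    print(renumber_schema_ldif(SAMPLE_LDIF, 11))
```

Run renumber_schema_file("/tmp/ldap/cn=config/cn=schema/cn={3}pwm.ldif", 11) in place of the manual mv and edits; the returned path is the file to copy into the ZCS schema directory.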
Create a pwmadmin account to execute directory updates in Zimbra's OpenLDAP
Now you will need to create a new user for the local pwm process to use to access the information from the LDAP server. You can generate the hash of the password for use with creating the user in LDAP with the /opt/zimbra/common/sbin/slappasswd command (earlier releases shipped it as /opt/zimbra/openldap/slappasswd). For example, if I wanted to use the password "somepassword" then run:
    /opt/zimbra/common/sbin/slappasswd -s somepassword
This will return the SSHA hash needed for the user entry. Create a text file called /tmp/pwmadmin-user.ldif that looks similar to the following. Write down the password (somepassword), as you will need this information later to configure pwm.
    dn: uid=pwmadmin,cn=admins,cn=zimbra
    uid: pwmadmin
    objectClass: zimbraAccount
    objectClass: organizationalPerson
    cn: pwmadmin
    sn: pwmadmin
    zimbraAccountStatus: active
    zimbraIsSystemResource: TRUE
    zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
    description: The pwm admin account
    userPassword: {SSHA}QWkRtX5CQPDVzzhJKH9kDoLE5rP/hBu8
Now add the new user on the LDAP master; if you have multiple LDAP servers, the entry will be replicated out to them. You will be prompted for a password: use the value of zmlocalconfig -s ldap_root_password.
    ldapadd -f /tmp/pwmadmin-user.ldif -x -H ldapi:/// -D cn=config -W
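The userPassword value above is what slappasswd emits by default: a {SSHA} value, i.e. base64 of SHA-1(password || salt) followed by the 4-byte salt. The following is an added example, not part of this article or of OpenLDAP, that reproduces that format so you can verify a hash before you ldapadd it and render the pwmadmin entry with your own hash. All function names are assumptions; the zimbraId is generated fresh because it must be unique per account.

```python
"""Generate and verify {SSHA} userPassword values and build the pwmadmin entry."""
import base64
import hashlib
import hmac
import os
import uuid

SHA1_LEN = 20  # bytes; everything after the digest in the decoded value is the salt


def make_ssha(password: str, salt: bytes = None) -> str:
    """Return a '{SSHA}...' value suitable for an LDIF userPassword line."""
    if salt is None:
        salt = os.urandom(4)          # slappasswd's default salt length is 4 bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def pwmadmin_ldif(uid: str, ssha: str, zimbra_id: str = None,
                  description: str = "The pwm admin account") -> str:
    """Render the entry from the article with the supplied hash."""
    if zimbra_id is None:
        zimbra_id = str(uuid.uuid4()).upper()   # any unique UUID works
    lines = [
        "dn: uid=%s,cn=admins,cn=zimbra" % uid,
        "uid: %s" % uid,
        "objectClass: zimbraAccount",
        "objectClass: organizationalPerson",
        "cn: %s" % uid,
        "sn: %s" % uid,
        "zimbraAccountStatus: active",
        "zimbraIsSystemResource: TRUE",
        "zimbraId: %s" % zimbra_id,
        "description: %s" % description,
        "userPassword: %s" % ssha,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    h = make_ssha("somepassword")
    assert verify_ssha("somepassword", h)
    print(pwmadmin_ldif("pwmadmin", h))
```

Paste the value you actually obtained from slappasswd into verify_ssha("somepassword", value) before writing the LDIF; a False result means the hash and the password you wrote down for the pwm configuration no longer match.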
Modify the OpenLDAP permissions to allow the pwmadmin account to update information.
Now you need to adjust the LDAP ACLs so that the new user can read the data it needs from the LDAP server. This must be done on every LDAP server. Create a file called /tmp/acl.ldif and add the following to it. If this is a master with replicas, you need to change the olcDatabase line to be olcDatabase={3}mdb,cn=config in both sections.
    dn: olcDatabase={2}mdb,cn=config
    changetype: modify
    delete: olcAccess
    olcAccess: {0}
    -
    add: olcAccess
    olcAccess: {0}to attrs=userPassword,pwmResponseSet,pwmLastPwdUpdate,pwmGUID,pwmUser,pwmEventLog by anonymous auth by dn.children="cn=admins,cn=zimbra" write by self write
Now apply this ACL modification to the LDAP server:
    ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
Restart LDAP to make sure the ACLs have been applied.
Configure pwm to work against the Zimbra OpenLDAP instance
When you launch pwm, go to the Configuration Manager, select "View" and check "Advanced Settings".
Set the following values:
LDAP URLs:
    ldap://ip.address.of.your.ldap.server:389
(The scheme is ldap://, not http://. If the Zimbra LDAP server is configured to serve ldaps:// on port 636, prefer that URL, because the proxy user's password is sent over this connection on every bind.)
LDAP Proxy User:
    uid=pwmadmin,cn=admins,cn=zimbra
LDAP Proxy Password (the password you set above):
    somepassword
LDAP Contextless Login Roots (specify your domain):
    ou=people,dc=zm-train,dc=com
LDAP Test User (this should be a normal Zimbra account. WARNING: the password will get changed periodically by pwm):
    uid=ldap-test,ou=people,dc=zm-train,dc=com
User Selectable Login Contexts (allow you to specify a login context for each of several domains):
    ou=people,dc=domain1,dc=com:::Domain1
    ou=people,dc=domain2,dc=com:::Domain2
Username Search Filter (Advanced):
    (&(objectClass=inetOrgPerson)(mail=%USERNAME%))
Last Password Update Attribute (Advanced):
    zimbraPasswordModifiedTime
LDAP Naming Attribute (Advanced):
LDAP GUID Attribute (Advanced):
    zimbraId
User Object Class (Advanced):
    inetOrgPerson
Save your configuration and test it. You can also configure other settings such as password complexity, login and logout URLs, etc.
Once the configuration is completed, from the main menu, select Close Configuration. NOTE: Once you do this, if you need to change the configuration, you can modify the /usr/local/tomcat/webapps/pwm/WEB-INF/PwmConfiguration.xml file and set the configIsEditable property to true to allow access to the configuration from the browser.
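The Username Search Filter above substitutes whatever the user typed on the login page for %USERNAME%. PWM performs that substitution itself; the following added example (not PWM's code) shows the RFC 4515 escaping a correct substitution must apply, next to the naive string replacement, and a small well-formedness check that makes the difference visible: with escaping, the filter keeps exactly the two assertions of the template no matter what the input contains. Function names are assumptions.

```python
"""RFC 4515 escaping for a value substituted into the Username Search Filter."""

FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(mail=%USERNAME%))"

# RFC 4515 section 3: these characters must appear as backslash + two hex digits
# inside an assertion value; anything non-ASCII is escaped byte by byte as UTF-8.
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_username_filter(username: str, template: str = FILTER_TEMPLATE,
                          escape: bool = True) -> str:
    """Substitute %USERNAME%. escape=False reproduces the naive replacement
    so the two results can be compared side by side."""
    value = escape_filter_value(username) if escape else username
    return template.replace("%USERNAME%", value)


def count_assertions(ldap_filter: str) -> int:
    """Count attribute=value assertions, looking only at unescaped parentheses.
    A correctly escaped filter always yields as many as its template."""
    count, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3            # skip the whole \xx escape sequence
            continue
        if ch == "(" and i + 1 < len(ldap_filter) and ldap_filter[i + 1] not in "&|!":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    for name in ("alice@zm-train.com", "*)(uid=*"):
        for escape in (True, False):
            f = build_username_filter(name, escape=escape)
            print("escape=%-5s assertions=%d  %s" % (escape, count_assertions(f), f))
```

The same escaping applies to any other macro you put into a filter in the pwm configuration; the template itself is trusted configuration, only the substituted value needs escaping.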
Recommendations
PWM allows you to configure the forgot-password function so that a user who answers multiple questions correctly is then prompted to reset their password. Best practice for security requires a user to know something and to have something in order to reset a password (two-factor authentication). Zimbra STRONGLY recommends that a token be sent to an external email address or by SMS to allow a user to reset their password. PWM supports this configuration.