-
-
Save PowerWagon/d794a1233d7943f1614d2ae5223e678a to your computer and use it in GitHub Desktop.
If you are trying to decide between this and the MySQL version, this is better. | |
I've tried to document what I learned setting up pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip from https://github.com/pwm-project/pwm, an LDAP self-service java webapp on Oracle Linux 6. RHEL or CentOS should work exactly the same. | |
My lastest attempt as of 2/22/17, worked on Oracle Linux 7 (should work exatly the same on CentOS 7 or RHEL 7) _updating to_ the file pwm-1.8.0-SNAPSHOT-2017-02-19T20:34:49Z-pwm-bundle.zip from https://github.com/pwm-project/pwm | |
For the impatient: | |
DONT RUN TOMCAT UNMODIFIED on your FreeIPA server. FreeIPA uses its own Tomcat. | |
Install java 7, tomcat 7 from binaries at the Apache website (don't use distro's packages), and deploy the pwm.war file. | |
Adjust your firewall to open TCP 8080, if using default Tomcat settings. | |
The guided configuration wizard doesn't work because you have to adjust the unique ID attribute name, use manual configuration. | |
Choose OpenLDAP for the configuration type. | |
The user LDAP base is cn=users,cn=accounts,dc=<domain>,dc=<com> | |
Your built in Admin user should be uid=admin,cn=users,cn=accounts,dc=<domain>,dc=<com> | |
The group LDAP base is cn=groups,cn=accounts,dc=<domain>,dc=<com> | |
The built in admins group should be cn=admins,cn=groups,cn=accounts,dc=<domain>,dc=<com> | |
Anything that says cn referencing a user should be changed to uid | |
Password policy doesn't seem to pull from FreeIPA, but maybe that's me. | |
Security question reset doesn't seem to work. Once they're set you have to manually delete, but maybe that's me, too. | |
For the non-impatient: | |
Prerequisites: | |
A working FreeIPA implementation | |
Your LDAP DN info. (e.g. if your domain were domain.com, your DN would be dc=domain,dc=com, use this to replace <dc=YOUR,dc=DN>) | |
Create FreeIPA users "pwmproxy" and "pwmtest". | |
- pwmproxy DN would be uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
- pwmtest DN would be uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
Latest tomcat 7 "Core" tar.gz package from https://tomcat.apache.org/download-70.cgi | |
(packaged versions of tomcat 7 from your distro's repos are not fully recommended) | |
File pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip from http://www.pwm-project.org/artifacts/pwm/ . | |
Selinux may need to be disabled. | |
0. Log into the server you are going to use for PWM as root. | |
1. Disable SELinux (setenforce 0; sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux) | |
1a. Modify or disable your firewall. (service iptables stop;service ip6tables stop; chkconfig iptables off OR systemctl stop firewalld; systemctl disable firewalld) | |
2. Unzip the Tomcat package into /opt (tar xf apache-tomcat-*.tar.gz -C /opt) | |
3. Step left intentionally blank. | |
4. Unzip the file pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip file you downloaded and find the pwm.war file. Copy it to /opt/apache-tomcat*/webapps directory. (cp pwm.war /opt/apache-tomcat*/webapps) | |
5. Create a PWM data directory (mkdir /pwm) | |
6. Copy the contents of the file in this gist called 99pwm.ldif to your configuration directory /etc/dirsrv/slapd-<YOUR-DOMAIN>/schema | |
7. Restart FreeIPA. (ipactl restart) | |
8. Copy the contents of the file in this gist called PWMacis.ldif, modify, and pull it into FreeIPA (ldapmodify -D "cn=Directory Manager" -W -f PWMacis.ldif) | |
9. EITHER start, pause a couple minutes, and stop the tomcat server and edit the correct line in web.xml OR set a shell variable to tell the app where to save it's configuration data. I've chosen to show the second. (echo 'export PWM_APPLICATIONPATH="/pwm"' >> ~/.bashrc; . ~/.bashrc) | |
10. Start the tomcat server. It takes a minute to start so be patient. (cd /opt/apache-tomcat*; bin/startup.sh) | |
11. Open a browser and open http://localhost:8080/pwm or http://<tomcat server name or IP>:8080/pwm. | |
12. Step left intentionally blank. | |
13 In your browser, choose "Manual Configuration". | |
14. Set a password as requested. | |
15. Don't log in, but click the blinking triangle, choose "Configuration Editor", enter the password you set at step 14, and start required configuration (use the search function to find these settings): | |
LDAP Vendor Default Settings = OpenLDAP | |
LDAP URLs = ldaps://<FreeIPA server name or IP>:636 OR ldap://<FreeIPA server name or IP>:389 | |
LDAP Certificates (just click Import from Server button) | |
LDAP Proxy User = uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
LDAP Proxy Password = <The password you set> | |
LDAP Contextless Login Roots = cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
LDAP Test User = uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
Username Search Filter = (&(objectClass=posixAccount)(uid=%USERNAME%)) | |
Attribute to use for Username = uid | |
LDAP GUID Attribute = ipauniqueid | |
LDAP Naming Attribute = uid | |
User Object Class = posixAccount | |
Administrator Permission: <Click 'Add Group'> | |
LDAP Profile = default | |
LDAP Group DN = cn=admins,cn=groups,cn=accounts,<dc=YOUR,dc=DN> | |
Password Policy Source = Local | |
Password is Case Sensitive = True | |
(OPTIONALLY CHANGE) | |
Site URL = <the URL from step 11> | |
Enable Anonymous Statistics Publishing = False | |
Enable Version Checking = False | |
16. (optional) Finish configuring to taste. | |
17. Lock the configuration by logging in with your FreeIPA admin user, click the user name menu item and choose "Configuration Manager". Click the "Restrict Configuration" button in red, and OK. | |
What I did not address: | |
1. Email setup | |
2. FreeIPA setup | |
3. Sane passwords | |
4. Starting Tomcat on boot | |
# save this file to /etc/dirsrv/slapd-<YOUR-DOMAIN>/schema then restart FreeIPA | |
# Putting this file into /etc/dirsrv/schema will have no effect. | |
# Extra blank lines in this file are bad. You've been warned. | |
# Gleaned from Google Doc https://docs.google.com/document/d/1I9u1xaVrIOTFj8Le7uzCM5zGqrODCi9Udo2gGZyAapc/edit# | |
# You must search and replace <dc=YOUR,dc=DN> with your values | |
# Fix line 15 with your server's name, replacing: <HOSTNAME>.<YOURDOMAIN> | |
dn: cn=schema | |
objectclass: top | |
objectclass: ldapSubentry | |
objectclass: subschema | |
cn: schema | |
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";) | |
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,<dc=YOUR,dc=DN>";) | |
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,cn=users,cn=accounts,<dc=YOUR,dc=DN>";) | |
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///fqdn=<HOSTNAME>.<YOURDOMAIN>,cn=computers,cn=accounts,<dc=YOUR,dc=DN>";) | |
attributetypes: ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' ) | |
attributetypes: ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' ) | |
attributetypes: ( 1.3.6.1.4.1.35015.1.2.3 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'user defined' ) | |
attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' ) | |
attributetypes: ( 1.3.6.1.4.1.35015.1.2.6 NAME 'pwmOtpSecret' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' ) | |
objectclasses: ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser' DESC '' SUP top AUXILIARY MAY ( pwmEventLog $ pwmGUID $ pwmLastPwdUpdate $ pwmResponseSet $ pwmOtpSecret ) X-ORIGIN 'user defined' ) |
# You must search and replace <dc=YOUR,dc=DN> with your values | |
# Incorportate this into your FreeIPA instance with the command on the line below: | |
# ldapmodify -D "cn=Directory Manager" -W -f PWMacis.ldif | |
# Extra blank lines in this file are bad. You've been warned. | |
# | |
# | |
dn: cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
changetype: modify | |
replace: aci | |
aci: (targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Search"; allow (read,search)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");) | |
aci: (targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Add Users"; allow (add)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");) | |
aci: (targetattr = "pwmGUID || pwmLastPwdUpdate || userPassword || objectClass || pwmEventLog || krbPrincipalKey") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Reset Password"; allow (write)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");) | |
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet || pwmOtpSecret")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");) |
If you are trying to decide between this and the MySQL version, the other is better. | |
I've tried to document what I learned setting up Ppwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip from https://github.com/pwm-project/pwm, an LDAP self-service java webapp on Oracle Linux 6. RHEL or CentOS should work exactly the same. | |
For the impatient: | |
DONT RUN TOMCAT UNMODIFIED on your FreeIPA server. FreeIPA uses its own Tomcat. | |
Install java 7, tomcat 7 from binaries at the Apache website (don't use distro's packages), and deploy the pwm.war file. | |
Adjust your firewall to open TCP 8080, if using default Tomcat settings. | |
The guided configuration wizard doesn't work because you have to adjust the unique ID attribute name, use manual configuration. | |
Choose OpenLDAP for the configuration type. | |
The user LDAP base is cn=users,cn=accounts,dc=<domain>,dc=<com> | |
Your built in Admin user should be uid=admin,cn=users,cn=accounts,dc=<domain>,dc=<com> | |
The group LDAP base is cn=groups,cn=accounts,dc=<domain>,dc=<com> | |
The built in admins group should be cn=admins,cn=groups,cn=accounts,dc=<domain>,dc=<com> | |
Anything that says cn referencing a user should be changed to uid | |
Password policy doesn't seem to pull from FreeIPA, but maybe that's me. | |
I didn't figure out how to extend the FreeIPA schema, so I used MySQL to store PWM user data instead. | |
For the non-impatient: | |
(NOTE: I have supplied passwords not because they are any good, but to make things easier) | |
Prerequisites: (FYI: RPM-distro centric names) | |
A working FreeIPA implementation | |
Your LDAP DN info. (e.g. if your domain were domain.com, your DN would be dc=domain,dc=com) | |
FreeIPA users "pwmproxy" and "pwmtest". pwmproxy should be added to the admins built in group. | |
- pwmproxy DN would be uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
- pwmtest DN would be uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
mysql-server OR mariadb-server | |
java-1.7.0-openjdk | |
mysql-connector-java | |
Latest tomcat 7 "Core" tar.gz package from https://tomcat.apache.org/download-70.cgi | |
(packaged versions of tomcat 7 from your distro's repos are not fully recommended) | |
Latest PWM version from http://www.pwm-project.org/artifacts/pwm/ and the version from April 28, 2016. | |
0. Log into the server you are going to use for PWM as root. | |
1. Install the packages above | |
1a. Disable your firewall. (service iptables stop;service ip6tables stop; chkconfig iptables off OR systemctl stop firewalld; systemctl disable firewalld) | |
2. Unzip the Tomcat package into /opt (tar xf apache-tomcat-*.tar.gz -C /opt) | |
3. Copy the mysql-connector-java jar file to the Tomcat lib folder. (cp /usr/share/java/mysql-connector-java-*.jar /opt/apache-tomcat-*/lib) | |
4. Unzip the file pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip you downloaded and find the pwm.war file. Copy it to /opt/apache-tomcat*/webapps directory. (cp pwm.war /opt/apache-tomcat*/webapps) | |
5. Create a PWM data directory (mkdir /pwm) | |
6. Start MySQL if you haven't already. (service mysqld start; chkconfig mysqld on OR systemctl start mariadb; systemctl enable mariadb) | |
7. Create a MySQL database and a user. (mysql -uroot -e 'create database PWM;'; mysql -uroot -e 'create user pwm;') | |
8. Grant user access to the user to the database. (mysql -uroot -e "grant all on PWM.* to 'pwm'@'localhost' identified by 'Pass@word1';") | |
9. EITHER start, pause a couple minutes, and stop the tomcat server and edit the correct line in web.xml OR set a shell variable to tell the app where to save it's configuration data. I've chosen to show the second. (echo 'export PWM_APPLICATIONPATH="/pwm"' >> ~/.bashrc; . ~/.bashrc) | |
10. Start the tomcat server. It takes a minute to start so be patient. (cd /opt/apache-tomcat*; bin/startup.sh) | |
11. Open a browser and open http://localhost:8080/pwm or http://<tomcat server name or IP>:8080/pwm. | |
12. Skip this step. | |
13 In your browser, choose "Manual Configuration". | |
14. Set a password as requested. | |
15. Don't log in, but click the blinking triangle, choose "Configuration Editor", enter the password you set at step 14, and start required configuration (use the search function to find these settings): | |
LDAP Vendor Default Settings = OpenLDAP | |
Storage Default Settings = Remote Database | |
LDAP URLs = ldaps://<FreeIPA server name or IP>:636 OR ldap://<FreeIPA server name or IP>:389 | |
LDAP Certificates (just click Import from Server button) | |
LDAP Proxy User = | |
uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
LDAP Proxy Password = Pass@word2 | |
LDAP Contextless Login Roots = cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
LDAP Test User = uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN> | |
Auto Add Object Classes = click red X to make blank | |
Username Search Filter = (uid=%USERNAME%) | |
Attribute to use for Username = uid | |
LDAP GUID Attribute = ipauniqueid | |
LDAP Naming Attribute = uid | |
Administrator Permission: LDAP Profile = default | |
Administrator Permission: LDAP Group DN = cn=admins,cn=groups,cn=accounts,<dc=YOUR,dc=DN> | |
Password Policy Source = Local | |
Password is Case Sensitive = True | |
Database Class = com.mysql.jdbc.Driver | |
Database Connection String = jdbc:mysql://localhost:3306/PWM | |
Database Username = pwm | |
Database Password = Pass@word1 | |
Database Vendor = Other | |
(OPTIONALLY CHANGE) | |
Site URL = <the URL from step 11> | |
Enable Anonymous Statistics Publishing = False | |
Enable Version Checking = False | |
16. (optional) Finish configuring to taste. | |
17. Lock the configuration by logging in with your FreeIPA admin user, click the user name menu item and choose "Configuration Manager". Click the "Restrict Configuration" button in red, and OK. | |
What I did not address: | |
1. Email setup | |
2. FreeIPA setup | |
3. Sane passwords | |
4. Starting Tomcat on boot | |
5027 ERROR_UNAUTHORIZED (You must be authenticated with admin privileges before restricting the configuration).
i received the above error. when i do this {17. Lock the configuration by logging in with your FreeIPA admin user, click the user name menu item and choose "Configuration Manager". Click the "Restrict Configuration" button in red, and OK.}
my setup is freeip+pwm+postgresql. i try with freeipa admin user.
systemd unit file:
/usr/lib/systemd/system/tomcat7-pwm.service
[Unit]
Description=PWM server
After=syslog.target network.target dirsrv.target
[Service]
Type=forking
User=tomcat
Group=tomcat
ExecStart=/opt/apache-tomcat-7.0.81/bin/startup.sh
ExecStop=/opt/apache-tomcat-7.0.81/bin/shutdown.sh
Restart=on-failure
TimeoutSec=300
Environment=PWM_APPLICATIONPATH=/pwm
[Install]
WantedBy=multi-user.target
This all seems to work, except using the PWMacis.ldif stops login on the FreeIPA host itself, but seems to allow other hosts to continue to authenticate. This change, as suggested by @mueslo, resolves the issue. Also, remove trailing whitespaces, and the spaces after colons...
# You must search and replace <dc=YOUR,dc=DN> with your values
# Incorportate this into your FreeIPA instance with the command on the line below:
# ldapmodify -D "cn=Directory Manager" -W -f PWMacis.ldif
# Extra blank lines in this file are bad. You've been warned.
#
#
dn:cn=users,cn=accounts,<dc=YOUR,dc=DN>
changetype: modify
add:aci
aci:(targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Search"; allow (read,search)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci:(targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Add Users"; allow (add)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci:(targetattr = "pwmGUID || pwmLastPwdUpdate || userPassword || objectClass || pwmEventLog || krbPrincipalKey") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Reset Password"; allow (write)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci:(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet || pwmOtpSecret")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)
I have configured pwm according to the above procedure. but it throws below error while performing health check.
2024-09-25T11:55:35Z, ERROR, node.NodeMachine, 5093 ERROR_NODE_SERVICE_ERROR (error writing node service heartbeat: 5079 ERROR_LDAP_DATA_ERROR (error writing node service data user 'uid=pwm-test,cn=users,cn=accounts,dc=example,dc=com (default)' attribute 'pwmData', error: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient 'write' privilege to the 'pwmdata' attribute of entry 'uid=pwm-test,cn=users,cn=accounts,dc=example,dc=com'.
]))
can you please tell, how can i resolve this? do i need to change in PWMacis file?
Warning
Word of warning for anyone thinking about trying this: PWMacis.ldif breaks parts of the default FreeIPA configuration, I can no longer authenticate any users (using the readonly system account created as per http://www.freeipa.org/page/HowTo/LDAP#System_Accounts). You should fix those ACIs, e.g.
add: aci
instead ofreplace
Thank god for backups.