15

It seems like every shop that uses LDAP at some point has to cobble together something to let users reset their passwords without bothering the IT staff. The workflow almost always looks like:

  1. User gives username (jblow)
  2. Email jblow@company a link
  3. User clicks link, puts in a new password

On the backend, that corresponds to:

  1. Web form gets a username, stores (username, big unique string) in a DB, emails big unique string to username@company
  2. Other form has a click on https://site/pwreset/big unique string, uses that to authenticate the user, changes their password

Right? So, has someone written one of these that they share? I'd rather use one that's had a bit more thought put into it than the 10 minute job everyone seems to do.

I did a quick search of Sourceforge, Freshmeat etc and didn't find anything that wasn't abandoned.

Bill Weiss
    Why do your users have LDAP passwords that are different from their email passwords? – 84104 Jul 29 '11 at 23:07
  • Do you want "reset when user has forgotten" or "periodic change"? They're two quite different requirements, and in a corporate environment I don't think I'd really *want* to let people reset passwords automatically when they forget them. At any rate, most places probably roll their own because integrating all the password-related policies into a standard tool is just too much effort. – womble Jul 30 '11 at 01:03
  • user84104: Different environments. Email is in the office, LDAP is in our production site. We don't want production things authing to the office, because it would be bad if production went down because the office was being worked on :) – Bill Weiss Jul 30 '11 at 14:51
  • Womble: Really? Assuming we auth them in some manner (such as access to email, which is a different pw, etc), why not let them reset their passwords? – Bill Weiss Jul 30 '11 at 14:51
  • @Bill: did you find anything useful? I need to do the same thing. – Jason S Sep 28 '11 at 22:05
  • you should be able to wrap this up into a little cgi script. shouldn't be a need for unique links though, just old password + new password, add some rate limiting to it and log all access to the script, and / or have the script read a list of allowed usernames and add an entry when someone requests a password change. – Sirex Oct 04 '11 at 07:07
  • @Sirex: you miss the point. This is such a common thing, with usability and security subtleties, that we shouldn't each have to roll our own self-reset script. There should be at least one well-known, well-maintained open-source solution out there. – Jason S Oct 05 '11 at 12:47
  • Maybe. I've never experienced anything beyond 4-5000 or so users, but password resets are perhaps once a fortnight here at most. How many do you get? – Sirex Oct 06 '11 at 10:38
  • Jason: I haven't had a chance to play with any of these yet. It's been a while, I know, but that's what I've got :( – Bill Weiss Dec 22 '11 at 14:32
  • https://github.com/jrivard/pwm – nafg Aug 12 '15 at 19:41
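The two backend steps from the question, written out as an added example (this is not code from the original post or from any of the projects mentioned on this page). It covers the subtleties a roll-your-own script usually misses: the token comes from the OS CSPRNG, only its hash is stored, it expires, it works exactly once, and the form answers identically for unknown usernames. `TOKEN_TTL`, the `USERS` dictionary and the `company.example` address are constructed assumptions; the link format is the one from the question.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

# Constructed stand-in for the directory: username -> e-mail address
USERS = {"jblow": "jblow@company.example"}


class ResetTokenStore:
    """Replaces the (username, big unique string) DB table from the question."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> (username, expiry timestamp)

    def issue(self, username, now=None):
        """Mint an unguessable token; persist only its hash so a DB leak can't be replayed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, URL-safe alphabet
        self._rows[hashlib.sha256(token.encode()).hexdigest()] = (username, now + TOKEN_TTL)
        return token

    def redeem(self, token, now=None):
        """Return the username for a valid link, or None. A token is consumed on first use."""
        now = time.time() if now is None else now
        row = self._rows.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if row is None:
            return None
        username, expires_at = row
        if now > expires_at:
            return None
        # Burn any other outstanding tokens for this user so an older e-mail can't be reused.
        self._rows = {h: r for h, r in self._rows.items() if r[0] != username}
        return username


def request_reset(store, username, now=None):
    """Step 1 of the workflow. The message is identical for unknown users (no enumeration);
    returns (message, (recipient, link) or None) so the caller decides whether to send mail."""
    mail = None
    if username in USERS:
        token = store.issue(username, now)
        mail = (USERS[username], "https://site/pwreset/" + token)
    return "If that account exists, a reset link has been e-mailed.", mail


def complete_reset(store, token, now=None):
    """Step 2: the clicked link proves control of the mailbox; returns the user to change."""
    return store.redeem(token, now)
```

The actual password change (the LDAP modify, or the Password Modify extended operation discussed in the answers) happens only after `complete_reset` returns a username.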

7 Answers

6

We use horde for password changes, but not sure if it can fit the workflow you want.

churnd
4

This isn't the best documented project, but it has the advantage of being fairly simple PHP with a couple of installers for various Linux flavors that get it up and running fast:

http://ltb-project.org/wiki/documentation/self-service-password/

If you are concerned about security, my recommendation is to use a more fully supported widely used package, since I don't know how well this project has been put through its paces.

Alin
1

phpLdapPasswd, but it is no longer being maintained.

quanta
1

ADSelfService Plus from ManageEngine is available in a free version. You'll have to check it out for yourself to determine the limitations of the free version to see if it fits your needs.

joeqwerty
  • I'll take a look. – Bill Weiss Jul 29 '11 at 20:59
  • Hmm. I don't see anything on there about the feature set of the free one, and I see the language "30 day free trial". I also don't see anything about LDAP on there. Have you used it for a non-AD LDAP server? Do you know what the free version is, compared to the paid? – Bill Weiss Jul 29 '11 at 21:03
0

An alternative to the sequence you give is the LDAP Password Modify Extended Operation, which is supported by modern, professional-quality directory servers. This is an LDAP extended request that changes the password upon being presented with the existing password (as opposed to a reset), and can also request the directory server to generate a password if desired.

Terry Gardner
0

I don't know of password reset apps, unfortunately. There are a few for changing passwords:

There's admin-ldap in Ruby/Sinatra, ldap_password in Perl/Mojolicious, and ldapchangepw in Python/Flask.

I wasn't happy with the approach admin-ldap or ldap_password took to changing passwords, so I wrote Gente. It uses the Modify Password extended LDAPv3 operation. I would recommend using it or ldapchangepw.

sciurus
0

Is there any way to lock down phpLDAPadmin for "normal" users to login and manage their own information (I don't know, just a thought)? This might be worth looking into, if you guys use OpenLDAP (of course, I don't know which implementation of LDAP you have...)

I've been doing a lot of theoretical / high-level research on OpenLDAP recently, and will probably be implementing a new LDAP server w/ phpLDAPadmin soon...

David W
  • I don't think so... users can log in to it and modify whatever they have access to, which doesn't really fit my needs. – Bill Weiss Feb 19 '12 at 03:53