Python/Flask Web App for managing user passwords including self service.
You will need to provide a configuration file for Apache and one for the password interface Python application. You can copy the examples in the conf directory and replace the example values with values appropriate for your environment. There are a number of sensitive fields that you can choose to store in the configuration files, but it is not recommended. Instead, pass your secrets in via environment variables or through files in the secrets directory.
cp conf/apache2.conf.example conf/apache2.conf
cp conf/passwd_interface_conf.json.example conf/passwd_interface_conf.json
$EDITOR conf/apache2.conf
$EDITOR conf/passwd_interface_conf.json
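The following is an added example (not part of this project's code) of the loading order the paragraph above recommends: each secret field is taken from an environment variable first, then from a file in the secrets directory, and only as a last resort from the JSON config itself, with a warning. The field names, the `PASSWD_IF_` variable prefix and the `/run/secrets` mount point are assumptions.

```python
import json
import os
import stat
import warnings
from pathlib import Path

# Assumed field names; the real passwd_interface_conf.json keys may differ.
SECRET_FIELDS = ("ldap_bind_password", "flask_secret_key")
ENV_PREFIX = "PASSWD_IF_"             # assumed env var naming convention
DEFAULT_SECRETS_DIR = "/run/secrets"  # assumed mount point of the secrets directory


def read_secret_file(path):
    """Return the trimmed contents of a secret file, refusing group/world-readable files."""
    if path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by others; restrict it to the app user")
    return path.read_text(encoding="utf-8").rstrip("\r\n")


def resolve_secrets(config, environ=None, secrets_dir=DEFAULT_SECRETS_DIR):
    """Fill each secret field from, in order: env var, secrets-dir file, config value.

    Returns (resolved_config, {field: source}) so the caller can log where each
    secret came from without logging the secret itself.
    """
    environ = os.environ if environ is None else environ
    resolved, sources = dict(config), {}
    for field in SECRET_FIELDS:
        env_name = ENV_PREFIX + field.upper()
        secret_path = Path(secrets_dir) / field
        if environ.get(env_name):
            resolved[field], sources[field] = environ[env_name], "env"
        elif secret_path.is_file():
            resolved[field], sources[field] = read_secret_file(secret_path), "file"
        elif config.get(field):
            warnings.warn(f"{field} is stored in plaintext in the config file", stacklevel=2)
            sources[field] = "config"
        else:
            raise RuntimeError(f"no value for {field}: set {env_name} or create {secret_path}")
    return resolved, sources


def load_config(path="/etc/password_interface/passwd_interface_conf.json", **kwargs):
    """Read the JSON config from disk and resolve its secrets."""
    with open(path, encoding="utf-8") as fh:
        return resolve_secrets(json.load(fh), **kwargs)


if __name__ == "__main__":
    # Constructed sample: the bind password is deliberately absent from the config.
    sample = {"ldap_server": "ldaps://dc1.corp.example.com", "flask_secret_key": "changeme"}
    env = {"PASSWD_IF_LDAP_BIND_PASSWORD": "from-the-environment"}
    cfg, where = resolve_secrets(sample, environ=env, secrets_dir="/nonexistent")
    print(where)  # {'ldap_bind_password': 'env', 'flask_secret_key': 'config'}
```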
$ cat docker/compose/dev-compose.yml
version: "3"
services:
  passwd_if_app:
    command: /opt/passwd_if/runserver.py
    ports:
      - "5000:5000"
    volumes:
      - "../../src:/opt/passwd_if"
      - "../../conf:/etc/password_interface"
      - "../../secrets/certs:/certs"
    env_file: ../../secrets/env_secrets
$ cat docker/compose/prod-compose.yml
version: "3"
services:
  passwd_if_app:
    volumes:
      - "../../secrets/certs:/certs"
    env_file: ../../secrets/env_secrets
docker-compose -f compose/docker-compose.yml -f compose/dev-compose.yml -p passwd_if up
docker-compose -f compose/docker-compose.yml -f compose/prod-compose.yml -p passwd_if up -d
- Create a group for each password length policy you have, with the default policy being the most restrictive minimum
- Open Active Directory Administration Center
- Navigate through <YOUR_DOM> => System => Password Setting Container
- Task => New => Password Setting
- Name something logical and match settings appropriate to the policy from passwd-if conf
- Add in the correct group for this policy
- Create a krb5.conf, follow the example in the conf dir, adjust values as necessary
- Make sure there is a service principal for the HTTP server attached to the user account used for auth (app_passwd-if in the example below)
setspn -S HTTP/passwd.corp.example.com app_passwd-if
- Make a keytab file that can be read on Linux; if re-using the password app user, re-use its password as well (ktpass sets the account password to the value given with -pass). Replace <YOUR_REALM> with your Kerberos realm.
ktpass -out <KEYTAB_FILE> -ptype KRB5_NT_PRINCIPAL /mapuser app_passwd-if -pass <APP_USER_PASSWORD> -princ HTTP/passwd.corp.example.com@<YOUR_REALM>