August 29, 2018
by Grant Hamono
People asking you to reset their passwords all the time?
Would it lighten your workload to have them reset it themselves with a web-based interface?
Trying to implement a better password policy to break your users out of bad practices?
Well, there’s a Microsoft service that can handle this for you. But there are license costs. And it turns out that it’s actually not even as good as the open source alternative: PWM. This is a very powerful, self-service password reset tool that integrates with your existing MS Active Directory infrastructure using LDAP.
This guide will show you how to configure PWM start to finish, with SSL certificate installation and MySQL database setup included.
I will be using Ubuntu Server 16.04 for this guide. I have tried with 18.04 but with varying degrees of success. It seems that 18.04, at the time of writing this article, has some compatibility issues with some of the packages that get installed in the process.
The official installation instructions are actually pretty good – even a Windows guy like me could figure out most of it. But I got stuck a bit trying to configure the SSL certificates and configuring PWM to use a remote database. Having taken the effort to figure these bits out, I wanted to share what I’d done to make it easier for the next guy 🙂
Running Linux as a Virtual Machine
This guide runs PWM on a Linux virtual machine, so it assumes you are already using, and are familiar with, some flavour of virtual machine software.
Virtual machine technology is ubiquitous enough in modern client/server networks that you are almost certainly running it already, even if you’re not familiar with it. If that’s you, try to find out which virtual machine software is installed on your network and look up some introductory tutorials for it.
Other Things to Get Ready
Before we start you should download some tools that will help you immensely in the process, especially if you’re more comfortable with a Windows GUI than a command line interface.
You will also want to install PuTTY. PuTTY gives you SSH access to your virtual machine, which makes cutting and pasting commands from this guide into the command line a breeze.
WinSCP is a great tool for copying files between your Windows machine and the Ubuntu server we will be setting up.
Finally, you might want to download Notepad++, especially if you are uncomfortable with Linux text editors like nano or vi.
Let’s get this show on the road!
Create a virtual machine with Ubuntu Server 16.04 installed and running, then follow these steps:
sudo apt update
sudo apt upgrade
sudo apt install ssh
sudo nano /etc/network/interfaces
The addresses below are for the author’s network; substitute the static address, gateway and DNS server for yours. Ubuntu 16.04 uses predictable interface names, so replace eth0 with the name shown by ip link (for example ens33 or enp0s3).
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.1.10
    netmask 255.255.255.0
    gateway 192.168.1.1
    dns-nameservers 192.168.1.5
sudo service networking restart
sudo apt install apache2
sudo apt install php libapache2-mod-php
sudo apt install tomcat8 tomcat8-docs tomcat8-examples tomcat8-admin
sudo nano /etc/tomcat8/tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!.. ..> that surrounds them.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="username" password="password" roles="manager-gui,admin-gui,manager-script"/>
</tomcat-users>
The username and password on the last user line are placeholders: replace them with a unique account name and a long, random password. Anyone holding this credential can deploy arbitrary web applications through the manager, which amounts to code execution as the tomcat8 user, so keep the manager application unreachable from outside your network as well.
sudo service tomcat8 restart
sudo apt install haveged
sudo mkdir /media/pwm/
sudo chown tomcat8 /media/pwm/
The path below assumes pwm.war has already been deployed to Tomcat (uploading it through the manager application configured above is one way), which unpacks it into /var/lib/tomcat8/webapps/pwm/.
sudo nano /var/lib/tomcat8/webapps/pwm/WEB-INF/web.xml
Set the applicationPath context parameter to the working directory created above:
    <display-name>PWM Password Management</display-name>
    <!-- <distributable/> Clustering/Session replication is not supported -->
    <description>Password Management Servlet</description>
    <context-param>
        <description>
            Explicit location of application path working directory or the literal value "/media/pwm/".
            See the environment documentation at /public/reference/environment.jsp for more information.
        </description>
        <param-name>applicationPath</param-name>
        <param-value>/media/pwm/</param-value>
    </context-param>
sudo service tomcat8 restart
sudo apt install mysql-server
mysql -u root -p
CREATE DATABASE pwm;
CREATE USER 'pwm'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON pwm.* TO 'pwm'@'localhost';
Here 'password' is a placeholder; use a long random password and enter the same value in PWM’s database settings. The 'localhost' part restricts the account to connections from the same VM, which is correct when MySQL runs alongside Tomcat as it does here; if your database lives on another server, create the user with that server’s host instead.
sudo apt install libapr1 libtcnative-1 libapr1-dev
sudo ln -sv /usr/lib/x86_64-linux-gnu/libtcnative-1.so /usr/lib/
Copy ca_bundle.crt, certificate.crt and private.key (as issued by your certificate authority) into your home directory with WinSCP, then move them into place:
sudo mkdir /usr/local/ssl
sudo mv ca_bundle.crt /usr/local/ssl/
sudo mv certificate.crt /usr/local/ssl/
sudo mv private.key /usr/local/ssl/
The private key must be readable by the tomcat8 user and by nobody else; tightening its ownership and permissions is the check most often forgotten at this step.
sudo nano /etc/tomcat8/server.xml
Comment out the plain HTTP connector on port 8080 and add the APR connector on 8443 pointing at the certificate files:
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <!-- HTTP connector. Uncomment to enable
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />
    -->
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateChainFile="/usr/local/ssl/ca_bundle.crt"
               SSLCertificateFile="/usr/local/ssl/certificate.crt"
               SSLCertificateKeyFile="/usr/local/ssl/private.key"
               SSLVerifyClient="optional"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
Three things to check before restarting. The stock server.xml already contains an AprLifecycleListener under <Server>; set SSLEngine="on" on that line rather than adding a second listener inside <Service>. SSLProtocol as written still accepts TLS 1.0 and 1.1, both of which are deprecated, so unless you have clients that need them set it to TLSv1.2 only. SSLVerifyClient="optional" makes Tomcat request a client certificate on every connection, which causes a certificate prompt in browsers for users who have one installed; set it to "none" unless you intend to authenticate clients by certificate.
sudo service tomcat8 restart
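Before putting the server in front of users it is worth checking the three things the steps above leave easiest to get wrong: the private key permissions, leftover placeholder credentials in tomcat-users.xml, and deprecated TLS versions in server.xml. The script below is an added example written for this article, not part of the original guide or of the PWM project; the paths it checks are assumptions matching the Ubuntu 16.04 tomcat8 layout used above, and the checks are plain POSIX sh, awk and sed so they run on the server as-is.

```shell
#!/bin/sh
# Post-install checks for the PWM/Tomcat setup (added example, not from the
# original guide). Paths below are assumptions matching the tomcat8 package.

# Remove <!-- ... --> comments (including multi-line ones) from an XML file
# so that the commented-out sample users shipped in tomcat-users.xml are not
# mistaken for live accounts.
strip_xml_comments() {
    awk '
    {
        s = $0; out = ""
        while (s != "") {
            if (incomment) {
                i = index(s, "-->")
                if (i == 0) { s = ""; break }
                s = substr(s, i + 3); incomment = 0
            } else {
                i = index(s, "<!--")
                if (i == 0) { out = out s; s = ""; break }
                out = out substr(s, 1, i - 1); s = substr(s, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# check_private_key FILE OWNER: pass only if FILE exists, is owned by OWNER
# and has no group/other permission bits (0600 or tighter).
check_private_key() {
    f=$1; want=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    set -- $(ls -ld "$f")        # $1 = mode string, $3 = owner (no spaces in path)
    perms=$1; have=$3
    [ "$have" = "$want" ] || { echo "$f owned by $have, expected $want"; return 1; }
    case "$perms" in
        ????------*) return 0 ;;  # type + owner bits, then six dashes for group/other
    esac
    echo "$f mode $perms is readable by group/other; chmod 600 it"
    return 1
}

# check_tomcat_users FILE: fail if any active <user> still has a well-known
# placeholder password (empty, "password" or "tomcat").
check_tomcat_users() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    if strip_xml_comments "$f" | grep -E '<user [^>]*password="(password|tomcat)?"' >/dev/null; then
        echo "placeholder Tomcat manager credential in $f"
        return 1
    fi
    return 0
}

# check_server_xml FILE: fail if the active SSL connector's SSLProtocol
# allows anything older than TLS 1.2 (TLSv1, TLSv1.1, SSLv3 or "all").
check_server_xml() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    proto=$(strip_xml_comments "$f" | sed -n 's/.*SSLProtocol="\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$proto" ] || { echo "no SSLProtocol on an active connector in $f"; return 1; }
    case "+$proto+" in
        *+TLSv1+*|*+TLSv1.1+*|*SSLv*|*+all+*)
            echo "SSLProtocol=\"$proto\" allows deprecated protocols; use TLSv1.2"
            return 1 ;;
    esac
    return 0
}

# Run every check against the live paths and report all failures, not just
# the first one.
run_all_checks() {
    rc=0
    check_private_key /usr/local/ssl/private.key tomcat8 || rc=1
    check_tomcat_users /etc/tomcat8/tomcat-users.xml || rc=1
    check_server_xml /etc/tomcat8/server.xml || rc=1
    return $rc
}

# Only touch the system when invoked as "sh pwm-checks.sh run", so the
# functions can also be sourced or tested on constructed files.
if [ "${1:-}" = "run" ]; then
    run_all_checks
fi
```

Run it as sh pwm-checks.sh run after the final Tomcat restart; a zero exit status means all three checks passed, and each failure prints the file and the reason. The tomcat-users.xml check deliberately strips XML comments first, because the stock file ships its sample tomcat/tomcat accounts inside a comment and those should not trigger a false alarm.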
And that’s it! Start to finish! I’ve found that it’s a good idea to print off a QR code linking to your PWM server and put it up around the office with a title like “Forgotten your password?”; staff can then simply use their phone to answer their secret questions and reset their own passwords instead of hassling you!
Need Us to do this for You?
We’re available for hire across the Melbourne metropolitan area, or remotely via the internet. To get in touch, please contact us via our server installation and configuration page.