Self-service account portal with PWM

Everyone knows the battle users wage with their accounts: they come back from holiday, they have forgotten their password, and they swear they typed it correctly five times… Well, today we have a great document: a web portal where users manage their own accounts.

To avoid wasting IT time it is good to delegate certain tasks to users, and managing their own credentials is one of them. Besides consuming a significant share of our team's time, it also hurts efficiency, since our response is never immediate. So today we will look at PWM, a self-service web portal for user accounts in any LDAP directory, such as our Active Directory.

PWM is of course open source and has some very interesting features. It lets us pick granularly which options we want to offer: creating new user accounts or activating new users, changing passwords, resetting a forgotten password based on a few questions (or a token, etc.), HelpDesk integration, updating certain user fields… It is available in any language and the web theme can easily be customised to look corporate. Quite interesting, so we thank its authors and remember to give back to the community however suits you best 😉

Of course, the installation is based on a Docker container that we will have running in a minute. If you need to install Docker, check the official documentation. We download 'pwm-docker-image-2.0.1.tar' from https://github.com/pwm-project/pwm/releases, upload it to the machine running Docker and start the container:

docker load --input=/tmp/pwm-docker-image-2.0.1.tar
docker run -d --name mipwm -p 8443:8443 -v /config:/Home/OpenServices/PWM-config pwm/pwm-webapp
sudo docker start mipwm

Configuring PWM,

We open a browser at https://DIRECCION_IP_PWM:8443 and a setup wizard welcomes us. “Next”,

Click on “Manual Configuration” to set it up,

We accept to exit the basic setup wizard.

It asks us for a password, which is the one we will use whenever we want to modify the configuration.

Accept. It tells us that we are in configuration mode and that we can log in without LDAP accounts until we configure and validate them.

So we click on “Configuration Editor”,

Enter the configuration password,

And welcome to the configuration editor. It is really easy to navigate the left menu and find the options we need. There are several views that show only the basic settings, a larger set of them, or all of them.

First things first: if we are going to integrate it with our Active Directory, we select it in “LDAP Vendor Default Settings”.

We accept the change,

And in the LDAP Settings menu we create a connection to our Active Directory: we indicate the LDAP server(s), preferably connecting with LDAPS, and click on Get the Certificate from the server. Next we set up the so-called “LDAP Proxy User”, the AD account that PWM will use to change and reset passwords (so it should be a user with only that delegation). We also indicate the base DN (or DNs) where our users live. Finally, we indicate a test account to validate that we can make these changes.

Clicking on “Test LDAP Profile” validates the connection.

So as not to modify the AD schema, we need a MySQL or MariaDB server where PWM will store the attributes it needs. This MySQL can run on the same machine as Docker, in a container, or on a dedicated machine. With the following commands we create the database and a user with a password, and grant that user permissions on the database:

CREATE DATABASE pwm_db;
CREATE USER 'pwd_user'@'%' IDENTIFIED BY 'XXXXXXXXXX';
GRANT ALL ON pwm_db.* TO 'pwd_user'@'%';
FLUSH PRIVILEGES;

Then from “Settings” > “Database (Remote)” > “Connection” we connect to it.

Before that, we download mysql-connector-java-8.0.28.zip from https://dev.mysql.com/downloads/connector/j/?os=26, unzip it and upload the JAR file under “Database Driver” (in my case mysql-connector-java-8.0.28.jar). In “Database Class” indicate 'com.mysql.jdbc.Driver' and in “Database Connection String” put 'jdbc:mysql://DIRECCION_IP_MYSQL:3306/pwm_db?useTimezone=true&serverTimezone=UTC'. Enter the login credentials in “User Name” and “Password”.

If we click on “Test Database Connection” we verify that access works!

Then in the default settings we can indicate that we use a “Remote Database”.

We accept changes,

Something we will need to configure is which users are PWM administrators.

As well as what the URL of the Site will be.

Or the mail service settings, used to send validation emails to users.

And we click “Save” to store the settings, then “Accept”,

If everything went well, we can try logging in with the administrative account we indicated, which is an Active Directory user.

Perfect. After logging in we see that only the Administration panel is enabled and the user roles are not visible; this is because we are still in configuration mode. Click on Administration.

It will take us to this site where we can browse and investigate the activity of the users…

In short, if we click on “Configuration Manager”,

Enter the password to access the Settings.

And to put the site into production we click on “Restrict Configuration”.

It warns us that we must be sure we have validated authentication against our Active Directory before confirming. “Accept”,

And immediately the site is in production. When we log in with an Active Directory user, even as the PWM site administrator, we can now fill in the security questions.

If we go to the main menu, this is what it looks like; a normal user would not see the icon with the administrative functions.

Logging in as a normal Active Directory user,

We can log in with a normal Active Directory user to validate…

It asks us to fill in the answers to the security questions.

It tells us that they will be useful in the future if we forget our password.

And this is what a normal user sees by default. I insist that functionality can be added so they can update their account data, search for other users, set up an OTP…

What happens when you forget a password,

If we click on “Forgot password”,

We will get an assistant that will ask us to specify our username.

And obviously, the questions we filled in earlier come up. With this, the user can reset their password if they forget it. We can also require other verification methods such as a token or email verification.

Enabling new user registrations,

In the Modules section we see the different options that we can enable in the public portal or in the portal after authentication. In this simple example we see how to enable “New User Registration”,

And we indicate in “Creation Context” the OU where these accounts will be stored.

Click on SAVE to save the configuration.

And we validate it: we see that there is now a new button users can click to register.

Enable OTP,

We will see how to enable a token to use as a second verification method where it is of interest. Beware, for now PWM does not allow requiring it for users to log in, but it does when they make a change to their account, although not for changing the password once logged in…?

We enable OTP and optionally make it mandatory or not.

We check that the OTP keys will be stored in the database and encrypted. We save the changes.

And when we log in as a user we see a new icon to configure the token,

If we click it, a wizard appears with instructions depending on the device we use; the user scans the QR code and finishes the wizard by validating the code.

Customizing the theme,

We couldn't close the post without this. By default PWM ships several themes that are much more modern than the classic interface. We can select the one we like the most and manually modify the CSS file. While it is true that there is a menu item for this, I personally copy the CSS and background image into the container when it boots.

Anyway, I leave you a few screenshots with the modified theme and corporate colours as an example… This would be the home page.

This would be the portal once the user has authenticated.

Answering questions when you forget your password…

Well, what do you think? I think it gives you an idea of how useful it can be. PWM is a tool that can help us a lot when this management is a nightmare or, as I said, takes up IT time. It is good to have a portal where our users, customers or suppliers can manage their credentials independently.

Ale, a hug to everyone. Thank you if you have made it this far, and a cuddle to all of you who share this kind of content on social networks. May it go well, good luck!


Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever you need, do not hesitate to contact me, I will try to help whenever I can. Sharing is living ;). Enjoy the documents!!!


21 of March of 2022