## Installing in production

### Build image

```
docker build --no-cache=true -t ndn-pwman .
```

## Running pwman

You need a useradmin keytab file and the admin password for our LDAP. You also need a proxy running in front of pwman that sends along the following HTTP headers:

- X-Remote-User
- AFFILITATION - used to determine `is_staff` and `is_active`
- GIVENNAME
- SN - surname
- MAIL - not really used

pwman takes the user's identity and role from these headers, so it must only be reachable through that proxy.

```
docker run --rm -ti --name pwman \
  -e LDAP_PASSWORD="1234secrets" \
  -e LDAP_SERVER="ldap.nordu.net" \
  -v /etc/useradmin.keytab:/opt/keytabs/pwman.keytab:ro \
  -v $(pwd)/data:/opt/pwman \
  ndn-pwman
```

## Generating a persistent csrf key

```
docker run --rm -ti ndn-pwman pwman -gennerate-csrf
```

## Environment variables

Run `pwman -h` to get the full list of flags. All flags can be set using environment variables by upper-casing them and replacing dashes with underscores, e.g. `ldap-password` becomes `LDAP_PASSWORD`. The only required variable is `LDAP_PASSWORD`.

- LDAP_SERVER - defaults to `localhost`
- LDAP_PORT - defaults to `636`
- LDAP_USER - defaults to `cn=admin,dc=nordu,dc=net`
- LDAP_PASSWORD
- CHANGEPW_SCRIPT - `/opt/scripts/create-kdc-principal.pl`
- CSRF_SECRET - random 32 characters (including specials)
- ADDRESS - sets the address the pwman server will listen on - `:3000`
- BASE_PATH - path pwman should reside under, e.g. `/sso`
- PWNED - path to pwned passwords v2 file
- KRB5_CONFIG - path to krb5.conf file

Primarily development variables:

- CSRF_INSECURE - allow csrf cookies to be sent over unencrypted http
- LDAP_SSL_SKIP_VERIFY - don't do ldap ssl verification

## Development

You can use docker-compose to get up and running. `docker-compose up --build` will recompile pwman and start:

- openldap server on port 6636
- heimdal kerberos server on ports 8888 and 7749
- nginx listening on port 80
- pwman

For rapid testing that does not need to build docker images you can choose to just start the dependencies.
```
# In one window
docker-compose up

# In another (hacky since it is not under gopath).
# The !(*_test).go glob needs bash with extglob enabled: shopt -s extglob
go run !(*_test).go -ldap-password secretpw -ldap-port 6636 -ldap-ssl-skip-verify \
  -csrf-insecure -krb5-config dev/krb5.conf -changepw-script data/pwman/log-principal.pl \
  -base-path /dev

# You can now access it on http://localhost/dev
```
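The `PWNED` variable points pwman at a local Pwned Passwords v2 file. The following is an added example, not code from pwman or this README, showing how a lookup against that file can be done without reading the multi-gigabyte list into memory. It assumes the "ordered by hash" variant of the v2 list, i.e. one `SHA1:COUNT` line per entry with upper-case hex SHA-1 hashes sorted by hash, and binary-searches over byte offsets. The function names (`PwnedHash`, `PwnedCount`, `WriteSampleList`) and the sample passwords and counts are my own constructions, not pwman's API or real haveibeenpwned figures.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"sort"
	"strconv"
	"strings"
)

// PwnedHash hashes a candidate password the way the Pwned Passwords lists do: SHA-1 as upper-case hex.
func PwnedHash(password string) string {
	sum := sha1.Sum([]byte(password))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// lineAtOrAfter returns the first complete line starting at a byte offset >= off, plus that
// start offset. It returns io.EOF when no line starts at or after off.
func lineAtOrAfter(f *os.File, off int64) (string, int64, error) {
	seekTo := off
	if off > 0 {
		seekTo = off - 1 // step back one byte so a line starting exactly at off is not skipped
	}
	if _, err := f.Seek(seekTo, io.SeekStart); err != nil {
		return "", 0, err
	}
	r := bufio.NewReader(f)
	start := seekTo
	if off > 0 {
		// Discard the (possibly partial) line we landed in; its '\n' marks the next line start.
		skipped, err := r.ReadString('\n')
		if err != nil {
			return "", 0, err // EOF before a newline: nothing starts at or after off
		}
		start += int64(len(skipped))
	}
	line, err := r.ReadString('\n')
	if errors.Is(err, io.EOF) && line != "" {
		err = nil // a final line without a trailing newline still counts
	}
	if err != nil {
		return "", 0, err
	}
	return strings.TrimRight(line, "\r\n"), start, nil
}

// PwnedCount binary-searches a hash-ordered "HASH:COUNT" file over byte offsets and returns the
// breach count for password, or 0 when its hash is absent (assumed v2 ordered-by-hash layout).
func PwnedCount(path, password string) (int, error) {
	target := PwnedHash(password)
	f, err := os.Open(path)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	lo, hi := int64(0), info.Size() // invariant: if present, the target line starts in [lo, hi)
	for lo < hi {
		mid := lo + (hi-lo)/2
		line, start, err := lineAtOrAfter(f, mid)
		if errors.Is(err, io.EOF) {
			hi = mid // no line starts at or after mid
			continue
		}
		if err != nil {
			return 0, err
		}
		hash, countStr, ok := strings.Cut(line, ":")
		if !ok {
			return 0, fmt.Errorf("malformed line at offset %d: %q", start, line)
		}
		switch {
		case hash == target:
			return strconv.Atoi(strings.TrimSpace(countStr))
		case hash < target:
			lo = start + int64(len(line)) + 1 // this line and everything before it is smaller
		default:
			hi = mid // this line and everything after it is larger
		}
	}
	return 0, nil
}

// WriteSampleList writes a constructed, hash-ordered fixture (password -> count) in the same
// layout. Demo/test use only; a real deployment downloads the list from haveibeenpwned.
func WriteSampleList(path string, counts map[string]int) error {
	lines := make([]string, 0, len(counts))
	for pw, n := range counts {
		lines = append(lines, fmt.Sprintf("%s:%d", PwnedHash(pw), n))
	}
	sort.Strings(lines) // hashes are fixed-width, so sorting whole lines sorts by hash
	return os.WriteFile(path, []byte(strings.Join(lines, "\n")+"\n"), 0o600)
}

func main() {
	path := os.TempDir() + "/pwned-sample.txt"
	// Constructed counts, not real haveibeenpwned figures.
	if err := WriteSampleList(path, map[string]int{"password": 3730471, "123456": 23597311, "hunter2": 17}); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.Remove(path)
	for _, pw := range []string{"password", "hunter2", "correct horse battery staple"} {
		n, err := PwnedCount(path, pw)
		fmt.Printf("%q: count=%d err=%v\n", pw, n, err)
	}
}
```

Comparing the hash as a string is valid only because every entry is fixed-width upper-case hex; if a list with lower-case hashes or a different ordering is used, the comparison must be adjusted, which is why the layout is stated as an assumption above.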