
## Installing in production

### Build image

```
docker build --no-cache=true -t ndn-pwman .
```

## Running pwman

You need a useradmin keytab file and the admin password for our LDAP.

You also need a proxy running in front of pwman that sends along the following HTTP headers:

- X-Remote-User
- AFFILITATION - used to determine `is_staff` and `is_active`
- GIVENNAME
- SN - surname
- MAIL - not really used

Because pwman takes the user's identity from these headers, it must only be reachable through that proxy, and the proxy must overwrite any copies of these headers a client sends.

```
docker run --rm -ti --name pwman -e LDAP_PASSWORD="1234secrets" -e LDAP_SERVER="ldap.nordu.net" -v /etc/useradmin.keytab:/opt/keytabs/pwman.keytab:ro -v $(pwd)/data:/opt/pwman ndn-pwman
```

## Generating a persistent CSRF key

```
docker run --rm -ti ndn-pwman pwman -gennerate-csrf
```

## Environment variables

Run `pwman -h` to get the full list of flags. All flags can be set using environment variables by upper-casing them and replacing dashes with underscores, e.g. `ldap-password` becomes `LDAP_PASSWORD`.

The only required variable is `LDAP_PASSWORD`.

- LDAP_SERVER - defaults to `localhost`
- LDAP_PORT - defaults to `636`
- LDAP_USER - defaults to `cn=admin,dc=nordu,dc=net`
- LDAP_PASSWORD
- CHANGEPW_SCRIPT - `/opt/scripts/create-kdc-principal.pl`
- CSRF_SECRET - a random 32-character string (specials included)
- ADDRESS - the address the pwman server listens on - `:3000`
- BASE_PATH - the path prefix pwman is served under, e.g. `/sso`
- PWNED - path to the Pwned Passwords v2 file
- KRB5_CONFIG - path to krb5.conf file

Primarily development variables:

- CSRF_INSECURE - allow CSRF cookies to be sent over unencrypted HTTP
- LDAP_SSL_SKIP_VERIFY - skip verification of the LDAP server's TLS certificate
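The flag-to-environment mapping and precedence described above, as an added Go example that is not pwman's own code: it defines three of the flags listed here with the README's defaults (the real program has more), reads each flag that was not given on the command line from its upper-cased, underscored environment variable, and rejects a missing `LDAP_PASSWORD`. The `resolve` function and its `env` map argument are this example's own names.

```go
package main

import (
	"flag"
	"fmt"
	"os"
	"strings"
)

// resolve defines three of pwman's flags with the README's defaults, parses
// args, then fills every flag not given on the command line from env, so the
// precedence is flag > environment > default. Type errors in env values and
// a missing ldap-password (the one required value) are rejected.
func resolve(args []string, env map[string]string) (map[string]string, error) {
	fs := flag.NewFlagSet("pwman", flag.ContinueOnError)
	fs.String("ldap-server", "localhost", "LDAP server")
	fs.Int("ldap-port", 636, "LDAP port")
	fs.String("ldap-password", "", "LDAP bind password (required)")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	explicit := map[string]bool{} // flags given on the command line win over env
	fs.Visit(func(f *flag.Flag) { explicit[f.Name] = true })
	got, errs := map[string]string{}, []string{}
	fs.VisitAll(func(f *flag.Flag) {
		// README rule: upper-case and swap dashes for underscores, so "ldap-password" reads LDAP_PASSWORD.
		name := strings.ToUpper(strings.ReplaceAll(f.Name, "-", "_"))
		if v, ok := env[name]; ok && !explicit[f.Name] {
			if err := fs.Set(f.Name, v); err != nil {
				errs = append(errs, name+": "+err.Error())
			}
		}
		got[f.Name] = f.Value.String()
	})
	if len(errs) > 0 {
		return nil, fmt.Errorf("bad environment: %s", strings.Join(errs, "; "))
	}
	if got["ldap-password"] == "" {
		return nil, fmt.Errorf("ldap-password is required (flag or LDAP_PASSWORD)")
	}
	return got, nil
}

func main() { // real run: flags from os.Args, environment from os.Environ()
	env := map[string]string{}
	for _, kv := range os.Environ() {
		k, v, _ := strings.Cut(kv, "=")
		env[k] = v
	}
	fmt.Println(resolve(os.Args[1:], env))
}
```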

## Development

You can use docker-compose to get up and running. `docker-compose up --build` will recompile pwman and start:

- an OpenLDAP server on port 6636
- a Heimdal Kerberos server on ports 8888 and 7749
- nginx listening on port 80
- pwman

For rapid testing that does not need to build docker images, you can choose to start just the dependencies.

```
# In one window
docker-compose up

# In another (hacky since it is not under gopath); the !(*_test).go pattern needs bash extglob
shopt -s extglob
go run !(*_test).go -ldap-password secretpw -ldap-port 6636 -ldap-ssl-skip-verify -csrf-insecure -krb5-config dev/krb5.conf -changepw-script data/pwman/log-principal.pl -base-path /dev

# You can now access it on http://localhost/dev
```