To contribute content or make changes to the PWM Administrator Guide, please request access to the development work-in-progress document.
PWM Administrator's Guide
Updated for v1.7.0
http://code.google.com/p/pwm/

Table of Contents

PWM Administrator's Guide
Overview and Requirements
  Features
  Requirements
Installation
  Server Setup
  Making a new WAR file
  Upgrading
General Directory Setup
  Secure LDAP Connection
  Schema changes
  Users, groups and permissions
Novell eDirectory Integration
  eDirectory Schema
  eDirectory Rights
  eDirectory Interaction
OpenLDAP Integration
  Access control rules
  Schema extensions
OpenDS / OpenDJ Integration
  Configuration change
  Schema Extensions
  Access Rights
389 and Red Hat Directory Server Integration
  Enable MemberOf Overlay
  Schema Changes
  Users and Groups
  Access Control
Other Integration Notes
  Active Directory Integration
  Microsoft ADAM / AD LDS
Web Integration and Page Flow
  Access Gateways
  Request Parameters
  Command Servlet Commands
Internationalization
  Display Page Configuration
  Alternative translations
  Themes
Wordlists
Global Password History
LocalDB Database
PWM Command Line Tools
Policies
  Password Policy
  Challenge Policy
Logging
Captchas
SMS Notifications
  Configuration
  Example configurations
    Clickatell
    VOIPbuster
    Custom SOAP service
Appendix A: Troubleshooting
Appendix B: Error Codes
Guide A: Integrating PWM with Java Security Manager
  Introduction
  Generic debugging techniques for Tomcat
  PWM 1.4.2 on Debian Lenny
  PWM 1.5.3 / SVN revision 160 on Debian Squeeze
Guide B: PWM behind an Apache reverse proxy
  Introduction
  Configuring PWM server
  Configuring the webserver
Guide C: Integrating PWM with CAS
  Introduction
  clearPass
  Edit your CAS pom.xml to include the clearPass dependency
  Interrupting a CAS session
Guide D: Integrating PWM with Novell Access Manager
  Introduction
  Link Redirection
  Reverse Proxy Settings
  Login Page Customizations
Overview and Requirements

Welcome to the PWM Administrator's Guide. PWM provides a feature rich, easy to manage, password self service web application for LDAP directories. Always check the PWM website for the latest version. The PWM website also has useful FAQs, support lists, and other helpful information, as well as the most current version of this document.

PWM Website: http://code.google.com/p/pwm/

This document describes the overall installation and setup of PWM. The PWM ConfigManager interface has detailed information about each of the many PWM configuration options.

PWM is distributed under the terms of the GNU General Public License (GPL). The full license text is available in the file pwm-license.txt included with the distribution.
Features

- Web based configuration manager with over 20 configurable settings
  - Configurable display values for every user-facing text string
- Polished, intuitive end-user interface with as-you-type password rule enforcement
- Forgotten Password
  - Internationalized/localized challenge questions
  - Use responses stored in the local server, a standard RDBMS database, the LDAP server or NetIQ eDirectory NMAS repositories
  - Use Forgotten Password, Email/SMS Token/PIN, user attribute values, or any combination for password recovery
- Standalone, easy to deploy Java web application
- User-facing screens are localized for: Chinese (中文), Czech (čeština), Dutch (Nederlands), English, Finnish (suomi), French (français), German (Deutsch), Hebrew (עברית), Italian (italiano), Norwegian Nynorsk, Polish (polski), Portuguese (português), Slovak (Slovenčina), Spanish (español), Thai (ไทย), Turkish (Türkçe)
- Helpdesk module
  - Reset password with random and/or supplied passwords
  - Clear intruder lockout
  - Clear user challenge responses
- New User Registration / Account Creation
  - Require agreement with configurable text
  - Optional email address validation
  - Verify LDAP server replica synchronization
  - Create account only after email address validation
  - Optional auto-generated account entry name
- Guest User Registration / Updating
- PeopleSearch (white pages)
- Account Activation / first time password assignment
  - Optional email address / SMS token validation
  - Require agreement with configurable text
- Administration modules including intruder-lockout manager, online log viewer, daily stats viewer and user information debugging
- Easy to customize JSP HTML pages
  - Themeable interface with several example CSS themes
- Support for large dictionary wordlists to enforce strong passwords
- SelfHealth engine for displaying PWM and LDAP directory health
  - Periodic test account validation
  - Operations room health display screen
  - Realtime feedback during configuration
- Shared password history to prevent passwords from being reused organizationally
- Automatic LDAP server failover to multiple LDAP servers
- Support for password replication checking
- Based on the LdapChai API
- Captcha support using reCaptcha
- Support for minimal, restricted and mobile browsers with no cookies, Javascript or CSS
- Specialized skins for iPhone/mobile devices
- Designed for integration with existing portals and web security gateways
- Integration with CAS
Requirements

PWM will work on any platform that meets the following minimum requirements:

In most cases, the full

Installation

Installation of PWM follows standard

Server Setup

On your platform of choice, ensure that

download the latest
Upon the initial PWM installation, a web-based configuration editor is available at: http://localhost:8080/pwm/config/ConfigManager

Once a configuration is saved, PWM will operate in "Configuration Mode", which allows continued configuration changes to be made while you test PWM functionality. When all configuration changes are completed, you can lock the PWM configuration, which will prevent any further direct changes via the web based ConfigManager. Until the configuration is locked, the web based ConfigManager remains open to configuration changes, so do not leave a production server in Configuration Mode. If you wish to make further changes to the configuration once the config is locked, you can follow the instructions on the ConfigManager page. These steps require access to the server file system.

Beyond configuring PWM, you may also need to make changes to your LDAP directory schema and rights/permissions. Information about schema and rights modifications for particular directories can be found below, or by visiting the pwm-general Google Group.

Important! Be sure to sign up for the pwm-announce Google Group. This group is used for sending infrequent notices when new PWM releases are available. As security related fixes are discovered and released, it is important to keep track of updates.
Making a new WAR file

For a variety of reasons, it may be desirable to deploy a customized WAR file. You can use the included ant script to repackage a new WAR file after you have modified any of the PWM files. Even if you can modify the servlet files after they are deployed, it is still a good idea to modify the original source and build your own pwm.war. That way, it will be available as a backup, and you will have a pwm.war file that is completely customized for your environment. You do not need ant on your server: you can follow these steps on your workstation and then deploy the resulting war file on your server. It is even okay if your workstation and server are different operating systems. To build a new pwm.war file, follow these steps:

1. Make sure you have ant installed on your workstation.
2. Download PWM and unzip the pwm.zip file.
3. Make any changes to PWM desired (JSP edits, configuration changes, etc).
4. At the root of the pwm directory (where the build.xml file is located), run the following commands:

ant clean
ant makeWAR

5. Deploy the resulting pwm.war file. On Tomcat this means deleting the webapps/pwm directory (if any), placing the pwm.war file in the webapps directory, and restarting Tomcat. (Newer versions of Tomcat allow deploying war files through a web interface without restarting Tomcat.)
Upgrading

To upgrade PWM on Apache Tomcat, the following steps need to be performed:

1. Stop the PWM application or the entire application server.
2. Make a backup of the file WEB-INF/PwmConfiguration.xml.
3. Make a backup of the folder WEB-INF/LocalDB (in older versions this may be named WEB-INF/pwmDB).
4. Undeploy the old war file by removing both the war file and the extracted directory.
5. Deploy the new war file.
6. Clean the work and temp directories of the Tomcat application server.
7. If the application server is stopped, start it so that it expands the war file; if Tomcat is running it will do so automatically.
8. Restore WEB-INF/LocalDB.
9. Restore WEB-INF/PwmConfiguration.xml.

Remark: it is possible to place the LocalDB directory outside of the web application. In that case restoration of the LocalDB can be skipped. A backup should nevertheless be made, in case a rollback to the previous version is required or something goes wrong.
General Directory Setup

PWM generally requires some changes to your directory server in order to function correctly. First of all, a number of attributes are used for storing PWM's information, like password history, questions and answers needed for password reset, last password change date and optionally some information like (external) email addresses or mobile phone numbers for SMS notifications. This requires changes to the schema. Furthermore, a number of users and groups must be selected or set up to perform specific operations. Last but not least, the users need to get credentials and permissions in order to perform their tasks.
Secure LDAP Connection

Some directories only allow encrypted operations or require encryption for certain operations, like changing passwords. In these cases you need to connect PWM to the SSL port. This usually is 636 or alternatively 1636.

PWM allows you to use a promiscuous connection, which means it will accept any server certificate, whether it is valid or not. That is useful in development and testing environments, but unwanted in production: a connection that accepts any certificate can be intercepted by anyone who presents their own certificate, exposing the proxy user's credentials and every user password PWM handles. In a production environment you want PWM, or in fact Java, to trust the LDAP server's certificate. There are three scenarios:

- You use a certificate issued by a generally recognized commercial certificate authority. The certificate of this authority should already be in the certificate database. If the server name in the LDAP URL is identical to the common name of the certificate, you're done.
- You use a certificate issued by a private certificate authority, like one from NetIQ iManager or Microsoft Active Directory, or created using a tool like TinyCA. In this case the certificate(s) of that certificate authority need(s) to be imported into the Java certificate database. See the instructions below.
- You use a self signed certificate. In this case, the self signed certificate needs to be imported into the Java certificate database. See the instructions below.

In all cases you need to make sure that:

- The certificate and the issuer certificates are still valid and have not expired.
- The name in the LDAP URL is identical to the name or any of the alternate names of the certificate. For example, connecting to ldaps://127.0.0.1:636 will probably fail, while connecting to ldaps://ldap.example.com:636 will succeed if the certificate name is ldap.example.com.

To import the CA certificate or self signed certificate into the certificate database, make sure you have it available in PEM format, also known as base64. Such a file looks like:

-----BEGIN CERTIFICATE-----
(base64 encoded certificate data)
-----END CERTIFICATE-----

Now locate the certificate database. It is located in $JAVA_HOME/lib/security/cacerts, where $JAVA_HOME is the directory where Java is installed (when $JAVA_HOME points at a JDK rather than a JRE, the file is $JAVA_HOME/jre/lib/security/cacerts). Now use keytool to import the file:

keytool -import -keystore $JAVA_HOME/lib/security/cacerts -file example.pem -alias ldap.example.com

The keytool will ask for a password, which is changeit by default. After importing the certificate, restart your application server.
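The two conditions above (certificate still valid, URL host covered by the certificate's names) are exactly what fails when PWM points at ldaps://127.0.0.1 instead of the hostname. The following Python script is an added example, not part of PWM or of this guide's original text: it applies those checks to a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so it can be pointed at a live directory server, and it ships with a constructed sample certificate (not a real one) so it also runs offline. The wildcard rule and the SAN-before-CN preference follow RFC 6125.

```python
"""Added example (not part of PWM): decide whether a directory server's
certificate would pass the hostname and validity checks described above
for a given LDAP URL, the way Java does when it is not in promiscuous
mode. It works on the dict shape Python's ssl.SSLSocket.getpeercert()
returns; a constructed sample certificate is used so the script runs offline."""
import socket
import ssl
import time
from urllib.parse import urlsplit

def ldap_url_host(url):
    """Host part of an ldap:// or ldaps:// URL, e.g. 'ldap.example.com'."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return parts.hostname

def dns_name_matches(pattern, host):
    """Exact match, or a single left-most wildcard label ('*.example.com'
    covers 'ldap.example.com' but not 'example.com' or 'a.b.example.com')."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split(".")[1:], host.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels

def cert_names(cert):
    """Names the certificate is valid for: the subjectAltName dNSName
    entries, falling back to the subject CN only when there is no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]

def check_ldaps_cert(cert, ldap_url, now=None):
    """Return (ok, reason): ok only if the certificate is inside its
    validity period and one of its names covers the host in ldap_url."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate not valid at this time"
    host = ldap_url_host(ldap_url)
    names = cert_names(cert)
    if any(dns_name_matches(name, host) for name in names):
        return True, "host %s matches certificate names %s" % (host, names)
    # An IP address in the URL never matches a dNSName, hence the
    # ldaps://127.0.0.1:636 failure mentioned in the text above.
    return False, "host %s not covered by certificate names %s" % (host, names)

# Constructed sample in getpeercert() shape; it is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.dir.example.com")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
}

if __name__ == "__main__":
    # To check a live server instead of the sample:
    #   ctx = ssl.create_default_context(cafile="example.pem")
    #   with ctx.wrap_socket(socket.create_connection((host, 636)),
    #                        server_hostname=host) as s:
    #       cert = s.getpeercert()
    in_2013 = 1370044800  # 2013-06-01 00:00:00 UTC, inside the sample validity
    for url in ("ldaps://ldap.example.com:636", "ldaps://127.0.0.1:636"):
        print(url, check_ldaps_cert(SAMPLE_CERT, url, now=in_2013))
```

Running the script prints a pass for ldaps://ldap.example.com:636 and a failure for ldaps://127.0.0.1:636 against the same certificate, which is the situation the paragraph above warns about; a certificate past its notAfter fails regardless of the name.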
Schema changes

In order to function correctly, PWM needs a number of attributes for application specific data storage. In theory, one could use existing, unused attributes of the right type, but to keep the directory clean and well organized, it is recommended to add new attributes to the directory schema. The table below shows the required attributes with the suggested (default) names and object identifiers.

Name             | OID                     | Type            | Single-valued
pwmEventLog      | 1.3.6.1.4.1.35015.1.2.1 | OctetString     | N
pwmResponseSet   | 1.3.6.1.4.1.35015.1.2.2 | OctetString     | N
pwmLastPwdUpdate | 1.3.6.1.4.1.35015.1.2.3 | GeneralizedT     | Y
pwmGUID          | 1.3.6.1.4.1.35015.1.2.4 | DirectoryString | Y

Next, an auxiliary object class needs to be defined that allows the attributes.

Name    | OID                     | Type
pwmUser | 1.3.6.1.4.1.35015.1.1.1 | Auxiliary

Of course, you are free to select different or existing attributes and object classes, but you then need to update the PWM configuration accordingly.
Users, groups and permissions

PWM needs, apart from the "normal" users, a set of "special" users and groups to perform certain actions. The list below gives an overview of the types of users and/or groups that must and may be set up. Some user/group types are optional and only necessary if a certain module is enabled.

PWM Proxy User (user; module: all)
The proxy user performs most actions, especially when no user is authenticated within the session. Actions that the proxy user performs are:
- looking up users
- testing LDAP connections
- validation of attributes and security questions during password reset
- reading user data
- (re)setting passwords
- creating new accounts (if the New User module is enabled)
The proxy user therefore needs access to the users in the user subtree and must be able to read and write:
- objectClass
- userPassword or equivalent password attributes
- pwmEventLog, pwmLastPwdUpdate, pwmGUID (or other configured attributes)
Additionally, the proxy user needs to have read access to most other attributes of normal users. Because these rights cover every user in the subtree, treat the proxy user's password like a directory administrator credential and do not reuse it elsewhere.

PWM Administrators (user or group; module: all)
PWM administrators can be a single user or a group of users. An administrator needs read access to the user tree of the directory, but actually does nothing to modify it. A PWM administrator can access administrative functions within PWM, but is not a directory administrator.

Test User (user; module: all)
Periodically, PWM tries to connect to the directory server and perform standard actions. In order to do this, PWM uses a test user account. PWM tries to set the password, perform a login, etc. The test user is a normal user account that must be allowed to modify its own password and some attributes.

Guest Administrators (user or group; module: Guest Registration)
If the Guest Registration module is selected, a user or group must be allowed to perform these actions. The user(s) must be granted directory permissions to:
- create users in a selected guest subtree
- read/set attributes and passwords for the guest accounts

Helpdesk Employees (user or group; module: Helpdesk)
If the Helpdesk module is enabled, a special user or group is allowed to access this module. Helpdesk employees are allowed and should be given directory permissions to view user account data, password modification and login data (not the password itself), like last login, last password change, account status, etc., and to set a new password if necessary.

Depending on your organization and separation of duties, it is possible to create new users or groups for the guest administrator or helpdesk functions, or to share the permissions with the PWM administrators. Normal users must be allowed to self-modify their own password, pwmResponseSet and the other attributes that are configured for the Update Profile module, if enabled.
NetIQ (Novell) eDirectory Integration

PWM has robust support for Novell eDirectory. The following features are supported:
- Read Universal Password policies and traditional password settings
- Correctly handle intruder lockout scenarios
- Read Universal Password challenge set policies, including localized policies
- Write forgotten password responses to NMAS for compatibility with Novell forgotten password clients
- Read forgotten password responses from NMAS for use by forgotten password recovery

eDirectory Schema

PWM uses eDirectory attributes to store data about users, including last password change time, last time PWM sent email notices about password expiration, and secret question/answer. PWM includes an "edirectory-schema.ldif" file in the schema directory that has the standard PWM schema extensions. The schema included uses an auxiliary class that is added to users as they use PWM, so the auxiliary class and attributes are removable from eDirectory in the future. Using the ICE command line the schema file can be imported with a command something like this:

ice -SLDIF -f edirectory-schema.ldif -DLDAP -s ldap.example.com -d cn=admin,o=o -w password

Note that a password given with -w is visible in the process list and the shell history; run the import from a console where that is acceptable.

The ldif file can also be imported using the ConsoleOne wizard, iManager, the ICE command line, and standard "ldapmodify" tools. If you do not wish to use the standard PWM schema, all the attributes used by PWM can be changed in the PWM configuration to attributes that are already available in the directory.
eDirectory Rights

PWM requires permission to perform operations in eDirectory. PWM uses two different eDirectory logins: one is a generic proxy user that is used for certain operations, in particular pre-authentication operations. Once the user is authenticated most operations will be performed with the user's own connection and permissions. The ldif file eDirectoryRights.ldif is included; it offers a sample basic configuration of a proxy user and also sets the ACLs for users that are required by PWM.

For a default configuration, the following rights are required for the proxy user to the user container(s):
- Browse rights to [Entry Rights]
- Read and Compare rights to pwmResponseSet and CN (or the otherwise configured naming attribute)
- Read, Compare and Write rights to objectClass, passwordManagement, pwmEventLog and pwmLastPwdUpdate
- Read and Compare rights to any attribute used by the ActivateUser servlet

For a default configuration, the following rights are required for each user to their own user entry:
- Browse rights to [Entry Rights]
- Read, Compare and Write rights to pwmResponseSet
- Read, Compare and Write rights to any attributes used in the UpdateAttributes servlet

To assign rights to each user, it is best to use the [This] security entry. Assigning rights to a parent level container to modify pwmResponseSet will allow any user in the container to modify the value of this attribute for any other user in the container, and thus allow a password reset by any user: whoever can overwrite another user's responses can then answer them. See the eDirectoryRights.ldif file for an example of the [This] security entry.

Optionally, PWM may also be given rights to read the password. This is configured as part of the eDirectory password policies. Normally, when a user uses PWM's Forgotten Password recovery feature, PWM will set the user's password to a randomly generated value during the recovery process. It does this so that when the user actually does set a new password, PWM can authenticate as the user using the random password, and then change the password using the user's own credentials. This process allows the directory to apply the normal change password effects, such as correctly setting the password expiration. However, if PWM is able to read the password of the user, it will not set an intermediate temporary password on the user.

PWM provides extensive logging to help troubleshoot installation and configuration issues. For best results during installation, set the log levels to "trace" in the log4jconfig.xml file, and monitor the output. Lower the level again once installation is complete: trace output is voluminous and records the details of user sessions.
eDirectory Interaction

With the default configuration, PWM performs all operations against eDirectory using generic LDAP calls unless NMAS support is enabled. Enabling NMAS allows for better error reporting and integration with eDirectory. Many operations are performed using the proxy user specified in the PWM configuration. However, if Always Use Proxy is set to true, then PWM will not bind as the user. Authentications will be handled using an LDAP compare, and every subsequent operation is performed with the proxy user's rights rather than the user's own, so keep the proxy user's rights to the minimum listed above. If the option to store NMAS responses is enabled, then whenever a user saves their responses using PWM, they will also be stored in NMAS. This allows Novell forgotten password clients to use the same responses. However, PWM itself cannot directly use these responses for forgotten password recovery.
OpenLDAP Integration

There are a few modifications that may be needed to the OpenLDAP configuration file, /etc/ldap/slapd.conf. Note that the modifications here are suggested as a template and may need to be customized to your own requirements. For example, if PWM is configured to enable New User Registration and use the cn attribute to test for object name uniqueness, then the following configuration edit would allow PWM to perform the LDAP equality check:

# Index cn to allow equality checks from the pwm webapp. This is
# used by the new user registration module to check whether a given
# username (cn) already exists in the LDAP directory.
index cn eq

Access control rules

Configuring access control rules properly for PWM can be challenging. The following ruleset can be used as a reference. It has been tested to verify that users (or the PWM admin) do not have any more privileges to the directory than absolutely required, but this configuration should be examined closely to ensure it does not allow any excess privileges in your environment. Remember that slapd uses the first "access to" clause whose target matches and, within it, the first "by" clause whose subject matches, so the order of the rules matters.

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it except the
# admin entry below.
#
# NOTE: this is mostly standard OpenLDAP configuration.
# The pwmadmin line can probably be omitted.
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=pwmadmin,dc=domain,dc=com" write
    by anonymous auth
    by self write
    by * none

# Grant access to subtree "ou=Accounts,dc=domain,dc=com" which contains
# the accounts created by pwm. Change this path to match your LDAP
# directory. Note that here we have two "classes" of pwm users.
# The dn="cn=pwmadmin,dc=domain,dc=com" user is used during the initial
# phases of new user registration to create the user in the directory.
# This is why the pwmadmin account needs to have write access to this
# subtree. Right after the user is created pwm binds to OpenLDAP as the
# newly created user, so "by anonymous auth" is required. The user also
# needs to be able to modify its own data, so "by self write" is also
# needed. If it is missing the user's password and/or personal information
# cannot be created/edited. This also prevents the new user registration
# from working properly.
access to dn.subtree="ou=Accounts,dc=domain,dc=com"
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=pwmadmin,dc=domain,dc=com" write
    by anonymous auth
    by self write
    by * none

# NOTE: this is standard OpenLDAP stuff (the root DSE must be readable).
access to dn.base="" by * read

# The admin dn has full write access, pwmadmin has full read access.
# The pwmadmin entry may not be required. Feel free to experiment.
access to *
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=pwmadmin,dc=domain,dc=com" read
    by * none
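Because slapd stops at the first matching "access to" and "by" clause, the safest way to confirm that a ruleset like the one above grants nothing beyond what PWM needs is to ask it concrete questions (can an anonymous bind read userPassword, can one account overwrite another's pwmResponseSet) before deploying it. The following Python script is an added example, not part of PWM or OpenLDAP: a small evaluator for the subset of slapd access-directive syntax used on this page (attrs=, dn.subtree=, dn.base=, *, and the who-forms *, anonymous, users, self and dn="..."), with the ruleset above embedded as a string and the entry names (alice, bob) constructed for the test.

```python
"""Added example (not part of PWM or OpenLDAP): a minimal evaluator for
the slapd.conf 'access to ... by ...' rules shown above. It models
slapd's first-match semantics closely enough to answer least-privilege
questions about a ruleset before it is deployed. Only the clause forms
used on this page are parsed."""
import shlex

# slapd access levels, lowest to highest; a grant at level X implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Turn slapd access directives into a list of (what, [(who, level), ...])."""
    rules, joined = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("access to"):
            joined.append(line)
        elif joined:
            joined[-1] += " " + line                  # continuation of the last rule
    for rule in joined:
        toks = shlex.split(rule)                      # honours the "..." quoting
        body = toks[2:]                               # after 'access', 'to'
        by_idx = body.index("by")
        what, clauses = body[:by_idx], body[by_idx:]
        bys = [(clauses[i + 1], clauses[i + 2]) for i in range(0, len(clauses), 3)]
        rules.append((what, bys))
    return rules

def _what_matches(what, target_dn, attr):
    if what == ["*"]:
        return True
    for tok in what:
        key, _, val = tok.partition("=")
        if key == "attrs":
            # attrs= rules apply to attribute access only, never to the entry itself
            return attr is not None and attr.lower() in val.lower().split(",")
        if key == "dn.base":
            return target_dn.lower() == val.lower()
        if key == "dn.subtree":
            t, v = target_dn.lower(), val.lower()
            return t == v or t.endswith("," + v)
    return False

def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    key, _, val = who.partition("=")
    return key == "dn" and bind_dn is not None and bind_dn.lower() == val.lower()

def allowed(rules, bind_dn, target_dn, attr, level):
    """bind_dn None means an anonymous bind; attr None means the entry itself.
    True only if the first matching rule's first matching 'by' grants >= level."""
    for what, bys in rules:
        if not _what_matches(what, target_dn, attr):
            continue
        for who, granted in bys:
            if _who_matches(who, bind_dn, target_dn):
                return LEVELS.index(granted) >= LEVELS.index(level)
        return False                                  # implicit 'by * none'
    return False                                      # no rule matched at all

# The ruleset from this section, base dc=domain,dc=com, reproduced verbatim.
PWM_ACL = """
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=pwmadmin,dc=domain,dc=com" write
    by anonymous auth
    by self write
    by * none
access to dn.subtree="ou=Accounts,dc=domain,dc=com"
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=pwmadmin,dc=domain,dc=com" write
    by anonymous auth
    by self write
    by * none
access to dn.base="" by * read
access to *
    by dn="cn=admin,dc=domain,dc=com" write
    by dn="cn=pwmadmin,dc=domain,dc=com" read
    by * none
"""
RULES = parse_acl(PWM_ACL)
# Constructed entry names for the checks below.
ALICE = "cn=alice,ou=Accounts,dc=domain,dc=com"
BOB = "cn=bob,ou=Accounts,dc=domain,dc=com"
PWMADMIN = "cn=pwmadmin,dc=domain,dc=com"

if __name__ == "__main__":
    print("anonymous can auth against alice's password:",
          allowed(RULES, None, ALICE, "userPassword", "auth"))
    print("anonymous can read alice's password:",
          allowed(RULES, None, ALICE, "userPassword", "read"))
    print("alice can overwrite bob's pwmResponseSet:",
          allowed(RULES, ALICE, BOB, "pwmResponseSet", "write"))
```

The last question is the OpenLDAP counterpart of the eDirectory [This] warning: with "by self write" the owner may change its own responses, and no clause lets one ordinary account touch another's.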
Schema extensions

PWM contains a few schema extensions which are distributed as LDIF files; however, some of the settings in them are Novell eDirectory-specific, so the following template can be used for OpenLDAP instead. Save it as /etc/ldap/schema/pwm.schema and add "include /etc/ldap/schema/pwm.schema" to slapd.conf after the standard schema includes. The OIDs are the default PWM assignments from the Schema changes section; substitute your own organization's OID arc if you maintain one.

# /etc/ldap/schema/pwm.schema
#
# Attribute OIDs: 1.3.6.1.4.1.35015.1.2.n
# Object class OIDs: 1.3.6.1.4.1.35015.1.1.n
#
attributetype ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.35015.1.2.3 NAME 'pwmLastPwdUpdate'
    EQUALITY generalizedTimeMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser'
    SUP top AUXILIARY
    MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID ) )

This allows PWM to track the pwm-specific attributes for each user.
OpenDS / OpenDJ Integration

OpenDS and the fork project OpenDJ require a couple of schema extensions and setting user rights for an administrator account, a proxy user and a test user.

Configuration change

By default clients are allowed to keep their connections open and reuse them for other operations. This can lead to problems under certain circumstances. To prevent this, clients must be forced to open a new connection for each operation. This can be done by setting ds-cfg-use-tcp-keep-alive=false for each of the connection handlers. Using an LDAP client (command line tool, LDAP browser or the Directory Console) look up the entry cn=LDAP Connection Handler,cn=Connection Handlers,cn=config and add the attribute ds-cfg-use-tcp-keep-alive with the value false. Repeat this for cn=LDAPS Connection Handler,cn=Connection Handlers,cn=config.
Schema Extensions

The easiest way to extend the schema is using the OpenDS Control Panel (or OpenDJ Control Panel). Log in as "cn=Directory Manager" (the default; otherwise your configured administrative account). Click Schema > Manage Schema. A new window opens, where new attributes and object classes can be configured.

First add four attributes:
- Event Log: Name: pwmEventLog, Syntax: OctetString
- Response Set: Name: pwmResponseSet, Syntax: OctetString
- Last Password Update: Name: pwmLastPwdUpdate, Syntax: GeneralizedTime
- PWM account GUID: Name: pwmGUID, Syntax: DirectoryString

Then create a new objectClass:
- Name: pwmUser
- Parent: top
- Optional Attributes: pwmEventLog, pwmResponseSet, pwmLastPwdUpdate, pwmGUID
- Type (Extra Options > Type): Auxiliary
Access Rights

The fastest way to set up a directory structure with the proper rights is using an LDIF file. An example is provided below. This example defines:
- The base object (dc=example,dc=com)
- The user tree (ou=Users,dc=example,dc=com) with an access control list that allows the pwmproxy user to modify users (set password, add pwm attributes). Depending on your situation, you may have to add attributes to the list of target attributes.
- An admin user and group for access to the admin interface.
- A proxy user, used by PWM to set passwords and attributes on recovery.
- A test user used by PWM for testing the configuration.
- An example test user account.

The userPassword values below are placeholders and sit in the file in clear text: replace them before importing and restrict who can read the file.

dn: dc=example,dc=com
dc: example
objectClass: domain
objectClass: top

dn: ou=Users,dc=example,dc=com
ou: Users
objectClass: organizationalUnit
objectClass: top
aci: (target = "ldap:///cn=*,ou=Users,dc=example,dc=com")(targetattr = "objectClass || pwmGUID || pwmLastPwdUpdate || pwmResponseSet || pwmEventLog || userPassword || authPassword")(version 3.0; acl "PWM Proxy Access"; allow (read,write,search,compare) userdn="ldap:///cn=pwmproxy,ou=Users,dc=example,dc=com";)

dn: cn=pwmadmin,ou=Users,dc=example,dc=com
userPassword: @dm1nPassw0rd
givenName: PWM
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
uid: pwmadmin
cn: pwmadmin
sn: Admin

dn: cn=pwmproxy,ou=Users,dc=example,dc=com
userPassword: Pr0x4P@ssw0rd
givenName: PWM
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
uid: pwmproxy
cn: pwmproxy
sn: Proxy
ds-privilege-name: password-reset

dn: cn=pwmtest,ou=Users,dc=example,dc=com
givenName: PWM
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
uid: pwmtest
cn: pwmtest
sn: Test

dn: cn=test1,ou=Users,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: top
givenName: Test
mobile: 012345678
uid: test1
cn: test1
sn: User1
userPassword: T3stP@ssw0rd

dn: cn=pwmAdminGroup,ou=Users,dc=example,dc=com
uniqueMember: cn=pwmadmin,ou=Users,dc=example,dc=com
cn: pwmAdminGroup
objectClass: groupOfUniqueNames
objectClass: top

Additional permissions may be required for specific modules like the Helpdesk, New User and Guest Registration modules.
389 and Red Hat Directory Server Integration

The 389 Directory Server (formerly known as Fedora Directory Server) is the community version of the Red Hat Directory Server and is commonly used on Fedora and CentOS. The following instructions have been developed and tested on 389DS version 1.2.10 (CentOS 6.3) for use with Red Hat Directory Server version 9.0 on Red Hat Enterprise Linux version 6.3. The 389-console (redhat-idm-console on Red Hat Directory Server) is the graphical admin console program for the 389 Directory Server and can be used to set the configurations in this section graphically. Before proceeding with the following integration steps you should first have Tomcat and the PWM application installed, as well as the basic PWM LDAP configuration in place using the Configuration Editor.
Enable MemberOf Overlay

Reference: Red Hat Directory Server 9.0 Administration Guide

Due to the way that PWM checks for group membership, this plugin must be enabled (it is disabled by default) in order to use the Helpdesk and Admin modules. It can also be useful when checking the group membership of authenticated users in external applications. The MemberOf plugin requires that users include the inetUser object class, so be sure to add this class to your New User Registration module. Once populated, the following can be used to check whether a user belongs to the pwmadmins group:

$ ldapsearch -x -D "cn=Directory Manager" -W -b "uid=testuser,ou=People,dc=example,dc=com" "(memberOf=cn=pwmadmins,ou=Groups,dc=example,dc=com)" dn

If successful the user's dn will be returned. Filters in the General and Helpdesk modules, which normally use the groupMembership attribute, should instead be updated to use memberOf as shown above once the plugin has been enabled and the fixup script has been run.
Schema Changes

Graphical console method:

1. Bring up the admin console by running 389-console (redhat-idm-console on Red Hat).
2. Log in as the admin user to the management console.
3. Choose the Directory instance that you want to configure PWM with from 'Server Group'.
4. Double click to open the Directory Server admin console.
5. Choose the Configuration tab.
6. Choose the Schema node from the directory tree.
7. Click on the Attributes tab.
8. Click on the Create button.
9. This should pop up an attribute creation window.
10. For pwmEventLog:
    a. Enter pwmEventLog as Attribute name.
    b. Enter 1.3.6.1.4.1.35015.1.2.1 as Attribute OID (optional).
    c. Choose OctetString for Syntax.
    d. Mark this as a 'Multivalued' attribute and click OK.
11. For pwmResponseSet:
    a. Enter pwmResponseSet as Attribute name.
    b. Enter 1.3.6.1.4.1.35015.1.2.2 as Attribute OID (optional).
    c. Choose OctetString for Syntax.
    d. Mark this as a 'Multivalued' attribute and click OK.
12. For pwmLastPwdUpdate:
    a. Enter pwmLastPwdUpdate as Attribute name.
    b. Enter 1.3.6.1.4.1.35015.1.2.3 as Attribute OID (optional).
    c. Choose GeneralizedTime for Syntax.
    d. Click OK.
13. For pwmGUID:
    a. Enter pwmGUID as Attribute name.
    b. Enter 1.3.6.1.4.1.35015.1.2.4 as Attribute OID (optional).
    c. Choose DirectoryString for Syntax.
    d. Click OK.
14. Then create the new objectclass pwmUser:
15. Click on the Schema node again from the directory tree.
16. Click on the Object Classes tab.
17. Click on the Create button at the bottom of the console.
18. This should pop up a Create Object Class window.
19. Provide the following and click OK:
    a. Enter pwmUser as Name.
    b. Enter 1.3.6.1.4.1.35015.1.1.1 as OID (the object class must not reuse one of the attribute OIDs above).
    c. Choose pwmEventLog, pwmResponseSet, pwmLastPwdUpdate and pwmGUID from the Available Attributes and click Add to make them Allowed Attributes. Make sure you click the Add button at the bottom.
Command line LDIF method:
The easiest way to extend the schema of 389 Directory Server is to add a custom LDIF file named 99-PWMschema.ldif in /etc/dirsrv/slapd-<instance>/schema (<instance> is your directory instance name). Create it with the following contents, adjusting the example.com and ldapserver values to your LDAP information. Restart the directory server to make the changes take effect.

dn: cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr ="aci")(version 3.0;acl "anonymous no acis"; allow (read search compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=ldapserver,cn=389 Directory Server,cn=Server Group,cn=ldapserver.example.com,ou=ldapserver.example.com,o=NetscapeRoot";)
attributetypes: ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.3 NAME 'pwmLastPwdUpdate' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
objectclasses: ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser' DESC '' SUP top AUXILIARY MAY ( pwmEventLog $ pwmGUID $ pwmLastPwdUpdate $ pwmResponseSet ) X-ORIGIN 'user defined' )
Users and Groups
1. Create hashed passwords for the PWM users using the slappasswd command. These hashes are used so that the user passwords can be set more securely in the LDIF file (no cleartext password is written to disk). Example:

    slappasswd -u -h {SSHA}

2. Create the following LDIF file as /root/PWMusers.ldif with your directory information (do not use the hashes below; replace them with the hashes generated in step one above):

dn: uid=pwmproxy,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pwmproxy
sn: Proxy
givenName: PWM
cn: pwmproxy
displayName: PWM Proxy
userPassword: {SSHA}<hash generated in step 1>

dn: uid=pwmtest,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: pwmtest
sn: Test
givenName: PWM
cn: PWM Test
displayName: PWM Test
userPassword: {SSHA}<hash generated in step 1>

3. Load the LDIF file using ldapadd. Example:

    ldapadd -D "cn=Directory Manager" -W -f /root/PWMusers.ldif

4. Create the following LDIF file as /root/PWMgroups.ldif with your directory information:

dn: cn=pwmAdmins,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: pwmAdmins

5. Load the LDIF file using ldapadd. Example:

    ldapadd -D "cn=Directory Manager" -W -f /root/PWMgroups.ldif
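The following is an added example, not part of the PWM guide or the 389 DS tooling. It reproduces the {SSHA} value format that slappasswd -h {SSHA} emits (base64 of SHA-1 over password plus salt, followed by the salt), shows how such a value is verified, and renders a user entry in the shape of /root/PWMusers.ldif with a hashed userPassword. The sample password and entry values are constructed for the example.

```python
import base64
import hashlib
import os

# Added example; not part of the PWM guide or the 389 DS tooling. Reproduces
# the {SSHA} userPassword format that slappasswd -h {SSHA} produces, so the
# LDIF can carry a salted hash rather than a cleartext password.

SSHA_PREFIX = "{SSHA}"

def ssha_hash(password, salt=None):
    """Return base64(sha1(password + salt) + salt) with the {SSHA} prefix."""
    if salt is None:
        salt = os.urandom(4)  # four random salt bytes, the slappasswd default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes; the remainder is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return candidate == digest

def user_ldif(uid, sn, cn, password, base_dn="dc=example,dc=com"):
    """Render one inetOrgPerson entry in the shape of /root/PWMusers.ldif with a hashed userPassword."""
    return "\n".join([
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"sn: {sn}",
        "givenName: PWM",
        f"cn: {cn}",
        f"displayName: {cn}",
        f"userPassword: {ssha_hash(password)}",
    ]) + "\n"

if __name__ == "__main__":
    # constructed sample: the proxy account from step 2 with a sample secret
    print(user_ldif("pwmproxy", "Proxy", "pwmproxy", "constructed-sample-secret"))
```

Because the salt is random, two runs over the same password yield different {SSHA} strings; verification extracts the salt from the stored value, which is why the LDIF can be regenerated without knowing the earlier hash.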
Access Control
Warning: the following ACI example may delete custom ACIs your organization has added. Do not use this example on a production system until it has been tested against your configuration first!
The following ACIs:
- allow pwmproxy to search all attributes in ou=People
- allow pwmproxy to add users to ou=People
- allow pwmproxy to write the necessary user attribute values in ou=People
- allow all users to write their own pwmResponseSet attribute (in addition to the defaults)
1. Create the following LDIF file as /root/PWMacis.ldif with your directory information (adjust the dc=example,dc=com suffix). Note that "replace: aci" overwrites every existing aci value on ou=People, which is why the warning above applies.

dn: ou=People,dc=example,dc=com
changetype: modify
replace: aci
aci: (targetattr = "*")(target = "ldap:///ou=People,dc=example,dc=com")(version 3.0; acl "PWM Proxy Search"; allow (read,search)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=example,dc=com");)
aci: (targetattr = "*")(target = "ldap:///ou=People,dc=example,dc=com")(version 3.0; acl "PWM Proxy Add Users"; allow (add)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=example,dc=com");)
aci: (targetattr = "pwmGUID || pwmLastPwdUpdate || userPassword || objectClass || pwmEventLog")(target = "ldap:///ou=People,dc=example,dc=com")(version 3.0; acl "PWM Proxy Reset Password"; allow (write)(userdn = "ldap:///uid=pwmproxy,ou=People,dc=example,dc=com");)
aci: (targetattr="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

2. Load the LDIF file using ldapmodify. Example:

    ldapmodify -D "cn=Directory Manager" -W -f /root/PWMacis.ldif
Other Integration Notes
These additional considerations apply to 389 Directory Server.
1. Since 389 Directory Server uses uid rather than cn as the default naming attribute, you must set the Username search filter (in LDAP Directory settings, Advanced Settings) to (&(objectClass=person)(uid=%USERNAME%)).
2. You must change the PWM Admin Query String and Helpdesk Query Match settings (in the LDAP Directory and Helpdesk configuration editor) to use the memberOf attribute instead of groupMembership.
3. The default setting to merge the PWM password policy with the directory password policy does not work at this time. Therefore it should be set to use PWM only (in Advanced Settings). The PWM Password Policies should then match or exceed the password policy you set on the directory server itself.
4. The New User Registration module should be updated to include the pwmUser and inetUser object classes in Default Object Classes. You may also want to add these object classes to pre-existing users. PWM will probably add these classes automatically when users log into PWM for the first time and create their response sets, but if you have issues make sure these object classes are added to the user.
5. For security purposes it is highly recommended that PWM is reverse proxied through Apache to hide the PWM configuration panel and other sensitive webapps. This also provides SELinux protection, since Tomcat runs unconfined without extensive policy additions. The following example Apache proxy configuration can be used to proxy PWM through an SSL protected Apache installation with a proper iptables firewall configuration. Future access to the configuration editor will then only be possible on the local system or the local trusted network as defined by your firewall configuration.

    # Paths that must never be forwarded to Tomcat: a target of "!" tells
    # Apache not to proxy them, so they must be listed before the /pwm rule.
    ProxyPass /webapps/ROOT !
    ProxyPass /examples !
    ProxyPass /sample !
    ProxyPass /manager !
    ProxyPass /host-manager !
    ProxyPass /pwm/private/admin !
    ProxyPass /pwm/config !
    ProxyPass /pwm http://localhost:8080/pwm
    ProxyPassReverse /pwm http://localhost:8080/pwm

6. If reverse proxying PWM through Apache, SELinux will by default prevent Apache from connecting to Tomcat. This can be easily rectified. While you can enable the SELinux boolean httpd_can_network_connect, a far more secure option is to add a new policy module that allows only the connection to Tomcat's port, such as the following:

    module http-tomcat 1.0;

    require {
        type httpd_t;
        type http_cache_port_t;
        class tcp_socket name_connect;
    }

    allow httpd_t http_cache_port_t:tcp_socket name_connect;
Active Directory Integration
PWM has support for standard change password functionality against Active Directory. Forgotten Password support also functions correctly with PWM. Because many AD sites find extending the AD schema to be impractical, the recommended approach for AD integration is to use an RDBMS database to store users' challenge/response answers. This allows PWM to support forgotten password functionality with AD without extending the schema.
Microsoft ADAM / AD LDS
ADAM / AD LDS (Active Directory Lightweight Directory Services) will need a few tweaks depending on which PWM features are used. Since ADAM/AD LDS cannot and does not store a password policy, all user accounts will use either the local system password policy or the domain password policy if the ADAM/AD LDS host is domain-joined. As a result, your application may use an ADAM/AD LDS-specific user and you might think that there is no password expiry. This is not the case, so please consult your Active Directory and local password policies to check the password expiry settings. This will help to maintain service continuity for your application.
If a new user is created in ADAM/AD LDS and it doesn't comply with the password policy, it will be disabled by default. If the password policy can't be changed, there is a workaround: add this value to each user:

    msDS-UserAccountDisabled: FALSE

These commands should be tested in a test environment before applying them to a production environment.
By default only members of Administrators have the right to change passwords. The example below modifies ADAM / AD LDS to allow everyone in OU=PWMUSERS to reset passwords (<port> is the port of your ADAM/AD LDS instance):

    dsacls "localhost:<port>\OU=PWMUSERS,DC=PWMADAM,DC=net" /I:S /G "SELF:CA;Reset Password"

A default PWM configuration needs all users to be members of (at least) Readers and Users. This can be a problem if you want to use the New User Registration or the Register Guest User features. The example below modifies ADAM / AD LDS to give everyone Generic Read in OU=PWMUSERS:

    dsacls "localhost:<port>\OU=PWMUSERS,DC=PWMADAM,DC=net" /I:T /G everyone:GR

The User Activation feature uses the attribute vehicleInformation to store the value pwmNewAccount for accounts that can be activated, and pwmActivated for accounts that have been activated. This attribute is missing in ADAM / AD LDS, and one way to fix that is to replace vehicleInformation with an unused attribute (for example carLicense).
Web Integration and Page Flow
PWM has been designed and tested to work well with portals and web access gateways. PWM uses a very simple page flow model, with limited opportunity for configuration or changes. However, the settings that are available, combined with some creative HTTP redirecting, can allow for very customized scenarios. It is helpful not to think of PWM as a standard web application with meaningful user navigation; instead, the general intent is to place the user on a PWM page, complete a function, then redirect the user elsewhere. This keeps with the notion that password functions are typically not regarded as something the user desires to do, but rather as an interruption or “security wall” around the desired content.
PWM uses two configurable URLs, the logoutURL and the forwardURL. These URLs are configured as part of PWM's general configuration. However, they can be overridden for any particular session by including the HTTP parameters forwardURL or continueURL on any request during the session.
After completing a function, the user will be redirected to the forwardURL, except if the password has been modified and the Logout After Password Change setting is set to true. In that case, the user will be redirected to the logoutURL instead.
There are two exceptions where a user is not immediately redirected to the forwardURL. The first is when the Check Expiration During Authentication setting is set to true and the user's password has been determined to be expired. If this is the case, the user is redirected to the change password screen (or possibly the password expiration warning page if the expiration is within the Expire Warn Time window). After the password change is completed, the user is then redirected back to the forwardURL/logoutURL.
The second exception is when the Force Setup of Challenge Responses setting is set to true, the user matches the Challenge Response Query Match and the user does not have valid PWM responses configured. In this case, the user is redirected to the setup responses module. Once complete, the user is then redirected back to the forwardURL/logoutURL.
PWM Page Flow (diagram)
Access Gateways
PWM supports HTTP Basic authentication. If an HTTP "Authorization" header is present, PWM will use the credentials in the header to authenticate the user. It is best practice to use the entire user DN as the username, but simple usernames will also be accepted and PWM will attempt to search the directory for the correct user.
Some parts of PWM need to be publicly accessible, such as the forgotten password modules and new user registration. To support this, configure the following URLs as public or restricted in your proxy or gateway configuration. Assuming PWM is set up so the user enters the following URL to access PWM:

    http://password.example.com/pwm

add the following protected URLs:

URL                                          Mode
password.example.com/                        Public
password.example.com/pwm/public/             Public
password.example.com/pwm/public/resources/   Public
password.example.com/pwm/private/            Restricted
password.example.com/pwm/private/admin/      Restricted
password.example.com/pwm/config/             Restricted

If your access gateway supports it, you should configure it to redirect to PWM if the password is expired. For the expired password URL use:

    http://password.example.com/pwm/private/ChangePassword?passwordExpired=true

Optionally you can modify your login page to add links to the public NewUser page or Forgotten Password page.
Request Parameters
A variety of commands to PWM can be specified as parameters on URLs. Parameters are case sensitive. These request parameters can be placed on any link that will access PWM. An example follows:

    http://password.example.com/pwm/private/ChangePassword?passwordExpired=true&forwardURL=http://www.example.com

Parameter         Example                                              Effect
passwordExpired   passwordExpired=true                                 Setting this parameter makes PWM override the state of the user's password expiration.
forwardURL        forwardURL=http%3A%2F%2Fwww.example.com%2Fmain.html  Sets the forwardURL to “http://www.example.com/main.html”. The value must be URL encoded.
logoutURL         logoutURL=%2Fpwm                                     Sets the logoutURL to “/pwm”. The value must be URL encoded.
pwmLocale         pwmLocale=en                                         Given a valid browser locale code, PWM will switch to the given locale for display of all localized text.
Command Servlet
The CommandServlet allows you to redirect a user to PWM and have it perform some specific command. Typically, you would use the CommandServlet functions during a user's login sequence to a portal or some other landing point. Ideally, these functions work best when used with a proxy, access gateway, or some other device that will auto-authenticate the user. Otherwise, the user will have to authenticate to PWM during every login. CommandServlet calls can be combined with any of the request parameters described above, such as the forwardURL parameter. For example, the user login redirect sequence may proceed as follows:

URL: http://portal.example.com
    Initial request from browser
URL: http://portal.example.com/Login
    Access gateway redirects to login page
URL: http://portal.example.com/
    Access gateway redirects back to portal root
URL: http://portal.example.com/index.html
    Web server redirects to index.html
URL: http://password.example.com/pwm/private/CommandServlet?processAction=checkAll&forwardURL=http%3A%2F%2Fportal.example.com%2Fportalpage.html
    index.html has a meta redirect to the PWM checkAll CommandServlet with a URL-encoded forwardURL value
URL: http://portal.example.com/portal/main.html
    PWM redirects back to the actual portal URL

The index.html described above would have the following content:

<html>
<head>
<meta http-equiv="REFRESH" content="0; URL=http://password.example.com/pwm/private/CommandServlet?processAction=checkAll&forwardURL=http%3A%2F%2Fportal.example.com%2Fportalpage.html"/>
</head>
<body>
<p>If your browser doesn't automatically load click <a href="http://password.example.com/pwm/private/CommandServlet?processAction=checkAll&forwardURL=http%3A%2F%2Fportal.example.com%2Fportalpage.html">here</a>.</p>
</body>
</html>
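The following is an added example, not code from the PWM project. It assembles the CommandServlet redirect from the login sequence above with a correctly URL-encoded forwardURL (the %3A%2F%2F form the table shows), decodes it back to the destination PWM will redirect to, and renders the meta-refresh index.html that carries it. The host names are the guide's examples; the allow-list of hosts a forwardURL may point back to is an assumption made for this example, so a portal page generator does not emit redirects to unintended destinations.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Added example; not code from the PWM project. Builds the CommandServlet
# redirect used in the login sequence above and the meta-refresh index.html.

PWM_BASE = "http://password.example.com/pwm"
# Assumed for this example: the only hosts a generated forwardURL may point back to.
ALLOWED_FORWARD_HOSTS = ("portal.example.com",)

def command_url(action, forward_url, allowed_hosts=ALLOWED_FORWARD_HOSTS):
    """Build a CommandServlet URL for `action` carrying a URL-encoded forwardURL.

    The destination host is checked against the allow-list before the link is
    built, so the page generator only ever sends users back to its own portal.
    """
    host = urlsplit(forward_url).hostname
    if host not in allowed_hosts:
        raise ValueError(f"forwardURL host {host!r} is not an allowed destination")
    # safe="" also encodes ':' and '/', producing the %3A%2F%2F form shown in the guide
    encoded = quote(forward_url, safe="")
    return f"{PWM_BASE}/private/CommandServlet?processAction={action}&forwardURL={encoded}"

def forward_target(url):
    """Decode the forwardURL parameter back out of a CommandServlet URL (where PWM will send the user)."""
    return parse_qs(urlsplit(url).query)["forwardURL"][0]

def index_html(redirect_url):
    """Render the meta-refresh page from the guide; html.escape keeps '&' and quotes valid inside attributes."""
    target = html.escape(redirect_url, quote=True)
    return (
        "<html>\n<head>\n"
        f'<meta http-equiv="REFRESH" content="0; URL={target}"/>\n'
        "</head>\n<body>\n"
        f'<p>If your browser doesn\'t automatically load click <a href="{target}">here</a>.</p>\n'
        "</body>\n</html>\n"
    )

if __name__ == "__main__":
    url = command_url("checkAll", "http://portal.example.com/portalpage.html")
    print(url)
    print(index_html(url))
```

The same builder serves the checkExpire, checkResponses and checkProfile commands described below by passing a different `action`.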
Commands
checkExpire
    http://password.example.com/pwm/private/CommandServlet?processAction=checkExpire
Checks the user's password expiration. If the expiration date is within the configured threshold, the user will be required to change password.
checkResponses
    http://password.example.com/pwm/private/CommandServlet?processAction=checkResponses
Checks the user's challenge responses. If no responses are configured, the user will be required to set them up.
checkProfile
    http://password.example.com/pwm/private/CommandServlet?processAction=checkProfile
Checks the user's profile. If the user's attributes do not meet the configured requirements, the user will be required to set their profile attributes.
checkAll
    http://password.example.com/pwm/private/CommandServlet?processAction=checkAll
Calls checkExpire, checkResponses and checkProfile consecutively.
Internationalization
PWM is fully internationalized, and comes with several localized languages. Only pages and configuration options that affect end users are internationalized. Most administrator screens are not localized or internationalized. PWM uses the locale reported by the browser. Browser locale selection can be overridden by setting a “pwmLocale” parameter in any request. The value must be an ISO language code like “en”, “fr”, etc. Additionally, a user can select a locale by clicking on the current locale displayed in the footer of most PWM pages.
Display Page Configuration
The default display strings can be overridden as part of the PWM configuration. Using the PWM Configuration Manager, select Display from the menu and edit the display, message or error strings displayed to users.
Challenge Questions
PWM takes special consideration for Challenge/Response settings. Different challenges can be configured for each potential locale. Not only can the challenges be different, but the number of challenges and the number of random challenges can be different as well. PWM will determine which set of challenges to use based on the locale of the browser during the SetupResponses process. Responses stored in LDAP are tied to the locale of the challenge set. From then on, PWM will display and check the challenges of the user based on the locale they were entered in. For example, if a user sets up their responses in French, and then logs into PWM to recover their password from an English web browser, the challenges will display in French, and the user must enter the French responses. If the user then sets up responses in a different language, the new language responses will overwrite the old responses.
Alternative translations
For some languages, multiple versions of the default localisation may be provided. Alternative versions could be provided because a language allows for both a formal and an informal form of communication, or because a dialect is used for which no official locale is defined. Only one version of a locale (language, region) can be used at a time. Therefore, alternative translations are available in the supplemental/i18n folder of the PWM distribution. In order to use an alternative translation, there are two options:
- Copy the alternative version (e.g. supplemental/i18n/Display_nl-colloquial.properties and supplemental/i18n/Message_nl-colloquial.properties) over the standard version within the source distribution (e.g. to servlet/src/password/pwm/config/Display_nl.properties and servlet/src/password/pwm/config/Message_nl.properties). Then rebuild and deploy the WAR file.
- Copy the alternative version over the already deployed language files, found under /WEB-INF/classes/password/pwm/config. Then restart the PWM application.
Themes
PWM comes with a couple of standard themes. Each theme is an extension or modification of the (original) default theme. Themes are located under /resources/themes/. Each theme consists of a directory containing at least the files pwmStyle.css and pwmMobileStyle.css. These files override the standard /resources/pwmStyle.css and /resources/pwmMobileStyle.css, respectively. A simple theme, like the blue theme, changes a couple of colours, replaces the header background and adds a company logo to the page header:

    #header {
        width: 100%;
        height: 70px;            /* first digit illegible in the source; 70px assumed */
        margin: 0;
        background-image: url('header-gradient.gif');
    }
    #header-company-logo {
        position: relative;
        float: left;
        background-image: url(logo.png);
        top: 10px;
        left: 10px;
        width: 50px;
        height: 50px;
        z-index: 1;
    }
    #centerbody {
        background-color: #eeeeee;
        padding: 10px 10px 40px 10px;
        border: solid 1px #000088; /* border width illegible in the source; 1px assumed */
        border-radius: 10px;       /* value missing in the source; 10px assumed */
    }
    .message-info {
        background-color: #ccccff; /* only "#cc" survives in the source; #ccccff assumed */
    }
    .message-error {
        background-color: #ffcccc;
    }
    .message-success {
        background-color: #50c1f4; /* first hex digit illegible in the source; 5 assumed */
    }

Any file referred to from the stylesheet, like includes and images, must be placed in or under the same directory where the stylesheet itself resides. So the blue theme directory contains:
- pwmStyle.css
- pwmMobileStyle.css
- header-gradient.gif
- logo.png
- README.txt
More advanced examples with different layouts, rounded corners, layers, transparency and background images can be found in other themes like “Red”, “Tulips” and “Water”. There is a special theme called “custom”, which is merely an example and meant to be customized. You can test changes by configuring the custom theme as the site theme and simply modifying the deployed custom theme. Reloading your page will apply your changes immediately. Be sure to keep a copy of your modifications to be included in your next release when upgrading.
Wordlists
PWM is capable of checking user-entered passwords and disallowing those found in a predefined password dictionary wordlist. The dictionary in use is configured by setting the "password.WordlistFile" setting in pwmSetting.properties. The wordlist is a ZIP file containing one or more plain text files with one word per line. To facilitate speedy checking of the dictionary during password changes, PWM compiles the wordlist into a local embedded database (LocalDB). By default, PWM uses the BerkeleyDB embedded database, and stores its files in the WEB-INF/localDB directory. With logging set to trace, PWM will output the status of the wordlist compile to the log. The compile process only needs to run once, unless the wordlist ZIP file is modified.
The default distribution of PWM contains a wordlist that includes about 8 million words of common passwords found in many systems. Larger wordlists containing tens of millions of words in a variety of languages are available on the PWM website. PWM has been tested with wordlists of that size; however, the initial wordlist compile time can be lengthy. Seedlists are used by PWM to generate random passwords for users. The seedlists are used as a basis for a new random password, but are sufficiently modified to guarantee randomness and also to meet the configured policy for the user.
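The following is an added example, not PWM's own implementation. It shows the wordlist ZIP format described above (one or more plain-text files, one word per line) and a lookup of a candidate password against the compiled set of words. PWM compiles the words into its LocalDB; an in-memory set stands in for that here. The file names and words are constructed for the example.

```python
import io
import zipfile

# Added example; not PWM's own code. Demonstrates the wordlist ZIP layout
# (text files, one word per line) and a case-insensitive dictionary check.

def build_wordlist_zip(files):
    """Pack {file name: [words]} into ZIP bytes, one word per line per file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, words in files.items():
            zf.writestr(name, "\n".join(words) + "\n")
    return buf.getvalue()

def compile_wordlist(zip_bytes):
    """Read every file inside the ZIP and return one lower-cased set of words (blank lines skipped)."""
    words = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                for line in io.TextIOWrapper(fh, encoding="utf-8", errors="replace"):
                    word = line.strip()
                    if word:
                        words.add(word.lower())
    return words

def in_wordlist(password, words):
    """True when the password appears in the dictionary, ignoring case."""
    return password.lower() in words

# Constructed sample wordlist: two text files inside one ZIP.
SAMPLE_WORDLIST_ZIP = build_wordlist_zip({
    "common-passwords.txt": ["password", "123456", "qwerty", "letmein"],
    "seasons.txt": ["Summer", "Winter", ""],
})

if __name__ == "__main__":
    words = compile_wordlist(SAMPLE_WORDLIST_ZIP)
    for candidate in ("Password", "summer", "correct horse battery staple"):
        print(candidate, "-> rejected" if in_wordlist(candidate, words) else "-> accepted")
```

The case-insensitive comparison is a design choice for the example: a dictionary entry is no less guessable when the user changes its capitalisation.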
Global Password History
A separate wordlist dictionary is used to provide a global password history. This wordlist is not pre-populated by any file; instead it is populated with a user's old password during any password change. This has the effect of preventing any two users from using the same password over time. For security reasons, only the user's old password is stored. Administrators should evaluate this feature closely before enabling it. This setting is controlled with the Shared Password History Age setting in the PWM Configuration. PWM will periodically purge the global password history of any passwords older than this age. A value of several months or years is appropriate. The unit for the setting is seconds.
LocalDB Database
To store wordlists, event logs and statistics, PWM uses an on-disk embedded database. Several different database implementations are available. The default is the BerkeleyDB embedded database. The default settings are intended to be self-sufficient, and should not require any administrator interaction or maintenance. The LocalDB location and other settings are tunable in the ConfigurationManager.
PWM Command Line Tools
PWM offers a command line tool for various functionality. The command line tool is called from a script in PWM's “WEB-INF” directory.

Script        Description
Command.bat   Windows BAT file script wrapper for calling the PWM Command Line tools
Command.sh    Linux/Unix shell script wrapper for calling the PWM Command Line tools

Running the PwmCommand script wrapper will output a list of the various commands and options available. Before running the script you will need to set the
Policies
PWM uses a matrix of configurations for determining the correct password and challenge/response policies for a given user. PWM gives detailed information about the discovered policies at authentication time at the TRACE log level.
Password Policy
Each password policy setting is available in the PWM Configuration. These password policies represent "minimum" policies that will be applied to the user. If the directory type setting is Novell eDirectory and the configuration setting Read eDirectory Password Policy is set to true, then PWM will attempt to locate a Universal Password policy configured for the user. If one is found, the policy is merged with the policies set in the PWM Configuration; the most restrictive of any two settings is used. When using eDirectory, PWM will attempt to read the legacy password policy settings directly from the user object in the case where the user does not have a Universal Password policy assigned. For example, if the Universal Password policy sets a minimum password length of 4 and the PWM Configuration sets a higher Password Minimum Length, the higher PWM value is enforced for the user.
Challenge Policy
For challenge questions, PWM can read both the PWM Configuration and the configuration stored in eDirectory Universal Password policies. This behaviour is controlled (and can be disabled) in the eDirectory configuration settings. Challenge policies can be localized for the user's language. If localized policies are discovered in the LDAP directory, PWM will honour them. PWM can also be configured to require that all random password questions be entered at setup time. In this case, the questions are presented randomly to the user when trying to reset a forgotten password. This is the standard behaviour with eDirectory challenges.
Alternatively, PWM can allow the user to provide responses for only the minimum number of required random responses at setup time. Then only those responses will be required when resetting a forgotten password. This behaviour reflects more common forgotten password scenarios encountered on the Internet, but is less secure.
Logging
PWM uses Apache Log4j, a common Java logging engine. The available log levels are:
    trace
    debug
    info
    error
    warn
    fatal
For normal operations, "info" level should be sufficient. "trace" level is recommended during initial configuration. Logging is controlled by editing the PWM Configuration. Alternatively, PWM can be configured to register a log4j XML configuration file. A default sample configuration, log4jconfig.xml, is included. The default logging configuration logs the info level to stdout. When used with Tomcat, this will log to Tomcat's logs/catalina.out file. PWM also stores a temporary log of recent events in the LocalDB. This log is accessible in the administrator screens and is useful for checking recent PWM activity.
Captchas
PWM has integrated support for Captcha protection. The captcha makes it more difficult for an attacker to launch an automated attack against PWM. PWM uses the online reCAPTCHA service for captcha generation and validation. You will need to configure a reCAPTCHA account to use the service; reCAPTCHA accounts are free. The online service approach ensures that the captcha technology is continuously improved to make it difficult to compromise. The reCAPTCHA account parameters are configured in the PWM Configuration.
SMS (otifi#ations As of version C..E 6M6 notifications will be available in several parts of the application# @ Password recovery @ %ew &ser account creation @ %ew Guest account creation !or 6M6 notifications, you need to have access to an ;P or ;P6 based 6M6 gateway service. Many paid services are available on the /nternet.
&onfiguration he configuration is set up to be usable for many different service providers. he following configuration options are available. @ User "#" $umber %ttribute# enter the '4AP attribute name for the mobile phone number to be used for 6M6 notifications. his number should be in full international format, i.e. a plus sign, country code, region code (without 0ero) and subscriber number# e.g. XLCDC+LEDJR. 6ome other formats can be recogni0ed and reformatted into the international format, combined with the default country code (below). !or e*ample a 4utch mobile phone number starts with -D, the 4utch country code is LC. A mobile phone number like -DC+LEDJR would be rewritten to XLCDC+LEDJR. @ #aximum "#" &ueue %ge# this setting determines the ma*imum life time in seconds of unsent 6M6 messages in the outgoing 2ueue. /f an 6M6 message can not be sent for a period longer than configured here, the message will be discarded. he default is L-- seconds ( minutes). @ "#" 'ateay # set the ;P or ;P6 address for the 6M6 gateway. he address should include Vhttp#11’ or Vhttps#11’, the server name and full path, but no 2uestion mark or parameters. Parameters need to be configured at the 6M6 3e2uest 4ata setting. 7*ample# https#11sms.e*ample.com1gateway1. @ "#" 'ateay User and "#" 'ateay (assord# these settings are used as the authentication credentials for the 6M6 gateway. he user name and password can be used for Nbasic authenticationO (part of the ;P protocol) or as parameters for the 6M6 re2uest data (see below). /f no authentication is re2uired, because of /P address based access, fill in some dummy values. @ )TT(*"+ #ethod# data can be sent as part of the re2uest or as additional content. /f the data is to be sent as parameters after the 6M6 Gateway &3', use the G7 method. /f the data is to be sent as form data, ZM' or 6AP, use the P6 method. @ "#" 'ateay %uthentication #ethod# if the 6M6 gateway uses ;P basic authentication, set this to basic, otherwise use re2uest. 
/n case of re2uest, the username and password usually need to be part of the re2uest data. @ "#" Reuest -ata# this is the data sent to submit the 6M6 message. Possible formats are ;P parameters for G7 re2uests and P6 form data, plain A6$// or ZM' and 6AP. he data can include several parameters that will be replaced before submission. All parameters are surrounded by percent signs. hese parameters are available#
• %USER%: authentication user name
• %PASS%: authentication password
• %SENDERID%: sender identification
• %TO%: recipient SMS number
• %REQUESTID%: randomly generated request identifier
• %MESSAGE%: the message to be sent

• Data Content Type: set the MIME type for POST data. This setting is ignored when using the GET request method. A MIME type is formatted as a main type name, a slash and a subtype name, for example: text/plain (text documents), text/xml (XML and SOAP documents), application/x-www-form-urlencoded.

• Data Content Encoding: select the way to encode field replacement data. Often data contains characters that are considered special for specific content types. For example you cannot use < or > in XML data; these characters have to be replaced with &lt; and &gt;. PWM can use the

If no expressions are entered, any attempt to send the message will be considered successful, as long as the gateway service responds. Note that you have to match an entire line. You can use .* at the beginning and end of the expression to fill up the expression. For example use ID:\s.* to match any string starting with "ID:", a whitespace character (\s) and then any other characters. The expressions are case sensitive.

• Sender ID: service providers often allow senders to specify a sender identification. This can be either a phone number or an alphanumeric string (e.g. ExampleCom). The service provider usually has to verify or accept the sender identification. Please contact your service provider for allowed values for the sender identification.

• Phone Number Format: set the phone number format accepted by the SMS gateway, normally a variation of a full international format. The following variants are possible:
  • plain: country code (e.g. 1 for USA) followed directly by the subscriber number, with no prefix
  • plus: as plain, but with a plus sign as a prefix
  • zeros: as plain, but prefixed with a double zero (00)

• Default Country Code: if the recipient SMS number is not in international format, the recipient number will be prefixed with the default country code.

• Request ID Characters: if a request allows or requires a unique request identifier, PWM can generate a random value. Specify the characters that can be used in the request id.

• Request ID Length: specify the length of the request id.

• Challenge Token Text: set the text to be sent for password recovery. Use %TOKEN% as a placeholder for the password recovery token to be sent. Another option under Modules > Forgotten Password determines the usage of SMS for token delivery.

• Token Send Method: this setting determines when SMS or email messages will be sent. The possibilities are:
  • both: try to send both SMS and email
  • emailfirst: try to send email; if no email address is available, try SMS
  • emailonly: try to send email; if no email address is available, do not try SMS
  • smsfirst: try to send SMS; if no SMS number is available, try email
  • smsonly: try to send SMS; if no SMS number is available, do not try email
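The following is an added Python model (not PWM's own code) of how the settings above interact: the channel chosen by Token Send Method, the recipient number rendered per Phone Number Format and Default Country Code, and the whole-line, case-sensitive response check. All function names and sample values are constructed for this example.

```python
"""Offline model of the PWM SMS token-delivery settings described above.

Added example, not PWM's own code. It reproduces the documented semantics of
'Token Send Method', 'Phone Number Format' / 'Default Country Code' and the
'Response Regular Expression' so a planned configuration can be sanity-checked
before touching a real gateway. All function names and sample values are constructed.
"""
import re

SEND_METHODS = ("both", "emailfirst", "emailonly", "smsfirst", "smsonly")
PHONE_FORMATS = ("plain", "plus", "zeros")


def delivery_channels(method, has_email, has_sms):
    """Ordered list of channels PWM would try for a user with these attributes.

    An empty list means the token cannot be delivered at all (the situation PWM
    reports as error 5036, 'missing address/number').
    """
    if method not in SEND_METHODS:
        raise ValueError(f"unknown token send method: {method!r}")
    available = {"email": has_email, "sms": has_sms}
    if method == "both":
        return [c for c in ("email", "sms") if available[c]]
    primary, fallback = ("email", "sms") if method.startswith("email") else ("sms", "email")
    if available[primary]:
        return [primary]
    if method.endswith("first") and available[fallback]:
        return [fallback]
    return []


def format_recipient(number, fmt, default_country_code):
    """Render a stored number in the gateway's 'plain', 'plus' or 'zeros' format.

    A number is taken as already international when it starts with '+' or '00';
    anything else is prefixed with the default country code, as the setting says.
    """
    if fmt not in PHONE_FORMATS:
        raise ValueError(f"unknown phone number format: {fmt!r}")
    cleaned = re.sub(r"[^0-9+]", "", number)      # drop spaces, dashes, brackets
    if cleaned.startswith("+"):
        international = cleaned[1:]
    elif cleaned.startswith("00"):
        international = cleaned[2:]
    else:
        international = default_country_code + cleaned
    if not international.isdigit():
        raise ValueError(f"not a usable phone number: {number!r}")
    return {"plain": international,
            "plus": "+" + international,
            "zeros": "00" + international}[fmt]


def gateway_accepted(response_body, pattern):
    """Documented success check: an empty expression accepts any response;
    otherwise one whole line of the response must match the case-sensitive expression."""
    if not pattern:
        return True
    regex = re.compile(pattern)
    return any(regex.fullmatch(line) for line in response_body.splitlines())


if __name__ == "__main__":
    # Constructed sample: a user with both attributes, a gateway wanting the
    # 'plus' format, and a Clickatell-style "ID: ..." success line.
    print(delivery_channels("smsfirst", has_email=True, has_sms=True))
    print(format_recipient("(212) 555-0100", "plus", "1"))
    print(gateway_accepted("ID: 3a9f0c\n", r"ID: [A-Za-z0-9]+"))
```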
Example configurations

Clickatell

For Clickatell, the easiest way is the HTTP(S) GET API. To configure your service for this API, see http://www.clickatell.com/downloads/http/Clickatell_HTTP.pdf for full API documentation, and use the following settings:

• Set the gateway URL to: https://api.clickatell.com/http/sendmsg
• Enter your username and password
• Select the GET method
• Use request as the authentication method
• Set the request data to: user=%USER%&password=%PASS%&api_id=XXXX&to=%TO%&text=%MESSAGE%
  Don't forget to replace XXXX with the API id provided. Optionally, you can add "&concat=2" or "&concat=3" to allow longer messages (up to 459 characters).
• Set the request content data encoding to URL.
• Set the response regular expression to ID: [A-Za-z0-9]+
• Set the phone number format to plain.
• Specify the maximum message length as 160 for single length messages (no concat option, or concat=1), 306 for double length messages (concat=2) or 459 for triple length messages (concat=3).

VOIPbuster

The VOIPbuster SMS service can be configured with a GET call:

• Set the gateway URL to: https://www.voipbuster.com/myaccount/sendsms.php
• Enter your username and password for the service
• Select the GET method
• Use request as the authentication method
• Set the SMS Request Data (Advanced) to: username=%USER%&password=%PASS%&to=%TO%&text=%MESSAGE%
• Set the request content data encoding to url.
Custom SOAP service

An example custom made SOAP service could accept a SOAP document like the one below (the recipient number and token are sample values):

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.sms.example.com/">
      <soapenv:Header/>
      <soapenv:Body>
        <ws:sendTextMessage>
          <sender>ExampleCom</sender>
          <to>+1555…</to>
          <text>Your token is MSpe07t</text>
        </ws:sendTextMessage>
      </soapenv:Body>
    </soapenv:Envelope>

You could use the following settings:

• Set the gateway URL to your custom web service address.
• Enter your username and password.
• Select the POST method.
• Use basic as the authentication method if your service requires HTTP authentication; otherwise select request if the authentication parameters are included in the request data or the access is IP address based.
• Set the request data to the full SOAP message, with fields to be replaced. For example:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.sms.example.com/">
      <soapenv:Header/>
      <soapenv:Body>
        <ws:sendTextMessage>
          <sender>%SENDERID%</sender>
          <to>%TO%</to>
          <text>%MESSAGE%</text>
        </ws:sendTextMessage>
      </soapenv:Body>
    </soapenv:Envelope>

• Set the request data content type to text/xml and the request data encoding to XML.
• Set the response regular expression to something suitable that matches a success message, or leave it empty to accept any response. Example: .*<status level="response".*
• Set the phone number format to the required format.
• Specify the maximum message length.
Appendix A: Troubleshooting

PWM is designed to be as easy to operate as possible. But sometimes errors will occur, especially during the initial configuration. These steps may be helpful in self-diagnosing the problem.

1. Assuming PWM is starting okay, the first place to check for problems is the PWM health page. The health page can be accessed at the following url: /pwm/public/health.jsp. This same health screen is shown when configuring PWM, and can alert you to configuration problems or unreachable services.

2. If PWM isn't starting okay and you are using tomcat, the tomcat temporary/work directories may be corrupt or have outdated files. Stop tomcat, delete the tomcat/temp and tomcat/work directory contents, then start tomcat again. This problem is especially likely when changing tomcat or PWM builds/versions.

3. Check out the PWM log. If using tomcat, the log data will typically be in the tomcat/logs/catalina.out file, although some tomcat installations may log to different files. By default, PWM is set to log at level "INFO" only, which is often not useful for debugging. Edit the PWM configuration logging settings and set the STDOUT Log Level setting to "TRACE".

4. Check the log file (if possible) of your ldap directory. Many times problems with PWM aren't problems with PWM at all but with the ldap directory.
Appendix B: Error Codes

Error   Description
5001    An incorrect password was used.
5002    Incorrect response value (or attribute) was used.
5003    User is already authenticated.
5004    User is not authenticated, and authentication is required.
5005    Username is invalid or the user does not have any responses configured.
5006    The response answer contains a word that is in the wordlist.
5007    The response answer is too short.
5008    The response answer is too long.
5009    The response answer is a duplicate.
5010    The response question is a duplicate.
5011    A required response question is missing.
5012    A required HTTP parameter is missing on the request.
5013    A configuration field has an incorrect value.
5014    An unexpected error occurred.
5015    The username cannot be matched to an LDAP distinguished name.
5016    The LDAP directory is not reachable.
5017    User did not supply correct values during activation.
5018    The requested service is not available or is disabled.
5019    The BasicAuthentication header has changed during the HTTP session.
5020    The user attempting activation is not permitted due to the LDAP query match.
5021    There is no challenge policy available for the user.
5022    Too many incorrect login attempts have been attempted by the user.
5023    The source address has had too many incorrect login attempts.
5024    The HTTP session has had too many incorrect login attempts.
5025    PWM was unable to set the temporary password for the user during recovery.
5026    The user is not authorized to perform the action.
5027    PWM was unable to verify the user's HTTP session.
5028    A required response value is missing.
5029    A random response value is missing.
5030    The captcha response is incorrect.
5031    There was a problem communicating with the remote captcha service.
5032    The PWM configuration file is invalid.
5033    The form nonce is incorrect.
5034    The form sequence number is incorrect (back button detection).
5035    Unable to send token due to missing address/number.
5036    The user supplied token is incorrect.
5037    The entered current password is incorrect.
5038    Error while shutting down a PWM service or database.
5039    The user GUID is unreadable or not able to be written.
5040    The user supplied token has expired.
5041    Multiple LDAP distinguished names found for the user supplied username.
5042    Only the original manager who created the user may update this user.
5043    Non secure HTTP requests are not permitted.
5044    Unable to write the response to the configured storage method.
5045    Unable to unlock the user account.
5046    Unable to update the user's profile.
5047    Unable to activate the user.
5048    Unable to create the new user.
5049    Unable to activate the user.
5050    The remote database is unavailable.
5051    The local LocalDB is unavailable.
5052    The application is unavailable.
5053    Unable to reach pwmcloud web service.
5054    The security key is invalid or missing.
5055    Unable to clear stored user responses.
5056    A required remote service is unreachable.
5057    A response contains text from the challenge question.
5058    An error with the encryption certificates has been encountered.
5059    A problem has occurred writing to the Syslog server.
5060    Too many threads are in use.
5061    The user's password is required.
5062    A security restriction has been violated.
Guide A: Integrating PWM with Java Security Manager

Introduction

Configuring Tomcat's Java Security Manager is documented at:

http://java.sun.com/developer/onlineTraining/Programming/JDCBook/appA.
http://tomcat.apache.org/tomcat-<version>-doc/security-manager-howto.html
http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/debugger.

As the JSM rulesets are highly dependent on the underlying OS, the web container and the PWM version, this article is split into generic and specific sections.
Generic debugging techniques for Tomcat

The biggest problem with JSM integration is that it is often not obvious which Security Manager rules you need to add to make things work. You almost certainly have to add JSM debugging to the Tomcat command line. On Debian this is done by editing /etc/default/tomcat<version>:

    JAVA_OPTS="-Djava.awt.headless=true -Xmx128M -Djava.security.debug=access"

After Tomcat is restarted, it starts spitting out "access allowed/denied" messages to its logs. On Debian Lenny this is /var/log/syslog, and on Debian Squeeze /var/log/tomcat6/catalina.out. You can weed out failures with something like this:

    $ tail -n 15000 <logfile> | grep "access denied" | cut -d " " -f 3- | sort | uniq -c

Alternatively, you can activate realtime monitoring with

    $ tail -n 0 -f <logfile> | grep "access denied"

before restarting Tomcat. In either case, you should get notices like this:

    access: access denied (java.lang.management.ManagementPermission monitor)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.diagnostics.dest read)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.LogFactory.HashtableImpl read)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.LogFactory read)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.Log.allowFlawedContext read)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.Log.allowFlawedDiscovery read)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.Log.allowFlawedHierarchy read)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.Log read)
    access: access denied (java.util.PropertyPermission org.apache.commons.logging.log read)

After spotting these failures, convert them into matching security manager rules and restart Tomcat. Repeat this as many times as necessary. Note that this setup can easily create gigabytes worth of useless logs, so remember to switch off debugging before going to production. On Debian and many other distributions Tomcat's JSM rules are stored in /etc/tomcat<version>/policy.d. These ruleset fragments are converted into the active ruleset stored in /var/cache/tomcat<version>/catalina.policy or similar. It is probably a good idea to make sure the pwm-specific policy file loads after the default policy files, so name it something like "50user.policy". Also make sure the file has the same permissions as the existing policy files or it may not load properly.
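The "convert them into matching security manager rules" step can be scripted. The following is an added Python helper, not part of this guide, Tomcat or PWM: it parses the access-denied notices above into deduplicated policy "permission" statements so each denial becomes exactly one narrow grant rather than a blanket rule. The sample log is constructed from the notices shown; function names are ours.

```python
"""Turn Tomcat security-manager 'access denied' log lines into policy-file rules.

Added example, not part of the original guide or of Tomcat/PWM. Each distinct
denial becomes one narrow 'permission' statement, which is the opposite of the
catch-all AllPermission grant that makes a policy useless. The sample log is
constructed from the notices quoted in the text; all function names are ours.
"""
import re
from collections import OrderedDict

# Constructed sample: three denials (one repeated), one allowed access and an
# unrelated log line, as you would see in catalina.out with -Djava.security.debug=access.
SAMPLE_LOG = """\
access: access denied (java.lang.management.ManagementPermission monitor)
access: access denied (java.util.PropertyPermission org.apache.commons.logging.LogFactory read)
access: access denied (java.util.PropertyPermission org.apache.commons.logging.LogFactory read)
access: access denied (java.util.PropertyPermission org.apache.commons.logging.Log.allowFlawedContext read)
access: access allowed (java.util.PropertyPermission user.dir read)
INFO: Server startup in 4123 ms
"""

# "access denied (<class> [<target> [<actions>]])": the target and the action
# list are optional because e.g. ManagementPermission has a name but no actions.
DENIED = re.compile(
    r"access denied \((?P<cls>[\w.]+)"      # permission class, e.g. java.io.FilePermission
    r"(?: (?P<name>\S+))?"                 # target: property name, file path, host:port
    r"(?: (?P<actions>[\w,]+))?\)"         # actions such as read or connect,resolve
)


def parse_denials(log_text):
    """Yield (class, name, actions) for every 'access denied' line, in log order."""
    for line in log_text.splitlines():
        match = DENIED.search(line)
        if match:
            yield match.group("cls"), match.group("name"), match.group("actions")


def denials_to_rules(log_text):
    """Deduplicated policy 'permission' statements, one per distinct denial."""
    rules = OrderedDict()                  # keeps first-seen order, drops repeats
    for cls, name, actions in parse_denials(log_text):
        parts = [f"permission {cls}"]
        if name:
            parts.append(f'"{name}"')
        if actions:
            parts.append(f'"{actions}"')
        rules[" ".join(parts) + ";"] = None
    return list(rules)


def grant_block(log_text, comment="generated from the JSM debug log; review before use"):
    """Wrap the generated statements in a grant block for a policy.d fragment."""
    body = "\n".join("    " + rule for rule in denials_to_rules(log_text))
    return f"grant {{\n    // {comment}\n{body}\n}};"


if __name__ == "__main__":
    print(grant_block(SAMPLE_LOG))
```

Review the output before adding it to policy.d: a denial for a wildcard target (for example a SocketPermission on "*") should be narrowed to the hosts PWM actually needs rather than copied verbatim.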
PWM 1.4.x on Debian Lenny

The additional ruleset below allows pwm to work properly under JSM on Debian Lenny with Tomcat 5.5.26 from the Debian repos. It depends on the default Debian rules being loaded first. Note that this ruleset has only been tested with pwm utilizing the following features:

• Create new user
• Update attributes
• Change password
• CAPTCHA

    // ========== PWM-specific settings =====================================
    //
    // Put this into a separate file e.g. /etc/tomcat5.5/50user.policy
    //
    grant {
      // With this everything works great but it's terribly insecure
      //permission java.security.AllPermission;

      // This gets us past the first error
      permission java.lang.RuntimePermission "createClassLoader";

      // This gets us past pwm-db access issues. It seems we cannot use "<snip>/pwm/META-INF/pwm-db/-" without the whole
      // Tomcat breaking. Apparently this happens because the pwm-db directory is created on the fly and Security Manager
      // can't find it when it launches -> everything breaks badly.
      //
      // This set of FilePermissions seems to work and prevents the webapp from "writing" to META-INF/context.xml
      // which contains security-related settings (e.g. host/subnet-based filtering rules)
      permission java.io.FilePermission "/var/lib/tomcat5.5/…

      permission java.util.PropertyPermission "elementAttributeLimit" "read";
      permission java.util.PropertyPermission "entityExpansionLimit" "read";
      permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" "read";
      permission java.util.PropertyPermission "maxOccurLimit" "read";
      permission java.util.PropertyPermission "user.timezone" "write";
      permission java.util.PropertyPermission "memAdmin" "read";
      permission java.util.PropertyPermission "memLock" "read";
      permission java.util.PropertyPermission "memTree" "read";
      permission java.util.PropertyPermission "memTxn" "read";
      permission java.util.PropertyPermission "memTreeAdmin" "read";
      permission java.util.PropertyPermission "sun.arch.data.model" "read";

      // reCAPTCHA-specific PropertyPermissions
      permission java.util.PropertyPermission "httpclient.*" "read";
      permission java.util.PropertyPermission "apache.commons.httpclient.*" "read";
      permission java.util.PropertyPermission "java.class.path" "read";
      permission java.util.PropertyPermission "user.name" "read";

      // reCAPTCHA-specific SocketPermissions
      permission java.net.SocketPermission "*" "connect,resolve";

      // Misc SocketPermissions
      permission java.net.SocketPermission "127.0.0.1:8443" "connect,resolve";

      // Log4j-specific properties
      permission java.util.PropertyPermission "log4j.*" "read";

      // BerkeleyDB-specific properties
      permission java.util.PropertyPermission "je.*" "read";
      permission java.util.PropertyPermission "JEDiagnostics" "read";
      permission java.util.PropertyPermission "JEMonitor" "read";

      // Misc permissions
      permission java.util.logging.LoggingPermission "control";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    };
PWM 1.5.x / SVN revision 160 on Debian Squeeze

A few modifications are needed to adapt Lenny's ruleset for Squeeze, Tomcat 6 and pwm 1.5.x+. Note that this ruleset has only been tested with pwm utilizing the following features only:

• Create new user
• Update attributes
• Change password
• Password reset with email token
• CAPTCHA

    // ========== PWM-specific settings =====================================
    grant {
      // This gets us past the first error
      permission java.lang.RuntimePermission "createClassLoader";
      // Added between 1.4.x and 1.5.x
      permission java.lang.RuntimePermission "modifyThread";

      // This gets us past pwm-db access issues. It seems we cannot use "<snip>/pwm/META-INF/pwm-db/-" without the whole
      // Tomcat breaking. Apparently this happens because the pwm-db directory is created on the fly and Security Manager
      // can't find it when it launches -> everything breaks badly.
      //
      // This set of FilePermissions seems to work and prevents the webapp from "writing" to META-INF/context.xml
      // which contains security-related settings (e.g. host/subnet-based filtering rules)
      permission java.io.FilePermission "/var/lib/tomcat6/webapps/pwm/META-INF/*" "read,execute";
      // pwm-db moved from META-INF to WEB-INF between pwm 1.4.x and 1.5.x; also renamed from pwm-db to pwmDB
      permission java.io.FilePermission "/var/lib/tomcat6/webapps/pwm/WEB-INF/pwmDB" "read,write,delete,execute";
      permission java.io.FilePermission "/var/lib/tomcat6/webapps/pwm/WEB-INF/pwmDB/-" "read,write,delete,execute";
      permission java.io.FilePermission "/var/lib/tomcat6/webapps/pwm/WEB-INF/classes/-" "read";
      //permission java.io.FilePermission "/var/lib/tomcat6/webapps/pwm/WEB-INF/lib/*" "read";
      // Next two added between 1.4.x and 1.5.x
      permission java.io.FilePermission "/usr/lib/jvm/java-6-openjdk/jre/lib/*" "read";
      permission java.io.FilePermission "/var/lib/tomcat6/webapps/pwm/WEB-INF/-" "write";

      // Misc FilePermissions
      permission java.io.FilePermission "/usr/share/javazi/ZoneInfoMappings" "read";
      // Next two missing
      //permission java.io.FilePermission "/usr/share/tomcat6/server/classes/org/apache/jk/common/HandlerRequest.class" "read";
      //permission java.io.FilePermission "/usr/share/tomcat6/server/classes/org/apache/tomcat/util/buf/DateTool.class" "read";
      permission java.io.FilePermission "/usr/share/tomcat6/.mailcap" "read";
      permission java.io.FilePermission "/WEB-INF/classes/org/apache/log4j/-" "read";

      // Misc RuntimePermissions
      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
      permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
      permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.*";
      permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.*";
      permission java.lang.RuntimePermission "getFileSystemAttributes";

      // Misc PropertyPermissions
      permission java.util.PropertyPermission "*" "read,write";
      //permission java.util.PropertyPermission "elementAttributeLimit" "read";
      //permission java.util.PropertyPermission "entityExpansionLimit" "read";
      //permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" "read";
      //permission java.util.PropertyPermission "maxOccurLimit" "read";
      //permission java.util.PropertyPermission "user.timezone" "write";
      //permission java.util.PropertyPermission "memAdmin" "read";
      //permission java.util.PropertyPermission "memLock" "read";
      //permission java.util.PropertyPermission "memTree" "read";
      //permission java.util.PropertyPermission "memTxn" "read";
      //permission java.util.PropertyPermission "memTreeAdmin" "read";
      //permission java.util.PropertyPermission "sun.arch.data.model" "read";
      // Next two added to pwm 1.4.x rules for pwm 1.5.x
      //permission java.util.PropertyPermission "org.apache.commons.logging" "read";
      //permission java.util.PropertyPermission "com.google.gson.annotation_cache_size_hint" "read";

      // reCAPTCHA-specific PropertyPermissions
      //permission java.util.PropertyPermission "httpclient.*" "read";
      //permission java.util.PropertyPermission "apache.commons.httpclient.*" "read";
      //permission java.util.PropertyPermission "java.class.path" "read";
      //permission java.util.PropertyPermission "user.name" "read";

      // reCAPTCHA-specific SocketPermissions
      permission java.net.SocketPermission "*" "connect,resolve";

      // Misc SocketPermissions
      permission java.net.SocketPermission "127.0.0.1:8443" "connect,resolve";

      // Log4j-specific properties
      permission java.util.PropertyPermission "log4j.*" "read";

      // BerkeleyDB-specific properties
      permission java.util.PropertyPermission "je.*" "read";
      permission java.util.PropertyPermission "JEDiagnostics" "read";
      permission java.util.PropertyPermission "JEMonitor" "read";

      // Misc permissions
      permission java.util.logging.LoggingPermission "control";
      // Obsolete in pwm 1.5.x+
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      // Next two added to pwm 1.4.x rules for pwm 1.5.x
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      permission java.lang.management.ManagementPermission "monitor";
    };
Guide B: PWM behind an Apache reverse proxy

Introduction

There are several good reasons to place PWM behind a reverse proxy:

• Blocking certain PWM functions for good (e.g. /admin, /config)
• Masking the PWM server's real DNS name, e.g. to avoid having to buy a separate SSL certificate

PWM does not require Apache or any other reverse proxy, so this type of configuration is optional. These instructions were written using Apache 2.2 running on Linux Debian Lenny, with PWM svn revision 160 running on Linux Debian Squeeze and Tomcat 6.

Configuring PWM server

In PWM, most configuration is related to security. You have three options:

• Let Apache contact PWM using the insecure HTTP protocol (e.g. port 8080 or 8180). This setup becomes slightly more secure if a firewall (or Tomcat) is used to block access from IPs other than that of Apache.
• Allow Tomcat/PWM access only using HTTPS. This will require additional configuration at the Apache end. This can be made more secure by limiting access to the webserver's IP.
• Secure the Apache <-> Tomcat/pwm connection using a VPN such as OpenVPN.
• Block all other access to PWM.

In the PWM configuration make sure to set Enable Session Verification to false, or reverse proxying will not work properly.

Configuring the webserver

Adding reverse proxy support to Apache is relatively easy. Go to /etc/apache2/sites-available and place something like this in the appropriate section:

    # Reverse proxying setup for other webservers running on localhost
    # or on remote servers. Configuration details available here:
    #
    # http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

    # Reverse proxies don't need to allow proxy requests
    ProxyRequests Off

    # Proxy access control - not very important in reverse proxies
    # as the target servers have been predefined by the sysadmin
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # No need to proxy SSL-enabled servers (yet)
    #SSLProxyEngine On

    # This is required to connect to SSL-enabled servers not running
    # on port 443
    #AllowCONNECT 8443

    # Block access to administrative functions, see
    #
    # http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
    ProxyPass /pwm/admin !
    ProxyPass /pwm/config !

    # Map local server URL to a remote server URL. We're using HTTP through
    # a secure VPN connection.
    ProxyPass /pwm http://<pwm-server-ip>:8080/pwm

    # This rewrites HTTP headers etc. so that the proxied server's
    # responses point the client back to this server, not the
    # proxied server
    ProxyPassReverse /pwm http://<pwm-server-ip>:8080/pwm

Note that using any other path than /pwm will not work, at least out of the box. For example, submitting the CAPTCHA form will fail with a "Form submitted with incorrect pwmFormID value" error.
Guide C: Integrating PWM with CAS

Introduction

CAS, which in this context stands for Central Authentication Service, provides clients a single sign-on service facilitating a trusted way for an application to authenticate a user. More information about CAS can be found on the

clearPass

In order to integrate PWM with CAS, or "casify" PWM, we have to employ the use of clearPass. Full documentation on this process can be found here: https://wiki.jasig.org/display/CASUM/ClearPass

Edit your CAS pom.xml to include the clearPass dependency.

    <dependency>
      <groupId>org.jasig.cas.extensions</groupId>
      <artifactId>clearpass-webapp</artifactId>
      <version>1.0.2.GA</version>
      <scope>runtime</scope>
      <type>war</type>
    </dependency>

Edit your CAS deployerConfigContext.xml to include the required authentication manager.

    <property name="authenticationMetaDataPopulators">
      <list>
        <bean class="org.jasig.cas.extensions.clearpass.CacheCredentialsMetaDataPopulator">
          <constructor-arg index="0" ref="credentialsCache" />
        </bean>
      </list>
    </property>

Edit the CAS web.xml to include the proper clearPass servlet information.

    <servlet-mapping>
      <servlet-name>cas</servlet-name>
      <url-pattern>/clearPass</url-pattern>
    </servlet-mapping>

Also include the appropriate filters in the CAS web.xml:

    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://host:8443/cas</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>https://host:8443</param-value>
      </init-param>
      <init-param>
        <param-name>exceptionOnValidationFailure</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>allowedProxyChains</param-name>
        <param-value>https://pwm.example.com:8443/pwm/proxyCallback</param-value>
      </init-param>
      <init-param>
        <param-name>useSession</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>false</param-value>
      </init-param>
    </filter>
    <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/clearPass</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/clearPass</url-pattern>
    </filter-mapping>

If you are building CAS using the Maven overlay, rebuild it and redeploy the WAR file to your application server. Next, add the CAS clearPass url to the PWM configuration XML or use the ConfigManager editor. The result will be a configuration setting in PWMConfiguration.xml as follows:

    <setting key="cas.clearPassUrl" syntax="STRING">
      <label>CAS ClearPass URL</label>
      <value><![CDATA[https://host:8443/cas/clearPass]]></value>
    </setting>

In the PWM web.xml you will need to uncomment the CAS section and fit it to your environment. Note the text is already in the web.xml; it just needs the comments removed and the settings modified.

    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://host:8443/cas/</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>https://host:8443</param-value>
      </init-param>
      <init-param>
        <param-name>proxyCallbackUrl</param-name>
        <param-value>https://host:8443/pwm/proxyCallback</param-value>
      </init-param>
      <init-param>
        <param-name>proxyReceptorUrl</param-name>
        <param-value>/proxyCallback</param-value>
      </init-param>
    </filter>
    <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://host:8443/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>serverName</param-name>
        <param-value>https://host:8443</param-value>
      </init-param>
      <init-param>
        <param-name>renew</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>gateway</param-name>
        <param-value>false</param-value>
      </init-param>
    </fil+ter>
    <filter>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>CAS Single Sign Out Filter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <listener>
      <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
    </listener>
    <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/private/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/private/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/proxyCallback</url-pattern>
    </filter-mapping>

Also, be sure to use HTTPS for PWM. HTTPS is required for proper functionality. Save the changes you have made and restart your application server. Now when you attempt to access PWM you will be redirected to your CAS instance. Upon authentication CAS will redirect you back to PWM.

Interrupting a CAS session

One way to interrupt a CAS login session is to edit your CAS login-webflow.xml. The main idea is to create a custom <action-state> that evaluates the service your user is attempting to access. In the webflow, after the user has been authenticated and granted a ticket, the session is then passed on to a custom page which redirects to the PWM command servlet with the service URL and ticket appended to the URL. While the configuration of such a setup is beyond the scope of PWM, we have provided a few snippets to illustrate the process.

login-webflow.xml:

    <action-state id="customInterrupt">
      <evaluate expression="flowScope.service.id"/>
      <transition on="https://service.host.com/login/index.php" to="service1" />
      <transition on="*" to="warn" />
    </action-state>
    <end-state id="service1" view="service1View" />

service1view.jsp:

    <%
      String redirectURL = "https://service.host.com:8443/pwm/private/CommandServlet?processAction=checkAll&forwardURL=https%3A%2F%2Fservice.host.com%2Flogin%2Findex.php?"
          + request.getParameter("ticket");
      response.sendRedirect(redirectURL);
    %>

With these code snippets you should be on your way to creating an environment that allows PWM to properly interrupt a CAS login session.
Guide D: Integrating PWM with Novell Access Manager

Introduction

This section provides an overview on integrating PWM with Novell's Access Manager (NAM) solution, providing access to password management functionality both inside and outside of your company's network. NAM acts as a reverse proxy, much like the example of the Apache reverse proxy given in Guide A of this document. NAM additionally provides enhanced single sign-on functionality, allowing PWM to be placed on the internal network without having to mint SSL certificates for each PWM server that you build. Since NAM controls authentication, you will not utilize the base PWM login screen, as authentication will be passed to PWM automatically.

Link Redirection

The most important aspect of implementing an instance of PWM behind NAM is understanding which URL links to integrate into your NAM login page, as well as the reverse proxy and single sign-on settings that need to be configured. Because the PWM login screen itself is never directly displayed in a NAM setting, the links on that page must be transferred to the NAM login screen. These links are:

• https://www.example.com/pwm/public/ActivateUser
  This link is used for the Activate User PWM module.
• https://www.example.com/pwm/public/ForgottenPassword
  This link is used to reset a forgotten password.
• https://www.example.com/pwm/public/Help-Documents.html
  This link should go to a web page that provides registration guides for your environment.
• https://www.example.com/pwm/private/Shortcuts
  This link should be the primary redirect link if you wish to use the Shortcuts page as a de facto landing page for NAM logins. You can include a link to the User Application here for access to RBPM and Workflow services.

Reverse Proxy Settings

You should have a reverse proxy created for the PWM server(s).

The reverse proxy that is created for PWM must also have protected resources set up, so that the user will be able to access sections of PWM without having to provide authentication credentials. One of the protected resources should be called pwm-public and have the following url paths set up:

    /pwm/public/ActivateUser/
    /pwm/public/ForgottenPassword/
    /pwm/resources/

This will enable users who click on the link on the login screen to activate their account or reset a forgotten password to do so without having to provide any authentication credentials. The /pwm/resources path is included in order to allow the proper themes and other parts of the web page to display correctly through NAM.

Login Page Customizations

The login page can be customized to include links to public PWM services such as the ForgottenPassword or NewUser modules. To do so, modify the IDP server's "login.jsp" file to include a link to the forgotten password page:

    <a href="https://www.example.com/pwm/public/ForgottenPassword">Forgotten Password</a>

It is also possible to modify the login page so that all logins through NAM are processed by PWM. The use case for doing this is to force the user through the several "check" processes that PWM can enforce, such as password pre-expiration, setup responses and profile. This approach uses the IDP's "ctarget" attribute to rewrite the user's post-login destination to PWM, and then in turn passes PWM the user's original requested URL, so that after the process checks in PWM are completed, the user is forwarded on to their original destination. To implement this process, add the following to the login.jsp page:

    <%
    // set these parameters as appropriate for your environment
    final String pwmURL = "http://www.example.com/pwm/";
    final String pwmCommand = "checkAll"; // could be "checkExpire", "checkResponses", "checkProfile" or "checkAll", see pwm documentation
    final boolean debugMode = true;
    String ctarget = null;

    // do not modify the below code unless you know what you are doing.
    String currentTarget = (String) request.getAttribute("target");
    if (debugMode) {
        out.write("<p>Current target: " + currentTarget + "</p>");
        out.write("<p>Current ctarget: " + request.getAttribute("ctarget") + "</p>");
    }
    // only rewrite targets that do not already point at PWM, otherwise the user would loop
    if (currentTarget != null && !currentTarget.contains(pwmURL)) {
        final StringBuilder newURL = new StringBuilder();
        newURL.append(pwmURL);
        newURL.append("private/CommandServlet");   // pwmURL already ends with "/"
        newURL.append("?processAction=");
        newURL.append(pwmCommand);
        newURL.append("&forwardURL=");
        newURL.append(java.net.URLEncoder.encode(currentTarget, "UTF-8"));
        //request.setAttribute("target", null);
        //session.setAttribute("target", null);
        ctarget = newURL.toString();
        if (debugMode) {
            out.write("<p>New target set to: " + newURL.toString() + "</p>");
        }
    } else if (debugMode) {
        out.write("<p>Target already redirected to PWM, was not modified.</p>");
    }
    %>
    <% if (ctarget != null) { %>
    <input type="hidden" name="ctarget" value="<%=ctarget%>">
    <% } %>