The rest of this post will focus on walking through the installation and initial configuration of PWM with an OpenLDAP system. Most of the things we describe can also be found in the PWM administration guide or from other sources. However, some things (eg. configuration of certain modules in PWM) we didn\u2019t immediately understand and we will describe some tips\/solutions here.<\/p>\n
<\/p>\n
\n
<\/p>\n
Lets get started<\/strong><\/p>\n Requirements<\/em><\/p>\n Our installation used Apache Tomcat 7 to serve PWM from a vm running Ubuntu 13.04.<\/p>\n Start by downloading pwm to your machine, in this example we use a dropbox mirror link for a pwm version 1.7.1 zip (also commonly found in other installation tutorials).<\/p>\n Stop tomcat, deploy the war and start tomcat again.<\/em><\/p>\n This will deploy pwm to tomcat and you should now be able to reach the app (assuming you run Tomcat under port 8080) via:<\/p>\n http:\/\/<your_IP_address>:8080\/pwm<\/strong><\/p>\n <\/p>\n <\/p>\n Continuing the PWM Installation<\/strong><\/p>\n To make the installation easier, PWM offers a configuration wizard.<\/p>\n The first screen will establish a connection to your LDAP server, this is where you add your server details and proxy or admin account for connecting to your LDAP server. On the next page, we define the contextless login root. It is possible to enter multiple contexts, however initially pwm will want you to set just one.<\/p>\n This will let PWM know where to look for your ldap users. So if you, for instance, have an organizational unit (ou) called \u2018users\u2019, you might specify \u201cou=users,\u201d followed by your domain component(s). The administration search filter will give administrator access to its matching entries.<\/p>\n In this example we just enter cn=admin, matching our ldap admin user, so we can continue.<\/p>\n It is recommended that you set a test user so that PWM can do health checks periodically. Ideally, this is a user uniquely created for and used by PWM.<\/p>\n You are now able to complete the initial configuration for PWM. After this, you can login as ldap admin and make more changes to the configuration in the pwm configuration editor. The ldap configuration password you entered earlier is needed to access this editor.<\/p>\n <\/p>\n <\/p>\n Problems occurring upon not applying the PWM schema extensions<\/strong><\/p>\n <\/p>\n As we were eager to setup pwm without too much hassle, we only partly followed some tutorials and then tried doing the configuration of pwm on our own. We didn\u2019t read the administration guide or any other source thoroughly yet and thus followed our first error.<\/p>\n As we logged in as ldap admin, with the intention of changing some profile settings to see if everything works correctly, we were prompted to set some recovery responses. PWM supports these type of security questions and answers as a method of recovering your account when you lose or forget your password. Everything went fine up until the point where we hit the save button. An error occurred during the save of your response questions. Please contact your administrator. {5045 ERROR_WRITING_RESPONSES (response storage only partially successful; attempts=1, successes=0) }<\/strong><\/p>\n As found in the PWM Administration guide<\/a>,\u00a0PWM needs a schema extension in the ldap configuration. Another possibility to save responses, configurable in the configuration editor, would be to use a database. However, we decided to just use the schema extension. The administration guide describes the following schema extension:<\/p>\n To extend your configuration with this schema, save the above code as an LDIF file and run the ldapadd<\/em> command to add it to your existing schema. After adding the pwm scheme, the responses setup works and saving password responses for existing users will succeed.<\/p>\n Another situation we found ourselves in later on, when testing with an actual existing environment without adding the pwm schema: <\/p>\n <\/p>\n Other things worth mentioning<\/strong> To automate LDAP user management as much as possible (to save valuable system administrators time), we enabled the \u201cNew User Registration\u201d module. However, PWM has to provide LDAP with a unique distinguished name. If not provided by the registration form, pwm will solve this problem by setting random values. The DN will be formed by the naming attribute (set in Settings > LDAP Directory > (Advanced Settings) > LDAP Naming Attribute<\/em>, eg. cn) and the random value set for that attribute.<\/p>\n Naturally, in a production environment, random values as distinguished names are not that common or an ideal\u00a0situation. We found that in the advanced settings, you can disable these random characters. Go to View > Advanced Settings<\/em> and set Random Username Length <\/em>to zero.<\/p>\n PWM now needs you to specify the value for the naming attribute yourself, if you don\u2019t do this, user registration will not work. To do this, simply make the user specify it\u2019s username. Create a text field in the New User Form<\/em> with name of the naming attribute (eg. \u2018cn\u2019) and then label it \u2018Username\u2019 (or something that suits your implementation). PWM will now use this for the value of the naming attribute.<\/p>\n Since this field is required and should be unique in any case, hit Options<\/em> and tick the boxes for required and unique.<\/p>\n Automatically write attributes based on form values<\/strong><\/em><\/p>\n To avoid having to ask the user for the same values multiple times, you can use PWM macros. Let\u2019s say you want to ask the user for it\u2019s username to set the naming attribute. If we have cn as our naming attribute, we add a New User Action <\/em>in the New User Registration <\/em>module under Modules<\/em>. Let\u2019s say we choose \u201cdisplayName attribute write\u201d as a Name, and \u201cWrite attribute displayName based on cn\u201d as a description.<\/p>\n Pick \u2018ldap\u2019 from the dropdown following the description textfield.<\/p>\n Then, we choose Options<\/em> and fill in the attribute name and value. The value will be the macro, it refers to the cn attribute that is already saved upon creation of the new user entry.<\/p>\n To view a list of available macros, click View > Macro Help<\/em> in the menu.<\/p>\n Hit OK and we\u2019re good to go, the user will now automatically get a displayName attribute derived from it\u2019s common name (cn) attribute after it\u2019s created.<\/p>\n <\/p>\n Use local password policy on new user registration<\/strong><\/em><\/p>\n <\/p>\n By default (or at least in our case), PWM uses a test user password policy template for determining it\u2019s user registration password policy. We found this a little confusing a first but then found out the setting hidden in Advanced Settings. Choose Enable View > Advanced Settings<\/em> when in Modules > New User Registration<\/em> and set New User Password Policy Template<\/em> to a blank field instead of \u2018TESTUSER\u2019.<\/p>\n\n
wget https:\/\/www.dropbox.com\/s\/gehtr2jgbr4s8wt\/pwm_v1.7.1.zip<\/pre>\n
unzip pwm_v1.7.1.zip -d pwm_v1.7.1<\/pre>\n
sudo service tomcat7 stop\n\nsudo cp pwm_v1.7.1\/pwm.war \/var\/lib\/tomcat7\/webapps\n\nsudo service tomcat7 start<\/pre>\n
\n
\nSince we used a demo VM, we didn\u2019t tick the SSL box in this case, but it\u2019s obviously better to go with the secure connection for connecting to your LDAP server.<\/p>\n![\"Adding](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot1.png\")
<\/a><\/p>\n
\nIf you don\u2019t configure a correct contextless login root, you have to specify the complete ldap entry on login (eg. cn=JohnDoe,ou=users,dc=example,dc=com), which wouldn\u2019t be very user friendly.<\/p>\n![\"Defining](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot2.png\")
<\/a><\/p>\n![\"Adding](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot3.png\")
<\/a><\/p>\n
\n
\nWe were greeted with the following error:<\/p>\n\ndn: cn=pwm,cn=schema,cn=config\nobjectClass: olcSchemaConfig\ncn: pwm\nolcAttributeTypes: {0}( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog' E\n\u00a0QUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )\nolcAttributeTypes: {1}( 1.3.6.1.4.1.591242.2.2010.04.16.2 NAME 'pwmResponseSet\n\u00a0' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )\nolcAttributeTypes: {2}( 1.3.6.1.4.1.591242.2.2010.04.16.3 NAME 'pwmLastPwdUpda\n\u00a0te' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )\nolcAttributeTypes: {3}( 1.3.6.1.4.1.591242.2.2010.04.16.4 NAME 'pwmGUID' SYNTA\n\u00a0X 1.3.6.1.4.1.1466.115.121.1.15 )\nolcObjectClasses: {0}( 1.3.6.1.4.1.591242.1.2010.04.16.1 NAME 'pwmUser' AUXILI\n\u00a0ARY MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID ) )\n<\/pre>\n
\n<\/strong><\/p>\nldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f scheme_name_goes_here.ldif<\/pre>\n
\nLogins of existing users didn\u2019t work. When we imported an existing production environment in a clean OpenLDAP installation and foolishly forgot to add the schema again, we were unable to login.
\nThe users from this production environment didn\u2019t have the pwmUser object class and the necessary attributes. After adding the schema again, PWM automatically added the needed attributes when we did a login for one of those users.<\/p>\n
\n
\nProviding a value for your naming attribute in user registration<\/strong><\/em><\/p>\n![\"Naming](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot4.png\")
<\/a><\/p>\n![\"Options](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot5.png\")
<\/a><\/p>\n
\nHowever, you also want his\/her display name (attribute \u2018displayName\u2019) to be the same as that same attribute.
\nSince LDAP doesn\u2019t need the display name attribute to be provided upon creating, you can ask PWM to write this attribute post-creation with the value from the naming attribute.<\/p>\n![\"New](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot6.png\")
<\/a><\/p>\n![\"Macro's\"](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot7.png\")
<\/a><\/strong><\/p>\n![\"Macro's\"](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot8.png\")
<\/a><\/strong><\/p>\n
![\"User](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot9.png\")
<\/a><\/p>\n![\"User](\"https:\/\/trifork.nl\/articles\/wp-content\/uploads\/sites\/3\/2015\/07\/screenshot10.png\")
<\/a><\/p>\n