-
-
Notifications
You must be signed in to change notification settings - Fork 63
/
30-self-service-password
executable file
·200 lines (171 loc) · 9.31 KB
/
30-self-service-password
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
#!/command/with-contenv bash
source /assets/functions/00-container
prepare_service
PROCESS_NAME="self-service-password"
check_service_initialized init 20-php-fpm
## Check to see if this is a new install
if [ ! -f "${NGINX_WEBROOT}"/index.php ] ; then
print_warn "Self Service Password Not Found, Installing version ${SSP_VERSION}"
mkdir -p "${NGINX_WEBROOT}"/
tar xfz /assets/install/v"${SSP_VERSION}".tar.gz --strip 1 -C "${NGINX_WEBROOT}"
print_notice "Installation Complete"
fi
## Determine if we want to autoconfigure
if [ "${SETUP_TYPE,,}" = "auto" ]; then
print_warn "Autoconfiguring Settings based on defaults and evnironment variables"
## Remove Comments on Default Config File
sed -i -e "s|#\$samba_|\$samba_|g" "${NGINX_WEBROOT}"/conf/config.inc.php
## LDAP Settings
sanity_var LDAP_SERVER "LDAP Host information"
update_config ldap_url "${LDAP_SERVER}"
update_config_noquote ldap_starttls "${LDAP_STARTTLS}"
update_config ldap_binddn "${LDAP_BINDDN}"
update_config ldap_bindpw "${LDAP_BINDPASS}"
update_config ldap_base "${LDAP_BASE_SEARCH}"
update_config ldap_login_attribute "${LDAP_LOGIN_ATTRIBUTE}"
update_config ldap_fullname_attribute "${LDAP_FULLNAME_ATTRIBUTE}"
update_config ldap_filter "${LDAP_FILTER}"
## Active Directory
update_config_noquote ad_mode "$ADMODE"
sed -i "s|\$ad_options\['force_unlock'\].*|\$ad_options['force_unlock'] = ${AD_OPT_FORCE_UNLOCK};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
sed -i "s|\$ad_options\['force_pwd_change'\].*|\$ad_options['force_pwd_changeunlock'] = ${AD_OPT_FORCE_PWD_CHANGE};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
sed -i "s|\$ad_options\['change_expired_password'\].*|\$ad_options['change_expired_password'] = ${AD_OPT_CHANGE_EXPIRED_PASSWORD};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
## Samba
update_config_noquote samba_mode "${SAMBA_MODE}"
sed -i "s|\$samba_options\['min_age'\].*|\$samba_options['min_age'] = ${SAMBA_MIN_AGE};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
sed -i "s|\$samba_options\['max_age'\].*|\$samba_options['max_age'] = ${SAMBA_MAX_AGE};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
sed -i "s|\$samba_options\['expire_days'\].*|\$samba_options\['expire_days'\] = ${SAMBA_EXPIRE_DAYS};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
## Shadow Options
sed -i "s|\$shadow_options\['update_shadowLastChange'\].*|\$shadow_options['update_shadowLastChange'] = ${SHADOW_OPT_UPDATE_SHADOWLASTCHANGE};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
sed -i "s|\$shadow_options\['update_shadowExpire'\].*|\$shadow_options['update_shadowExpire'] = ${SHADOW_OPT_UPDATE_SHADOWEXPIRE};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
## Hash
sed -i "s|\$hash_options\['crypt_salt_prefix'\].*|\$hash_options\['crypt_salt_prefix'\] = \"${PASSWORD_HASH_CRYPT_SALT_PREFIX}\";|g" "${NGINX_WEBROOT}"/conf/config.inc.php
sed -i "s|\$hash_options\['crypt_salt_length'\].*|\$hash_options\['crypt_salt_length'\] = ${PASSWORD_HASH_CRYPT_SALT_LENGTH};|g" "${NGINX_WEBROOT}"/conf/config.inc.php
sed -i "s|\$hash = .*|\$hash = \"${PASSWORD_HASH}\";|g" "${NGINX_WEBROOT}"/conf/config.inc.php
## Local Password Policy
update_config_noquote pwd_min_length "${PASSWORD_MIN_LENGTH}"
update_config_noquote pwd_max_length "${PASSWORD_MAX_LENGTH}"
update_config_noquote pwd_min_lower "${PASSWORD_MIN_LOWERCASE}"
update_config_noquote pwd_min_upper "${PASSWORD_MIN_UPPERCASE}"
update_config_noquote pwd_min_digit "${PASSWORD_MIN_DIGIT}"
update_config_noquote pwd_min_special "${PASSWORD_MIN_SPECIAL}"
update_config_noquote pwd_complexity "${PASSWORD_COMPLEXITY}"
update_config pwd_special_chars "${PASSWORD_SPECIAL_CHARACTERS}"
update_config_noquote pwd_no_reuse "${PASSWORD_NO_REUSE}"
update_config_noquote pwd_diff_login "${PASSWORD_DIFFERENT_LOGIN}"
update_config_noquote use_pwnedpasswords "${PASSWORD_USE_PWNED}"
update_config pwd_show_policy_pos "${PASSWORD_SHOW_POLICY_POSITION}"
update_config pwd_show_policy "${PASSWORD_SHOW_POLICY}"
update_config_noquote pwd_no_special_at_ends "${PASSWORD_NO_SPECIAL_ENDS}"
## Changing Passwords and Keys
update_config "login_forbidden_chars" "${LOGIN_FORBIDDEN_CHARACTERS}"
update_config who_change_password "${WHO_CAN_CHANGE_PASSWORD}"
update_config_noquote show_extended_error "${LDAP_EXTENDED_ERROR}"
update_config_noquote use_change "${CHANGE_PASSWORD}"
update_config_noquote change_sshkey "${CHANGE_SSHKEY}"
update_config change_sshkey_attribute "${LDAP_SSHKEY_ATTRIBUTE}"
update_config who_change_sshkey "${WHO_CAN_CHANGE_SSHKEY}"
update_config_noquote notify_on_sshkey_change "${NOTIFY_ON_SSHKEY_CHANGE}"
## Questions
update_config_noquote use_questions "${USE_QUESTIONS}"
update_config_noquote multiple_answers "${QUESTIONS_MULTIPLE_ANSWERS}"
update_config answer_objectClass "${QUESTIONS_ANSWER_OBJECTCLASS}"
update_config answer_attribute "${LDAP_ANSWER_ATTRIBUTE}"
update_config_noquote crypt_answers "${QUESTIONS_ANSWER_CRYPT}"
## Tokens
update_config_noquote use_tokens "${USE_TOKENS}"
update_config_noquote crypt_tokens "${TOKEN_CRYPT}"
update_config token_lifetime "${TOKEN_LIFETIME}"
## Mail
update_config mail_attribute "${LDAP_MAIL_ATTRIBUTE}"
update_config_noquote mail_address_use_ldap "${MAIL_USE_LDAP}"
update_config mail_from "${MAIL_FROM}"
update_config mail_from_name "${MAIL_FROM_NAME}"
update_config mail_signature "${MAIL_SIGNATURE}"
update_config_noquote notify_on_change "${NOTIFY_ON_CHANGE}"
update_config_noquote mail_smtp_debug "${SMTP_DEBUG}"
update_config mail_smtp_host "${SMTP_HOST}"
update_config_noquote mail_smtp_auth "${SMTP_AUTH_ON}"
update_config mail_smtp_user "${SMTP_USER}"
update_config mail_smtp_pass "${SMTP_PASS}"
update_config_noquote mail_smtp_port "${SMTP_PORT}"
update_config_noquote mail_smtp_timeout "${SMTP_TIMEOUT}"
update_config_noquote mail_smtp_keepalive "${SMTP_KEEPALIVE}"
update_config mail_smtp_secure "${SMTP_SECURE_TYPE}"
update_config_noquote mail_smtp_autotls "${SMTP_AUTOTLS}"
update_config mail_contenttype "${MAIL_CONTENTTYPE}"
update_config_noquote mail_wordwrap "${MAIL_WORDWRAP}"
update_config mail_charset "${MAIL_CHARSET}"
update_config_noquote mail_priority "${MAIL_PRIORITY}"
update_config_noquote mail_newline "${MAIL_NEWLINE}"
## SMS
update_config_noquote use_sms "${USE_SMS}"
update_config sms_method "${SMS_METHOD}"
update_config sms_api_lib "${SMS_API_LIB}"
update_config sms_attribute "${LDAP_SMS_ATTRIBUTE}"
update_config_noquote sms_partially_hide_number "${SMS_PARTIAL_HIDE_NUMBER}"
update_config smsmailto "${SMS_MAIL_TO}"
update_config smsmail_subject "${SMS_MAIL_SUBJECT}"
update_config sms_message "${SMS_MESSAGE}"
update_config_noquote sms_sanitize_number "${SMS_SANITIZE_NUMBER}"
update_config_noquote sms_truncate_number "${SMS_TRUNCATE_NUMBER}"
update_config_noquote sms_truncate_number_length "${SMS_TRUNCATE_NUMBER_LENGTH}"
update_config_noquote sms_token_length "${SMS_TOKEN_LENGTH}"
update_config_noquote max_attempts "${SMS_TOKEN_MAX_ATTEMPTS}"
## Encryption
update_config keyphrase "${SECRETKEY}"
## Logo and Branding
update_config_noquote show_help "${SHOW_HELP}"
update_config lang "${LANG}"
update_config_noquote show_menu "${SHOW_MENU}"
update_config logo "${LOGO}"
update_config background_image "${BACKGROUND_IMAGE}"
## Logging
if var_true "${ENABLE_RESET_LOG}" ; then
sed -i 's|#\$reset_request_logurl = |\$reset_request_log = |g' "${NGINX_WEBROOT}"/conf/config.inc.php
fi
update_config reset_request_log "${LOG_LOCATION}" "${LOG_RESET}"
## CAPTCHA
update_config_noquote use_recaptcha "${USE_RECAPTCHA}"
update_config recaptcha_publickey "${RECAPTCHA_PUB_KEY}"
update_config recaptcha_privatekey "${RECAPTCHA_PRIV_KEY}"
update_config recaptcha_theme "${RECAPTCHA_THEME}"
update_config recaptcha_type "${RECAPTCHA_TYPE}"
update_config recaptcha_size "${RECAPTCHA_SIZE}"
update_config_noquote recaptcha_request_method "${RECAPTCHA_REQUEST_METHOD}"
## Default action
update_config default_action "${DEFAULT_ACTION}"
## Reverse proxy Setup
if [ "$IS_BEHIND_PROXY" = "true" ]; then
sed -i 's|#\$reset_url = |\$reset_url = |g' "${NGINX_WEBROOT}"/conf/config.inc.php
if [ -n "${SITE_URL}" ]; then
update_config reset_url "${SITE_URL}"
fi
fi
### Set Debug Mode
if var_true "${DEBUG_MODE}"; then
update_config_noquote debug true
else
update_config_noquote debug false
fi
if [ -f "${LDAP_CA_CERTIFICATE}" ] ; then
print_warn "Adding root CA to /etc/openldap/ldap.conf"
echo "TLS_CACERT ${LDAP_CA_CERTIFICATE}" >> /etc/openldap/ldap.conf
fi
else
print_warn "Manual Mode Enabled - Make changs to the conf/config.inc.php manually"
fi
## Setting up files and paths
mkdir -p "${LOG_LOCATION}"
if var_true "${ENABLE_RESET_LOG}" ; then
touch "${LOG_LOCATION}""${LOG_RESET}"
chown -R "${NGINX_USER}":"${NGINX_GROUP}" "${LOG_LOCATION}"
fi
## Custom Files Support
if [ -d /assets/custom ] ; then
print_warn "Custom Assets Found, Copying over top of Master"
cp -R /assets/custom/* "${NGINX_WEBROOT}"
fi
### Force Reset Permissions for Security
chown -R "${NGINX_USER}":"${NGINX_GROUP}" "${NGINX_WEBROOT}"
liftoff