Set up LDAP self-service password tool on CentOS 8

This guide will guide you through the setup steps LDAP Self-Service Password Tool On CentOS 8. If you let users authenticate through an LDAP directory, they may want to be able to reset their passwords themselves. The self-service password tool is a PHP application that provides you with this feature. It supports many LDAPv3 directories, including OpenLDAP, OpenDS, ApacheDS, 389 DS, RHDS and even MicroSoft AD.

Set up LDAP self-service password tool on CentOS 8

In this demo, we use OpenLDAP as our authentication directory. So before proceeding, make sure you have a running OpenLDAP server. You can refer to the following link to set up OpenLDAP on CentOS 8.

Install and set up OpenLDAP on CentOS 8

Run system update

Make sure your system packages are up to date.

dnf update

Install LDAP Self-Service Password Tool on CentOS 8

As of this writing, self-service password version 1.3 is the current stable version.

In this demo, we use PHP 7.3 provided by the Remi repository. Therefore, proceed as follows;

dnf install
dnf install

Enable PHP 7.3 module flow

dnf module install php:remi-7.3

Next, install the self-service password tool by executing the following command;

dnf localinstall

Once installed, it will install PHP and the required modules, including other dependencies, such as the Apache web server.

Next, install the php-mcrypt required for the password function.

dnf install php-mcrypt vim

If you need to use the mail function when resetting your password, you need the PHP mail and session module.

Configure LDAP Self-Service Password Tool

After installation, continue to configure the self-service password tool.

SSP creates a default Apache configuration file, /etc/httpd/conf.d/self-service-password.conf.

Edit this file and make the appropriate changes.

cp /etc/httpd/conf.d/self-service-password.conf{,.old}
vim /etc/httpd/conf.d/self-service-password.conf

Paste the following into the configuration file Make any appropriate changes.


        DocumentRoot /usr/share/self-service-password
        DirectoryIndex index.php

        AddDefaultCharset UTF-8

        Alias /ssp /usr/share/self-service-password

            AllowOverride None
            Require all granted

            AllowOverride None
            Require all denied

        LogLevel warn
        ErrorLog /var/log/httpd/ssp_error_log
        CustomLog /var/log/httpd/ssp_access_log combined

Save and exit the configuration file.

Set SSP general parameters

The default profile of SSP is, /usr/share/self-service-password/conf/

First, create a local configuration file, that you can overwrite the original configuration and avoid overwriting your settings as a result of the upgrade.

cp /usr/share/self-service-password/conf/{,.local}.php

Open the configuration file for editing.

vim /usr/share/self-service-password/conf/

If you check the original configuration file, /usr/share/self-service-password/conf/ will notice that there are different configuration settings sections, such as AD, SAMBA, MAIL, SMS, etc. In our custom configuration, have phased out these parts.

Configure the LDAP server connection details. Make sure to substitute values ​​to match your environment settings.

$ldap_url = "ldap://";
 $ldap_starttls = false;
 $ldap_binddn = "cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com";
 $ldap_bindpw = "hacker";
 $ldap_base = "dc=ldapmaster,dc=kifarunix-demo,dc=com";
 $ldap_login_attribute = "uid";
 $ldap_fullname_attribute = "cn";
 $ldap_filter = "(&(objectClass=posixAccount)($ldap_login_attribute={login}))";

Under shadow configuration options;

# Shadow options - require shadowAccount objectClass
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = true;
$shadow_options['update_shadowExpire'] = true;

# Default to -1, never expire. 60 means password expires in 60 days.
$shadow_options['shadow_expire_days'] = 60;

Define the password hashing scheme before sending it to the LDAP server.

# auto scheme gets the current password value and find the hash. It also requires read access to the password.
$hash = "auto";

Configure password policies

$pwd_min_length = 12; 
$pwd_max_length = 15;
$pwd_min_lower = 1;
$pwd_min_upper = 1;
$pwd_min_digit = 1;
$pwd_min_special = 1;
$pwd_special_chars = "^a-zA-Z0-9";
$pwd_no_reuse = true;
$pwd_diff_login = true;
$pwd_complexity = 1;
$use_pwnedpasswords = false;
$pwd_show_policy = "always";
$pwd_show_policy_pos = "above";
$who_change_password = "user";
$use_change = true;

Change the value of Keyphrase to an arbitrary and long value;

$keyphrase = "7rRy0}96#4E7#kzb%:,25X}c&66rU";

Our configuration is shown below without comments;

less /usr/share/self-service-password/conf/

Please refer to the following to traverse the entire configuration file reference And make the appropriate changes to suit your environment.

After the setting is completed, save and exit the configuration file.

Make sure users have permission to update their passwords on the OpenLDAP server. For example, this is a sample access control list in our openLDAP server database.

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.subt
 ree="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by
 btree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by * none
olcAccess: {1}to attrs=shadowLastChange,shadowExpire by self write by dn.subtr
 ee="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.sub
 tree="ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by * none

Install SSL / TLS certificate

In this demo, we use SSL-based LDAP. Therefore, we need to install a CA certificate to verify the connection with the LDAP server. To download the CA certificate from the server, run the following command;

openssl s_client -connect -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Copy certificate ...


... and paste it on a specific file, such as /etc/ssl/certs/cacert.pem.

After that update /etc/openldap/ldap.conf File to define the path of the CA certificate file downloaded above.

vim /etc/openldap/ldap.conf
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/ssl/certs/cacert.pem

Save and exit the file.

Change ownership /usr/share/self-service-password Directory to apache.

chown -R apache:apache /usr/share/self-service-password

Verify Apache configuration syntax.

httpd -t

Restart and enable Apache to run at system startup.

systemctl restart httpd
systemctl enable httpd

Open port 80 on the firewall.

firewall-cmd --add-port=80/tcp --permanent
firewall-cmd --reload

Configure SELinux policy

If SELinux is running, run the following command to allow the Self Service Password tool to change the user password.

Allow httpd to connect to the network.

setsebool -P httpd_can_network_connect 1

Allow httpd to connect to ldap

setsebool -P httpd_can_connect_ldap 1

Parse user passwd entries directly from ldap

setsebool -P authlogin_nsswitch_use_ldap 1

Allow the system to run with NIS.

setsebool -P nis_enabled 1

Accessing SSP from a browser

You can now access the self-service password tool from your browser using your URL, http://.

To demonstrate how to reset the password, we will use a demo user in our OpenLDAP database.

ldapsearch -Y EXTERNAL -H ldapi:/// -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" "(objectClass=posixAccount)" "(uid=*)"-Q -LLL
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

In order to satisfy the defined password policy, this is an example password used, N # rAvImVosh3. Note that if you have also defined password policies in the OpenLDAP backend database, make sure that the policies defined on the SSP match the backend policies.

Set up LDAP self-service password tool on CentOS 8

If the password is accepted, you should see the output, Your password has been changed.

Set up LDAP self-service password tool on CentOS 8

You can also verify the same password on OpenLDAP;

ldapwhoami -x -H ldapi:/// -D "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W
Enter LDAP Password: N#rAvImVosh3

If the passwords do not match, you will get output;

ldap_bind: Invalid credentials (49)

If you have implemented a password policy in the OpenLDAP backend using attributes pwdCheckQuality Set value 2, The password may still fail QA. In this case, set the value of this property to 1.

You go. You have successfully installed and set up an LDAP self-service password tool on CentOS 8. Users can now easily reset their passwords.


Self-service password LDAP toolbox documentation

Other related guides

Setting up OpenLDAP server with SSL / TLS on Debian 10

Configure SSSD for OpenLDAP Client authentication on Debian 10/9

How to create an OpenLDAP member group

Configure SSSD for OpenLDAP authentication on CentOS 8