
ldap-passwd-webui's Introduction

Web UI for changing LDAP password

The aim of this project is to provide a very simple web form for users to be able to change their password stored in LDAP or Active Directory (Samba 4 AD). It’s built with Bottle, a WSGI micro web-framework for Python.

Installation

Alpine Linux

  1. Install the package ldap-passwd-webui-waitress from Alpine’s community repository:

    apk add ldap-passwd-webui-waitress

    Important: This package is in Alpine stable since v3.7. You can also install it from the edge (unstable) branch.

  2. Adjust configuration in /etc/ldap-passwd-webui.ini and /etc/conf.d/.

  3. Start service ldap-passwd-webui:

    /etc/init.d/ldap-passwd-webui start

Manually

Clone this repository and install dependencies:

git clone git@github.com:jirutka/ldap-passwd-webui.git
cd ldap-passwd-webui
pip install -r requirements.txt

Read the next sections to learn how to run it.

Requirements

Configuration

Configuration is read from the file settings.ini. You may change the location of the settings file using the environment variable CONF_FILE.

If you have Active Directory (or Samba 4 AD), then you must use an encrypted connection (i.e. LDAPS or StartTLS), because AD doesn’t allow changing a password via an unencrypted connection.
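
A pre-flight check for the rule above, as an added example (not code from the project). It reads only the [ldap] keys that appear on this page; the function name, the sample host names and the treatment of a missing use_ssl key as "unencrypted" are assumptions, and a StartTLS setting, if your version has one, is not inspected.

```python
import configparser

# Constructed sample: an AD setup on the plain LDAP port without use_ssl.
WEAK = """
[ldap]
host = dc1.example.org
port = 389
search_filter = sAMAccountName={uid}
base = dc=example,dc=org
type = ad
ad_domain = example.org
"""

# The same sample switched to LDAPS.
FIXED = WEAK.replace("port = 389", "port = 636\nuse_ssl = true")


def check_ldap_transport(ini_text):
    """Return a list of findings about the [ldap] transport settings."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(ini_text)
    ldap = conf["ldap"]
    # Assumption: a missing use_ssl key means an unencrypted connection.
    use_ssl = ldap.getboolean("use_ssl", fallback=False)
    port = ldap.getint("port", fallback=636 if use_ssl else 389)
    is_ad = ldap.get("type", fallback="").strip().lower() == "ad"

    findings = []
    if not use_ssl:
        findings.append("use_ssl is off: bind and password change travel "
                        "in clear text unless StartTLS is configured")
        if is_ad:
            findings.append("type = ad: AD refuses password changes over "
                            "an unencrypted connection")
    if use_ssl and port == 389:
        findings.append("use_ssl = true on port 389: LDAPS normally uses 636")
    if not use_ssl and port == 636:
        findings.append("port 636 without use_ssl: the server expects TLS")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, check_ldap_transport(text) or "ok")
```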

Run it

There are multiple ways to run it:

Run with the built-in server

Simply execute app.py:

python3 app.py

Then you can access the app on http://localhost:8080. The port and host may be changed in settings.ini.

Run with Waitress

cd ldap-passwd-webui
waitress-serve --listen=*:8080 app:application

Run with uWSGI and nginx

If you have many micro-apps like this, it’s IMO kinda overkill to run each in a separate uWSGI process, isn’t it? It’s not so well known, but uWSGI allows you to “mount” multiple applications in a single uWSGI process and with a single socket.

Sample uWSGI configuration:

[uwsgi]
plugins = python3
socket = /run/uwsgi/main.sock
chdir = /var/www/scripts
logger = file:/var/log/uwsgi/main.log
processes = 1
threads = 2
# map URI paths to applications
mount = /admin/ldap-passwd-webui=ldap-passwd-webui/app.py
#mount = /admin/change-world=change-world/app.py
manage-script-name = true

Sample nginx configuration as a reverse proxy in front of uWSGI:

server {
    listen 443 ssl;
    server_name example.org;

    ssl_certificate     /etc/ssl/nginx/nginx.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx.key;

    # uWSGI scripts
    location /admin/ {
        uwsgi_pass  unix:/run/uwsgi/main.sock;
        include     uwsgi_params;
    }
}


License

This project is licensed under MIT License. For the full text of the license, see the LICENSE file.

ldap-passwd-webui's People

Contributors

jirutka, peylight


ldap-passwd-webui's Issues

ImportError: cannot import name 'LDAPBindError'

Hello

I create a virtualenv, install the required packages inside it via pip, and when I run python3 app.py, I see an error:

(test) [root@ansible-dev change-password]# which python3
/root/test/bin/python3
(test) [root@ansible-dev change-password]# python3 app.py
Traceback (most recent call last):
  File "app.py", line 7, in <module>
    from ldap3 import Connection, LDAPBindError, LDAPInvalidCredentialsResult, Server
ImportError: cannot import name 'LDAPBindError'
(test) [root@ansible-dev change-password]#

Changing password in AD doesn’t work

Hello, I use Apache with this config (I also tried nginx+uwsgi and the result is the same):

<VirtualHost passwd.example.org:80>
	ServerName passwd.example.org
	WSGIDaemonProcess change-passwd user=apache group=apache processes=1 threads=5
	WSGIScriptAlias / /var/www/html/change-passwd/app.py

	<Directory /var/www/html/change-passwd>
		WSGIProcessGroup change-passwd
		WSGIApplicationGroup %{GLOBAL}
		Require all granted
	</Directory>
</VirtualHost>

Apache starts successfully and displays the main page, but if I try to change the password I get the error "Error: 500 Internal Server Error":

[Fri Jul 07 13:18:21.143218 2017] [:error] [pid 106200] [remote 172.30.0.10:34204] Traceback (most recent call last):
[Fri Jul 07 13:18:21.143268 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/bottle.py", line 861, in _handle
[Fri Jul 07 13:18:21.143273 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     return route.call(**args)
[Fri Jul 07 13:18:21.143275 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/bottle.py", line 1731, in wrapper
[Fri Jul 07 13:18:21.143278 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     rv = callback(*a, **ka)
[Fri Jul 07 13:18:21.143281 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/var/www/html/change-passwd/app.py", line 34, in post_index
[Fri Jul 07 13:18:21.143284 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     change_password(form('username'), form('old-password'), form('new-password'))
[Fri Jul 07 13:18:21.143287 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/var/www/html/change-passwd/app.py", line 65, in change_password
[Fri Jul 07 13:18:21.143290 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     change_password_ad(*args)
[Fri Jul 07 13:18:21.143292 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/var/www/html/change-passwd/app.py", line 94, in change_password_ad
[Fri Jul 07 13:18:21.143295 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     c.extend.microsoft.modify_password(user_dn, new_pass, old_pass)
[Fri Jul 07 13:18:21.143298 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/extend/__init__.py", line 265, in modify_password
[Fri Jul 07 13:18:21.143301 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     controls)
[Fri Jul 07 13:18:21.143303 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/extend/microsoft/modifyPassword.py", line 50, in ad_modify_password
[Fri Jul 07 13:18:21.143306 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     controls)
[Fri Jul 07 13:18:21.143309 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/core/connection.py", line 1044, in modify
[Fri Jul 07 13:18:21.143312 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     response = self.post_send_single_response(self.send('modifyRequest', request, controls))
[Fri Jul 07 13:18:21.143314 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/strategy/sync.py", line 124, in post_send_single_response
[Fri Jul 07 13:18:21.143317 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     responses, result = self.get_response(message_id)
[Fri Jul 07 13:18:21.143320 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/strategy/base.py", line 377, in get_response
[Fri Jul 07 13:18:21.143323 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
[Fri Jul 07 13:18:21.143327 2017] [:error] [pid 106200] [remote 172.30.0.10:34204] LDAPNoSuchObjectResult: LDAPNoSuchObjectResult - 32 - noSuchObject - OU=ADM,OU=HQ,DC=alt,DC=altarix,DC=ru - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=ADM,OU=HQ,DC=alt,DC=altarix,DC=ru'

But the password check is successful:

[Fri Jul 07 13:18:08.841810 2017] [:error] [pid 106200] Unsuccessful attemp to change password for tak: Username or password is incorrect!

Then an error occurs only when trying to change the password.

Error when changing an AD password containing special characters

When I try a new password such as "O3D0eHAcuzia2rX$G":

127.0.0.1 - - [17/Jul/2017 15:53:50] "GET / HTTP/1.1" 200 1350
2017-07-17 15:54:10,253 WARNING: Unsuccessful attemp to change password for test: 0000052d: atrerr: dsid-03191083, #1:
0: 0000052d: dsid-03191083, problem 1005 (constraint_att_type), data 0, att 9005a (unicodepwd)

I've tried

new_pass = base64.b64encode(bytes(new_pass, 'utf-16le'))

but it's the same as none

I got an error

[root@localhost ldap-passwd-webui]# pip install -r requirements.txt
Ignoring configparser: markers 'python_version < "3.3"' don't match your environment
Requirement already satisfied: bottle>=0.12.8 in /opt/anaconda3/lib/python3.6/site-packages (from -r requirements.txt (line 1)) (0.12.13)
Requirement already satisfied: ldap3<3.0,>=2.0 in /opt/anaconda3/lib/python3.6/site-packages (from -r requirements.txt (line 2)) (2.5)
Requirement already satisfied: pyasn1>=0.1.8 in /opt/anaconda3/lib/python3.6/site-packages (from ldap3<3.0,>=2.0->-r requirements.txt (line 2)) (0.4.3)
[root@localhost ldap-passwd-webui]# pip install bottle
Requirement already satisfied: bottle in /opt/anaconda3/lib/python3.6/site-packages (0.12.13)
[root@localhost ldap-passwd-webui]# python app.py
2018-05-30 02:03:06,634 INFO: Starting ldap-passwd-webui 2.0.0
Traceback (most recent call last):
  File "app.py", line 144, in <module>
    SimpleTemplate.defaults = dict(CONF['html'])
  File "/opt/anaconda3/lib/python3.6/configparser.py", line 959, in __getitem__
    raise KeyError(key)
KeyError: 'html'

Can you help me?

Application dies right after start

Got this traceback:

2018-02-28 09:01:27,720 INFO: Starting ldap-passwd-webui 2.0.0
Traceback (most recent call last):
  File "app.py", line 144, in <module>
    SimpleTemplate.defaults = dict(CONF['html'])
  File "/usr/lib/python3.6/configparser.py", line 959, in __getitem__
    raise KeyError(key)
KeyError: 'html'

Python version: 3.6.4

reset password feature

So we are thinking to contribute to this project adding a feature: the reset password thing. What do you think? Would you accept it as a pull request? Anyway, we can just fork it.

Reset password (or forgot password) is the process that sends an email with a specific token/ID to enter an ephemeral form to override the password for the specific user.

change local machine password

I simply want to manage my server's users and passwords. I assume they live in /etc/passwd; how should I configure settings.ini?

Correct config for AD auth?

Hello

My settings.ini looks like this:

[html]
page_title = Change your password on example.org

[ldap]
host = IP_DC
port = 636
use_ssl = true
base = ou=XX,dc=XXX,dc=XXX,dc=XXX
#search_filter = uid={uid}

# Uncomment for AD / Samba 4
type = ad
ad_domain = FQDN_DC
search_filter = sAMAccountName={uid}

[server]
server = auto
host = MY_IP
port = 8080

When I try to change the password I get this error:

Bottle v0.12.13 server starting up (using AutoServer())...
Listening on http://172.29.23.233:8080/
Hit Ctrl-C to quit.

MY_IP - - [26/Apr/2017 18:31:41] "GET / HTTP/1.1" 200 1350
MY_IP - - [26/Apr/2017 18:31:41] "GET /static/style.css HTTP/1.1" 304 0
Traceback (most recent call last):
  File "/root/change-passwd/lib/python2.7/site-packages/bottle.py", line 862, in _handle
    return route.call(**args)
  File "/root/change-passwd/lib/python2.7/site-packages/bottle.py", line 1740, in wrapper
    rv = callback(*a, **ka)
  File "app.py", line 33, in post_index
    change_password(form('username'), form('old-password'), form('new-password'))
  File "app.py", line 64, in change_password
    change_password_ad(*args)
  File "app.py", line 92, in change_password_ad
    user_dn = find_user_dn(c, username)
  File "app.py", line 98, in find_user_dn
    conn.search(CONF['ldap']['base'], "(%s)" % search_filter, SUBTREE, attributes=['dn'])
  File "/root/change-passwd/lib/python2.7/site-packages/ldap3/core/connection.py", line 747, in search
    raise LDAPAttributeError('invalid attribute type ' + attribute_name_to_check)
LDAPAttributeError: invalid attribute type dn
MYIP - - [26/Apr/2017 18:31:54] "POST / HTTP/1.1" 500 745

ldap3: cannot import name 'SUBTREE'

Hello, I'm trying to test out your app here, using the python3, ldap3, and bottle modules that ship with Ubuntu 14.04. The ldap3 version meets your documented requirement, but the app fails to run.

sysmgr@ubuntu-14-04-5:~/change-password$ python3 app.py
Traceback (most recent call last):
  File "app.py", line 8, in <module>
    from ldap3 import AUTH_SIMPLE, SUBTREE
ImportError: cannot import name 'SUBTREE'

Python Versions:

ii  python3                            3.4.0-0ubuntu2                    amd64        interactive high-level object-oriented language (default python3 version)
ii  python3-bottle                     0.12.0-1                          all          fast and simple WSGI-framework for Python3
ii  python3-ldap3                      0.9.4.2-1~ubuntu14.04.1           all          Pure Python LDAP client library

Password complexity check

Hello! What do you think of implementing some type of password complexity check?
For example, for new passwords check length, presence in a dictionary file, and some kind of entropy. Or do you think this UI is not the right place to make these kinds of checks? Thanks in advance!
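
The three checks named in this request (length, dictionary presence, entropy), as an added example that is not code from the project. The word list, the substitution table, the thresholds and all function names are assumptions; the directory's own password policy still has the final say.

```python
import math
from collections import Counter

# Constructed stand-in for a dictionary file; load a real word list in practice.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "example"}
# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def shannon_bits(password):
    """Shannon entropy of the character distribution times length, in bits.

    A coarse heuristic: it penalises repetition, not predictable patterns.
    """
    n = len(password)
    counts = Counter(password)
    return -sum(c * math.log2(c / n) for c in counts.values())


def dictionary_hits(password):
    """Return word-list entries found in the normalised password."""
    core = "".join(ch for ch in password.lower().translate(LEET)
                   if ch.isalpha())
    return sorted(w for w in WORDLIST if w in core)


def check_new_password(new, old, min_length=12, min_bits=40.0):
    """Return the reasons to reject `new`; an empty list means accept."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if new == old:
        reasons.append("same as the old password")
    hits = dictionary_hits(new)
    if hits:
        reasons.append("contains dictionary word: " + ", ".join(hits))
    if shannon_bits(new) < min_bits:
        reasons.append("character entropy below threshold")
    return reasons


if __name__ == "__main__":
    # Constructed candidates, checked against a constructed old password.
    for candidate in ("Passw0rd!2024", "aaaaaaaaaaaa", "vB7#qLm2Tz!eRk9w"):
        print(candidate, check_new_password(candidate, "old-secret") or "ok")
```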

stopped working for me

This stopped working for me, and I'm not having any luck figuring out why. Error code shows up when changing pw:

0000052d: atrerr: dsid-031910b8, #1: 0: 0000052d: dsid-031910b8, problem 1005 (constraint_att_type), data 0, att 9005a (unicodepwd)

Any suggestions would be much appreciated.

Change Active Directory Password : LDAPUnwillingToPerformResult - 53 - unwillingToPerform

Hi!
Thanks for your code, it's a very interesting tool for changing an LDAP user's password.
But I can't use it to change a password on a Windows Active Directory server. Tested with OpenLDAP, no problem.

Here is my settings.ini file:

[html]
page_title = Change your password on example.org
[ldap]
host = xx.xxx.x.x 
port = 389
search_filter = samaccountname={uid}
base = dc=my-ad,dc=org
type = ad
ad_domain = my-ad.org
[server]
server = auto
host = localhost
port = 8080

When I want to change a password, I get this error log:

Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/bottle.py", line 862, in _handle
    return route.call(**args)
  File "/usr/lib/python3.5/site-packages/bottle.py", line 1732, in wrapper
    rv = callback(*a, **ka)
  File "app.py", line 34, in post_index
    change_password(form('username'), form('old-password'), form('new-password'))
  File "app.py", line 63, in change_password
    change_password_ad(*args)
  File "app.py", line 93, in change_password_ad
    c.extend.microsoft.modify_password(user_dn, old_pass, old_pass)
  File "/usr/lib/python3.5/site-packages/ldap3/extend/__init__.py", line 208, in modify_password
    controls)
  File "/usr/lib/python3.5/site-packages/ldap3/extend/microsoft/modifyPassword.py", line 13, in modify_ad_password
    controls)
  File "/usr/lib/python3.5/site-packages/ldap3/core/connection.py", line 893, in modify
    response = self.post_send_single_response(self.send('modifyRequest', request, controls))
  File "/usr/lib/python3.5/site-packages/ldap3/strategy/sync.py", line 124, in post_send_single_response
    responses, result = self.get_response(message_id)
  File "/usr/lib/python3.5/site-packages/ldap3/strategy/base.py", line 369, in get_response
    raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
ldap3.core.exceptions.LDAPUnwillingToPerformResult: LDAPUnwillingToPerformResult - 53 - unwillingToPerform - None - 00002077: SvcErr: DSID-03190E49, problem 5003 (WILL_NOT_PERFORM), data 0
 - modifyResponse - None

Any idea why I get this error? It seems that you cannot change a password like this in Active Directory.
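
The Active Directory diagnostic strings quoted in several of the issues above start with a Win32 error code in hex. The following added example (not code from the project) parses those strings and maps the three codes seen on this page to their Win32 names; the function name and the hint texts are assumptions of this example.

```python
import re

# Win32 codes that AD puts (as 8 hex digits) at the start of the LDAP
# diagnostic message. Only the codes seen in the issues above are listed.
AD_CODES = {
    0x052D: ("ERROR_PASSWORD_RESTRICTION",
             "new password violates domain policy: length, complexity or history"),
    0x2077: ("ERROR_DS_ILLEGAL_MOD_OPERATION",
             "modify refused: check that the connection uses LDAPS or StartTLS"),
    0x208D: ("ERROR_DS_OBJ_NOT_FOUND",
             "target DN not found: check the search base and the resolved user DN"),
}

DIAG = re.compile(r"\b([0-9a-f]{8}):\s*(\w+err):\s*dsid-([0-9a-f]+)", re.I)
PROBLEM = re.compile(r"\bproblem\s+(\d+)\s+\((\w+)\)", re.I)
ATTR = re.compile(r"\batt\s+[0-9a-f]+\s+\((\w+)\)", re.I)

# Diagnostic text copied from the issue logs on this page (trimmed).
SAMPLES = [
    "0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0",
    "0000052d: atrerr: dsid-03191083, #1:\n0: 0000052d: dsid-03191083, "
    "problem 1005 (constraint_att_type), data 0, att 9005a (unicodepwd)",
    "00002077: SvcErr: DSID-03190E49, problem 5003 (WILL_NOT_PERFORM), data 0",
]


def triage(message):
    """Parse an AD diagnostic message; return None if none is present."""
    m = DIAG.search(message)
    if not m:
        return None
    code = int(m.group(1), 16)
    name, hint = AD_CODES.get(code, ("UNKNOWN", "code not in this table"))
    problem = PROBLEM.search(message)
    attr = ATTR.search(message)
    return {
        "code": code,
        "name": name,
        "hint": hint,
        "error_class": m.group(2),
        "problem": problem.group(2).upper() if problem else None,
        "attribute": attr.group(1) if attr else None,
    }


if __name__ == "__main__":
    for line in SAMPLES:
        result = triage(line)
        print(f"{result['code']:#06x} {result['name']}: {result['hint']}")
```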
