Description

This tool allows to:

• Manage users attributes in an LDAP/Active Directory
• Let users log-in and manage their own attributes / change their passwords
• Export password hashes into different formats (sha256, etc.)
• Send reminder to users for password expiration
• Archive passwords/users when expired
• Manage ssh public keys for users

Build and Release

• Builds are triggered by pushes to master & develop.
• Please do not forget to set hidden project variables for release, see next point!

Project CI-Variables / Environment Variables

CI-Variable	Used for
LDAP_SELFSERVICE_USER	User to authenticate to Active directory and to the Git-Server
LDAP_SELFSERVICE_PASSWORD	Password for the user
LDAP_SELFSERVICE_SERVER	Server of the Active Directory to connect to
SAMBA_SELFSERVICE_USER	Bind-User to authenticate to Active directory
SAMBA_SELFSERVICE_PASSWORD	Password for the user
SAMBA_SELFSERVICE_SERVER	Server of the Active Directory to connect to

Additional the .gitlab-ci.yml sets a TARGET_BRANCH variable, that defines to which branch changes to the passwords.yaml file should be pushed (it is always the current branch of selfservice).

Password Update Suite (PUS)

The PUS is responsible for updating the passwords.yaml file in the hiera-autogenerated Repo when user changes it's password and also to cleanup the file every 30 minutes (remove/ disable old entries).

• passwordChange.sh is called by selfservice via php when user changes it's password (it uses passwordChangeYaml.pl to change the yaml-file)
• passwordCleanupCron.sh is called by cron every 30 minutes to disable users with (too) old passwords and remove disabled (in AD) users (it uses passwordCleanupCronYaml.pl to update the yaml-file)

Password Reminder

password-reminder-cron.php is called by cron every day at 6 am. to remind all users about an expiring password (starting 14 days before the day of expiry)