Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 40 changed files with 828 additions and 33 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,5 @@ | ||
*.docx | ||
*.pptx | ||
*.bat | ||
*.tmp | ||
Makefile |
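Review bot: the bare `Makefile` entry at the end of this pattern list has no leading slash, so if this is the ignore file it appears to be, it matches a file of that name in every directory. Together with the existing `*.bat` it keeps both the Makefile and make.bat that a Sphinx documentation tree normally uses as build entry points out of the repository. If the goal is to exclude one locally generated file, anchor the pattern to that path (for example `/Makefile`) and note in the commit message how the docs are meant to be built.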
Binary file not shown.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
WebLAPS agent | ||
============================== | ||
WebLAPS agent is used to manage passwords of local users and control membership in local groups. It could be run on joined or non domain joined computers. | ||
|
||
WebLAPS agent installation | ||
---------------------------------- | ||
Before you begin make sure that MS .NET Framework 4.5.1 is installed. | ||
|
||
You can install WebLAPS agent using command line: | ||
|
||
msiexec /i WebLAPSInstaller.msi /quiet /norestart SERVERURL=<serverulr> JOINKEY=<joinkey> | ||
|
||
.. list-table:: | ||
:header-rows: 1 | ||
|
||
* - **Parameter** | ||
- **Example** | ||
- **Description** | ||
* - SERVERURL | ||
- https://weblapspublic.host;https://weblapsprivate.host | ||
- WebLAPS server URL. You can set multiple URLs delimmited with ";" in case if you want to perform password rotation on remote computers outside of corporate network. WebLAPS agent will try to select first available server. If you use reversproxy you can publish URLs used by agent with mask /api/computers/remote/* so no other functionality will be available from internet. | ||
* - JOINKEY | ||
- superSECRETkey1 | ||
- key validated once by WebLAPS during initial connection. | ||
* - NOSSLCHECK | ||
- 1 | ||
- disable server certificate validation | ||
* - GROUPID | ||
- bc96b2b6-ab66-4592-be0a-2dfcfe317e58 | ||
- You can manually set computer container ID which will be used by agent to get policy otherwise distribution rules will be used to determine container | ||
|
||
WebLAPS agent policy | ||
---------------------------------- | ||
Go to **Administration -> Computers -> Policies** and select computer container, next press "Add new" button. | ||
You can configure multiple policies which will be applied to the same computer container. Policies are inherited from all parent containers. | ||
|
||
.. image:: img/weblaps_agent_policy.png | ||
:align: center | ||
|
||
WebLAPS agent policy is applied to specified *local* user account. WebLAPS agent can automatically create managed user if it is not exists. For automatic password rotation please select **Manage password** checkbox and set "Password age". You can automatically remove all users from defined group except approved. You can specify multiple approved users delimited with ";". For domain user use following format: domain\\login. | ||
|
||
To view result settings for a container go to **Administration -> Computers -> Container Details** and select a computer container. | ||
|
||
.. image:: img/weblaps_agent_result.png | ||
:align: center | ||
|
||
WebLAPS agent access management | ||
---------------------------------- | ||
|
||
Go to **Administration->Computers -> Access Groups** and setup user group to computer container mappings. You must use distinguished names of groups. Members of group will be able to get passwords managed by WebLAPS agent in the container and sub containers. If you have multiple policies for several managed users per one container you can additionally restrict managed .users to which passwords you provide access by filling **Allow access only to following subjects** parameter. | ||
|
||
.. image:: img/weblaps_agent_access.png | ||
:align: center | ||
|
||
Additionally you can provide access only for particular computer to an user or a group (group nesting is not supported) by editing computer object. This mechanism does not connected with access control subsystem based on groups and containers | ||
|
||
.. image:: img/weblaps_agent_access_managedby.png | ||
:align: center | ||
|
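Review bot: the NOSSLCHECK row of the parameter table documents `disable server certificate validation` with no caveat, even though this is the channel that carries the join key and the managed local passwords, and the SERVERURL row describes publishing the agent endpoints to the internet. Say that the switch is for test setups only and describe the supported alternative, which is making the agent host trust the CA that issued the server certificate. The install line also passes `JOINKEY=<joinkey>` on the msiexec command line, where it ends up in process command-line auditing and deployment logs. Because the JOINKEY row says the key is validated once during initial connection, add a sentence on how it is rotated or revoked after rollout, and replace the realistic-looking `superSECRETkey1` with an obvious placeholder. Smaller points: `<serverulr>` should read `<serverurl>`, the command needs a `::` literal block marker on the preceding paragraph so it renders as code, and "delimmited", "reversproxy", "managed .users" and "does not connected" need correcting. The access management section should also state whether the per-computer grant can widen access beyond what the group-to-container mapping allows.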
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
Installation Prerequisites | ||
========================== | ||
|
||
.. |lapsuser| replace:: laps | ||
.. |lapsservice| replace:: laps | ||
.. |lapsdir| replace:: /opt/laps | ||
|
||
Prior to installing the WebLAPS, the following requirements must be met: | ||
|
||
#. Install Java JRE or JDK version 1.8 | ||
#. Check that java executable is on your system PATH. Following command must return no errors | ||
|
||
java -version | ||
|
||
if any error occurred please fix your Java installation https://www.java.com/en/download/help/path.xml | ||
|
||
#. Make sure that network connection is open to port 636 (LDAPS) from weblaps host to domain controllers | ||
|
||
#. Make sure that your LDAPS is configured at your domain controllers. LAPS stores passwords in special confidential attribute which is accessible only via secured connection. https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx | ||
|
||
#. Prepare service user in AD and grant it permissions to read and reset passwords. | ||
|
||
#. Export certificate of CA which signed certificate for LDAPS | ||
|
||
#. import CA certificate at mobile devices if you want to use LAPS mobile app and you use your own CA to issue certificate for WebLAPS server. |
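Review bot: the step `Prepare service user in AD and grant it permissions to read and reset passwords.` gives no scope, so a reader could satisfy it by adding the account to a privileged group. Spell out the least-privilege form: delegation limited to the OUs that hold the managed computers and to the confidential password attribute the LDAPS step refers to, with the attribute named. The following step, `Export certificate of CA which signed certificate for LDAPS`, does not say where the exported certificate goes; state which trust store on the WebLAPS host it has to be imported into, otherwise the LDAPS connection from the previous steps cannot be validated. The substitutions `lapsuser`, `lapsservice` and `lapsdir` are defined at the top of the file but never used in these 25 lines; drop them or move them to the page that uses them. Also capitalise "import" in the last item so it matches the other steps.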