This role installs the LTB Self Service Password web application.

Setting up and configuring a web server with PHP support is beyond the scope of this role. Such a server needs to be present and configured to serve the `ssp_web_root` directory.

Furthermore, this role does not handle LDAP client certificates. If the LDAP service requires them, use a local proxy that authenticates to the directory with the client certificate and exposes a plain `ldap://` endpoint on the loopback interface; point `ssp_ldap_url` at that endpoint. Keep such a proxy bound to localhost only, since the hop between Self Service Password and the proxy is unencrypted.

Depending on the configuration, sending email may be required (password reset by email, change notifications, or SMS via an email gateway). In that case the local `sendmail` command is used, which needs to be set up properly.

This role requires the `community.general` Ansible collection.
- `ssp_web_root`: The directory where LTB Self Service Password is installed. Mandatory.
- `ssp_web_server_group`: Group the web server runs as (or is a member of). Since the configuration file of Self Service Password may contain sensitive information, such as the LDAP bind password, read access to it is restricted to this group. Mandatory.
- `ssp_version`: The version of LTB Self Service Password that should be installed. If not set, the latest released version is installed.
- `ssp_ldap_url`: A list of URLs of LDAP servers to work with. Later URLs are only used as a fallback if those listed earlier are down. Defaults to `ldap://localhost`.
- `ssp_ldap_starttls`: Whether to use STARTTLS when connecting to the LDAP servers. Defaults to `true`. With a plain `ldap://` URL and this set to `false`, bind credentials and new passwords cross the network in clear text, so only disable it for a loopback connection or an `ldaps://` URL.
- `ssp_ldap_bind_dn`: Connect to the directory as this DN. This account is used to look up user entries and to perform password resets, so ensure it has the appropriate privileges and no more. If not set, an anonymous bind is attempted.
- `ssp_ldap_bind_password`: The password for `ssp_ldap_bind_dn`.
- `ssp_ldap_base`: The search base for user accounts. Optional.
- `ssp_ldap_filter`: A search filter that returns the user's account. The string `{login}` is replaced by the user's login name. Defaults to `(&(objectClass=account)(uid={login}))`.
- `ssp_display_name_attribute`: The name of the attribute containing the user's display name. Defaults to `cn`.
- `ssp_mail_attribute`: The name of the attribute containing the user's email address. Defaults to `mail`.
- `ssp_mobile_attribute`: The name of the attribute containing the user's mobile phone number. Defaults to `mobile`.
- `ssp_sshkey_attribute`: The name of the attribute containing the user's public SSH key. Defaults to `sshPublicKey`.
- `ssp_ad_mode`: Set to `true` for compatibility with Microsoft Active Directory. Defaults to `false`.
- `ssp_samba_mode`: Set to `true` to update the `sambaNTpassword` and `sambaPwdLastSet` attributes on password changes. Defaults to `false`.
- `ssp_change_sshkey`: Enable support for changing SSH keys via Self Service Password. Defaults to `false`.
- `ssp_use_exop`: Whether to use the LDAP password modify extended operation instead of writing the password attribute directly. This lets the LDAP server apply its own password policy checks. Defaults to `false`.
- `ssp_hash_passwords`: Set to `true` to pass hashed passwords to the LDAP directory. Set to `false` to pass clear text passwords and let the directory handle hashing; this is required for a directory-side password policy to work, since the server cannot evaluate a password it only sees as a hash. Defaults to `false`. Ignored if `ssp_use_exop` is `true`.
- `ssp_password_length`: Minimum password length. Optional.
- `ssp_min_diff`: Minimum number of characters that need to differ from the old password. Defaults to `0`.
- `ssp_password_complexity`: The number of character classes required in new passwords. Sensible values are `2`, `3` or `4`. Optional.
- `ssp_forbidden_words`: A list of words that may not be used in passwords. Optional.
- `ssp_forbidden_fields`: A list of LDAP attributes on the user's entry whose values may not be used in that user's password. Optional.
- `ssp_check_pwned`: Check passwords against publicly known password leaks using the https://haveibeenpwned.com/ API. Only a prefix of the password's hash is sent to the API, never the password itself. Note that this requires outbound HTTPS connectivity from the web server to that host. Defaults to `true`.
- `ssp_notify_user`: If set to `true`, an email notification is sent to users when their password or SSH key is changed. Defaults to `false`.
- `ssp_reset_email`: Whether to enable resetting passwords via email confirmation. Defaults to `false`.
- `ssp_reset_sms`: Whether to enable resetting passwords via SMS confirmation. Defaults to `false`.
- `ssp_reset_email_lifetime`: How long a reset link is valid for (in seconds). Defaults to one hour.
- `ssp_email_from`: The sender address for emails. Mandatory if `ssp_reset_email` or `ssp_notify_user` is `true` or if `ssp_send_sms_method` is `mail`, ignored otherwise.
- `ssp_email_name`: The sender display name for emails. Optional; Self Service Password's default is used if not set. Only used if `ssp_reset_email` or `ssp_notify_user` is `true` or if `ssp_send_sms_method` is `mail`.
- `ssp_send_sms_method`: The method of contacting the SMS provider. Either `mail` or `api`. Mandatory if `ssp_reset_sms` is `true`, ignored otherwise.
- `ssp_sms_mail_provider`: To send out an SMS, send an email to this address. The string `{sms_attribute}` is replaced by the mobile number. Mandatory if `ssp_send_sms_method` is `mail`, ignored otherwise.
- `ssp_sms_mail_subject`: The subject of the email sent to the SMS provider. Only used if `ssp_send_sms_method` is `mail`.
- `ssp_sms_api`: Name of the SMS API provider as used in the file name `lib/sms-api-*.inc.php`. Mandatory if `ssp_send_sms_method` is `api`, ignored otherwise.
- `ssp_sms_api_config`: A dictionary containing further configuration for the SMS API. Values are written into the PHP configuration verbatim, so string values need an inner pair of quotes for PHP in addition to the YAML quoting, for example `key: "'value'"`. Usually mandatory if `ssp_send_sms_method` is `api`, ignored otherwise.
- `ssp_smarty_path`: As of version 1.4, LTB Self Service Password depends on Smarty. This role installs Smarty using the distribution's package manager or, failing that, by downloading the latest upstream release. In the latter case, this variable specifies the installation path for Smarty. Defaults to `/usr/local/share/php/smarty/`. Ignored when installing a version of LTB Self Service Password older than 1.4 or when Smarty is known to be available from the target system's package manager.
The following is a simple example playbook:

```yaml
- hosts: servers
  roles:
    - role: ssp
      become: true
      ssp_web_root: '/var/www'
      ssp_web_server_group: 'www-data'
```
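A fuller playbook, added here as an example and not taken from the role's own documentation, shows a hardened configuration against an OpenLDAP directory: STARTTLS, a dedicated least-privilege bind account whose password comes from Ansible Vault, server-side password policy via the extended operation, the client-side checks the role offers, and password reset by email. All hostnames, DNs, addresses and the `vault_ssp_bind_password` variable are placeholders you would replace with your own.

```yaml
# Added example (not part of the role). Hostnames, DNs, addresses and the
# vault variable are placeholders for your environment.
- hosts: servers
  vars:
    # Keep the bind password in an Ansible Vault file, never in the playbook.
    ssp_bind_password_from_vault: "{{ vault_ssp_bind_password }}"
  roles:
    - role: ssp
      become: true
      ssp_web_root: '/var/www/ssp'
      ssp_web_server_group: 'www-data'
      # The second server is only contacted if the first one is down.
      ssp_ldap_url:
        - 'ldap://ldap1.example.org'
        - 'ldap://ldap2.example.org'
      # Never send credentials or new passwords over a plain ldap:// connection.
      ssp_ldap_starttls: true
      # A service account that may read user entries and change userPassword,
      # and nothing else.
      ssp_ldap_bind_dn: 'cn=ssp,ou=services,dc=example,dc=org'
      ssp_ldap_bind_password: "{{ ssp_bind_password_from_vault }}"
      ssp_ldap_base: 'ou=people,dc=example,dc=org'
      ssp_ldap_filter: '(&(objectClass=inetOrgPerson)(uid={login}))'
      # Use the password modify extended operation so the directory enforces
      # its own password policy; ssp_hash_passwords is ignored in this mode.
      ssp_use_exop: true
      # Client-side checks applied before the change is sent to the directory.
      ssp_password_length: 12
      ssp_min_diff: 3
      ssp_password_complexity: 3
      ssp_forbidden_words:
        - 'example'
        - 'password'
      ssp_forbidden_fields:
        - 'uid'
        - 'cn'
        - 'mail'
      # Requires outbound HTTPS from the web server to haveibeenpwned.com.
      ssp_check_pwned: true
      # Password reset by email with a 30-minute link lifetime, plus
      # notifications on every password or SSH key change.
      ssp_reset_email: true
      ssp_reset_email_lifetime: 1800
      ssp_notify_user: true
      ssp_email_from: 'noreply@example.org'
      ssp_email_name: 'Password Self Service'
```

Because `ssp_use_exop` is `true`, the directory sees the clear-text password over the STARTTLS-protected connection and can evaluate its own policy (history, quality, lockout) before accepting the change; the client-side `ssp_password_*` checks only give users faster feedback and do not replace that policy.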
License: MIT