Self-service-password changes on NethServer

I run my NethServer installation at home, but many of my users are family users in other locations. I wanted them to be able to change their passwords without messing with a VPN, and without exposing the server-manager to the whole Internet. Self-service-password was the answer that was suggested to me.

Caution: These instructions have received only minimal testing at this point, particularly in an Active Directory environment. Use at your own risk.

Begin by installing the danb35 repository. You'll then need to manually add the LTB repository. To do that, run:

nano /etc/yum.repos.d/ltb-project.repo

Its contents should be:

[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project

Then import the signing key:

rpm --import https://ltb-project.org/wiki/lib/RPM-GPG-KEY-LTB-project

Finally, install the packages:

yum --enablerepo=danb35 install nethserver-self-service-password
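
The repo file created above is what makes yum verify the LTB packages, so it is worth auditing before the install step. The shell function below is an added example, not part of the original instructions or of NethServer; check_repo and the sample file names are chosen here, and the sample stanza is a constructed copy of the one on this page.

```shell
#!/bin/sh
# Added example: audit a yum .repo file for verifiable-install settings.
# check_repo FILE prints one finding per line; returns 0 when there are none.
check_repo() {
    awk '
        function report(   bad) {
            if (sec == "") return
            if (gc != "1")            { print sec ": gpgcheck is not 1"; bad = 1 }
            if (url !~ /^https:\/\//) { print sec ": baseurl is not https"; bad = 1 }
            if (key !~ /^(file|https):\/\//) {
                print sec ": gpgkey is missing or not file:// or https://"; bad = 1
            }
            if (bad) fail = 1
        }
        /^[ \t]*[#;]/ { next }                    # comment lines
        /^\[.*\]/ { report(); sec = $0; gc = url = key = ""; next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "gpgcheck") gc = v
            else if (k == "baseurl") url = v
            else if (k == "gpgkey") key = v
        }
        END { report(); exit fail + 0 }
    ' "$1"
}

# Constructed samples: the stanza from this page and a weakened copy of it.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.repo" <<'EOF'
[ltb-project-noarch]
name=LTB project packages (noarch)
baseurl=https://ltb-project.org/rpm/$releasever/noarch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project
EOF
sed -e 's/^gpgcheck=1/gpgcheck=0/' -e 's#=https://#=http://#' \
    "$demo_dir/good.repo" > "$demo_dir/weak.repo"

check_repo "$demo_dir/good.repo" && echo "good.repo: no findings"
check_repo "$demo_dir/weak.repo" || echo "weak.repo: findings listed above"
```

On the server, the same function can be pointed at /etc/yum.repos.d/ltb-project.repo once the file has been saved.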

Browse to https://yournethserver/ssp. You should see the self-service-password page.

For security reasons, the admin user's password can't be changed here, but any other user can change theirs.

There are several configuration properties under the ssp key, as described below:

| Property | Default | Description |
|---|---|---|
| UseDefaultHost | enabled | Make self-service-password available on the default virtual host. To disable, set to disabled. |
| DefaultPath | /ssp | Path to self-service-password on the default virtual host (if enabled). Must include the leading slash. |
| UseVhost | disabled | Use a dedicated virtual host for self-service-password. Set to enabled to enable. |
| VHostName | ssp.$DomainName | If using a dedicated virtual host, the fully-qualified domain name for that virtual host (e.g., password.yourdomain.com). |
| UseEmail | false | Enable password resets by email token. This will allow users who have forgotten their passwords to email a reset token to their local email address. On clicking that link, they'll be able to reset their password. To enable, set to true. This option is unlikely to work in an Active Directory environment. |

Use the standard configuration database commands to change these settings, e.g., config setprop ssp UseEmail true. After making any changes, run signal-event nethserver-self-service-password-update.