PWM
LDAP Self Service Solution
Useful Links

  • PWM GitHub: GitHub - pwm-project/pwm
  • MySQL Connector/J 5.1.49 (Platform Independent): MySQL :: Download MySQL Connector/J (Archived Versions)

Please read our disclaimer https://docs.ibracorp.io/#disclaimer.

Installation

  • Head to the Community Applications store in Unraid
  • Search for and click to install 'PWM' from Sycotix's Repository
  • The template does not need any modifications beyond the port you want to reach it on, if the default of 8282 is already in use on your system.
  • Click done and wait for the container to pull down and start.
  • Ensure you have MariaDB installed and operational. We recommend using Adminer to manage your MariaDB; see our separate guide for how to set it up.
  • Open your MariaDB in Adminer (or use CLI if you prefer) and create a database called 'pwm'.
  • Create a user and password for the new database called 'pwm' - and grant it all privileges.
  • In your FreeIPA server, ensure you have a test user account. It does not require any special privileges and should be a normal user. Tip: by default, when an admin user sets or resets a user's password in FreeIPA, that password expires immediately. Sign in to FreeIPA as the test user to make sure a proper password is in place, and check the password's expiration date to be sure it is valid.
  • Download the MySQL/Java connector package from the Useful Links section above.
  • With all the above done we are now prepared for configuration.
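The database and user from the two MariaDB steps above, created from the MariaDB CLI instead of Adminer, as an added example that is not part of this guide. The grant is scoped to the pwm database and to one client host rather than the whole server; the root password prompt, the 192.168.1.100 address and the PWM_HOST / PWM_DB_PASSWORD variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: create the 'pwm' database and user from the
# MariaDB CLI instead of Adminer. The grant covers only the pwm database and the
# account is tied to one client host, so the credentials stored in PWM cannot
# reach other databases on the same server.
set -eu

# Print the SQL. Arguments: database, user, allowed client host, password.
# Use the PWM container's IP as the host; '%' (any host) is the loose fallback.
pwm_db_sql() {
  db=$1; user=$2; host=$3; pass=$4
  # Double backslashes and single quotes so the password survives SQL quoting.
  esc=$(printf '%s' "$pass" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
  cat <<EOF
CREATE DATABASE IF NOT EXISTS $db;
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$esc';
GRANT ALL PRIVILEGES ON $db.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Apply against the MariaDB server from the guide (192.168.1.100:3306) as root.
# mysql -p prompts for the root password on the terminal, so the SQL can be piped
# in on stdin; the new user's password comes from PWM_DB_PASSWORD (assumed name).
create_pwm_db() {
  pwm_db_sql pwm pwm "${PWM_HOST:-%}" "$PWM_DB_PASSWORD" \
    | mysql -h "${MARIADB_HOST:-192.168.1.100}" -P 3306 -u root -p
}

# Only touch the server when asked: PWM_DB_PASSWORD=... sh create-pwm-db.sh apply
if [ "${1-}" = "apply" ]; then
  create_pwm_db
fi
```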

Configuration

Docker

  • Left-click the PWM container and open the WebUI. Tip: if you receive constant redirects, remove everything past the port in the address bar so it looks like this: http://SERVERIP:8282 (where SERVERIP is the server PWM is running on).
  • Once you see the WebUI, click Next to begin the Configuration
  • Select the 'Manual Configuration' option
  • Set a Configuration Password. This will be required any time you wish to edit the config of PWM.
  • Now, you can configure all the below settings.
WARNING: YOU MUST CHANGE VALUES WHICH ARE SPECIFIC TO YOUR ENVIRONMENT, i.e. Base Domain, IP addresses and Ports.

Default Settings ⇨ LDAP Vendor Default Settings
    OPEN_LDAP

Default Settings ⇨ Storage Default Settings
    DB

LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Contextless Login Roots
    cn=users,cn=accounts,dc=domain,dc=com

LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Proxy Password (your FreeIPA admin password)
    *hidden*

LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Proxy User
    uid=admin,cn=users,cn=accounts,dc=domain,dc=com

LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP Test User
    uid=test,cn=users,cn=accounts,dc=domain,dc=com

LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection ⇨ LDAP URLs (your FreeIPA server IP and non-SSL port, default 389)
    ldap://192.168.1.150:389

LDAP ⇨ LDAP Directories ⇨ default ⇨ Login Setup ⇨ User Name Search Filter
    (&(objectClass=posixAccount)(uid=%USERNAME%))

LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ Attribute to use for User Name
    uid

LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ LDAP GUID Attribute
    ipauniqueid

LDAP ⇨ LDAP Directories ⇨ default ⇨ User Attributes ⇨ LDAP Naming Attribute
    uid

LDAP ⇨ LDAP Settings ⇨ Global ⇨ User Object Class
    posixAccount

Modules ⇨ Authenticated ⇨ Administration ⇨ Administrator Permission
    UserPermission-ldapGroup: [Profile:default Base:cn=admins,cn=groups,cn=accounts,dc=domain,dc=com]

Modules ⇨ Authenticated ⇨ Change Password ⇨ Profiles ⇨ default ⇨ Require Current Password During Change
    NOTEXPIRED

Modules ⇨ Authenticated ⇨ Guest Registration ⇨ Creation Context
    cn=ipausers,cn=groups,cn=accounts,dc=domain,dc=com

Setting ⇨ Settings ⇨ Application ⇨ Application ⇨ Home URL
    https://portal.domain.com/private

Setting ⇨ Settings ⇨ Application ⇨ Application ⇨ Idle Timeout Seconds
    600

Setting ⇨ Settings ⇨ Application ⇨ Application ⇨ Logout URL
    https://portal.domain.com/private

Setting ⇨ Settings ⇨ Application ⇨ Application ⇨ Site URL
    https://portal.domain.com/

Setting ⇨ Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Class
    com.mysql.jdbc.Driver

Setting ⇨ Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Connection String (your MariaDB IP and Port)
    jdbc:mysql://192.168.1.100:3306/pwm?useTimezone=true&serverTimezone=UTC

Setting ⇨ Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Driver
    Load the MySQL Java connector package you downloaded in the Installation steps.

Setting ⇨ Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Password
    *hidden*

Setting ⇨ Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database User Name
    pwm

Setting ⇨ Settings ⇨ Database (Remote) ⇨ Connection ⇨ Database Vendor
    DB_OTHER

  • With all the above configured, you have the minimum required to connect to your FreeIPA LDAP and use it for authentication.
  • Select Save in the very top-right of the Configuration Editor.
  • Once it sends you back to the login screen, select Configuration Manager.
  • Check that everything looks okay in the Configuration Manager overview.
  • If it all looks clear, head to your home page and try to sign in with your FreeIPA admin account. This will allow you to check that authentication is working.
  • Once you sign in using an authenticated account successfully, you must now take PWM out of Configuration Mode.
  • Head to the Configuration Manager and select Restrict Configuration.
  • Profit.
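An added check that is not part of this guide or the PWM project: a shell script using the OpenLDAP client tools (ldapsearch, ldapwhoami) that performs the same proxy bind, User Name Search Filter lookup and test-user bind that PWM makes with the values above, and flags the expired-password case from the Installation tip before you restrict the configuration. It assumes the client tools are installed, uses the guide's plaintext ldap:// URL as given (change it to ldaps:// if your FreeIPA server requires it), and the environment variable names are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: reproduce PWM's login lookup with the values
# configured above. Step 1 binds as the proxy user and runs the User Name Search
# Filter for the test user under the contextless login root; step 2 checks
# krbPasswordExpiration (the "expired after admin reset" case) and binds as the user.
set -eu

LDAP_URL=${LDAP_URL:-ldap://192.168.1.150:389}
BASE=${BASE:-cn=users,cn=accounts,dc=domain,dc=com}
PROXY_DN=${PROXY_DN:-uid=admin,cn=users,cn=accounts,dc=domain,dc=com}
TEST_USER=${TEST_USER:-test}

# The guide's User Name Search Filter with %USERNAME% substituted.
pwm_user_filter() {
  printf '(&(objectClass=posixAccount)(uid=%s))' "$1"
}

# krbPasswordExpiration is GeneralizedTime (YYYYMMDDHHMMSSZ); with the Z dropped
# it compares numerically against the current UTC time.
# Returns 0 (true) when the password has already expired.
password_expired() {
  now=$(date -u +%Y%m%d%H%M%S)
  [ "${1%Z}" -lt "$now" ]
}

check_test_user() {
  # 1. Proxy bind + search. -W prompts for the proxy password so it never
  #    appears on the process list; -o ldif-wrap=no keeps long DNs on one line.
  echo "Proxy bind as $PROXY_DN" >&2
  result=$(ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URL" -D "$PROXY_DN" -W \
             -b "$BASE" "$(pwm_user_filter "$TEST_USER")" dn krbPasswordExpiration)
  dn=$(printf '%s\n' "$result" | sed -n 's/^dn: //p')
  exp=$(printf '%s\n' "$result" | sed -n 's/^krbPasswordExpiration: //p')
  [ -n "$dn" ] || { echo "filter matched no entry under $BASE" >&2; return 1; }
  if [ -n "$exp" ] && password_expired "$exp"; then
    echo "password for $dn expired at $exp: sign in to FreeIPA as the user first" >&2
    return 1
  fi
  # 2. Bind as the test user itself (prompts for the test user's password).
  echo "Test-user bind as $dn" >&2
  ldapwhoami -H "$LDAP_URL" -D "$dn" -W
}

# Only talk to the server when asked: sh check-pwm-ldap.sh check
if [ "${1-}" = "check" ]; then
  check_test_user
fi
```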

Additional Recommendations

Now that you have the basics set up, you can successfully use PWM to authenticate users and handle user management. However, some additional configuration in the Configuration Editor is recommended, at your own discretion.
  • Set up your SMTP settings to allow emails to work
  • Set up your reverse proxy and DNS entries to allow the https://portal.domain.com address to work externally
  • Set up your password policies
  • There's plenty more PWM can do (over 400 settings). So take your time and enjoy the process.

Final Words

We hope you enjoyed this guide. It was conceptualized, written, and implemented by our Admin Sycotix.
Our work sometimes takes months to research and develop. If you want to help support us please consider:
Thank you for being part of our community!