Installing and configuring PassCore as a Docker container

Prerequisites:

  • A Linux machine;
  • Docker and docker compose installed;
  • The "git" package installed

log in to the machine in question over SSH;

run the following command:

git clone https://github.com/unosquare/passcore.git

move into the downloaded folder:

cd passcore

run the following command:

docker build --rm -t passcore .

create the docker-compose.yml file inside the passcore folder with the following command:

nano docker-compose.yml

and enter the following content:

version: '3.1'
services:
  passcore:
    container_name: passcore
    image: rahim91/passcore:latest
    ports:
      - 89:80
    restart: always

Once the text above has been entered, press CTRL+X to close the file and Y to confirm the changes.
Now, to start the container, we run the following command.

docker-compose up -d

At this point the image for the passcore container will be downloaded and started. Note that the compose file above references rahim91/passcore:latest, so this step pulls that image from the registry rather than using the passcore image built locally with docker build.
Once this phase is complete, we need to edit the appsettings.json file inside the container. Before editing it we need to install the nano text editor inside the container, so we run the following commands:

docker exec -it passcore apt update
docker exec -it passcore apt install nano -y
docker exec -it passcore nano /app/appsettings.json

Now we need to edit this file, entering the information for our Active Directory:

{
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  },
  "WebSettings": {
    "EnableHttpsRedirect": true
  },
  "AppSettings": {
    // The following options for AD Provider (remove if you don't use this Provider)
    "UseAutomaticContext": false, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
    "RestrictedADGroups": [
      "Administrators",
      "Domain Admins",
      "Enterprise Admins"
    ], // Set the AD groups to restrict the use of PassCore
    "AllowedADGroups": [
      "Domain Users"
    ], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
    "IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
    "UpdateLastPassword": true, // Set true to allow PassCore to update the last password timestamp
    // The following options are for LDAP Provider (remove if you don't use this Provider)
    "LdapSearchBase": "OU=Users,OU=Pomezia,DC=erbc-group,DC=it",
    "LdapSecureSocketLayer": false, // Default for AD is true when using LDAPS 636
    "LdapStartTls": true, // Default for AD is true when using LDAP 389
    "LdapChangePasswordWithDelAdd": true,
    "LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"
    // General options (valid for both providers)
    "LdapIgnoreTlsValidation": true,
    "LdapIgnoreTlsErrors": true,
    "LdapHostnames": [
      "srvadpom01.erbc-group.it"
    ], // Set your hostname(s)
    "LdapPort": 389, // Default for AD is 389, for LDAPS 636
    "LdapUsername": "admin_domain_user", // Set the username or distinguish name (DN) to bind the LDAP server
    "LdapPassword": "admin_domain_password", // Set the password for the username
    "DefaultDomain": "erbc-group.it" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
  },
  "ClientSettings": {
    "ValidationRegex": {
      "EmailRegex": "^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9-]+(?:\\.[a-zA-Z0-9-]+)*$",
      "UsernameRegex": "^[a-zA-Z0-9._-]{3,20}$"
    },
    "UsePasswordGeneration": false, //Set true to let PassCore create a new password for the current account. If true the user can not customize its new password.
    "MinimumDistance": 0, //The minimum distance between the old and the new password, this is used to enforce the edit distance using the Levenshtein distance algorithm.
    "PasswordEntropy": 16, // the number of bytes of entropy to use for generated passwords
    "ShowPasswordMeter": true,
    "MinimumScore": 0, //The minimum acceptable score that the user's new password needs to get at being evaluated by ZXCVBN to be established as the new password.
    "Recaptcha": {
      "SiteKey": "", // ReCAPTCHA public key: replace this! or leave empty if you don't need ReCAPTCHA
      "PrivateKey": "", // ReCAPTCHA private key: replace this! or leave empty if you don't need ReCAPTCHA
      "LanguageCode": "en"
    },
    "UseEmail": "false",
    "ApplicationTitle": "Change Account Password | Self-Service Account Management Tools",
    "ChangePasswordTitle": "Change Account Password",
    "ChangePasswordForm": {
      "HelpText": "If you are having trouble with this tool, please contact IT Support",
      "UsernameLabel": "Username",
      "UsernameHelpblock": "Your organization's email address",
      "UsernameDefaultDomainHelperBlock": "Your organization's username",
      "CurrentPasswordLabel": "Current Password",
      "CurrentPasswordHelpblock": "Enter your current password",
      "NewPasswordLabel": "New Password",
      "NewPasswordHelpblock": "Enter a <a href='https://support.microsoft.com/en-us/help/4026406/microsoft-account-create-a-strong-password' target='_blank'>strong password</a>. You can use <a href='https://xkpasswd.net/s/' target='_blank'>this tool</a> to help you create one; use the XKCD (random sep, pad digit), or NTLM, options.",
      "NewPasswordVerifyLabel": "Re-enter New Password",
      "NewPasswordVerifyHelpblock": "Enter your new password again",
      "ChangePasswordButtonLabel": "Change Password"
    },
    "ErrorsPasswordForm": {
      "FieldRequired": "This field is required",
      "UsernamePattern": "Please enter a valid username",
      "UsernameEmailPattern": "Please enter a valid email address",
      "PasswordMatch": "Passwords do not match"
    },
    "Alerts": {
      "SuccessAlertTitle": "You have changed your password successfully.",
      "SuccessAlertBody": "Please note it may take a few hours for your new password to reach all domain controllers.",
      "ErrorPasswordChangeNotAllowed": "You are not allowed to change your password. Please contact your system administrator.",
      "ErrorInvalidCredentials": "You need to provide the correct current password.",
      "ErrorInvalidDomain": "You have supplied an invalid domain to logon to.",
      "ErrorInvalidUser": "We could not find your user account.",
      "ErrorCaptcha": "Could not verify you are not a robot.",
      "ErrorFieldRequired": "Fulfill all the fields.",
      "ErrorFieldMismatch": "The passwords do not match.",
      "ErrorComplexPassword": "Failed due to password complex policies: New password length is shorter than AD minimum password length",
      "ErrorConnectionLdap": "Unhandled error connecting to the LDAP server.",
      "ErrorScorePassword": "The password you are trying to set is not secure enough.",
      "ErrorDistancePassword": "The password you are trying to set is not diferent enough of your last password.",
      "ErrorPwnedPassword": "The password you are trying to use is publicly known and can be used in dictionary attacks."
    }
  }
}

Once the changes are done, press CTRL+X and then Y to confirm them. Finally, to restart the passcore container, run the following command:

docker-compose restart passcore
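
An added example, not part of the original post or of the PassCore project: a small Python check that reads an appsettings.json like the one above, including its // comments, and lists the settings worth reviewing before the service is exposed to users. The sample input is constructed, and the findings are an interpretation based only on the key names and comments shown on this page.

```python
import json
import re

# Constructed sample: security-relevant keys from the appsettings.json above,
# with // comments and a URL inside a string to show both are handled.
SAMPLE = r'''
{
  "Logging": { "LogLevel": { "Default": "Debug" } },
  "AppSettings": {
    "LdapSecureSocketLayer": false, // Default for AD is true when using LDAPS 636
    "LdapStartTls": true,
    "LdapIgnoreTlsValidation": true,
    "LdapIgnoreTlsErrors": true,
    "LdapPort": 389,
    "LdapPassword": "admin_domain_password" // Set the password for the username
  },
  "ClientSettings": {
    "MinimumScore": 0,
    "NewPasswordHelpblock": "Use <a href='https://xkpasswd.net/s/'>this tool</a>"
  }
}
'''

def strip_comments(text):
    """Drop // comments but keep string literals (such as https:// URLs) intact."""
    token = r'"(?:\\.|[^"\\])*"|//[^\n]*'
    return re.sub(token, lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def audit(text):
    """Return (key, finding) pairs for settings to review before going live."""
    cfg = json.loads(strip_comments(text))
    app, client = cfg.get("AppSettings", {}), cfg.get("ClientSettings", {})
    findings = []
    for key in ("LdapIgnoreTlsValidation", "LdapIgnoreTlsErrors"):
        if app.get(key) is True:
            findings.append((key, "TLS checks on the LDAP connection are ignored"))
    if not app.get("LdapSecureSocketLayer") and not app.get("LdapStartTls"):
        findings.append(("LdapStartTls", "neither LDAPS nor StartTLS is enabled"))
    if app.get("LdapPassword"):
        findings.append(("LdapPassword", "bind password stored in clear text"))
    if cfg.get("Logging", {}).get("LogLevel", {}).get("Default") == "Debug":
        findings.append(("Logging.LogLevel.Default", "Debug logging is enabled"))
    if client.get("MinimumScore", 0) == 0:
        findings.append(("MinimumScore", "no minimum ZXCVBN score is enforced"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```

To check the live file, copy it out with docker cp passcore:/app/appsettings.json . and pass its contents to audit().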