A running LDAP implementation without a password recovery service for users can be a real hassle for system administrators. In our case, every time a user forgot his/her password, the only way to reset or change it was to go to the system administrator and have them fix it.
As a solution to this problem we stumbled upon PWM as a password recovery service, and in this blog post we will describe the steps you have to take to implement this yourself.
The reasons we chose PWM are the following:
- Open-source and still being actively developed.
- It works with multiple LDAP implementations, including OpenLDAP.
- Pretty intuitive design for the end-user.
- A vast number of configuration options, one of which is defining our own password policy.
- Able to recover a password by sending an email/SMS token or PIN.
- Captcha integration with Google reCAPTCHA.
- Event logs and statistics that are available to administrators.
The rest of this post will focus on walking through the installation and initial configuration of PWM with an OpenLDAP system. Most of what we describe can also be found in the PWM administration guide or other sources. However, some things (e.g. the configuration of certain modules in PWM) we didn’t immediately understand, and we will describe some tips and solutions for those here.