From 134aa99bb8e4541aeaca0bec104dd0f05664e17c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=BCnther?= Date: Fri, 4 Jan 2019 03:31:16 +0100 Subject: [PATCH] add preconfigured password self service as additional folder-based web service --- docker-compose.yml-example | 38 ++++++++++++++++++++++++++++++++++++++ kweb/kweb.cfg | 6 ++++++ setup.sh | 9 +++++++++ 3 files changed, 53 insertions(+) diff --git a/docker-compose.yml-example b/docker-compose.yml-example index add685a..4c00144 100644 --- a/docker-compose.yml-example +++ b/docker-compose.yml-example @@ -50,6 +50,43 @@ services: - ldap-net - web-net + password-self-service: + image: tiredofit/self-service-password + container_name: password-self-service + domainname: ${LDAP_DOMAIN} + depends_on: + - ldap + - mail + environment: + - LDAP_SERVER=ldap://ldap:389 + - LDAP_BINDDN=cn=admin,dc=kopano,dc=demo + - LDAP_BINDPASS=${LDAP_ADMIN_PASSWORD} + - LDAP_BASE_SEARCH=${LDAP_BASE_DN} + - MAIL_FROM=noreply@${LDAP_DOMAIN} + - SMTP_HOST=mail + - SMTP_PORT=25 + - SMTP_SECURE_TYPE=false + - SMTP_AUTOTLS=false + - QUESTIONS_ENABLED=false + - PASSWORD_NO_REUSE=true + - WHO_CAN_CHANGE_PASSWORD=user + - SECRETEKEY=${SELF_SERVICE_SECRETEKEY} + - BACKGROUND=. + - PASSWORD_MIN_LENGTH=${SELF_SERVICE_PASSWORD_MIN_LENGTH} + - PASSWORD_MAX_LENGTH=${SELF_SERVICE_PASSWORD_MAX_LENGTH} + - PASSWORD_MIN_LOWERCASE=${SELF_SERVICE_PASSWORD_MIN_LOWERCASE} + - PASSWORD_MIN_UPPERCASE=${SELF_SERVICE_PASSWORD_MIN_UPPERCASE} + - PASSWORD_MIN_DIGIT=${SELF_SERVICE_PASSWORD_MIN_DIGIT} + - PASSWORD_MIN_SPECIAL=${SELF_SERVICE_PASSWORD_MIN_SPECIAL} + expose: + - "80" + volumes: + - password-self-service:/www/ssp + networks: + - web-net # provide web-frontend + - ldap-net # access ldap user base and write passwords + - kopano-net # send mail directly to mailstack + mail: image: tvial/docker-mailserver:release-v6.1.0 restart: always @@ -343,6 +380,7 @@ services: volumes: web: ldap: + password-self-service: slapd: maildata: mailstate: 
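Review bot: `LDAP_BINDDN=cn=admin,dc=kopano,dc=demo` makes this proxy-reachable container bind as the directory admin and hard-codes the demo suffix, while `LDAP_BASE_SEARCH` two lines later comes from `${LDAP_BASE_DN}`. With any other base DN the bind is likely to fail. Assuming the admin entry lives under the configured base, `- LDAP_BINDDN=cn=admin,${LDAP_BASE_DN}` removes the mismatch. A dedicated bind account limited to writing `userPassword` would also keep `${LDAP_ADMIN_PASSWORD}` out of a web-facing service. Separately, `image: tiredofit/self-service-password` carries no tag, unlike the pinned `mail` image below it, so the code receiving the bind password can change on every pull; pin it, e.g. `image: tiredofit/self-service-password:<pinned-tag>`.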
diff --git a/kweb/kweb.cfg b/kweb/kweb.cfg index 2c30eff..65016c8 100644 --- a/kweb/kweb.cfg +++ b/kweb/kweb.cfg @@ -123,4 +123,10 @@ transparent } redir /ldap-admin /ldap-admin/ + + proxy /password-reset/ password-self-service:80 { + without /password-reset + transparent + } + redir /password-reset /password-reset/ } diff --git a/setup.sh b/setup.sh index c027a9b..2086604 100755 --- a/setup.sh +++ b/setup.sh @@ -221,6 +221,15 @@ LDAP_QUERY_FILTER_ALIAS=(&(kopanoAccount=1)(kopanoAliases=%s)) LDAP_QUERY_FILTER_DOMAIN=(&(|(mail=*@%s)(kopanoAliases=*@%s))) SASLAUTHD_LDAP_FILTER=(&(kopanoAccount=1)(uid=%s)) +# LDAP user password self-service reset settings +SELF_SERVICE_SECRETEKEY=$(random_string) +SELF_SERVICE_PASSWORD_MIN_LENGTH= +SELF_SERVICE_PASSWORD_MAX_LENGTH= +SELF_SERVICE_PASSWORD_MIN_LOWERCASE= +SELF_SERVICE_PASSWORD_MIN_UPPERCASE= +SELF_SERVICE_PASSWORD_MIN_DIGIT= +SELF_SERVICE_PASSWORD_MIN_SPECIAL= + # switch the value of these two variables to use the activedirectory configuration KCUNCOMMENT_LDAP_1=!include /usr/share/kopano/ldap.openldap.cfg KCCOMMENT_LDAP_1=!include /usr/share/kopano/ldap.active-directory.cfg
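Review bot: In the new `proxy /password-reset/` block, `transparent` passes the client-supplied Host header through to password-self-service and `without /password-reset` strips the path prefix. If the application builds the mailed reset link from the incoming request (not visible here), that link could carry a client-chosen host and would lack the `/password-reset/` prefix. Setting a fixed public reset URL in the application's configuration would avoid both problems. A comment above the block such as `# password self-service; prefix is stripped, so the app must be told its public URL` would record the dependency. The enclosing site block starts outside this hunk.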
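Review bot: The six `SELF_SERVICE_PASSWORD_*` settings are written with empty values, and docker-compose.yml-example passes them straight into the container. The effective password policy is therefore whatever the image does with an empty string, which is not visible here and may mean no minimum at all. Writing explicit defaults, for example `SELF_SERVICE_PASSWORD_MIN_LENGTH=8` (illustrative value), or a comment above the block such as `# empty = image default; set these to enforce a policy`, would make the policy deliberate. `random_string` is defined outside this hunk, so confirm its output is long enough and comes from a cryptographically secure source, since `SELF_SERVICE_SECRETEKEY` presumably protects the reset tokens.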