Version 1.5.0

ℹ️ Self Service Password

LDAP Tool Box Self Service Password is a web application for end users. It allows them to change or reset their password if they lost it.

It works with any LDAP directory, including Active Directory.

📄 What's Changed

• feat(ssh): public key check ( #509 ) by @faust64 in #510
• docs(sshkey) by @faust64 in #512
• fix(mail): add sendmail to Docker image by @faust64 in #517
• docs(multi-tenancy): adds samples setting multi-tenancy header by @faust64 in #515
• If token was provided by SMS, check initial SMS code before changing password by @coudot in #521
• [Security:low] Dismiss captcha once it is used by @coudot in #522
• Merge 1.4 branch by @coudot in #523
• Typo in resetbytoken resulting in mails not being sent by @faust64 in #529
• adding Kerberos authentication support by @jazzl0ver in #536
• Change expired password as manager by @coudot in #530
• fix(version): mismatch between htdocs/index.php and rest/v1/include.php by @faust64 in #539
• core(update): apache 2.4.46 by @faust64 in #541
• Refactor pwned passwords by @faust64 in #540
• fix(notify): don't send notification if modification failed by @faust64 in #542
• docs(ratelimit): typo by @faust64 in #545
• feat(mails): using several mail attributes by @faust64 in #546
• fix(sshkeys): don't send mail notification when entry was not changed by @faust64 in #513
• Update de.inc.php by @usrflo in #547
• fix(docs): invalid nginx root serving ssp by @faust64 in #551
• Added sms api for signal-cli by @mfulz in #549
• fix(docs): ratelimit check interval should be 1h, not 1min by @faust64 in #558
• Document $allowed_lang var by @maxxer in #562
• Updated IT translation by @maxxer in #564
• Fix Error 500 when user is not found in ldap for sms reset by @mfulz in #571
• fix(api): phpmailer needs to be included (#573) by @faust64 in #576
• fix: captcha misaligned in the mobile version by @bondif in #588
• Update simplified Chinese translation by @tweea in #594
• fix(docs) - see #590 by @faust64 in #598
• Update fr translation by @vboucard in #606
• chore(deps): bump phpmailer/phpmailer from 6.4.1 to 6.5.0 in /lib by @dependabot in #559
• Fix some undefined warnings by @liedekef in #609
• fix apache / bullseye by @faust64 in #612
• Issue 608 by @doc-slice in #619
• Implement Argon2 hashing by @tleuxner in #628
• Add some cosmetic css properties to sshkey textarea by @spike77453 in #642
• Fix translation by @tvdijen in #646
• chore(deps): bump guzzlehttp/psr7 from 2.1.0 to 2.2.1 in /lib by @dependabot in #647
• chore(deps): bump guzzlehttp/guzzle from 7.4.0 to 7.4.4 in /lib by @dependabot in #659
• Update bootstrap to v3.4.1 by @bohze in #661
• chore(deps): bump guzzlehttp/guzzle from 7.4.4 to 7.4.5 in /lib by @dependabot in #664
• feat(sms): Allow more than one mobile attribute #658 by @artlog in #673
• Feat mail factorize attributes by @artlog in #675
• Update TR translation by @berkaycagir in #669
• fix(sshkey): should add one sshPublicKey per key by @faust64 in #514
• Remove warning "Decoding error" by @coudot in #676
• Fix 563 by @faust64 in #592
• Use correct message identifiers by @coudot in #677
• hide failure by default for mailnomatch issue #610 by @artlog in #685
• fix check password toward ldap attribute for token based methods by @artlog in #686
• captcha use dedicated session cookie fix #602 by @artlog in #680
• Rate limit optional support per ip (ratelimit_filter_by_ip) by @artlog in #683
• Add rate limit checking for any password change request include fix #654 by @artlog in #684
• Improve documentation, parse php code by @coudot in #696
• Fix password check ldap by @artlog in #688
• Use require_once for file inclusion by @coudot in #702
• Fix reset by questions display after password change by @coudot in #703
• Check parameters before calling hash_equals by @coudot in #699
• Get entry in checkpassword REST service by @coudot in #708

🤝 New Contributors

• @jazzl0ver made their first contribution in #536
• @usrflo made their first contribution in #547
• @mfulz made their first contribution in #549
• @maxxer made their first contribution in #562
• @bondif made their first contribution in #588
• @vboucard made their first contribution in #606
• @liedekef made their first contribution in #609
• @doc-slice made their first contribution in #619
• @tleuxner made their first contribution in #628
• @tvdijen made their first contribution in #646
• @artlog made their first contribution in #673

Full Changelog: v1.4.5...v1.5.0

⬇️ Download

Get tarball and packages on https://ltb-project.org/download.html

Use our apt and yum repositories to ease the installation:

• https://self-service-password.readthedocs.io/en/latest/installation.html#debian-ubuntu
• https://self-service-password.readthedocs.io/en/latest/installation.html#centos-redhat

You can also use our Docker image: https://hub.docker.com/r/ltbproject/self-service-password

Version 1.4.5

What's Changed

• Latest version of 1.4.4 not working by @Max7641 in #670

Download

Get tarball and packages on https://ltb-project.org/download.html

Use our apt and yum repositories to ease the installation:

• https://self-service-password.readthedocs.io/en/stable/installation.html#debian-ubuntu
• https://self-service-password.readthedocs.io/en/stable/installation.html#centos-redhat

Version 1.4.4

What's Changed

• Update bootstrap to v3.4.1 by @bohze in #663
• Separate Smarty debug and debug by @coudot in #666
• Typo in resetbytoken resulting in mails not being sent by @faust64 in #529
• Don't send notification if modification failed by @faust64 in #542
• PHP Fatal error: Uncaught TypeError: ldap_get_dn() in #648
• REST files are not shipped in packages in #660

Full changelog: https://github.com/ltb-project/self-service-password/issues?q=is%3Aclosed+milestone%3A1.4.4

Download

Get tarball and packages on https://ltb-project.org/download.html

Use our apt and yum repositories to ease the installation:

• https://self-service-password.readthedocs.io/en/stable/installation.html#debian-ubuntu
• https://self-service-password.readthedocs.io/en/stable/installation.html#centos-redhat

Version 1.4.3

Some bug fixes for version 1.4:

• #516: Docker image does not have sendmail in it
• #517: fix(mail): add sendmail to Docker image
• #520: [Security:high] Reset by SMS can be used to change any account password
• #521: If token was provided by SMS, check initial SMS code before changing password
• #522: [Security:low] Dismiss captcha once it is used

⚠️ Some fixes concern security issues, please upgrade as soon as possible

Please read release notes from https://github.com/ltb-project/self-service-password/releases/tag/v1.4

Version 1.4.2

Some bug fixes for version 1.4:

• #504: Cannot use docker get gregwar/captcha----use docker
• #505: fix(captcha): missing gd library
• #506: I have a little problem - I can't use SMS for the next step
• #507: fix(reset)
• #508: fix(undefined)
• #511: Bump phpmailer/phpmailer from 6.3.0 to 6.4.1 in /lib

Please read release notes from https://github.com/ltb-project/self-service-password/releases/tag/v1.4

Version 1.4.1

Some bug fixes for version 1.4:

• #501: Remove extra semicolon from setquestions template
• #502: Remove alt text so empty logo doesn't show 'msg_title' twice

Please read release notes from https://github.com/ltb-project/self-service-password/releases/tag/v1.4

Version 1.4

✨ Self Service Password 1.4 ✨

This version introduces many important changes, including:

• Usage of Smarty framework
• Prehook
• REST API
• New password policy checks: forbidden words, forbidden LDAP fields
• Multiple question/answers
• Advanced LDAP features: password modify extended operation, password policy control
• Official Docker image
• Multi tenancy

Full changelog available here: https://github.com/ltb-project/self-service-password/milestone/7?closed=1

⬆️ Upgrade

Compatibility

Version 1.4 requires PHP 7. Advanced LDAP features require PHP 7.4.

Packages are only available for Debian stable, CentOS 7 and CentOS 8.

Webserver configuration

The document root is now in htdocs/ and this should be changed in the virtual host configuration.

Configuration needs also to be updated if you want to use REST API.

Captcha

Google reCaptcha was removed. A new built-in captcha is provided, enable it with:

$use_captcha = true;

⬇️ Download

Follow installation instructions to use APT/YUM repositories: https://self-service-password.readthedocs.io/en/latest/installation.html

Packages can also be downloaded from LDAP Tool Box site: https://ltb-project.org/download#self_service_password

🤝 Contributors

Thanks a lot to all contributors: https://github.com/ltb-project/self-service-password/graphs/contributors

v1.3

Changelog:

• #182: Message incorrect when resetting using email but not supplying email (minor)
• #187: Security assessment issues
• #191: Minor changes to Spanish translation
• #196: reduce info released in error messages
• #197: Please wrap mail debug ouput in pre tags.
• #198: Create ee.inc.php
• #201: Added some translations
• #202: include config.inc.local.php + warning
• #204: Index includes .swp files and crashes sites with error 500
• #206: Encrypt answers in directory
• #209: Check ldap_bind return code instead of relying on ldap_errno
• #210: SSH key change should not be permitted for expired or must change passwords
• #211: Force string conversion of input values
• #215: added support for pwned-passwords api v2
• #217: take into account post-hook exit status

Download: https://ltb-project.org/download#self_service_password

Migration notes: https://ltb-project.org/documentation/self-service-password/1.3/migration

Thanks to community:

• @BShadeWork
• @trapangle
• @lonoak
• @r2evans
• @danielewood
• @tuudik
• @tekvsakdan
• @nqb
• @bananitadolca
• @413j0
• @paulignari
• @davidcoutadeur
• @Abdoulsore

Core team:

• @plewin
• @coudot (@Worteks)

v1.2

Changelog:

• #149: Remove obsolete stripslashes_if_gpc_magic_quotes
• #154: Translated the hungarian keys left in english.
• #162: Resolve send token web page issue when E-Mail To: set from LDAP
• #166: Opportunistic TLS problem
• #174: Improved nl.lang.php
• #175: reCAPTCHA not working on master
• #176: Dutch translation update by AlbertPluton
• #177: Fix "SSH Key required" message wrong color when ssh key is not submitted
• #178: Fix pattern matching in reset by questions
• #179: Revert Twig because of multiple regressions, work still needed, and lack of testing

v1.1

A lot of improvements and bugfixes:

• #33: Posthook does not work with apostrophes
• #38: Add Japanese translation
• #40: Add missing variable $mail_wordwrap in config.inc.php
• #41: Show all missing dependencies instead of one and fix color of message…
• #42: Fix $mail_sendmailpath in config was ignored because of a typo
• #43: Fix bad link in hungarian translation
• #47: Allow for longer salts
• #48: Corrections proposed to index.php and pages/* files
• #49: Fix the usage of rand instead of mt_rand
• #50: Use fixed width icons
• #51: Apache configuration in RPM package
• #54: Reset password layout
• #55: shadowExpire in LDAP
• #58: Escape shell args with escapeshellarg for posthook command (fixes #33)
• #59: Weak entropy for password generation
• #60: Encryption without authentication
• #61: Greek translation
• #63: German translation
• #64: Mail from ldap
• #65: Mail signature
• #66: Get Mail from LDAP
• #67: Mail signature
• #68: Swedish translation
• #73: Dependency check for function ldap_modify_batch()
• #74: session token with nginx
• #75: SHA512 in password encryption
• #76: Fixing Czech translation
• #77: Improved IT translation
• #78: Allow sending SMS through web-based API instead of Email2SMS Gateway
• #79: Improved ES translation
• #81: Allow self service of sshPublicKey attribute in LDAP
• #82: PHPMailer security update
• #85: mcrypt is outdated
• #87: Get Travis tests working again on PHP 7
• #89: Erreurs de Français
• #90: Update fr.inc.php
• #91: Can email reset use AD user's FirstName, instead of login ID?
• #92: Implements strong cryptography with defuse-crypto 2.0.3
• #93: Add SHA512 password hashing
• #94: Update phpmailer from v5.2.16 to v5.5.23
• #95: Dependency check for function ldap_modify_batch()
• #97: Add an easy way to override messages
• #98: Bug in resetbytoken.php
• #99: Force use of phpunit 5.7 if php >= 7.0 for travis testing
• #100: Fixes for things pointed out after #81 was merged
• #102: Fix for base64 encoded strings that contain '+'
• #104: Fix invalid html in sendsms.php
• #105: SSHKey update Insufficient access
• #106: Update zh-CN translation
• #107: Sanitize Mobile Number retrieved from LDAP
• #111: "Email" name in menu is confusing
• #115: Force specific language?
• #116: Add possibility to force use of a specific set of languages
• #117: SSHA-256 support for ldap user password
• #118: Fix hhvm on travis, update travis config
• #120: Fix debian packages/repository for debian stretch
• #121: Add popovers to explain menu links (cf. issue #111)
• #126: proxy support for ReCaptcha
• #128: Reset token validation issue
• #130: recaptcha uses file_get_contents to retrive data
• #131: Allow override of reCAPTCHA request method (cf. issue #130)
• #132: Fix travis builds for php 7.0 and 7.1
• #138: sendtoken.php send http instead of https
• #142: Move $debug config to the top of the file
• #143: Warn when key phrase is not set
• #144: Invalid Token error
• #146: Output buffering to avoid failing session_start in PHP 7.1
• #148: Change key feature never notifies