LDAP User Manager
---

This is a PHP LDAP account manager: a web-based GUI which allows you to quickly populate a new LDAP directory and easily manage user accounts and groups. It also has a self-service password change module. It's designed to work with OpenLDAP and to be run as a container. It complements OpenLDAP containers such as [*osixia/openldap*](https://hub.docker.com/r/osixia/openldap/).

Features
---

* Setup wizard: this will create the necessary structure to allow you to add users and groups and will set up an initial admin user that can log into the user manager.
* Group creation and management.
* User account creation and management.
* Optionally send an email to the user with their new or updated account credentials.
* Secure password auto-generator: click the button to generate a secure password.
* Password strength indicator.
* Self-service password change: non-admin users can log in to change their password.
* An optional form for people to request accounts (request emails are sent to an administrator).

Screenshots
---

**Initial setup: add an administrator account**:

![administrator_setup](https://user-images.githubusercontent.com/17613683/59344224-8bb8ae80-8d05-11e9-869b-d08a44f4939d.png)

**Add a new group**:

![new_group](https://user-images.githubusercontent.com/17613683/59344242-95421680-8d05-11e9-9a72-1f55c06dd43d.png)

**Manage group membership**:

![group_membership](https://user-images.githubusercontent.com/17613683/59344247-97a47080-8d05-11e9-8606-0bcc40471458.png)

**Edit accounts**:

![account_overview](https://user-images.githubusercontent.com/17613683/59344255-9c692480-8d05-11e9-9207-051291bafd91.png)

**Self-service password change**:

![self_service_password_change](https://user-images.githubusercontent.com/17613683/59344258-9ffcab80-8d05-11e9-9dc2-27dfd373fcc8.png)

Quick start
---

```
docker run \
  --detach \
  --name=lum \
  -p 80:80 \
  -p 443:443 \
  -e "SERVER_HOSTNAME=lum.example.com" \
  -e "LDAP_URI=ldap://ldap.example.com" \
  -e "LDAP_BASE_DN=dc=example,dc=com" \
  -e "LDAP_REQUIRE_STARTTLS=TRUE" \
  -e "LDAP_ADMINS_GROUP=admins" \
  -e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \
  -e "LDAP_ADMIN_BIND_PWD=secret" \
  -e "LDAP_IGNORE_CERT_ERRORS=true" \
  -e "EMAIL_DOMAIN=ldapusermanager.org" \
  wheelybird/ldap-user-manager:v1.5
```

Change the variable values to suit your environment. Now go to https://lum.example.com/setup.

Configuration
---

Configuration is via environment variables. Please bear the following in mind:

* This tool needs to bind to LDAP as a user that has the permissions to modify everything under the base DN.
* This interface is designed to work with a fresh LDAP server and should only be used against existing, populated LDAP directories with caution and at your own risk.

Mandatory:
----

* `LDAP_URI`: The URI of the LDAP server, e.g. `ldap://ldap.example.com` or `ldaps://ldap.example.com`
* `LDAP_BASE_DN`: The base DN for your organisation, e.g. `dc=example,dc=com`
* `LDAP_ADMIN_BIND_DN`: The DN for the user with permission to modify all records under `LDAP_BASE_DN`, e.g. `cn=admin,dc=example,dc=com`
* `LDAP_ADMIN_BIND_PWD`: The password for `LDAP_ADMIN_BIND_DN`
* `LDAP_ADMINS_GROUP`: The name of the group used to define accounts that can use this tool to manage LDAP accounts, e.g. `admins`

Optional:
----

**Organisation settings**

* `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from.
* `ORGANISATION_NAME` (default: *LDAP*): Your organisation's name.
* `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".

**LDAP settings**

* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
* `LDAP_GROUP_OU` (default: *groups*): The name of the OU used to store groups (without the base DN appended).
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
* `LDAP_IGNORE_CERT_ERRORS` (default: *FALSE*): If *TRUE* then problems with the certificate presented by the LDAP server will be ignored (for example FQDN mismatches). Use this if your LDAP server is using a self-signed certificate and you don't have a CA certificate for it, or you're connecting to a pool of different servers via round-robin DNS.
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable, e.g. `-e LDAP_TLS_CACERT="$(
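The quick start and the `LDAP_REQUIRE_STARTTLS` / `LDAP_IGNORE_CERT_ERRORS` settings decide whether the admin bind password and the server's identity are protected on the wire. The pre-flight check below is an added example and not part of ldap-user-manager; it assumes the variables are exported in the shell that will run `docker run`, and it applies the defaults stated above when a variable is unset.

```sh
#!/bin/sh
# Added example, not part of ldap-user-manager: pre-flight check of the
# environment variables documented above, run before "docker run".
# Assumes the README defaults: LDAP_REQUIRE_STARTTLS=TRUE and
# LDAP_IGNORE_CERT_ERRORS=FALSE when the variable is unset.

# Lower-case a TRUE/FALSE value; an empty value falls back to the default in $2.
lum_bool() {
  printf '%s' "${1:-$2}" | tr '[:upper:]' '[:lower:]'
}

# Prints one line per finding and returns 0 only when nothing was found.
lum_config_check() {
  findings=0

  # Every mandatory variable must be set and non-empty.
  for var in LDAP_URI LDAP_BASE_DN LDAP_ADMIN_BIND_DN \
             LDAP_ADMIN_BIND_PWD LDAP_ADMINS_GROUP; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "MISSING: $var is mandatory"
      findings=$((findings + 1))
    fi
  done

  starttls=$(lum_bool "${LDAP_REQUIRE_STARTTLS:-}" TRUE)
  ignore_cert=$(lum_bool "${LDAP_IGNORE_CERT_ERRORS:-}" FALSE)

  # A plain ldap:// URI with STARTTLS not required means the admin bind
  # password crosses the network unencrypted.
  case "${LDAP_URI:-}" in
    ldaps://*) ;;
    *)
      if [ "$starttls" != "true" ]; then
        echo "WEAK: ldap:// URI with LDAP_REQUIRE_STARTTLS=FALSE; bind password is sent in clear text"
        findings=$((findings + 1))
      fi ;;
  esac

  # Ignoring certificate errors removes server authentication from TLS;
  # LDAP_TLS_CACERT is the documented way to trust a private CA instead.
  if [ "$ignore_cert" = "true" ]; then
    echo "WEAK: LDAP_IGNORE_CERT_ERRORS=TRUE; set LDAP_TLS_CACERT to the CA certificate instead"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}
```

Run against the quick-start values as given, the check reports `LDAP_IGNORE_CERT_ERRORS=true`; supplying the CA via `LDAP_TLS_CACERT` and setting it back to `FALSE` clears the finding.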