mimacom.selfservice
Ansible Role: selfservice
This role installs the self-service-password web application, which enables users to reset their passwords using an SMS token.
The role sets up nginx, PHP, and the Remi repository for proper functionality. You'll need to configure the variables for connecting to your LDAP server.
You must write your own PHP function that connects to your chosen SMS API service, and place this PHP file at /opt/selfservice/reset/lib/smsapi.inc.php. The PHP function should be named send_sms_by_api($mobile, $message).
Additionally, this role will disable SELinux.
This role has been tested on CentOS 7.
Requirements
You need an LDAP server (like Active Directory) and an account on SMSAPI.com.
Role Variables
- selfservice_version: Specify which version you want to install (default is 1.1).
- server_name: Set the domain name for the web application (e.g., "selfservice.company.invalid").
- ldap_url: Provide the LDAP server's URI (e.g., "ldap://localhost:389").
- ldap_binddn: Set the distinguished name of the bind user (e.g., "CN=Administrator,CN=Users,DC=mimacom,DC=local").
- ldap_bindpw: Enter the password for the bind user (e.g., "secure").
- ldap_base: Define the search base for LDAP (e.g., "dc=company,dc=invalid").
- keyphrase: This should be a long, random string used for generating tokens (e.g., "secure").
- smsapi_user: Specify your user email for SMSAPI.com (e.g., "smsapiuser@company.invalid").
- smsapi_pass: Provide the user API password for SMSAPI.com as an MD5 hash (e.g., "md5hashedpassword").
- allowed_lang: List the allowed application languages. If left empty, all languages are allowed. For more details, visit: Self-Service Password Documentation.
Dependencies
This role will use the following pre-existing roles:
- geerlingguy.nginx
- geerlingguy.php
- geerlingguy.repo-remi
Example Playbook
    - hosts: servers
      become: yes
      roles:
        - role: mimacom.selfservice
          selfservice_version: 1.1
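A fuller playbook, added here as an example and not part of the role's own documentation: it sets the role variables listed above and takes the three secrets (ldap_bindpw, keyphrase, smsapi_pass) from an ansible-vault encrypted file instead of writing them into the playbook. The host names, the service-account DN, the LDAPS URL, the file layout and the vault_* variable names are assumptions.

```yaml
# --- group_vars/servers/vault.yml (assumed layout) ---------------------------
# Encrypt before committing:
#   ansible-vault encrypt group_vars/servers/vault.yml
# Every value in this file is a constructed placeholder.
vault_ldap_bindpw: "CHANGE-ME-bind-account-password"
# Generate the keyphrase once, e.g. with: openssl rand -hex 32
vault_keyphrase: "CHANGE-ME-long-random-string"
vault_smsapi_pass: "CHANGE-ME-md5-hash-of-smsapi-password"

---
# --- playbook.yml -------------------------------------------------------------
# Run with: ansible-playbook playbook.yml --ask-vault-pass
- hosts: servers
  become: yes
  roles:
    - role: mimacom.selfservice
      selfservice_version: 1.1
      server_name: "selfservice.company.invalid"

      # Assumption: the directory offers LDAPS on 636 and the web host
      # trusts the issuing CA, so the bind password and the new user
      # passwords do not cross the network in clear text.
      ldap_url: "ldaps://dc1.company.invalid:636"

      # Hypothetical dedicated bind account, delegated only the right to
      # reset user passwords under ldap_base, instead of a directory
      # administrator.
      ldap_binddn: "CN=svc-selfservice,OU=Service Accounts,DC=company,DC=invalid"
      ldap_base: "dc=company,dc=invalid"

      # Secrets are resolved from the encrypted vault file at run time.
      ldap_bindpw: "{{ vault_ldap_bindpw }}"
      keyphrase: "{{ vault_keyphrase }}"
      smsapi_user: "smsapiuser@company.invalid"
      smsapi_pass: "{{ vault_smsapi_pass }}"
```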
License
Apache License 2.0
Author Information
This role was created by Remo Wenger.
Installs the self-service-password web application from the ltb-project
ansible-galaxy install mimacom.selfservice