Auri

Auri stands for: Automated User Registration IPA

Auri implements self service account creation and reset of credentials for FreeIPA

Features

• Requesting of accounts with validation workflow (see below)
• Whitelisting of allowed domains
• Self-service reset of password and/or SSH keys
• Designed to store as less data as possible (e.g. no secrets are stored)
• Logging of all IPA operations
• Logging of all interactions (e.g. account request, approval actions)

Workflow

Requirements

• Linux (RH family)
• PostgreSQL (tested with PostgreSQL 12)
• FreeIPA (tested with FreeIPA 4.6.8 on CentOS 7)

Installation and configuration

Install and configure PostgreSQL (see this HowTo). Create a database and according user.

Use the Fedora COPR repository for auri installation:

$ wget -O /etc/yum.repos.d/auri.repo \
       https://copr.fedorainfracloud.org/coprs/auri/releases/repo/epel-8/auri-releases-epel-8.repo
# on EL7
$ yum install auri
# on EL8 and Fedoro
$ dnf install auri

Auri RPM file contains two configuration files with default settings:

• /etc/auri/database.yml - DB connection settings
• /etc/auri/config.env - configuration file for auri

Change the configuration files as needed and set the mandatory configuration options. Keep in mind to restart auri in case of configuration changes.

Update the database scheme, enable and start auri:

$ auri migrate
$ systemctl enable auri
$ systemctl start auri

Create the maintenance cronjobs for removal of expired requests and tokens:

$ cat > /etc/cron.d/auri <<EOF
0 3 * * * root auri task cleanup_requests && auri task cleanup_reset_tokens
EOF

Tasks

Auri binary provides several maintenance tasks, see auri --help and auri task list for more details.

Development environment

This repository contains a Vagrantfile, so you can start the development environment via vagrant in a virtual machine like this:

1. Install vagrant
2. Install virtualbox
3. Clone the repository
4. Invoke vagrant up and grab a coffee

Invoke vagrant ssh to get to the VM, invoke buffalo dev in the VM in order to start Auri in the development mode. You can set the configuration parameters in the development mode via creating the .env file in the top-level. See the configuration file for possible options.

Unit tests can be executed using the prepared configuration file:

$ cp fixtures/testing-config.env .env
$ make test
...

Authors

Auri was a trainee project within Deutsche Telekom Security GmbH. We assume our problem and solution are generic enough to be interesting for others, so we decided to open source it :-) Any help with maintenance of Auri is welcome and appreciated!

• Daniel Ajbassow - Auri initial development as part of trainee program
• Mohamad Asswad - Auri initial development as part of trainee program
• Sergej Schischkowski - mentoring and support of trainees
• Artem Sidorenko - mentoring and support of trainees

Acknowledgments

• Go programming language
• Go Buffalo Framework
• Go library for FreeIPA

Related and similar projects

• http://freeipa.org - OpenSource identity management
• https://github.com/ubccr/mokey - Self-service account management
• https://github.com/pwm-project/pwm - Self-service password service

License

This project is licensed under the MIT License - see the LICENSE file for details.