User Self-Service Desk
  Download PDF

1. Overview

This Web application is mostly designed for internal (corporate) use and includes several self-management features like:

  • Manage account information such as email, mobile phone numbers, etc..
  • Reset LDAP password according to a configurable password policy
  • Enroll, re-synchronize and test a Software / Hardware Token or Yubikey
  • Enroll the TiQR mobile application
  • Manage own user certificates

The installation of SelfDesk is straightforward and only consists of running the self-installer or installing it from the RCDevs repository and configure the application in WebADM.

You do not have to modify any files in the SelfDesk install directory! The web applications configurations are managed and stored in LDAP by WebADM. To configure SelfDesk, just enter WebADM as super administrator and go to the ‘Applications’ menu. Click SelfDesk to enter the web-based configuration.

SelfDesk application logs are accessible in the Databases menu in WebADM.

Note

To be able to use SelfDesk, any LDAP user must be a WebADM account. That means usable LDAP accounts are those containing the webadmAccount LDAP object class. You can enable the WebADM features on any LDAP user/group by extending it with the webadmAccount object class (from object extension list).

Inline WebApps: You can embed a Web app on your website in an HTML iFrame or Object.

#Example

<object data="https://<webadm_addr>/webapps/selfdesk?inline=1" />

2. User Self-Service Desk Installation

The User Self-Service Desk application is included in the Webam_all_in_one package.

2.1 Install with Redhat Repository

On a RedHat, CentOS or Fedora system, you can use our repository, which simplifies updates. Add the repository:

yum install https://www.rcdevs.com/repos/redhat/rcdevs_release-1.0.0-0.noarch.rpm

Clean yum cache and install Self-Service Desk (SelfDesk):

yum clean all
yum install selfdesk

The User Self-Service Desk application is now installed.

2.2 Install with Debian Repository

On a Debian system, you can use our repository, which simplify updates. Add the repository:

wget https://www.rcdevs.com/repos/debian/rcdevs-release_1.0.0-0_all.deb
apt-get install ./rcdevs-release_1.0.0-0_all.deb

Clean cache and install the User Self-Service Desk application (SelfDesk):

apt-get update
apt-get install selfdesk

The User Self-Service Desk application is now installed.

2.3 Through the self-installer

Download the Selfdesk package from the RCDevs website, copy it on your WebADM server(s) and run the following commands:

[root@webadm1 tmp]# gunzip selfdesk-1.1.8-1.sh.gz
[root@webadm1 tmp]# sh selfdesk-1.1.8-1.sh 
Selfdesk v1.1.8-1 Self Installer
Copyright (c) 2010-2018 RCDevs SA, All rights reserved.
Please report software installation issues to bugs@rcdevs.com.

Verifying package update... Ok
Install selfdesk in '/opt/webadm/webapps/selfdesk' (y/n)? y
Extracting files, please wait... Ok
Removing temporary files... Ok
Selfdesk has been successfully installed.
Restart WebADM services (y/n) y
Stopping WebADM HTTP server... Ok
Stopping WebADM Watchd server..... Ok
Stopping WebADM PKI server... Ok
Stopping WebADM Session server... Ok
Checking libudev dependency... Ok
Checking system architecture... Ok
Checking server configurations... Ok

Found Trial Enterprise license (RCDEVSSUPPORT)
Licensed by RCDevs SA to RCDevs Support
Licensed product(s): OpenOTP,SpanKey,TiQR

Starting WebADM Session server... Ok
Starting WebADM PKI server... Ok
Starting WebADM Watchd server... Ok
Starting WebADM HTTP server... Ok

Checking server connections. Please wait... 
Connected LDAP server: YO_AD-DC (192.168.3.50)
Connected SQL server: SQL Server (192.168.3.58)
Connected PKI server: PKI Server (192.168.3.54)
Connected Mail server: SMTP Server (78.141.172.203)
Connected Push server: Push Server (91.134.128.157)
Connected Session server: Session Server 2 (192.168.3.55)
Connected License server: License Server (91.134.128.157)

Checking LDAP proxy user access... Ok
Checking SQL database access... Ok
Checking PKI service access... Ok
Checking Mail service access... Ok
Checking Push service access... Ok
Checking License service access... Ok

Cluster mode enabled with 2 nodes (I'm slave)
Session replication status: Active (0.0003 sec)
Please read the INSTALL and README files in /opt/webadm/webapps/selfdesk.

Selfdesk is now installed and can be configured under the WebADM Admin GUI.

3. Selfdesk configuration

To configure the PWReset application, you have to log in on the WebADM Admin GUI > Databases Tab > Self-Service > User Self-Service Desk (selfdesk) > CONFIGURE.

The User Self-Service Desk application can be published through the WebADM Publishing Proxy for the end-user access with the setting Publish on WAProxy. This setting is only available when WAProxy is configured with WebADM. Have a look at this documentation to setup WAProxy.

To help you end-users to download a Token application on their phone, you can configure the Token Download URLs setting. For example:

IOS=https://itunes.apple.com/us/app/openotp-token/id1148075952, Android=https://play.google.com/store/apps/details?id=com.rcdevs.auth



It will look like that for the end-user:

The other settings are described under the User Self-Service Desk configuration page.

4. Proxy_user rights on AD for SelfDesk app

The proxy_user will operate for the end user to reset the password, change user account information like mobile, mail, preferred languages… That means that the proxy_user account must have the required rights at the AD level to do these actions.

Note

Note that CN=Users,DC=test,DC=local used below is the user search base configured under the WebADM Admin GUI > Admin tab > Local Domains > YOUR_DOMAIN > CONFIGURE > User Search Base setting.

4.1 Rights for domain user accounts

For domain users, you have to configure the following rights for the proxy_user:

Token registration rights for a not extended schema

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;bootfile'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;bootparameter'

Token registration rights for an extended schema

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;webadmsetting'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;webadmdata'

Common attributes rights

dsacls "CN=Users,DC=test,DC=local" /G 'TEST\proxy_user:WPRP;mail'
dsacls "CN=Users,DC=test,DC=local" /G 'TEST\proxy_user:WPRP;mobile'
dsacls "CN=Users,DC=test,DC=local" /G 'TEST\proxy_user:WPRP;preferredLanguage'

Password reset rights

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;userPassword'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;pwdlastset'

4.2 Rights for domain administrator accounts

For domain admin users, you have to configure the rights on the AdminSDHolder object else, rights will be overridden after an hour.

Token registration rights for a not extended schema

dsaclsc"CN=AdminSDHolder,CN=System,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;bootfile'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;bootparameter'

Token registration rights for an extended schema

dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;webadmsetting'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;webadmdata'

Common attributes rights

dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;mail'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;mobile'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;preferredLanguage'

Password reset rights

dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;userPassword'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;pwdlastset'