Releases: ltb-project/self-service-password

Version 1.4.4

24 Jun 12:07

What's Changed

  • Update bootstrap to v3.4.1 by @bohze in #663
  • Separate Smarty debug and debug by @coudot in #666
  • Typo in resetbytoken resulting in mails not being sent by @faust64 in #529
  • Don't send notification if modification failed by @faust64 in #542
  • PHP Fatal error: Uncaught TypeError: ldap_get_dn() in #648
  • REST files are not shipped in packages in #660

Full changelog: https://github.com/ltb-project/self-service-password/issues?q=is%3Aclosed+milestone%3A1.4.4

Download

Get tarball and packages on https://ltb-project.org/download.html

Use our apt and yum repositories to ease the installation:

Version 1.4.3

12 May 15:38

Some bug fixes for version 1.4:

  • #516: Docker image does not have sendmail in it
  • #517: fix(mail): add sendmail to Docker image
  • #520: [Security:high] Reset by SMS can be used to change any account password
  • #521: If token was provided by SMS, check initial SMS code before changing password
  • #522: [Security:low] Dismiss captcha once it is used

⚠️ Some fixes address security issues; please upgrade as soon as possible.

Please read release notes from https://github.com/ltb-project/self-service-password/releases/tag/v1.4

Version 1.4.2

04 May 21:07

Some bug fixes for version 1.4:

  • #504: Cannot use docker get gregwar/captcha----use docker
  • #505: fix(captcha): missing gd library
  • #506: I have a little problem - I can't use SMS for the next step
  • #507: fix(reset)
  • #508: fix(undefined)
  • #511: Bump phpmailer/phpmailer from 6.3.0 to 6.4.1 in /lib

Please read release notes from https://github.com/ltb-project/self-service-password/releases/tag/v1.4

Version 1.4.1

27 Apr 12:29

Some bug fixes for version 1.4:

  • #501: Remove extra semicolon from setquestions template
  • #502: Remove alt text so empty logo doesn't show 'msg_title' twice

Please read release notes from https://github.com/ltb-project/self-service-password/releases/tag/v1.4

Version 1.4

20 Apr 21:42

✨ Self Service Password 1.4 ✨

This version introduces many important changes, including:

  • Usage of Smarty framework
  • Prehook
  • REST API
  • New password policy checks: forbidden words, forbidden LDAP fields
  • Multiple question/answers
  • Advanced LDAP features: password modify extended operation, password policy control
  • Official Docker image
  • Multi tenancy

Full changelog available here: https://github.com/ltb-project/self-service-password/milestone/7?closed=1

⬆️ Upgrade

Compatibility

Version 1.4 requires PHP 7. Advanced LDAP features require PHP 7.4.

Packages are only available for Debian stable, CentOS 7 and CentOS 8.

Webserver configuration

The document root is now in htdocs/, so the virtual host configuration must be changed to point to it.

The web server configuration also needs to be updated if you want to use the REST API.

Captcha

Google reCAPTCHA was removed. A new built-in captcha is provided; enable it with:

$use_captcha = true;

⬇️ Download

Follow installation instructions to use APT/YUM repositories: https://self-service-password.readthedocs.io/en/latest/installation.html

Packages can also be downloaded from LDAP Tool Box site: https://ltb-project.org/download#self_service_password

🤝 Contributors

Thanks a lot to all contributors: https://github.com/ltb-project/self-service-password/graphs/contributors

v1.3

10 Jul 08:48

Changelog:

  • #182: Message incorrect when resetting using email but not supplying email (minor)
  • #187: Security assessment issues
  • #191: Minor changes to Spanish translation
  • #196: reduce info released in error messages
  • #197: Please wrap mail debug output in pre tags.
  • #198: Create ee.inc.php
  • #201: Added some translations
  • #202: include config.inc.local.php + warning
  • #204: Index includes .swp files and crashes sites with error 500
  • #206: Encrypt answers in directory
  • #209: Check ldap_bind return code instead of relying on ldap_errno
  • #210: SSH key change should not be permitted for expired or must change passwords
  • #211: Force string conversion of input values
  • #215: added support for pwned-passwords api v2
  • #217: take into account post-hook exit status

Download: https://ltb-project.org/download#self_service_password

Migration notes: https://ltb-project.org/documentation/self-service-password/1.3/migration

Thanks to community:

Core team:

v1.2

12 Jan 20:44

Changelog:

  • #149: Remove obsolete stripslashes_if_gpc_magic_quotes
  • #154: Translated the hungarian keys left in english.
  • #162: Resolve send token web page issue when E-Mail To: set from LDAP
  • #166: Opportunistic TLS problem
  • #174: Improved nl.lang.php
  • #175: reCAPTCHA not working on master
  • #176: Dutch translation update by AlbertPluton
  • #177: Fix "SSH Key required" message wrong color when ssh key is not submitted
  • #178: Fix pattern matching in reset by questions
  • #179: Revert Twig because of multiple regressions, work still needed, and lack of testing

v1.1

01 Sep 16:30

A lot of improvements and bugfixes:

  • #33: Posthook does not work with apostrophes
  • #38: Add Japanese translation
  • #40: Add missing variable $mail_wordwrap in config.inc.php
  • #41: Show all missing dependencies instead of one and fix color of message…
  • #42: Fix $mail_sendmailpath in config was ignored because of a typo
  • #43: Fix bad link in hungarian translation
  • #47: Allow for longer salts
  • #48: Corrections proposed to index.php and pages/* files
  • #49: Fix the usage of rand instead of mt_rand
  • #50: Use fixed width icons
  • #51: Apache configuration in RPM package
  • #54: Reset password layout
  • #55: shadowExpire in LDAP
  • #58: Escape shell args with escapeshellarg for posthook command (fixes #33)
  • #59: Weak entropy for password generation
  • #60: Encryption without authentication
  • #61: Greek translation
  • #63: German translation
  • #64: Mail from ldap
  • #65: Mail signature
  • #66: Get Mail from LDAP
  • #67: Mail signature
  • #68: Swedish translation
  • #73: Dependency check for function ldap_modify_batch()
  • #74: session token with nginx
  • #75: SHA512 in password encryption
  • #76: Fixing Czech translation
  • #77: Improved IT translation
  • #78: Allow sending SMS through web-based API instead of Email2SMS Gateway
  • #79: Improved ES translation
  • #81: Allow self service of sshPublicKey attribute in LDAP
  • #82: PHPMailer security update
  • #85: mcrypt is outdated
  • #87: Get Travis tests working again on PHP 7
  • #89: Errors in French
  • #90: Update fr.inc.php
  • #91: Can email reset use AD user's FirstName, instead of login ID?
  • #92: Implements strong cryptography with defuse-crypto 2.0.3
  • #93: Add SHA512 password hashing
  • #94: Update phpmailer from v5.2.16 to v5.5.23
  • #95: Dependency check for function ldap_modify_batch()
  • #97: Add an easy way to override messages
  • #98: Bug in resetbytoken.php
  • #99: Force use of phpunit 5.7 if php >= 7.0 for travis testing
  • #100: Fixes for things pointed out after #81 was merged
  • #102: Fix for base64 encoded strings that contain '+'
  • #104: Fix invalid html in sendsms.php
  • #105: SSHKey update Insufficient access
  • #106: Update zh-CN translation
  • #107: Sanitize Mobile Number retrieved from LDAP
  • #111: "Email" name in menu is confusing
  • #115: Force specific language?
  • #116: Add possibility to force use of a specific set of languages
  • #117: SSHA-256 support for ldap user password
  • #118: Fix hhvm on travis, update travis config
  • #120: Fix debian packages/repository for debian stretch
  • #121: Add popovers to explain menu links (cf. issue #111)
  • #126: proxy support for ReCaptcha
  • #128: Reset token validation issue
  • #130: recaptcha uses file_get_contents to retrieve data
  • #131: Allow override of reCAPTCHA request method (cf. issue #130)
  • #132: Fix travis builds for php 7.0 and 7.1
  • #138: sendtoken.php send http instead of https
  • #142: Move $debug config to the top of the file
  • #143: Warn when key phrase is not set
  • #144: Invalid Token error
  • #146: Output buffering to avoid failing session_start in PHP 7.1
  • #148: Change key feature never notifies

Version 1.0

14 Oct 21:35

Redesign of the application with bootstrap and a lot of fixes and new features:

  • #1: Use bootstrap CSS framework
  • #2: Typos in german language
  • #3: Czech language
  • #4: Case in-sensitive lookup e-mail address (When used with ldap/Windows AD)
  • #5: CRLF Issue when sending mail
  • #6: Hungarian translation
  • #7: Create tr.inc.php
  • #8: Add Ukrainian language support
  • #9: Full Spanish and Catalan translations
  • #10: Allow to define a custom reset URL
  • #11: Possibility to set a background image
  • #12: Add a menu
  • #13: NL language file addition (typos and duplicates removed)
  • #14: Update it.inc.php
  • #17: fix german translation of message nophpmbstring
  • #19: add prerequisite to readme
  • #20: Call to undefined function utf8_decode()
  • #21: Bad call to change_password in resetbytoken.php
  • #22: Remove dependency on php5 in Debian package
  • #23: SMS token always valid
  • #24: Reset by SMS token can be used to change another account password
  • #25: Update reCAPTCHA code
  • #26: request: facilitate by-email when SMTP auth is required
  • #28: Updated make_ad_password
  • #29: Use .conf extension for Apache configuration
  • #30: Added a constraint on the number of attempts + corrected reset_url
  • #31: request: disable password change?
  • #32: Password policy - same as login
  • #34: Handle LDAP bind extended error format incompatibility with Samba4
  • #35: All empty forms display a warning message

0.9

16 Aug 15:22

0.9 version issued just before migration to github