
How do I integrate PWM (password manager) with Bright?


How do I integrate PWM with Bright Cluster Manager?


What is PWM?

PWM is an open source self-service password application for LDAP directories. PWM is an ideal candidate for organizations that wish to “roll their own” self-service password solution, but do not wish to start from scratch.[1]

It can be installed as follows:

Install Tomcat on top of a Bright Cluster


  • Install tomcat from the base distribution repository:

[root@ma-b72-c7 ~]# yum install tomcat


  • Add the following JAVA_OPTS line to the /etc/tomcat/tomcat.conf configuration file. The Xmx and MaxPermSize values can be changed as needed; they control how much memory tomcat will use:


JAVA_OPTS=" -Djava.awt.headless=true -Xmx512m -XX:MaxPermSize=256m -XX:+UseConcMarkSweepGC"



  • The following line should be added for PWM version 1.8 to work with tomcat:




  • Install the admin packages:

[root@ma-b72-c7 ~]# yum install tomcat-webapps tomcat-admin-webapps


  • Configure tomcat to use port 9085 instead of the default port:

[root@ma-b72-c7 ~]# grep 9085 /etc/tomcat/server.xml

    <Connector port="9085" protocol="HTTP/1.1"

[root@ma-b72-c7 ~]#


  • Add an admin user and password to access the web interface:

[root@ma-b72-c7 ~]# grep -r user /usr/share/tomcat/conf/tomcat-users.xml


        <user username="admin" password="system" roles="manager-gui,admin-gui"/>




  • Enable and start the tomcat service:

[root@ma-b72-c7 ~]# systemctl enable tomcat

[root@ma-b72-c7 ~]# systemctl start tomcat


  • Add a shorewall rule to allow access to port 9085:

[root@ma-b72-c7 ~]# grep 9085 /etc/shorewall/rules

ACCEPT   net            fw              tcp     9085

[root@ma-b72-c7 ~]# service shorewall restart
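As an added check that is not part of the original post, the script below audits the two Tomcat files edited above before port 9085 is opened to the net zone: it flags connectors that would serve PWM over plain HTTP (PWM handles user passwords) and manager/admin accounts that use a weak or default password. The XML is constructed from the snippets in the post so it runs offline; on a real host read /etc/tomcat/server.xml and /usr/share/tomcat/conf/tomcat-users.xml instead.

```python
# Added example (not from the post): audit the Tomcat settings from the steps
# above. The XML below is constructed from the grep output shown in the post.
import xml.etree.ElementTree as ET

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9085" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="admin" password="system" roles="manager-gui,admin-gui"/>
</tomcat-users>"""

PRIVILEGED_ROLES = {"manager-gui", "admin-gui", "manager-script", "manager-jmx"}
WEAK_PASSWORDS = {"system", "admin", "tomcat", "password", ""}

def _local(tag):
    """Strip an XML namespace prefix: '{http://...}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]

def connector_findings(server_xml):
    """Flag HTTP connectors without TLS: PWM sends user passwords over them."""
    findings = []
    for el in ET.fromstring(server_xml).iter():
        if _local(el.tag) != "Connector":
            continue
        proto = el.get("protocol", "HTTP/1.1")  # Tomcat defaults to HTTP/1.1
        tls = el.get("SSLEnabled", "").lower() == "true" or el.get("scheme") == "https"
        if "http" in proto.lower() and not tls:
            findings.append(f"port {el.get('port')}: plain HTTP connector, PWM logins would be unencrypted")
    return findings

def user_findings(users_xml):
    """Flag accounts with manager/admin roles that use a weak or default password."""
    findings = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")} & PRIVILEGED_ROLES
        if roles and el.get("password", "") in WEAK_PASSWORDS:
            findings.append(f"user {el.get('username')!r}: weak password with roles {sorted(roles)}")
    return findings
```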





Install PWM


  • Download the sources for PWM 1.7.1


  • Unzip the sources:

[root@ma-b72-c7 ~]# mkdir pwm-1.7.1

[root@ma-b72-c7 ~]# mv pwm-1.7.1

[root@ma-b72-c7 ~]# cd pwm-1.7.1

[root@ma-b72-c7 ~]# unzip


  • Copy the pwm.war file to tomcat webapps:

[root@ma-b72-c7 ~]# cp pwm-1.7.1/pwm.war /var/lib/tomcat/webapps/


  • Restart tomcat and check that PWM is accessible:

[root@ma-b72-c7 ~]# systemctl restart tomcat

Access at:



  • The first time the PWM web interface is accessed, it will offer a configuration guide to help in doing the initial configuration:

Screenshot from 2016-05-20 12:54:45.png


  • Click on “Start Configuration Guide” to start the guided configurations.
  • Choose the backend LDAP server and click “Next”

Screenshot from 2016-05-20 12:58:16.png


  • Add port 389 to the list of allowed ports in shorewall:

[root@ma-b72-c7 ~]# grep 389 /etc/shorewall/rules

ACCEPT   net            fw              tcp     389

[root@ma-b72-c7 ~]# systemctl restart shorewall


  • Enter the LDAP configuration in the web form:

Screenshot from 2016-05-20 14:05:26.png


  • Define an admin user:

[root@ma-b72-c7 ~]# cat adminuser.ldif
# adel, cm.cluster
dn: uid=adel,dc=cm,dc=cluster
uid: adel
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1002
cn: adel
homeDirectory: /home/adel
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: 0
shadowExpire: 24837
shadowLastChange: 16792
sn: adel
memberof: cn=admins,ou=Group,dc=cm,dc=cluster


[root@ma-b72-c7 ~]# ldapadd -x -W -D "cn=root,dc=cm,dc=cluster" -f adminuser.ldif

Enter LDAP Password:

adding new entry "uid=adel,dc=cm,dc=cluster"




Screenshot from 2016-05-20 14:18:55.png



  • Add a test user:

Screenshot from 2016-05-20 14:20:27.png


  • Enter a configuration password. This allows the global configurations for PWM to be set:

Screenshot from 2016-05-20 14:21:42.png


  • Complete the configuration by saving it

Screenshot from 2016-05-20 14:22:33.png


  • Create a PWM schema file:

[root@ma-b71-c7 ~]# cat /cm/local/apps/openldap/etc/schema/pwmschema.schema
attributetypes (
        NAME 'pwmEventLog'
        X-ORIGIN 'user defined' )

attributetypes (
        NAME 'pwmResponseSet'
        X-ORIGIN 'user defined' )

attributetypes (
        NAME 'pwmLastPwdUpdate'
        X-ORIGIN 'user defined' )

attributetypes (
        NAME 'pwmGUID'
        X-ORIGIN 'user defined' )

objectclass (
        NAME 'pwmUser'
        DESC ''
        SUP top AUXILIARY
        MAY ( pwmEventLog $ pwmGUID $ pwmLastPwdUpdate $ pwmResponseSet )
        X-ORIGIN 'user defined' )
[root@ma-b71-c7 ~]#



  • Include the PWM schema with an include statement in slapd.conf:

        [root@ma-b72-c7 ~]# grep pwm /cm/local/apps/openldap/etc/slapd.conf
        include         /cm/local/apps/openldap/etc/schema/pwmschema.schema

  • Add the following access directives for the PWM attributes to slapd.conf:


[root@ma-b72-c7 ~]# cat /cm/local/apps/openldap/etc/slapd.conf
access to attrs=pwmUser
 by * read
 by * write

access to attrs=pwmResponseSet
 by * read
 by * write

access to attrs=pwmEventLog
 by * read
 by * write

[root@ma-b72-c7 ~]# systemctl restart slapd.service
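As an added check that is not part of the original post, the script below parses the access directives above and applies two OpenLDAP ACL rules: "by" clauses are evaluated in order and the first match wins, and "by *" matches every bind, anonymous ones included. It also embeds an assumed hardened stanza that grants write access only to the admin DN created earlier; that DN is an assumption and should be replaced by whatever DN PWM actually binds with.

```python
# Added example (not from the post): checker for the slapd.conf access directives above.
# OpenLDAP rules applied: the first matching 'by' clause wins, and 'by *' matches every bind.
PWM_OBJECTCLASSES = {"pwmUser"}
SENSITIVE = {"pwmResponseSet"}  # holds users' challenge/response answers

# Constructed copy of the access block shown in the post.
POSTED_ACCESS = """access to attrs=pwmUser
 by * read
 by * write
access to attrs=pwmResponseSet
 by * read
 by * write
access to attrs=pwmEventLog
 by * read
 by * write
"""

# Assumed hardened form (not from the post): write only for the admin DN defined
# earlier (change it to the DN PWM binds as), nothing for anyone else.
HARDENED_ACCESS = """access to attrs=pwmResponseSet,pwmEventLog,pwmLastPwdUpdate,pwmGUID
 by dn.exact="uid=adel,dc=cm,dc=cluster" write
 by * none
"""

def parse_access(text):
    """Return [(attrs, [(who, level), ...])]; assumes 'who' contains no spaces."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to attrs="):
            stanzas.append((line[len("access to attrs="):].split(","), []))
        elif line.startswith("by ") and stanzas:
            who, level = (line.split() + ["none"])[1:3]
            stanzas[-1][1].append((who, level))
    return stanzas

def audit_access(text):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    for attrs, clauses in parse_access(text):
        name = ",".join(attrs)
        findings += [f"{name}: {a} is an objectclass, not an attribute" for a in attrs if a in PWM_OBJECTCLASSES]
        for i, (who, level) in enumerate(clauses):
            if who == "*":
                if i < len(clauses) - 1:
                    findings.append(f"{name}: clauses after 'by * {level}' never apply")
                if level != "none" and SENSITIVE & set(attrs):
                    findings.append(f"{name}: anonymous binds get {level} on sensitive data")
                break  # slapd stops evaluating at the first match
    return findings
```

Run audit_access(POSTED_ACCESS) to see why the posted block needs attention: every stanza's "by * write" is unreachable behind "by * read", pwmUser is an objectclass rather than an attribute, and challenge/response data is readable by anonymous binds.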





Configuring Password Policy and Challenge Policy

  • Once you have logged in to PWM, click on Configuration Manager, in the yellow bar at the very top of the screen:


Screenshot from 2016-05-20 14:46:15.png


  • In the configuration manager click on the “Configuration Editor” button:


Screenshot from 2016-05-20 14:36:34.png



  • You’ll be asked for the Configuration Password which was set during the initial configurations:

Screenshot from 2016-05-20 14:47:55.png


  • Disable forcing challenge policy:

Screenshot from 2016-05-20 14:49:05.png


Screenshot from 2016-05-20 14:50:18.png


  • Save changes

Screenshot from 2016-05-20 14:50:59.png


  • Change Password Policy

Screenshot from 2016-05-20 14:52:13.png


  • After clicking on “Password Policy” you’ll be redirected to the page where you can enforce different attributes for a password. Edit as required and then save the changes by clicking on “Actions” → “Save”.

Screenshot from 2016-05-20 14:53:36.png



  • When a user attempts to change a password through the PWM web interface, the password policy is enforced:

Screenshot from 2016-05-20 15:17:31.png


  • A user can only change the password when the new password satisfies all the enforced password policy rules:

Screenshot from 2016-05-20 15:20:47.png

  • Check that the admin user exists:

[root@ma-b71-c7 ~]# ldapsearch -x -b dc=cm,dc=cluster memberOf
# extended LDIF
#
# LDAPv3
# base <dc=cm,dc=cluster> with scope subtree
# filter: (objectclass=*)
# requesting: memberOf
#

# adel, cm.cluster
dn: uid=adel,dc=cm,dc=cluster
memberOf: cn=admins,ou=Group,dc=cm,dc=cluster

# search result
search: 2
result: 0 Success

# numResponses: 10
# numEntries: 9