## Installing in production

### Build image

```
docker build --no-cache=true -t ndn-pwman .
```

## Running pwman

You need a useradmin keytab file and the admin password for our LDAP. You also need a proxy running in front of pwman that sends along an `X-Remote-User` HTTP header. Since pwman takes the authenticated user from that header, the container must only be reachable through the proxy, and the proxy must set (not pass through) `X-Remote-User`, so a client cannot supply its own value.

```
docker run --rm -ti --name pwman -e LDAP_PASSWORD="1234secrets" -e LDAP_SERVER="ldap.nordu.net" -v /etc/useradmin.keytab:/opt/keytabs/pwman.keytab:ro -v $(pwd)/data:/opt/pwman ndn-pwman
```

A password given with `-e` on the command line ends up in the shell history; `--env-file` with a root-only file avoids that. In both cases the value is visible in `docker inspect` to anyone with access to the Docker socket.

## Generating a persistent csrf key

```
docker run --rm -ti ndn-pwman pwman -gennerate-csrf
```

Set the printed value as `CSRF_SECRET`. Without it a new random secret is generated on every start, which invalidates any forms that were open across a restart.

## Environment variables

Run `pwman -h` to get the full list of flags. All flags can be set using environment variables by upper-casing them and replacing dashes with underscores, e.g. `ldap-password` becomes `LDAP_PASSWORD`. The only required variable is `LDAP_PASSWORD`.

- `LDAP_SERVER` - defaults to `localhost`
- `LDAP_PORT` - defaults to `636`
- `LDAP_USER` - defaults to `cn=admin,dc=nordu,dc=net`
- `LDAP_PASSWORD` - required, no default
- `CHANGEPW_SCRIPT` - defaults to `/opt/scripts/create-kdc-principal.pl`
- `CSRF_SECRET` - defaults to a random 32-character string (including specials), regenerated on every start
- `ADDRESS` - the address the pwman server listens on, defaults to `:3000`
- `BASE_PATH` - the path prefix pwman resides under, e.g. `/sso`
- `PWNED` - path to a Pwned Passwords v2 file
- `KRB5_CONFIG` - path to a krb5.conf file

Primarily development variables (do not set these in production):

- `CSRF_INSECURE` - allow the csrf cookie to be sent over unencrypted HTTP
- `LDAP_SSL_SKIP_VERIFY` - skip LDAP TLS certificate verification
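The following wrapper is an added example and not part of pwman. It applies the flag-to-variable rule from the previous section to check an env file before starting the container: the required `LDAP_PASSWORD` must be present with a non-empty value, and the two development-only variables must be absent. The path `/etc/pwman/pwman.env` is a hypothetical location for a root-only `KEY=VALUE` file; everything else is taken from the commands above.

```shell
#!/bin/sh
# Added example, not part of pwman: production wrapper around `docker run`.
# Assumptions: /etc/pwman/pwman.env is a hypothetical root-only KEY=VALUE file;
# the flag-to-variable rule (upper-case, dash -> underscore) is the one this README states.
set -eu

# Map a pwman flag name to its environment variable name, e.g. ldap-password -> LDAP_PASSWORD.
flag_to_env() {
    printf '%s' "$1" | tr 'a-z-' 'A-Z_'
}

# Check an env file: every required flag must be set to a non-empty value, and none of
# the development-only flags may be present. Prints each problem; returns 1 if any found.
check_env_file() {
    env_file=$1
    problems=0
    for flag in ldap-password; do
        var=$(flag_to_env "$flag")
        if ! grep -q "^${var}=." "$env_file"; then
            echo "missing required variable: $var"
            problems=1
        fi
    done
    for flag in csrf-insecure ldap-ssl-skip-verify; do
        var=$(flag_to_env "$flag")
        if grep -q "^${var}=" "$env_file"; then
            echo "development-only variable must not be set in production: $var"
            problems=1
        fi
    done
    return $problems
}

# Usage: sh run-pwman.sh /etc/pwman/pwman.env
# The container is only started when the checks pass. --env-file keeps LDAP_PASSWORD out
# of the shell history; it is still visible in `docker inspect` to anyone who can reach
# the Docker socket, so restrict that as well.
if [ -n "${1:-}" ]; then
    check_env_file "$1"
    exec docker run --rm -ti --name pwman --env-file "$1" \
        -v /etc/useradmin.keytab:/opt/keytabs/pwman.keytab:ro \
        -v "$(pwd)/data:/opt/pwman" ndn-pwman
fi
```

Because the script runs under `set -e`, a failed check aborts before `docker run` is reached, so a container is never started with an incomplete or development configuration.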