-----------------------------------------------------------------------
Password Plugin for Roundcube
-----------------------------------------------------------------------

Plugin that adds the possibility to change the user password using one of many
methods (drivers) via the Settings/Password tab.

-----------------------------------------------------------------------
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 2
as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

@version 1.2
@author Aleksander 'A.L.E.C' Machniak <alec@alec.pl>
@author <see driver files for driver authors>
-----------------------------------------------------------------------

1. Configuration
2. Drivers
2.1. Database (sql)
2.2. Cyrus/SASL (sasl)
2.3. Poppassd/Courierpassd (poppassd)
2.4. LDAP (ldap)
3. Driver API

1. Configuration
----------------

Copy config.inc.php.dist to config.inc.php and set the options as described
within the file.


2. Drivers
----------

The Password plugin supports many password change mechanisms, which are
handled by the included drivers. Just pass the driver name in the 'password_driver' option.


2.1. Database (sql)
-------------------

You can specify which database to connect to with the 'password_db_dsn' option and
what SQL query to execute with 'password_query'. See the main.inc.php file for
more info.

Example implementations of an update_passwd function:

- This is for use with the LMS (http://lms.org.pl) database and postgres:

CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$
DECLARE
    res integer;
BEGIN
    -- account is "login@domain"; resolve the domain to its id before updating
    UPDATE passwd SET password = hash
        WHERE login = split_part(account, '@', 1)
        AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2))
        RETURNING id INTO res;
    RETURN res;
END;
-- SECURITY DEFINER: runs with the function owner's rights, so the webmail
-- database role only needs EXECUTE on this function, not UPDATE on passwd
$$ LANGUAGE plpgsql SECURITY DEFINER;

- This is for use with a SELECT update_passwd(%o,%c,%u) query (MySQL).
  Updates the password only when the old password matches the MD5 password
  in the database:

CREATE FUNCTION update_passwd (oldpass text, cryptpass text, user text) RETURNS text
MODIFIES SQL DATA
BEGIN
    DECLARE currentsalt varchar(20);
    DECLARE error text;
    SET error = 'incorrect current password';
    -- take the salt from the stored "$1$salt$hash" value (skip the leading "$1$")
    SELECT substring_index(substr(password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user;
    -- clear the error only if the old password re-encrypts to the stored value
    SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
    UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
    RETURN error;
END

Example SQL UPDATEs:

- Plain text passwords:
UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1

- Crypted passwords:
UPDATE users SET password=%c WHERE username=%u LIMIT 1

- Use a MYSQL crypt function (*nix only) with a random 8 character salt:
UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1

- MD5 stored passwords:
UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1


2.2. Cyrus/SASL (sasl)
----------------------

Cyrus SASL database authentication allows your Cyrus+RoundCube
installation to host mail users without requiring a Unix Shell account!

This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos
and PAM authentication mechanisms will require other techniques to enable
user password manipulations.

Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
user passwords in the "sasldb" database. This plugin attempts to use
this utility to perform the password manipulations required by your webmail
users without any administrative interaction. Unfortunately, this
scheme requires that the "saslpasswd" utility be run as the "cyrus"
user, which is something of a security concern, since the chosen solution is
a small setuid wrapper that allows this to happen.

This driver is based on the Squirrelmail Change SASL Password Plugin.
See http://www.squirrelmail.org/plugin_view.php?id=107 for details.

Installation:

Change into the drivers directory. Edit the chgsaslpasswd.c file as is
documented within it.

Compile the wrapper program:
gcc -o chgsaslpasswd chgsaslpasswd.c

Chown the compiled chgsaslpasswd binary to the cyrus user and the group
that your web server runs as, then chmod it to 4550.

For example, if your cyrus user is 'cyrus' and the apache server group is
'nobody' (I've been told Redhat runs Apache as user 'apache'):

chown cyrus:nobody chgsaslpasswd
chmod 4550 chgsaslpasswd

Stephen Carr has suggested users should try to run the scripts on a test
account as the cyrus user, e.g.:

su cyrus -c "./chgsaslpasswd -p test_account"

This will allow you to make sure that the script will work for your setup.
Should the script not work, make sure that:
1) the user the script runs as has access to the saslpasswd/saslpasswd2
   binary and the proper permissions;
2) the user in the chgsaslpasswd.c file is set correctly.
This could save you some headaches if you are the paranoid type.


2.3. Poppassd/Courierpassd (poppassd)
-------------------------------------

You can specify which host to connect to via `password_pop_host` and
what port via `password_pop_port`. See the config.inc.php file for more info.


2.4. LDAP (ldap)
----------------

See the config.inc.php file. Requires the PEAR::Net_LDAP2 package.


3. Driver API
-------------

The driver file (<driver_name>.php) must define a 'password_save' function with
two arguments: first the current password, second the new password. The function
returns PASSWORD_SUCCESS on success, or any of PASSWORD_CONNECT_ERROR,
PASSWORD_CRYPT_ERROR or PASSWORD_ERROR when the driver was unable to change the password.
See the existing drivers in the drivers/ directory for examples.
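An added, hypothetical driver that follows this API and the old-password check used by the UPDATE examples in section 2.1 (example code, not one of the plugin's own drivers). It assumes a users(username, password) table holding PHP password_hash() digests (PHP 5.5 or later), the Roundcube calls rcmail::get_instance(), ->user->get_username() and ->config->get(), and two invented config options password_db_user / password_db_pass next to the existing password_db_dsn:

```php
<?php
// Added example driver (hypothetical file drivers/pdo_example.php); not one of the
// plugin's own drivers. Assumes a table users(username, password) whose password
// column holds a PHP password_hash() digest, and the config options
// password_db_dsn (existing) plus password_db_user / password_db_pass (invented here).

function password_save($curpass, $passwd)
{
    $rcmail   = rcmail::get_instance();
    $username = $rcmail->user->get_username();

    try {
        $db = new PDO(
            $rcmail->config->get('password_db_dsn'),
            $rcmail->config->get('password_db_user'),
            $rcmail->config->get('password_db_pass')
        );
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        // Could not reach the database at all
        return PASSWORD_CONNECT_ERROR;
    }

    try {
        // Bound parameters only: both passwords and the username are untrusted input
        $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
        $stmt->execute(array(':u' => $username));
        $stored = $stmt->fetchColumn();

        // Verify the current password before touching the row; this is the same
        // check the "AND password=%o" clause performs in the UPDATE examples
        if ($stored === false || !password_verify($curpass, $stored)) {
            return PASSWORD_ERROR;
        }

        $hash = password_hash($passwd, PASSWORD_DEFAULT);
        if ($hash === false) {
            return PASSWORD_CRYPT_ERROR;
        }

        $upd = $db->prepare('UPDATE users SET password = :h WHERE username = :u');
        $upd->execute(array(':h' => $hash, ':u' => $username));

        // Exactly one row must have changed for the update to count as a success
        return $upd->rowCount() === 1 ? PASSWORD_SUCCESS : PASSWORD_ERROR;
    } catch (PDOException $e) {
        return PASSWORD_ERROR;
    }
}
```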