| commit | author | age | ||
| 48e9c1 | 1 | ----------------------------------------------------------------------- |
| T | 2 | Password Plugin for Roundcube |
| 3 | ----------------------------------------------------------------------- | |
| 4 | ||
| 5 | Plugin that adds a possibility to change user password using many | |
| 6 | methods (drivers) via Settings/Password tab. | |
| 7 | ||
| 8 | ----------------------------------------------------------------------- | |
| 9 | This program is free software; you can redistribute it and/or modify | |
| 10 | it under the terms of the GNU General Public License version 2 | |
| 11 | as published by the Free Software Foundation. | |
| 12 | ||
| 13 | This program is distributed in the hope that it will be useful, | |
| 14 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
| 16 | GNU General Public License for more details. | |
| 17 | ||
| 18 | You should have received a copy of the GNU General Public License along | |
| 19 | with this program; if not, write to the Free Software Foundation, Inc., | |
| 20 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
| 21 | ||
| 22 | @version @package_version@ | |
| 23 | @author Aleksander 'A.L.E.C' Machniak <alec@alec.pl> | |
| 24 | @author <see driver files for driver authors> | |
| 25 | ----------------------------------------------------------------------- | |
| 26 | ||
| 27 | 1. Configuration | |
| 28 | 2. Drivers | |
| 29 | 2.1. Database (sql) | |
| 30 | 2.2. Cyrus/SASL (sasl) | |
| 31 | 2.3. Poppassd/Courierpassd (poppassd) | |
| 32 | 2.4. LDAP (ldap) | |
| 33 | 2.5. DirectAdmin Control Panel (directadmin) | |
| 34 | 2.6. cPanel (cpanel) | |
| 35 | 2.7. XIMSS/Communigate (ximms) | |
| 36 | 2.8. Virtualmin (virtualmin) | |
| 37 | 2.9. hMailServer (hmail) | |
| 38 | 2.10. PAM (pam) | |
| 39 | 2.11. Chpasswd (chpasswd) | |
| 40 | 2.12. LDAP - no PEAR (ldap_simple) | |
| 41 | 2.13. XMail (xmail) | |
| 42 | 2.14. Pw (pw_usermod) | |
| 43 | 2.15. domainFACTORY (domainfactory) | |
| 44 | 2.16. DBMail (dbmail) | |
| 45 | 2.17. Expect (expect) | |
| 46 | 2.18. Samba (smb) | |
| 47 | 3. Driver API | |
| 48 | ||
| 49 | ||
| 50 | 1. Configuration | |
| 51 | ---------------- | |
| 52 | ||
| 53 | Copy config.inc.php.dist to config.inc.php and set the options as described | |
| 54 | within the file. | |
| 55 | ||
| 56 | ||
| 57 | 2. Drivers | |
| 58 | ---------- | |
| 59 | ||
| 60 | Password plugin supports many password change mechanisms which are | |
| 61 | handled by included drivers. Just pass driver name in 'password_driver' option. | |
| 62 | ||
| 63 | ||
| 64 | 2.1. Database (sql) | |
| 65 | ------------------- | |
| 66 | ||
| 67 | You can specify which database to connect by 'password_db_dsn' option and | |
| 68 | what SQL query to execute by 'password_query'. See main.inc.php.dist file for | |
| 69 | more info. | |
| 70 | ||
| 71 | Example implementations of an update_passwd function: | |
| 72 | ||
| 73 | - This is for use with LMS (http://lms.org.pl) database and postgres: | |
| 74 | ||
| 75 | CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$ | |
| 76 | DECLARE | |
| 77 | res integer; | |
| 78 | BEGIN | |
| 79 | UPDATE passwd SET password = hash | |
| 80 | WHERE login = split_part(account, '@', 1) | |
| 81 | AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2)) | |
| 82 | RETURNING id INTO res; | |
| 83 | RETURN res; | |
| 84 | END; | |
| 85 | $$ LANGUAGE plpgsql SECURITY DEFINER; | |
| 86 | ||
| 87 | - This is for use with a SELECT update_passwd(%o,%c,%u) query | |
| 88 | Updates the password only when the old password matches the MD5 password | |
| 89 | in the database | |
| 90 | ||
| 91 | CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text | |
| 92 | MODIFIES SQL DATA | |
| 93 | BEGIN | |
| 94 | DECLARE currentsalt varchar(20); | |
| 95 | DECLARE error text; | |
| 96 | SET error = 'incorrect current password'; | |
| 97 | SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user; | |
| 98 | SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); | |
| 99 | UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); | |
| 100 | RETURN error; | |
| 101 | END | |
| 102 | ||
| 103 | Example SQL UPDATEs: | |
| 104 | ||
| 105 | - Plain text passwords: | |
| 106 | UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1 | |
| 107 | ||
| 108 | - Crypt text passwords: | |
| 109 | UPDATE users SET password=%c WHERE username=%u LIMIT 1 | |
| 110 | ||
| 111 | - Use a MYSQL crypt function (*nix only) with random 8 character salt | |
| 112 | UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1 | |
| 113 | ||
| 114 | - MD5 stored passwords: | |
| 115 | UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1 | |
| 116 | ||
| 117 | ||
| 118 | 2.2. Cyrus/SASL (sasl) | |
| 119 | ---------------------- | |
| 120 | ||
| 121 | Cyrus SASL database authentication allows your Cyrus+Roundcube | |
| 122 | installation to host mail users without requiring a Unix Shell account! | |
| 123 | ||
| 124 | This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos | |
| 125 | and PAM authentication mechanisms will require other techniques to enable | |
| 126 | user password manipulations. | |
| 127 | ||
| 128 | Cyrus SASL includes a shell utility called "saslpasswd" for manipulating | |
| 129 | user passwords in the "sasldb" database. This plugin attempts to use | |
| 130 | this utility to perform password manipulations required by your webmail | |
| 131 | users without any administrative interaction. Unfortunately, this | |
| 132 | scheme requires that the "saslpasswd" utility be run as the "cyrus" | |
| 133 | user - kind of a security problem since we have chosen to SUID a small | |
| 134 | script which will allow this to happen. | |
| 135 | ||
| 136 | This driver is based on the Squirrelmail Change SASL Password Plugin. | |
| 137 | See http://www.squirrelmail.org/plugin_view.php?id=107 for details. | |
| 138 | ||
| 139 | Installation: | |
| 140 | ||
| 141 | Change into the helpers directory. Edit the chgsaslpasswd.c file as is | |
| 142 | documented within it. | |
| 143 | ||
| 144 | Compile the wrapper program: | |
| 145 | gcc -o chgsaslpasswd chgsaslpasswd.c | |
| 146 | ||
| 147 | Chown the compiled chgsaslpasswd binary to the cyrus user and group | |
| 148 | that your browser runs as, then chmod them to 4550. | |
| 149 | ||
| 150 | For example, if your cyrus user is 'cyrus' and the apache server group is | |
| 151 | 'nobody' (I've been told Redhat runs Apache as user 'apache'): | |
| 152 | ||
| 153 | chown cyrus:nobody chgsaslpasswd | |
| 154 | chmod 4550 chgsaslpasswd | |
| 155 | ||
| 156 | Stephen Carr has suggested users should try to run the scripts on a test | |
| 157 | account as the cyrus user eg; | |
| 158 | ||
| 159 | su cyrus -c "./chgsaslpasswd -p test_account" | |
| 160 | ||
| 161 | This will allow you to make sure that the script will work for your setup. | |
| 162 | Should the script not work, make sure that: | |
| 163 | 1) the user the script runs as has access to the saslpasswd|saslpasswd2 | |
| 164 | file and proper permissions | |
| 165 | 2) make sure the user in the chgsaslpasswd.c file is set correctly. | |
| 166 | This could save you some headaches if you are the paranoid type. | |
| 167 | ||
| 168 | ||
| 169 | 2.3. Poppassd/Courierpassd (poppassd) | |
| 170 | ------------------------------------- | |
| 171 | ||
| 172 | You can specify which host to connect to via 'password_pop_host' and | |
| 173 | what port via 'password_pop_port'. See config.inc.php.dist file for more info. | |
| 174 | ||
| 175 | ||
| 176 | 2.4. LDAP (ldap) | |
| 177 | ---------------- | |
| 178 | ||
| 179 | See config.inc.php.dist file. Requires PEAR::Net_LDAP2 package. | |
| 180 | ||
| 181 | ||
| 182 | 2.5. DirectAdmin Control Panel (directadmin) | |
| 183 | -------------------------------------------- | |
| 184 | ||
| 185 | You can specify which host to connect to via 'password_directadmin_host' (don't | |
| 186 | forget to use tcp:// or ssl://) and what port via 'password_direactadmin_port'. | |
| 187 | The password enforcement with plenty customization can be done directly by | |
| 188 | DirectAdmin, please see http://www.directadmin.com/features.php?id=910 | |
| 189 | See config.inc.php.dist file for more info. | |
| 190 | ||
| 191 | ||
| 192 | 2.6. cPanel (cpanel) | |
| 193 | -------------------- | |
| 194 | ||
| 195 | You can specify parameters for HTTP connection to cPanel's admin | |
| 196 | interface. See config.inc.php.dist file for more info. | |
| 197 | ||
| 198 | ||
| 199 | 2.7. XIMSS/Communigate (ximms) | |
| 200 | ------------------------------ | |
| 201 | ||
| 202 | You can specify which host and port to connect to via 'password_ximss_host' | |
| 203 | and 'password_ximss_port'. See config.inc.php.dist file for more info. | |
| 204 | ||
| 205 | ||
| 206 | 2.8. Virtualmin (virtualmin) | |
| 207 | ---------------------------- | |
| 208 | ||
| 209 | As in sasl driver this one allows to change password using shell | |
| 210 | utility called "virtualmin". See helpers/chgvirtualminpasswd.c for | |
| 211 | installation instructions. See also config.inc.php.dist file. | |
| 212 | ||
| 213 | ||
| 214 | 2.9. hMailServer (hmail) | |
| 215 | ------------------------ | |
| 216 | ||
| 217 | Requires PHP COM (Windows only). For access to hMail server on remote host | |
| 218 | you'll need to define 'hmailserver_remote_dcom' and 'hmailserver_server'. | |
| 219 | See config.inc.php.dist file for more info. | |
| 220 | ||
| 221 | ||
| 222 | 2.10. PAM (pam) | |
| 223 | --------------- | |
| 224 | ||
| 225 | This driver is for changing passwords of shell users authenticated with PAM. | |
| 226 | Requires PECL's PAM exitension to be installed (http://pecl.php.net/package/PAM). | |
| 227 | ||
| 228 | ||
| 229 | 2.11. Chpasswd (chpasswd) | |
| 230 | ------------------------- | |
| 231 | ||
| 232 | Driver that adds functionality to change the systems user password via | |
| 233 | the 'chpasswd' command. See config.inc.php.dist file. | |
| 234 | ||
| 235 | Attached wrapper script (helpers/chpass-wrapper.py) restricts password changes | |
| 236 | to uids >= 1000 and can deny requests based on a blacklist. | |
| 237 | ||
| 238 | ||
| 239 | 2.12. LDAP - no PEAR (ldap_simple) | |
| 240 | ----------------------------------- | |
| 241 | ||
| 242 | It's rewritten ldap driver that doesn't require the Net_LDAP2 PEAR extension. | |
| 243 | It uses directly PHP's ldap module functions instead (as Roundcube does). | |
| 244 | ||
| 245 | This driver is fully compatible with the ldap driver, but | |
| 246 | does not require (or uses) the | |
| 247 | $rcmail_config['password_ldap_force_replace'] variable. | |
| 248 | Other advantages: | |
| 249 | * Connects only once with the LDAP server when using the search user. | |
| 250 | * Does not read the DN, but only replaces the password within (that is | |
| 251 | why the 'force replace' is always used). | |
| 252 | ||
| 253 | ||
| 254 | 2.13. XMail (xmail) | |
| 255 | ----------------------------------- | |
| 256 | ||
| 257 | Driver for XMail (www.xmailserver.org). See config.inc.php.dist file | |
| 258 | for configuration description. | |
| 259 | ||
| 260 | ||
| 261 | 2.14. Pw (pw_usermod) | |
| 262 | ----------------------------------- | |
| 263 | ||
| 264 | Driver to change the systems user password via the 'pw usermod' command. | |
| 265 | See config.inc.php.dist file for configuration description. | |
| 266 | ||
| 267 | ||
| 268 | 2.15. domainFACTORY (domainfactory) | |
| 269 | ----------------------------------- | |
| 270 | ||
| 271 | Driver for the hosting provider domainFACTORY (www.df.eu). | |
| 272 | No configuration options. | |
| 273 | ||
| 274 | ||
| 275 | 2.16. DBMail (dbmail) | |
| 276 | ----------------------------------- | |
| 277 | ||
| 278 | Driver that adds functionality to change the users DBMail password. | |
| 279 | It only works with dbmail-users on the same host where Roundcube runs | |
| 280 | and requires shell access and gcc in order to compile the binary | |
| 281 | (see instructions in chgdbmailusers.c file). | |
| 282 | See config.inc.php.dist file for configuration description. | |
| 283 | ||
| 284 | Note: DBMail users can also use sql driver. | |
| 285 | ||
| 286 | ||
| 287 | 2.17. Expect (expect) | |
| 288 | ----------------------------------- | |
| 289 | ||
| 290 | Driver to change user password via the 'expect' command. | |
| 291 | See config.inc.php.dist file for configuration description. | |
| 292 | ||
| 293 | ||
| 294 | 2.18. Samba (smb) | |
| 295 | ----------------------------------- | |
| 296 | ||
| 297 | Driver to change Samba user password via the 'smbpasswd' command. | |
| 298 | See config.inc.php.dist file for configuration description. | |
| 299 | ||
| 300 | ||
| 301 | 3. Driver API | |
| 302 | ------------- | |
| 303 | ||
| 304 | Driver file (<driver_name>.php) must define 'password_save' function with | |
| 305 | two arguments. First - current password, second - new password. Function | |
| 306 | should return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR, | |
| 307 | PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password. | |
| 308 | Extended result (as a hash-array with 'message' and 'code' items) can be returned | |
| 309 | too. See existing drivers in drivers/ directory for examples. | |
