roundcubemail/plugins/sasl_password/README

+-------------------------------------------------------------------------+
|
|  Author:  Thomas Bruederli
|  Source:  Squirrelmail Change SASL Password Plugin by Galen Johnson
|  Program: sasl_password
|  Version: 1.0
|  Purpose: Change Cyrus Account Passwords
|
+-------------------------------------------------------------------------+


Purpose
-------
Cyrus SASL database authentication allows your Cyrus+RoundCube
installation to host mail users without requiring a Unix Shell account!

This plugin only covers the "sasldb" case when using Cyrus SASL. Kerberos
and PAM authentication mechanisms will require other techniques to enable
user password manipulations.

Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
user passwords in the "sasldb" database.  This patch attempts to use
this utility to perform password manipulations required by your webmail
users without any administrative interaction. Unfortunately, this
scheme requires that the "saslpasswd" utility be run as the "cyrus"
user - kind of a security problem since we have chosen to SUID a small
script which will allow this to happen.

This plugin is based on the Squirrelmail Change SASL Password Plugin.
See http://www.squirrelmail.org/plugin_view.php?id=107 for details.


Installation
------------
Install just like any other plugin, just put it in the plugin directory
and activate it by adding 'sasl_password' to the list of active plugins
in config/main.inc.php

Edit the chgsaslpasswd.c and chgsaslpasswd.sh files as is documented
within them.

Compile the wrapper program:
	gcc -o chgsaslpasswd chgsaslpasswd.c

Chown the chgsaslpasswd and chgsaslpasswd.sh to the cyrus user and group 
that your browser runs as, then chmod them to 4550.

For example, if your cyrus user is 'cyrus' and the apache server group is
'nobody' (I've been told Redhat runs Apache as user 'apache'):

	chown cyrus:nobody chgsaslpasswd
	chmod 4550 chgsaslpasswd

Stephen Carr has suggested users should try to run the scripts on a test
account as the cyrus user eg;

	su cyrus -c "./chgsaslpasswd -p test_account"

This will allow you to make sure that the script will work for your setup.
Should the script not work, make sure that:
1) the user the script runs as has access to the saslpasswd|saslpasswd2
   file and proper permissions
2) make sure the user in the chgsaslpasswd.c file is set correctly.
   This could save you some headaches if you are the paranoid type.
A SASL password changing plugin inspired by the Squirrelmail Change SASL Password Plugin 16 years ago			`+-------------------------------------------------------------------------+`
			`\|`
			`\| Author: Thomas Bruederli`
			`\| Source: Squirrelmail Change SASL Password Plugin by Galen Johnson`
			`\| Program: sasl_password`
			`\| Version: 1.0`
			`\| Purpose: Change Cyrus Account Passwords`
			`\|`
			`+-------------------------------------------------------------------------+`


			`Purpose`
			`-------`
			`Cyrus SASL database authentication allows your Cyrus+RoundCube`
			`installation to host mail users without requiring a Unix Shell account!`

			`This plugin only covers the "sasldb" case when using Cyrus SASL. Kerberos`
			`and PAM authentication mechanisms will require other techniques to enable`
			`user password manipulations.`

			`Cyrus SASL includes a shell utility called "saslpasswd" for manipulating`
			`user passwords in the "sasldb" database. This patch attempts to use`
			`this utility to perform password manipulations required by your webmail`
			`users without any administrative interaction. Unfortunately, this`
			`scheme requires that the "saslpasswd" utility be run as the "cyrus"`
			`user - kind of a security problem since we have chosen to SUID a small`
			`script which will allow this to happen.`

			`This plugin is based on the Squirrelmail Change SASL Password Plugin.`
			`See http://www.squirrelmail.org/plugin_view.php?id=107 for details.`


			`Installation`
			`------------`
			`Install just like any other plugin, just put it in the plugin directory`
			`and activate it by adding 'sasl_password' to the list of active plugins`
			`in config/main.inc.php`

			`Edit the chgsaslpasswd.c and chgsaslpasswd.sh files as is documented`
			`within them.`

			`Compile the wrapper program:`
			`gcc -o chgsaslpasswd chgsaslpasswd.c`

			`Chown the chgsaslpasswd and chgsaslpasswd.sh to the cyrus user and group`
			`that your browser runs as, then chmod them to 4550.`

			`For example, if your cyrus user is 'cyrus' and the apache server group is`
			`'nobody' (I've been told Redhat runs Apache as user 'apache'):`

			`chown cyrus:nobody chgsaslpasswd`
			`chmod 4550 chgsaslpasswd`

			`Stephen Carr has suggested users should try to run the scripts on a test`
			`account as the cyrus user eg;`

			`su cyrus -c "./chgsaslpasswd -p test_account"`

			`This will allow you to make sure that the script will work for your setup.`
			`Should the script not work, make sure that:`
			`1) the user the script runs as has access to the saslpasswd\|saslpasswd2`
			`file and proper permissions`
			`2) make sure the user in the chgsaslpasswd.c file is set correctly.`
			`This could save you some headaches if you are the paranoid type.`