+-------------------------------------------------------------------------+
|
| Author:  Thomas Bruederli
| Source:  Squirrelmail Change SASL Password Plugin by Galen Johnson
| Program: sasl_password
| Version: 1.0
| Purpose: Change Cyrus Account Passwords
|
+-------------------------------------------------------------------------+

Purpose
-------
Cyrus SASL database authentication allows your Cyrus+RoundCube
installation to host mail users without requiring a Unix Shell account!

This plugin only covers the "sasldb" case when using Cyrus SASL. Kerberos
and PAM authentication mechanisms will require other techniques to enable
user password manipulations.

Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
user passwords in the "sasldb" database. This patch attempts to use
this utility to perform password manipulations required by your webmail
users without any administrative interaction. Unfortunately, this
scheme requires that the "saslpasswd" utility be run as the "cyrus"
user - kind of a security problem since we have chosen to SUID a small
script which will allow this to happen.

This plugin is based on the Squirrelmail Change SASL Password Plugin.
See http://www.squirrelmail.org/plugin_view.php?id=107 for details.

Installation
------------
Install just like any other plugin: put it in the plugin directory
and activate it by adding 'sasl_password' to the list of active plugins
in config/main.inc.php

Edit the chgsaslpasswd.c and chgsaslpasswd.sh files as documented
within them.

Compile the wrapper program:
    gcc -o chgsaslpasswd chgsaslpasswd.c

Chown chgsaslpasswd and chgsaslpasswd.sh to the cyrus user and the group
that your web server runs as, then chmod them to 4550.

For example, if your cyrus user is 'cyrus' and the apache server group is
'nobody' (I've been told Red Hat runs Apache as user 'apache'):

    chown cyrus:nobody chgsaslpasswd
    chmod 4550 chgsaslpasswd

Stephen Carr has suggested users should try to run the scripts on a test
account as the cyrus user, e.g.:

    su cyrus -c "./chgsaslpasswd -p test_account"

This will allow you to make sure that the script will work for your setup.
Should the script not work, make sure that:
1) the user the script runs as has access to the saslpasswd|saslpasswd2
   file and proper permissions
2) the user in the chgsaslpasswd.c file is set correctly.
This could save you some headaches if you are the paranoid type.
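
Added example (not part of the original plugin): a shell function that audits
the installed wrapper against the chown/chmod steps above. The function name
check_wrapper is hypothetical, and GNU stat (Linux) is assumed.

```sh
#!/bin/sh
# Added example: audit the SUID wrapper against the README's install steps.
# Assumes GNU stat (Linux). Usage: check_wrapper PATH OWNER GROUP
check_wrapper() {
    path=$1; want_owner=$2; want_group=$3; problems=0

    # A symlink or missing file means chown/chmod were applied to something else.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL: $path is missing, a symlink, or not a regular file"
        return 1
    fi

    set -- $(stat -c '%a %U %G' "$path")    # octal mode, owner name, group name
    mode=$1; owner=$2; group=$3
    perm=$((0$mode))                         # leading 0 makes the shell parse octal

    if [ $((perm & 04000)) -eq 0 ]; then
        echo "FAIL: mode $mode lacks the setuid bit; wrapper will not run as $want_owner"
        problems=$((problems + 1))
    fi
    if [ $((perm & 0222)) -ne 0 ]; then
        echo "FAIL: mode $mode has a write bit set; the README specifies 4550"
        problems=$((problems + 1))
    fi
    if [ $((perm & 0007)) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to 'other'; 4550 limits it to owner and group"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ] && [ "$mode" != 4550 ]; then
        echo "FAIL: mode is $mode, expected exactly 4550"
        problems=$((problems + 1))
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        problems=$((problems + 1))
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK: $path is $owner:$group mode $mode"
        return 0
    fi
    return 1
}

# Run directly as: sh check_wrapper.sh ./chgsaslpasswd cyrus nobody
if [ "$#" -eq 3 ]; then check_wrapper "$@"; fi
```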