You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8e9a55abd8 | 16 years ago | |
---|---|---|
.. | ||
drivers | 16 years ago | |
localization | 16 years ago | |
README | 16 years ago | |
config.inc.php | 16 years ago | |
password.js | 16 years ago | |
password.php | 16 years ago |
README
----------------------------------------------------------------------- Password Plugin for Roundcube ----------------------------------------------------------------------- Plugin that adds a possibility to change user password using many methods (drivers) via Settings/Password tab. ----------------------------------------------------------------------- This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. @version 1.2 @author Aleksander 'A.L.E.C' Machniak <alec@alec.pl> @author <see driver files for driver authors> ----------------------------------------------------------------------- 1. Configuration 2. Drivers 2.1. Database (sql) 2.2. Cyrus/SASL (sasl) 2.3. Poppassd/Courierpassd (poppassd) 2.4. LDAP (ldap) 3. Driver API 1. Configuration ---------------- * See config.inc.php file. 2. Drivers ---------- Password plugin supports many password change mechanisms which are handled by included drivers. Just pass driver name in 'password_driver' option. 2.1. Database (sql) ------------------- You can specify which database to connect by 'password_db_dsn' option and what SQL query to execute by 'password_query'. See main.inc.php file for more info. Example implementations of an update_passwd function: - This is for use with LMS (http://lms.org.pl) database and postgres: CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$ DECLARE res integer; BEGIN UPDATE passwd SET password = hash WHERE login = split_part(account, '@', 1) AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2)) RETURNING id INTO res; RETURN res; END; $$ LANGUAGE plpgsql SECURITY DEFINER; - This is for use with a SELECT update_passwd(%o,%c,%u) query Updates the password only when the old password matches the MD5 password in the database CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text MODIFIES SQL DATA BEGIN DECLARE currentsalt varchar(20); DECLARE error text; SET error = 'incorrect current password'; SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user; SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); RETURN error; END Example SQL UPDATEs: - Plain text passwords: UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1 - Crypt text passwords: UPDATE users SET password=%c WHERE username=%u LIMIT 1 - Use a MYSQL crypt function (*nix only) with random 8 character salt UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1 - MD5 stored passwords: UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1 2.2. Cyrus/SASL (sasl) ---------------------- Cyrus SASL database authentication allows your Cyrus+RoundCube installation to host mail users without requiring a Unix Shell account! This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos and PAM authentication mechanisms will require other techniques to enable user password manipulations. Cyrus SASL includes a shell utility called "saslpasswd" for manipulating user passwords in the "sasldb" database. This plugin attempts to use this utility to perform password manipulations required by your webmail users without any administrative interaction. Unfortunately, this scheme requires that the "saslpasswd" utility be run as the "cyrus" user - kind of a security problem since we have chosen to SUID a small script which will allow this to happen. This driver is based on the Squirrelmail Change SASL Password Plugin. See http://www.squirrelmail.org/plugin_view.php?id=107 for details. Installation: Change into the drivers directory. Edit the chgsaslpasswd.c file as is documented within it. Compile the wrapper program: gcc -o chgsaslpasswd chgsaslpasswd.c Chown the compiled chgsaslpasswd binary to the cyrus user and group that your browser runs as, then chmod them to 4550. For example, if your cyrus user is 'cyrus' and the apache server group is 'nobody' (I've been told Redhat runs Apache as user 'apache'): chown cyrus:nobody chgsaslpasswd chmod 4550 chgsaslpasswd Stephen Carr has suggested users should try to run the scripts on a test account as the cyrus user eg; su cyrus -c "./chgsaslpasswd -p test_account" This will allow you to make sure that the script will work for your setup. Should the script not work, make sure that: 1) the user the script runs as has access to the saslpasswd|saslpasswd2 file and proper permissions 2) make sure the user in the chgsaslpasswd.c file is set correctly. This could save you some headaches if you are the paranoid type. 2.3. Poppassd/Courierpassd (poppassd) ------------------------------------- You can specify which host to connect to via `password_pop_host` and what port via `password_pop_port`. See config.inc.php file for more info. 2.4. LDAP (ldap) ---------------- See config.inc.php file. Requires PEAR::Net_LDAP2 package. 3. Driver API ------------- Driver file (<driver_name>.php) must define 'password_save' function with two arguments. First - current password, second - new password. Function may return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR, PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password. See existing drivers in drivers/ directory for examples.