source: subversion/trunk/roundcubemail/plugins/password/README @ 2688

Last change on this file since 2688 was 2688, checked in by thomasb, 4 years ago

Add SASL password wrapper program + update SASL instructions in README
File size: 6.1 KB
RevLine 
[2664]1 -----------------------------------------------------------------------
2 Password Plugin for Roundcube
3 -----------------------------------------------------------------------
4
5 Plugin that adds a possibility to change user password using many
6 methods (drivers) via Settings/Password tab.
7
8 -----------------------------------------------------------------------
[2668]9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2
11 as published by the Free Software Foundation.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 GNU General Public License for more details.
17
[2664]18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
[2668]20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
[2664]21
22 @version 1.2
23 @author Aleksander 'A.L.E.C' Machniak <alec@alec.pl>
24 @author <see driver files for driver authors>
25 -----------------------------------------------------------------------
26
27 1.     Configuration
28 2.     Drivers
29 2.1.   Database (sql)
30 2.2.   Cyrus/SASL (sasl)
[2668]31 2.3.   Poppassd/Courierpassd (poppassd)
[2679]32 2.4.   LDAP (ldap)
[2664]33 3.     Driver API
34
35
36 1. Configuration
37 ----------------
38
39 * See config.inc.php file.
40
41
42 2. Drivers
43 ----------
44
45 Password plugin supports many password change mechanisms which are
46 handled by included drivers. Just pass driver name in 'password_driver' option.
47
48
49 2.1. Database (sql)
50 -------------------
51
52 You can specify which database to connect by 'password_db_dsn' option and
53 what SQL query to execute by 'password_query'. See main.inc.php file for
54 more info.
[2668]55
[2664]56 Example implementations of an update_passwd function:
57
58 - This is for use with LMS (http://lms.org.pl) database and postgres:
59
60        CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$
61        DECLARE
62            res integer;
63        BEGIN
64            UPDATE passwd SET password = hash
65            WHERE login = split_part(account, '@', 1)
66                AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2))
67            RETURNING id INTO res;
68            RETURN res;
69        END;
70        $$ LANGUAGE plpgsql SECURITY DEFINER;
71
72 - This is for use with a SELECT update_passwd(%o,%c,%u) query
73        Updates the password only when the old password matches the MD5 password
74        in the database
75
76        CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text
77            MODIFIES SQL DATA
78        BEGIN
79            DECLARE currentsalt varchar(20);
80            DECLARE error text;
81            SET error = 'incorrect current password';
82            SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user;
83            SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
84            UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
85            RETURN error;
86        END
87
88 Example SQL UPDATEs:
[2668]89
[2664]90 - Plain text passwords:
91    UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1
[2668]92
[2664]93 - Crypt text passwords:
94    UPDATE users SET password=%c WHERE username=%u LIMIT 1
95
96 - Use a MYSQL crypt function (*nix only) with random 8 character salt
97    UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1
[2668]98
[2664]99 - MD5 stored passwords:
100    UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1
101
102
103 2.2. Cyrus/SASL (sasl)
104 ----------------------
105
106 Cyrus SASL database authentication allows your Cyrus+RoundCube
107 installation to host mail users without requiring a Unix Shell account!
108
109 This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos
110 and PAM authentication mechanisms will require other techniques to enable
111 user password manipulations.
112
113 Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
114 user passwords in the "sasldb" database.  This plugin attempts to use
115 this utility to perform password manipulations required by your webmail
116 users without any administrative interaction. Unfortunately, this
117 scheme requires that the "saslpasswd" utility be run as the "cyrus"
118 user - kind of a security problem since we have chosen to SUID a small
119 script which will allow this to happen.
120
121 This driver is based on the Squirrelmail Change SASL Password Plugin.
122 See http://www.squirrelmail.org/plugin_view.php?id=107 for details.
123
124 Installation:
125
[2688]126 Change into the drivers directory. Edit the chgsaslpasswd.c file as is
127 documented within it.
[2664]128
129 Compile the wrapper program:
130        gcc -o chgsaslpasswd chgsaslpasswd.c
131
[2688]132 Chown the compiled chgsaslpasswd binary to the cyrus user and group
[2664]133 that your browser runs as, then chmod them to 4550.
134
135 For example, if your cyrus user is 'cyrus' and the apache server group is
136 'nobody' (I've been told Redhat runs Apache as user 'apache'):
137
138        chown cyrus:nobody chgsaslpasswd
139        chmod 4550 chgsaslpasswd
140
141 Stephen Carr has suggested users should try to run the scripts on a test
142 account as the cyrus user eg;
143
144        su cyrus -c "./chgsaslpasswd -p test_account"
145
146 This will allow you to make sure that the script will work for your setup.
147 Should the script not work, make sure that:
148 1) the user the script runs as has access to the saslpasswd|saslpasswd2
149   file and proper permissions
150 2) make sure the user in the chgsaslpasswd.c file is set correctly.
151   This could save you some headaches if you are the paranoid type.
152
153
[2668]154 2.3. Poppassd/Courierpassd (poppassd)
[2679]155 -------------------------------------
[2668]156
157 You can specify which host to connect to via `password_pop_host` and
158 what port via `password_pop_port`. See config.inc.php file for more info.
159
160
[2679]161 2.4. LDAP (ldap)
162 ----------------
163 
164 See config.inc.php file. Requires PEAR::Net_LDAP2 package.
165
166
[2664]167 3. Driver API
168 -------------
[2668]169
[2664]170 Driver file (<driver_name>.php) must define 'password_save' function with
171 two arguments. First - current password, second - new password. Function
[2668]172 may return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR,
173 PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password.
[2664]174 See existing drivers in drivers/ directory for examples.
Note: See TracBrowser for help on using the repository browser.