|
0
|
1 -----------------------------------------------------------------------
|
|
|
2 Password Plugin for Roundcube
|
|
|
3 -----------------------------------------------------------------------
|
|
|
4 Plugin that adds a possibility to change user password using many
|
|
|
5 methods (drivers) via Settings/Password tab.
|
|
|
6 -----------------------------------------------------------------------
|
|
|
7 This program is free software: you can redistribute it and/or modify
|
|
|
8 it under the terms of the GNU General Public License as published by
|
|
|
9 the Free Software Foundation, either version 3 of the License, or
|
|
|
10 (at your option) any later version.
|
|
|
11
|
|
|
12 This program is distributed in the hope that it will be useful,
|
|
|
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
15 GNU General Public License for more details.
|
|
|
16
|
|
|
17 You should have received a copy of the GNU General Public License
|
|
|
18 along with this program. If not, see http://www.gnu.org/licenses/.
|
|
|
19
|
|
|
20 @author Aleksander Machniak <alec@alec.pl>
|
|
|
21 @author <see driver files for driver authors>
|
|
|
22 -----------------------------------------------------------------------
|
|
|
23
|
|
|
24 1. Configuration
|
|
|
25 2. Drivers
|
|
|
26 2.1. Database (sql)
|
|
|
27 2.2. Cyrus/SASL (sasl)
|
|
|
28 2.3. Poppassd/Courierpassd (poppassd)
|
|
|
29 2.4. LDAP (ldap)
|
|
|
30 2.5. DirectAdmin Control Panel (directadmin)
|
|
|
31 2.6. cPanel
|
|
|
32 2.6.1. cPanel WHM (cpanel)
|
|
|
33 2.6.2. cPanel Webmail (cpanel_webmail)
|
|
|
34 2.7. XIMSS/Communigate (ximms)
|
|
|
35 2.8. Virtualmin (virtualmin)
|
|
|
36 2.9. hMailServer (hmail)
|
|
|
37 2.10. PAM (pam)
|
|
|
38 2.11. Chpasswd (chpasswd)
|
|
|
39 2.12. LDAP - no PEAR (ldap_simple)
|
|
|
40 2.13. XMail (xmail)
|
|
|
41 2.14. Pw (pw_usermod)
|
|
|
42 2.15. domainFACTORY (domainfactory)
|
|
|
43 2.16. DBMail (dbmail)
|
|
|
44 2.17. Expect (expect)
|
|
|
45 2.18. Samba (smb)
|
|
|
46 2.19. Vpopmail daemon (vpopmaild)
|
|
|
47 2.20. Plesk (Plesk RPC-API)
|
|
|
48 2.21. Kpasswd
|
|
|
49 3. Driver API
|
|
|
50 4. Sudo setup
|
|
|
51
|
|
|
52
|
|
|
53 1. Configuration
|
|
|
54 ----------------
|
|
|
55
|
|
|
56 Copy config.inc.php.dist to config.inc.php and set the options as described
|
|
|
57 within the file.
|
|
|
58
|
|
|
59
|
|
|
60 2. Drivers
|
|
|
61 ----------
|
|
|
62
|
|
|
63 Password plugin supports many password change mechanisms which are
|
|
|
64 handled by included drivers. Just pass driver name in 'password_driver' option.
|
|
|
65
|
|
|
66
|
|
|
67 2.1. Database (sql)
|
|
|
68 -------------------
|
|
|
69
|
|
|
70 You can specify which database to connect by 'password_db_dsn' option and
|
|
|
71 what SQL query to execute by 'password_query'. See config.inc.php.dist file for
|
|
|
72 more info.
|
|
|
73
|
|
|
74 Example implementations of an update_passwd function:
|
|
|
75
|
|
|
76 - This is for use with LMS (http://lms.org.pl) database and postgres:
|
|
|
77
|
|
|
78 CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$
|
|
|
79 DECLARE
|
|
|
80 res integer;
|
|
|
81 BEGIN
|
|
|
82 UPDATE passwd SET password = hash
|
|
|
83 WHERE login = split_part(account, '@', 1)
|
|
|
84 AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2))
|
|
|
85 RETURNING id INTO res;
|
|
|
86 RETURN res;
|
|
|
87 END;
|
|
|
88 $$ LANGUAGE plpgsql SECURITY DEFINER;
|
|
|
89
|
|
|
90 - This is for use with a SELECT update_passwd(%o,%c,%u) query
|
|
|
91 Updates the password only when the old password matches the MD5 password
|
|
|
92 in the database
|
|
|
93
|
|
|
94 CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text
|
|
|
95 MODIFIES SQL DATA
|
|
|
96 BEGIN
|
|
|
97 DECLARE currentsalt varchar(20);
|
|
|
98 DECLARE error text;
|
|
|
99 SET error = 'incorrect current password';
|
|
|
100 SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user;
|
|
|
101 SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
|
|
|
102 UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
|
|
|
103 RETURN error;
|
|
|
104 END
|
|
|
105
|
|
|
106 Example SQL UPDATEs:
|
|
|
107
|
|
|
108 - Plain text passwords:
|
|
|
109 UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1
|
|
|
110
|
|
|
111 - Crypt text passwords:
|
|
|
112 UPDATE users SET password=%c WHERE username=%u LIMIT 1
|
|
|
113
|
|
|
114 - Use a MYSQL crypt function (*nix only) with random 8 character salt
|
|
|
115 UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1
|
|
|
116
|
|
|
117 - MD5 stored passwords:
|
|
|
118 UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1
|
|
|
119
|
|
|
120
|
|
|
121 2.2. Cyrus/SASL (sasl)
|
|
|
122 ----------------------
|
|
|
123
|
|
|
124 Cyrus SASL database authentication allows your Cyrus+Roundcube
|
|
|
125 installation to host mail users without requiring a Unix Shell account!
|
|
|
126
|
|
|
127 This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos
|
|
|
128 and PAM authentication mechanisms will require other techniques to enable
|
|
|
129 user password manipulations.
|
|
|
130
|
|
|
131 Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
|
|
|
132 user passwords in the "sasldb" database. This plugin attempts to use
|
|
|
133 this utility to perform password manipulations required by your webmail
|
|
|
134 users without any administrative interaction. Unfortunately, this
|
|
|
135 scheme requires that the "saslpasswd" utility be run as the "cyrus"
|
|
|
136 user - kind of a security problem since we have chosen to SUID a small
|
|
|
137 script which will allow this to happen.
|
|
|
138
|
|
|
139 This driver is based on the Squirrelmail Change SASL Password Plugin.
|
|
|
140 See http://www.squirrelmail.org/plugin_view.php?id=107 for details.
|
|
|
141
|
|
|
142 Installation:
|
|
|
143
|
|
|
144 Change into the helpers directory. Edit the chgsaslpasswd.c file as is
|
|
|
145 documented within it.
|
|
|
146
|
|
|
147 Compile the wrapper program:
|
|
|
148 gcc -o chgsaslpasswd chgsaslpasswd.c
|
|
|
149
|
|
|
150 Chown the compiled chgsaslpasswd binary to the cyrus user and group
|
|
|
151 that your browser runs as, then chmod them to 4550.
|
|
|
152
|
|
|
153 For example, if your cyrus user is 'cyrus' and the apache server group is
|
|
|
154 'nobody' (I've been told Redhat runs Apache as user 'apache'):
|
|
|
155
|
|
|
156 chown cyrus:nobody chgsaslpasswd
|
|
|
157 chmod 4550 chgsaslpasswd
|
|
|
158
|
|
|
159 Stephen Carr has suggested users should try to run the scripts on a test
|
|
|
160 account as the cyrus user eg;
|
|
|
161
|
|
|
162 su cyrus -c "./chgsaslpasswd -p test_account"
|
|
|
163
|
|
|
164 This will allow you to make sure that the script will work for your setup.
|
|
|
165 Should the script not work, make sure that:
|
|
|
166 1) the user the script runs as has access to the saslpasswd|saslpasswd2
|
|
|
167 file and proper permissions
|
|
|
168 2) make sure the user in the chgsaslpasswd.c file is set correctly.
|
|
|
169 This could save you some headaches if you are the paranoid type.
|
|
|
170
|
|
|
171
|
|
|
172 2.3. Poppassd/Courierpassd (poppassd)
|
|
|
173 -------------------------------------
|
|
|
174
|
|
|
175 You can specify which host to connect to via 'password_pop_host' and
|
|
|
176 what port via 'password_pop_port'. See config.inc.php.dist file for more info.
|
|
|
177
|
|
|
178
|
|
|
179 2.4. LDAP (ldap)
|
|
|
180 ----------------
|
|
|
181
|
|
|
182 See config.inc.php.dist file. Requires PEAR::Net_LDAP2 package.
|
|
|
183
|
|
|
184
|
|
|
185 2.5. DirectAdmin Control Panel (directadmin)
|
|
|
186 --------------------------------------------
|
|
|
187
|
|
|
188 You can specify which host to connect to via 'password_directadmin_host' (don't
|
|
|
189 forget to use tcp:// or ssl://) and what port via 'password_direactadmin_port'.
|
|
|
190 The password enforcement with plenty customization can be done directly by
|
|
|
191 DirectAdmin, please see http://www.directadmin.com/features.php?id=910
|
|
|
192 See config.inc.php.dist file for more info.
|
|
|
193
|
|
|
194
|
|
|
195 2.6. cPanel
|
|
|
196 -----------
|
|
|
197
|
|
|
198 cPanel offers various APIs. The `cpanel` driver is configured with and admin
|
|
|
199 account. It can change user's passwords without access to the current password.
|
|
|
200 See the next section.
|
|
|
201
|
|
|
202 The `cpanel_webmail` driver authenticates as the current user and does not need
|
|
|
203 an admin account. See 2.6.2.
|
|
|
204
|
|
|
205
|
|
|
206 2.6.1. cPanel WHM (cpanel)
|
|
|
207 --------------------------
|
|
|
208
|
|
|
209 Install cPanel XMLAPI Client Class into Roundcube program/lib directory
|
|
|
210 or any other place in PHP include path. You can get the class from
|
|
|
211 https://raw.github.com/CpanelInc/xmlapi-php/master/xmlapi.php
|
|
|
212
|
|
|
213 You can configure parameters for connection to cPanel's API interface.
|
|
|
214 See config.inc.php.dist file for more info.
|
|
|
215
|
|
|
216
|
|
|
217 2.6.2. cPanel Webmail (cpanel_webmail)
|
|
|
218 --------------------------------------
|
|
|
219
|
|
|
220 Specify the host to connect to via 'password_webmail_cpanel_host'. This driver
|
|
|
221 comes with a minimal UAPI implementation and does not use the external xmlapi
|
|
|
222 class. It requires php-curl extension.
|
|
|
223
|
|
|
224 See config.inc.php.dist file for more info.
|
|
|
225
|
|
|
226
|
|
|
227 2.7. XIMSS/Communigate (ximms)
|
|
|
228 ------------------------------
|
|
|
229
|
|
|
230 You can specify which host and port to connect to via 'password_ximss_host'
|
|
|
231 and 'password_ximss_port'. See config.inc.php.dist file for more info.
|
|
|
232
|
|
|
233
|
|
|
234 2.8. Virtualmin (virtualmin)
|
|
|
235 ----------------------------
|
|
|
236
|
|
|
237 As in sasl driver this one allows to change password using shell
|
|
|
238 utility called "virtualmin". See helpers/chgvirtualminpasswd.c for
|
|
|
239 installation instructions. See also config.inc.php.dist file.
|
|
|
240
|
|
|
241
|
|
|
242 2.9. hMailServer (hmail)
|
|
|
243 ------------------------
|
|
|
244
|
|
|
245 Requires PHP COM (Windows only). For access to hMail server on remote host
|
|
|
246 you'll need to define 'hmailserver_remote_dcom' and 'hmailserver_server'.
|
|
|
247 See config.inc.php.dist file for more info.
|
|
|
248
|
|
|
249
|
|
|
250 2.10. PAM (pam)
|
|
|
251 ---------------
|
|
|
252
|
|
|
253 This driver is for changing passwords of shell users authenticated with PAM.
|
|
|
254 Requires PECL's PAM exitension to be installed (http://pecl.php.net/package/PAM).
|
|
|
255
|
|
|
256
|
|
|
257 2.11. Chpasswd (chpasswd)
|
|
|
258 -------------------------
|
|
|
259
|
|
|
260 Driver that adds functionality to change the systems user password via
|
|
|
261 the 'chpasswd' command. See config.inc.php.dist file.
|
|
|
262
|
|
|
263 Attached wrapper script (helpers/chpass-wrapper.py) restricts password changes
|
|
|
264 to uids >= 1000 and can deny requests based on a blacklist.
|
|
|
265
|
|
|
266
|
|
|
267 2.12. LDAP - no PEAR (ldap_simple)
|
|
|
268 -----------------------------------
|
|
|
269
|
|
|
270 It's rewritten ldap driver that doesn't require the Net_LDAP2 PEAR extension.
|
|
|
271 It uses directly PHP's ldap module functions instead (as Roundcube does).
|
|
|
272
|
|
|
273 This driver is fully compatible with the ldap driver, but
|
|
|
274 does not require (or uses) the
|
|
|
275 $config['password_ldap_force_replace'] variable.
|
|
|
276 Other advantages:
|
|
|
277 * Connects only once with the LDAP server when using the search user.
|
|
|
278 * Does not read the DN, but only replaces the password within (that is
|
|
|
279 why the 'force replace' is always used).
|
|
|
280
|
|
|
281
|
|
|
282 2.13. XMail (xmail)
|
|
|
283 -----------------------------------
|
|
|
284
|
|
|
285 Driver for XMail (www.xmailserver.org). See config.inc.php.dist file
|
|
|
286 for configuration description.
|
|
|
287
|
|
|
288
|
|
|
289 2.14. Pw (pw_usermod)
|
|
|
290 -----------------------------------
|
|
|
291
|
|
|
292 Driver to change the systems user password via the 'pw usermod' command.
|
|
|
293 See config.inc.php.dist file for configuration description.
|
|
|
294
|
|
|
295
|
|
|
296 2.15. domainFACTORY (domainfactory)
|
|
|
297 -----------------------------------
|
|
|
298
|
|
|
299 Driver for the hosting provider domainFACTORY (www.df.eu).
|
|
|
300 No configuration options.
|
|
|
301
|
|
|
302
|
|
|
303 2.16. DBMail (dbmail)
|
|
|
304 -----------------------------------
|
|
|
305
|
|
|
306 Driver that adds functionality to change the users DBMail password.
|
|
|
307 It only works with dbmail-users on the same host where Roundcube runs
|
|
|
308 and requires shell access and gcc in order to compile the binary
|
|
|
309 (see instructions in chgdbmailusers.c file).
|
|
|
310 See config.inc.php.dist file for configuration description.
|
|
|
311
|
|
|
312 Note: DBMail users can also use sql driver.
|
|
|
313
|
|
|
314
|
|
|
315 2.17. Expect (expect)
|
|
|
316 -----------------------------------
|
|
|
317
|
|
|
318 Driver to change user password via the 'expect' command.
|
|
|
319 See config.inc.php.dist file for configuration description.
|
|
|
320
|
|
|
321
|
|
|
322 2.18. Samba (smb)
|
|
|
323 -----------------------------------
|
|
|
324
|
|
|
325 Driver to change Samba user password via the 'smbpasswd' command.
|
|
|
326 See config.inc.php.dist file for configuration description.
|
|
|
327
|
|
|
328
|
|
|
329 2.19. Vpopmail daemon (vpopmaild)
|
|
|
330 -----------------------------------
|
|
|
331
|
|
|
332 Driver for the daemon of vpopmail. Vpopmail is used with qmail to
|
|
|
333 enable virtual users that are saved in a database and not in /etc/passwd.
|
|
|
334
|
|
|
335 Set $config['password_vpopmaild_host'] to the host where vpopmaild runs.
|
|
|
336
|
|
|
337 Set $config['password_vpopmaild_port'] to the port of vpopmaild.
|
|
|
338
|
|
|
339 Set $config['password_vpopmaild_timeout'] to the timeout used for the TCP
|
|
|
340 connection to vpopmaild (You may want to set it higher on busy servers).
|
|
|
341
|
|
|
342
|
|
|
343 2.20. Plesk (Plesk RPC-API)
|
|
|
344 ---------------------------
|
|
|
345
|
|
|
346 Driver for changing Passwords via Plesk RPC-API. This Driver also works with
|
|
|
347 Parallels Plesk Automation (PPA).
|
|
|
348
|
|
|
349 You need to allow the IP of the Roundcube-Server for RPC-Calls in the Panel.
|
|
|
350
|
|
|
351 Set $config['password_plesk_host'] to the Hostname / IP where Plesk runs
|
|
|
352 Set your Admin or RPC User: $config['password_plesk_user']
|
|
|
353 Set the Password of the User: $config['password_plesk_pass']
|
|
|
354 Set $config['password_plesk_rpc_port'] for the RPC-Port. Usually its 8443
|
|
|
355 Set the RPC-Path in $config['password_plesk_rpc_path']. Normally this is: enterprise/control/agent.php.
|
|
|
356
|
|
|
357
|
|
|
358 2.21. Kpasswd
|
|
|
359 -----------------------------------
|
|
|
360
|
|
|
361 Driver to change the password in Kerberos environments via the 'kpasswd' command.
|
|
|
362 See config.inc.php.dist file for configuration description.
|
|
|
363
|
|
|
364
|
|
|
365 3. Driver API
|
|
|
366 -------------
|
|
|
367
|
|
|
368 Driver file (<driver_name>.php) must define rcube_<driver_name>_password class
|
|
|
369 with public save() method that has two arguments. First - current password, second - new password.
|
|
|
370 This method should return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR,
|
|
|
371 PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password.
|
|
|
372 Extended result (as a hash-array with 'message' and 'code' items) can be returned
|
|
|
373 too. See existing drivers in drivers/ directory for examples.
|
|
|
374
|
|
|
375 4. Sudo setup
|
|
|
376 -------------
|
|
|
377
|
|
|
378 Some drivers that execute system commands (like chpasswd) require use of sudo command.
|
|
|
379 Here's a sample for CentOS 7:
|
|
|
380
|
|
|
381 # cat <<END >/etc/sudoers.d/99-roundcubemail
|
|
|
382 apache ALL=NOPASSWD:/usr/sbin/chpasswd
|
|
|
383 Defaults:apache !requiretty
|
|
|
384 <<END
|
|
|
385
|
|
|
386 Note: on different systems the username (here 'apache') may be different, e.g. www.
|
|
|
387 Note: on some systems the disabling tty line may not be needed.
|
