1 -----------------------------------------------------------------------
2 Password Plugin for Roundcube
3 -----------------------------------------------------------------------
5 Plugin that adds a possibility to change user password using many
6 methods (drivers) via Settings/Password tab.
8 -----------------------------------------------------------------------
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License version 2
11 as published by the Free Software Foundation.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License along
19 with this program; if not, write to the Free Software Foundation, Inc.,
20 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 @author Aleksander 'A.L.E.C' Machniak <alec@alec.pl>
24 @author <see driver files for driver authors>
25 -----------------------------------------------------------------------
30 2.2. Cyrus/SASL (sasl)
31 2.3. Poppassd/Courierpassd (poppassd)
33 2.5. DirectAdmin Control Panel
35 2.7. XIMSS (Communigate)
42 Copy config.inc.php.dist to config.inc.php and set the options as described
49 Password plugin supports many password change mechanisms which are
50 handled by included drivers. Just pass driver name in 'password_driver' option.
56 You can specify which database to connect by 'password_db_dsn' option and
57 what SQL query to execute by 'password_query'. See main.inc.php file for
60 Example implementations of an update_passwd function:
62 - This is for use with LMS (http://lms.org.pl) database and postgres:
64 CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$
68 UPDATE passwd SET password = hash
69 WHERE login = split_part(account, '@', 1)
70 AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2))
71 RETURNING id INTO res;
74 $$ LANGUAGE plpgsql SECURITY DEFINER;
76 - This is for use with a SELECT update_passwd(%o,%c,%u) query
77 Updates the password only when the old password matches the MD5 password
80 CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text
83 DECLARE currentsalt varchar(20);
85 SET error = 'incorrect current password';
86 SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user;
87 SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
88 UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt);
94 - Plain text passwords:
95 UPDATE users SET password=%p WHERE username=%u AND password=%o AND domain=%h LIMIT 1
97 - Crypt text passwords:
98 UPDATE users SET password=%c WHERE username=%u LIMIT 1
100 - Use a MYSQL crypt function (*nix only) with random 8 character salt
101 UPDATE users SET password=ENCRYPT(%p,concat(_utf8'$1$',right(md5(rand()),8),_utf8'$')) WHERE username=%u LIMIT 1
103 - MD5 stored passwords:
104 UPDATE users SET password=MD5(%p) WHERE username=%u AND password=MD5(%o) LIMIT 1
107 2.2. Cyrus/SASL (sasl)
108 ----------------------
110 Cyrus SASL database authentication allows your Cyrus+RoundCube
111 installation to host mail users without requiring a Unix Shell account!
113 This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos
114 and PAM authentication mechanisms will require other techniques to enable
115 user password manipulations.
117 Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
118 user passwords in the "sasldb" database. This plugin attempts to use
119 this utility to perform password manipulations required by your webmail
120 users without any administrative interaction. Unfortunately, this
121 scheme requires that the "saslpasswd" utility be run as the "cyrus"
122 user - kind of a security problem since we have chosen to SUID a small
123 script which will allow this to happen.
125 This driver is based on the Squirrelmail Change SASL Password Plugin.
126 See http://www.squirrelmail.org/plugin_view.php?id=107 for details.
130 Change into the drivers directory. Edit the chgsaslpasswd.c file as is
131 documented within it.
133 Compile the wrapper program:
134 gcc -o chgsaslpasswd chgsaslpasswd.c
136 Chown the compiled chgsaslpasswd binary to the cyrus user and group
137 that your browser runs as, then chmod them to 4550.
139 For example, if your cyrus user is 'cyrus' and the apache server group is
140 'nobody' (I've been told Redhat runs Apache as user 'apache'):
142 chown cyrus:nobody chgsaslpasswd
143 chmod 4550 chgsaslpasswd
145 Stephen Carr has suggested users should try to run the scripts on a test
146 account as the cyrus user eg;
148 su cyrus -c "./chgsaslpasswd -p test_account"
150 This will allow you to make sure that the script will work for your setup.
151 Should the script not work, make sure that:
152 1) the user the script runs as has access to the saslpasswd|saslpasswd2
153 file and proper permissions
154 2) make sure the user in the chgsaslpasswd.c file is set correctly.
155 This could save you some headaches if you are the paranoid type.
158 2.3. Poppassd/Courierpassd (poppassd)
159 -------------------------------------
161 You can specify which host to connect to via 'password_pop_host' and
162 what port via 'password_pop_port'. See config.inc.php file for more info.
168 See config.inc.php file. Requires PEAR::Net_LDAP2 package.
171 2.5. DirectAdmin Control Panel
172 -------------------------------------
174 You can specify which host to connect to via 'password_directadmin_host'
175 and what port via 'password_direactadmin_port'. See config.inc.php file
182 You can specify parameters for HTTP connection to cPanel's admin
183 interface. See config.inc.php file for more info.
186 2.7. XIMSS (Communigate)
187 -------------------------------------
189 You can specify which host and port to connect to via 'password_ximss_host'
190 and 'password_ximss_port'. See config.inc.php file for more info.
196 Driver file (<driver_name>.php) must define 'password_save' function with
197 two arguments. First - current password, second - new password. Function
198 may return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR,
199 PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password.
200 See existing drivers in drivers/ directory for examples.