From 2965a981b7ec22866fbdf2d567d87e2d068d3617 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Fri, 31 Jul 2015 16:04:08 -0400
Subject: [PATCH] Allow to search and import missing PGP pubkeys from keyservers using Publickey.js
---
plugins/password/README | 304 +++++++++++++++++++++++++++++++++++++++++---------
1 files changed, 247 insertions(+), 57 deletions(-)
diff --git a/plugins/password/README b/plugins/password/README
index 80532be..88cc849 100644
--- a/plugins/password/README
+++ b/plugins/password/README
@@ -1,36 +1,52 @@ ----------------------------------------------------------------------- Password Plugin for Roundcube ----------------------------------------------------------------------- - Plugin that adds a possibility to change user password using many methods (drivers) via Settings/Password tab. - ----------------------------------------------------------------------- - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License version 2 - as published by the Free Software Foundation. + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License along - with this program; if not, write to the Free Software Foundation, Inc., - 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + You should have received a copy of the GNU General Public License + along with this program. If not, see http://www.gnu.org/licenses/. - @version 1.2 - @author Aleksander 'A.L.E.C' Machniak <alec@alec.pl> + @version @package_version@ + @author Aleksander Machniak <alec@alec.pl> @author <see driver files for driver authors> ----------------------------------------------------------------------- - 1. Configuration - 2. Drivers - 2.1. Database (sql) - 2.2. Cyrus/SASL (sasl) - 2.3. Poppassd/Courierpassd (poppassd) - 2.4. LDAP (ldap) - 3. Driver API + 1. Configuration + 2. Drivers + 2.1. Database (sql) + 2.2. Cyrus/SASL (sasl) + 2.3. Poppassd/Courierpassd (poppassd) + 2.4. 
LDAP (ldap) + 2.5. DirectAdmin Control Panel (directadmin) + 2.6. cPanel (cpanel) + 2.7. XIMSS/Communigate (ximms) + 2.8. Virtualmin (virtualmin) + 2.9. hMailServer (hmail) + 2.10. PAM (pam) + 2.11. Chpasswd (chpasswd) + 2.12. LDAP - no PEAR (ldap_simple) + 2.13. XMail (xmail) + 2.14. Pw (pw_usermod) + 2.15. domainFACTORY (domainfactory) + 2.16. DBMail (dbmail) + 2.17. Expect (expect) + 2.18. Samba (smb) + 2.19. Vpopmail daemon (vpopmaild) + 2.20. Plesk (Plesk RPC-API) + 2.21. Kpasswd + 3. Driver API + 4. Sudo setup 1. Configuration 
@@ -51,40 +67,40 @@ ------------------- You can specify which database to connect by 'password_db_dsn' option and - what SQL query to execute by 'password_query'. See main.inc.php file for + what SQL query to execute by 'password_query'. See config.inc.php.dist file for more info. Example implementations of an update_passwd function: - This is for use with LMS (http://lms.org.pl) database and postgres: - CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$ - DECLARE - res integer; - BEGIN - UPDATE passwd SET password = hash - WHERE login = split_part(account, '@', 1) - AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2)) - RETURNING id INTO res; - RETURN res; - END; - $$ LANGUAGE plpgsql SECURITY DEFINER; + CREATE OR REPLACE FUNCTION update_passwd(hash text, account text) RETURNS integer AS $$ + DECLARE + res integer; + BEGIN + UPDATE passwd SET password = hash + WHERE login = split_part(account, '@', 1) + AND domainid = (SELECT id FROM domains WHERE name = split_part(account, '@', 2)) + RETURNING id INTO res; + RETURN res; + END; + $$ LANGUAGE plpgsql SECURITY DEFINER; - This is for use with a SELECT update_passwd(%o,%c,%u) query - Updates the password only when the old password matches the MD5 password - in the database + Updates the password only when the old password matches the MD5 password + in the database - CREATE FUNCTION update_password (oldpass text, cryptpass text, user text) RETURNS text - MODIFIES SQL DATA - BEGIN - DECLARE currentsalt varchar(20); - DECLARE error text; - SET error = 'incorrect current password'; - SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user; - SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); - UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); - RETURN error; - END + CREATE FUNCTION update_password (oldpass text, 
cryptpass text, user text) RETURNS text + MODIFIES SQL DATA + BEGIN + DECLARE currentsalt varchar(20); + DECLARE error text; + SET error = 'incorrect current password'; + SELECT substring_index(substr(user.password,4),_latin1'$',1) INTO currentsalt FROM users WHERE username=user; + SELECT '' INTO error FROM users WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); + UPDATE users SET password=cryptpass WHERE username=user AND password=ENCRYPT(oldpass,currentsalt); + RETURN error; + END Example SQL UPDATEs: @@ -104,7 +120,7 @@ 2.2. Cyrus/SASL (sasl) ---------------------- - Cyrus SASL database authentication allows your Cyrus+RoundCube + Cyrus SASL database authentication allows your Cyrus+Roundcube installation to host mail users without requiring a Unix Shell account! This driver only covers the "sasldb" case when using Cyrus SASL. Kerberos @@ -124,11 +140,11 @@ Installation: - Change into the drivers directory. Edit the chgsaslpasswd.c file as is + Change into the helpers directory. Edit the chgsaslpasswd.c file as is documented within it. Compile the wrapper program: - gcc -o chgsaslpasswd chgsaslpasswd.c + gcc -o chgsaslpasswd chgsaslpasswd.c Chown the compiled chgsaslpasswd binary to the cyrus user and group that your browser runs as, then chmod them to 4550. @@ -136,13 +152,13 @@ For example, if your cyrus user is 'cyrus' and the apache server group is 'nobody' (I've been told Redhat runs Apache as user 'apache'): - chown cyrus:nobody chgsaslpasswd - chmod 4550 chgsaslpasswd + chown cyrus:nobody chgsaslpasswd + chmod 4550 chgsaslpasswd Stephen Carr has suggested users should try to run the scripts on a test account as the cyrus user eg; - su cyrus -c "./chgsaslpasswd -p test_account" + su cyrus -c "./chgsaslpasswd -p test_account" This will allow you to make sure that the script will work for your setup. Should the script not work, make sure that: 
@@ -155,21 +171,195 @@ 2.3. Poppassd/Courierpassd (poppassd) ------------------------------------- - You can specify which host to connect to via `password_pop_host` and - what port via `password_pop_port`. See config.inc.php file for more info. + You can specify which host to connect to via 'password_pop_host' and + what port via 'password_pop_port'. See config.inc.php.dist file for more info. 2.4. LDAP (ldap) ---------------- - - See config.inc.php file. Requires PEAR::Net_LDAP2 package. + + See config.inc.php.dist file. Requires PEAR::Net_LDAP2 package. + + + 2.5. DirectAdmin Control Panel (directadmin) + -------------------------------------------- + + You can specify which host to connect to via 'password_directadmin_host' (don't + forget to use tcp:// or ssl://) and what port via 'password_direactadmin_port'. + The password enforcement with plenty customization can be done directly by + DirectAdmin, please see http://www.directadmin.com/features.php?id=910 + See config.inc.php.dist file for more info. + + + 2.6. cPanel (cpanel) + -------------------- + + Install cPanel XMLAPI Client Class into Roundcube program/lib directory + or any other place in PHP include path. You can get the class from + https://raw.github.com/CpanelInc/xmlapi-php/master/xmlapi.php + + You can configure parameters for connection to cPanel's API interface. + See config.inc.php.dist file for more info. + + + 2.7. XIMSS/Communigate (ximms) + ------------------------------ + + You can specify which host and port to connect to via 'password_ximss_host' + and 'password_ximss_port'. See config.inc.php.dist file for more info. + + + 2.8. Virtualmin (virtualmin) + ---------------------------- + + As in sasl driver this one allows to change password using shell + utility called "virtualmin". See helpers/chgvirtualminpasswd.c for + installation instructions. See also config.inc.php.dist file. + + + 2.9. hMailServer (hmail) + ------------------------ + + Requires PHP COM (Windows only). 
For access to hMail server on remote host + you'll need to define 'hmailserver_remote_dcom' and 'hmailserver_server'. + See config.inc.php.dist file for more info. + + + 2.10. PAM (pam) + --------------- + + This driver is for changing passwords of shell users authenticated with PAM. + Requires PECL's PAM exitension to be installed (http://pecl.php.net/package/PAM). + + + 2.11. Chpasswd (chpasswd) + ------------------------- + + Driver that adds functionality to change the systems user password via + the 'chpasswd' command. See config.inc.php.dist file. + + Attached wrapper script (helpers/chpass-wrapper.py) restricts password changes + to uids >= 1000 and can deny requests based on a blacklist. + + + 2.12. LDAP - no PEAR (ldap_simple) + ----------------------------------- + + It's rewritten ldap driver that doesn't require the Net_LDAP2 PEAR extension. + It uses directly PHP's ldap module functions instead (as Roundcube does). + + This driver is fully compatible with the ldap driver, but + does not require (or uses) the + $config['password_ldap_force_replace'] variable. + Other advantages: + * Connects only once with the LDAP server when using the search user. + * Does not read the DN, but only replaces the password within (that is + why the 'force replace' is always used). + + + 2.13. XMail (xmail) + ----------------------------------- + + Driver for XMail (www.xmailserver.org). See config.inc.php.dist file + for configuration description. + + + 2.14. Pw (pw_usermod) + ----------------------------------- + + Driver to change the systems user password via the 'pw usermod' command. + See config.inc.php.dist file for configuration description. + + + 2.15. domainFACTORY (domainfactory) + ----------------------------------- + + Driver for the hosting provider domainFACTORY (www.df.eu). + No configuration options. + + + 2.16. DBMail (dbmail) + ----------------------------------- + + Driver that adds functionality to change the users DBMail password. 
+ It only works with dbmail-users on the same host where Roundcube runs + and requires shell access and gcc in order to compile the binary + (see instructions in chgdbmailusers.c file). + See config.inc.php.dist file for configuration description. + + Note: DBMail users can also use sql driver. + + + 2.17. Expect (expect) + ----------------------------------- + + Driver to change user password via the 'expect' command. + See config.inc.php.dist file for configuration description. + + + 2.18. Samba (smb) + ----------------------------------- + + Driver to change Samba user password via the 'smbpasswd' command. + See config.inc.php.dist file for configuration description. + + + 2.19. Vpopmail daemon (vpopmaild) + ----------------------------------- + + Driver for the daemon of vpopmail. Vpopmail is used with qmail to + enable virtual users that are saved in a database and not in /etc/passwd. + + Set $config['password_vpopmaild_host'] to the host where vpopmaild runs. + + Set $config['password_vpopmaild_port'] to the port of vpopmaild. + + Set $config['password_vpopmaild_timeout'] to the timeout used for the TCP + connection to vpopmaild (You may want to set it higher on busy servers). + + + 2.20. Plesk (Plesk RPC-API) + --------------------------- + + Driver for changing Passwords via Plesk RPC-API. This Driver also works with + Parallels Plesk Automation (PPA). + + You need to allow the IP of the Roundcube-Server for RPC-Calls in the Panel. + + Set $config['password_plesk_host'] to the Hostname / IP where Plesk runs + Set your Admin or RPC User: $config['password_plesk_user'] + Set the Password of the User: $config['password_plesk_pass'] + Set $config['password_plesk_rpc_port'] for the RPC-Port. Usually its 8443 + Set the RPC-Path in $config['password_plesk_rpc_path']. Normally this is: enterprise/control/agent.php. + + + 2.21. Kpasswd + ----------------------------------- + + Driver to change the password in Kerberos environments via the 'kpasswd' command. 
+ See config.inc.php.dist file for configuration description. 3. Driver API ------------- - Driver file (<driver_name>.php) must define 'password_save' function with - two arguments. First - current password, second - new password. Function - may return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR, + Driver file (<driver_name>.php) must define rcube_<driver_name>_password class + with public save() method that has two arguments. First - current password, second - new password. + This method should return PASSWORD_SUCCESS on success or any of PASSWORD_CONNECT_ERROR, PASSWORD_CRYPT_ERROR, PASSWORD_ERROR when driver was unable to change password. - See existing drivers in drivers/ directory for examples. + Extended result (as a hash-array with 'message' and 'code' items) can be returned + too. See existing drivers in drivers/ directory for examples. + + 4. Sudo setup + ------------- + + Some drivers that execute system commands (like chpasswd) require use of sudo command. + Here's a sample for CentOS 7: + + # cat <<END >/etc/sudoers.d/99-roundcubemail + apache ALL=NOPASSWD:/usr/sbin/chpasswd + Defaults:apache !requiretty + <<END + + Note: on different systems the username (here 'apache') may be different, e.g. www. + Note: on some systems the disabling tty line may not be needed. -- Gitblit v1.9.1