author: thomascube <thomas@roundcube.net> 2009-04-20 15:43:54 +0000
committer: thomascube <thomas@roundcube.net> 2009-04-20 15:43:54 +0000
commit: 652a7f0ed2e6d1749fd56cd951e5daea2a4b171a
tree: 3576b6af20d5ebf189ed8c131c3df9919202407c /plugins/sasl_password/README
parent: 3db528bd5c0cb00fb802e59808a76ff3bf36c826
A SASL password changing plugin inspired by the Squirrelmail Change SASL Password Plugin
Diffstat (limited to 'plugins/sasl_password/README')
-rw-r--r-- plugins/sasl_password/README 65
1 files changed, 65 insertions, 0 deletions
diff --git a/plugins/sasl_password/README b/plugins/sasl_password/README
new file mode 100644
index 000000000..3fbc448ff
--- /dev/null
+++ b/plugins/sasl_password/README
@@ -0,0 +1,65 @@
++-------------------------------------------------------------------------+
+|
+| Author: Thomas Bruederli
+| Source: Squirrelmail Change SASL Password Plugin by Galen Johnson
+| Program: sasl_password
+| Version: 1.0
+| Purpose: Change Cyrus Account Passwords
+|
++-------------------------------------------------------------------------+
+
+
+Purpose
+-------
+Cyrus SASL database authentication allows your Cyrus+RoundCube
+installation to host mail users without requiring a Unix Shell account!
+
+This plugin only covers the "sasldb" case when using Cyrus SASL. Kerberos
+and PAM authentication mechanisms will require other techniques to enable
+user password manipulations.
+
+Cyrus SASL includes a shell utility called "saslpasswd" for manipulating
+user passwords in the "sasldb" database. This patch attempts to use
+this utility to perform password manipulations required by your webmail
+users without any administrative interaction. Unfortunately, this
+scheme requires that the "saslpasswd" utility be run as the "cyrus"
+user - kind of a security problem since we have chosen to SUID a small
+script which will allow this to happen.
+
+This plugin is based on the Squirrelmail Change SASL Password Plugin.
+See http://www.squirrelmail.org/plugin_view.php?id=107 for details.
+
+
+Installation
+------------
+Install just like any other plugin, just put it in the plugin directory
+and activate it by adding 'sasl_password' to the list of active plugins
+in config/main.inc.php
+
+Edit the chgsaslpasswd.c and chgsaslpasswd.sh files as is documented
+within them.
+
+Compile the wrapper program:
+ gcc -o chgsaslpasswd chgsaslpasswd.c
+
+Chown the chgsaslpasswd and chgsaslpasswd.sh to the cyrus user and group
+that your browser runs as, then chmod them to 4550.
+
+For example, if your cyrus user is 'cyrus' and the apache server group is
+'nobody' (I've been told Redhat runs Apache as user 'apache'):
+
+ chown cyrus:nobody chgsaslpasswd
+ chmod 4550 chgsaslpasswd
+
+Stephen Carr has suggested users should try to run the scripts on a test
+account as the cyrus user eg;
+
+ su cyrus -c "./chgsaslpasswd -p test_account"
+
+This will allow you to make sure that the script will work for your setup.
+Should the script not work, make sure that:
+1) the user the script runs as has access to the saslpasswd|saslpasswd2
+ file and proper permissions
+2) make sure the user in the chgsaslpasswd.c file is set correctly.
+ This could save you some headaches if you are the paranoid type.
+
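Review bot: The permission step in the Installation section is inconsistent and risky as written. The prose says to chown both chgsaslpasswd and chgsaslpasswd.sh "to the cyrus user and group that your browser runs as" and chmod both to 4550, but the example commands only touch the compiled wrapper, and "browser" should read "web server". A setuid bit on the .sh file is ignored on Linux, which does not honour setuid on interpreted scripts, and is unsafe on systems that do honour it. The README should therefore say that only the compiled chgsaslpasswd binary gets mode 4550, and give an explicit owner and mode for chgsaslpasswd.sh that keeps it unwritable by the web server group. Since the Purpose section already concedes that the SUID wrapper is "kind of a security problem", it would also help to state what the wrapper is expected to restrict (which script path it executes and which arguments it accepts), so an administrator can judge the exposure before installing. Two smaller points: "This patch attempts" should read "This plugin attempts", and item 2 of the troubleshooting list should say which setting in chgsaslpasswd.c holds the user.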