Diffstat (limited to 'plugins/sasl_password/README')
-rw-r--r-- | plugins/sasl_password/README | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/plugins/sasl_password/README b/plugins/sasl_password/README new file mode 100644 index 000000000..3fbc448ff --- /dev/null +++ b/plugins/sasl_password/README 
@@ -0,0 +1,65 @@ ++-------------------------------------------------------------------------+ +| +| Author: Thomas Bruederli +| Source: Squirrelmail Change SASL Password Plugin by Galen Johnson +| Program: sasl_password +| Version: 1.0 +| Purpose: Change Cyrus Account Passwords +| ++-------------------------------------------------------------------------+ + + +Purpose +------- +Cyrus SASL database authentication allows your Cyrus+RoundCube +installation to host mail users without requiring a Unix Shell account! + +This plugin only covers the "sasldb" case when using Cyrus SASL. Kerberos +and PAM authentication mechanisms will require other techniques to enable +user password manipulations. + +Cyrus SASL includes a shell utility called "saslpasswd" for manipulating +user passwords in the "sasldb" database. This patch attempts to use +this utility to perform password manipulations required by your webmail +users without any administrative interaction. Unfortunately, this +scheme requires that the "saslpasswd" utility be run as the "cyrus" +user - kind of a security problem since we have chosen to SUID a small +script which will allow this to happen. + +This plugin is based on the Squirrelmail Change SASL Password Plugin. +See http://www.squirrelmail.org/plugin_view.php?id=107 for details. + + +Installation +------------ +Install just like any other plugin, just put it in the plugin directory +and activate it by adding 'sasl_password' to the list of active plugins +in config/main.inc.php + +Edit the chgsaslpasswd.c and chgsaslpasswd.sh files as is documented +within them. + +Compile the wrapper program: + gcc -o chgsaslpasswd chgsaslpasswd.c + +Chown the chgsaslpasswd and chgsaslpasswd.sh to the cyrus user and group +that your browser runs as, then chmod them to 4550. 
+ +For example, if your cyrus user is 'cyrus' and the apache server group is +'nobody' (I've been told Redhat runs Apache as user 'apache'): + + chown cyrus:nobody chgsaslpasswd + chmod 4550 chgsaslpasswd + +Stephen Carr has suggested users should try to run the scripts on a test +account as the cyrus user eg; + + su cyrus -c "./chgsaslpasswd -p test_account" + +This will allow you to make sure that the script will work for your setup. +Should the script not work, make sure that: +1) the user the script runs as has access to the saslpasswd|saslpasswd2 + file and proper permissions +2) make sure the user in the chgsaslpasswd.c file is set correctly. + This could save you some headaches if you are the paranoid type. + |
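Review bot: The permission steps in the Installation section are inconsistent and leave the setuid setup underspecified. The text says to chown both chgsaslpasswd and chgsaslpasswd.sh to "the cyrus user and group that your browser runs as" and chmod them to 4550, but the example that follows only covers `chown cyrus:nobody chgsaslpasswd` and `chmod 4550 chgsaslpasswd`, and "browser" should read "web server". Suggest listing both files in the example and giving chgsaslpasswd.sh its own mode: Linux ignores the setuid bit on shell scripts, so 4550 on the script has no effect beyond 0550 and may mislead readers about which file carries the privilege. The test command `su cyrus -c "./chgsaslpasswd -p test_account"` already runs as cyrus, so it does not exercise the setuid transition the web server will rely on; add a second check run as the web server user. Since the Purpose section itself calls the SUID wrapper "kind of a security problem", the README should also say which arguments the wrapper accepts and that only the web server group may execute it. Minor: "This patch attempts to use this utility" should read "This plugin".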