[squirrelmail.git] / plugins / change_password / README

Master Change Password plugin
-----------------------------

WHAT'S THIS?
This plugin is a general framework for enabling the user to
change his/her password. It allows for different backend
to perform this task on different systems.

STATUS
Development

REQUIREMENTS:
- SquirrelMail 1.4.3 or later. (plugin is included in squirrelmail 
  1.5.0 and later versions).
- ldap backend needs php ldap extension. It might need php
  mhash extension and system crypt libraries that support crypto
  used on ldap server. It might need php ldap extension with ssl
  support, if ldap server requires it.
- mysql backend needs php mysql extension.
- merak backend needs php curl extension.
- poppass backend needs poppassd server that supports authentication
  used by imap server.
- vmailmgrd backend needs vmailmgr php library (vmail.inc) and
  vmailmgrd service running on tcp port or unix socket. It also 
  requires SquirrelMail 1.4.4 or 1.5.1.

CONFIGURATION
Edit the file config.php to set the backend you want to use.

Backends can use special arrays that override default values set
in backend/<yourbackend>.php. Check description of backend that
you use.

BACKENDS
- ldap

  Default settings are supplied in backends/ldap.php.

  You don't have to change any configuration vars in
  backend/ldap.php - instead, create an $cpw_ldap array in 
  config.php containing the variable you want to override.

  See more information in "About ldap backend" chapter.

- mysql

  Default settings are supplied in backends/mysql.php.

  You do not have to change any configuration vars in 
  backend/mysql.php - instead, create an $cpw_mysql array in 
  config.php containing the variable you want to override, 
  for example:

  To override the server name ($mysql_server), you would add
    $cpw_mysql['server'] = 'remote_servername';
  to config.php.

  See more information in "About mysql backend" chapter.

- merak

  Default settings are supplied in backends/merak.php.

  Site configuration is controlled in config.php $cpw_merak
  array. You can use 'url','selfpage' and 'action' array
  keys to override default values.

  * 'url'
    override sets address of merak interface. URL is used 
    by webserver's libraries. If it points at localhost, 
    plugin tries to connect to administrative interface on
    same machine that hosts squirrelmail scripts.
    Defaults to 'http://localhost:32000/'.

  * 'selfpage'
    override sets page that is used to change password.
    Defaults to 'self.html'.

  * 'action'
    override sets action that is used during password change.
    Defaults to 'self_edit'.

  For example:
  $cpw_merak['url']='http://example.com:32000';


- poppassd

  Default settings are supplied in backends/poppassd.php.

  Site configuration is controlled in config.php $cpw_poppassd 
  array. You can use 'server' array key to override address
  of poppassd server. Backend uses address of imap server, if
  variable is set to empty string. It uses address of imap 
  server by default.

  For example:
  $cpw_poppassd['server'] = 'remote_servername';

- vmailmgrd

  Default settings are supplied in backends/vmailmgrd.php.
  
  Site configuration is controlled in config.php $cpw_vmailmgrd 
  array. Backend uses 'vmail_inc_path', 'vm_tcphost', 
  'vm_tcphost_port' and '8bitpw' array keys.
  
  'vmail_inc_path' sets path to vmail.inc. 'vm_tcphost' sets
  vmailmgrd tcp service ip address or dns name. Plugin uses 
  vmailmgrd socket, if it is not set. 'vm_tcphost_port' sets 
  port of vmailmrgd service. Plugin uses port 322, if it is 
  not set. '8bitpw' controls use of 8bit passwords. If it 
  is not set, interface does not allow new passwords with 
  8bit symbols.

  $cpw_vmailmgrd['vmail_inc_path'] setting is required.

  Tested configurations:
  - Linux Debian Woody, vmailmgr 0.96.9, stock Woody's courier-imap 
    with vmailmgr authentication module.


AUTHORS:
ldap backend      - Tomas Kuliavas <tokul@users.sourceforge.net>
                    used code from phpldapadmin and squirrelmail
                    ldapquery plugin.
merak backend     - Edwin van Elk <Edwin@eve-software.com>
mysql backend     - Thijs Kinkhorst <kink@squirrelmail.org>
poppassd backend  - Seth Randall <sethr@missoulafcu.org>
vmailmgrd backend - Tomas Kuliavas <tokul@users.sourceforge.net>

------------------
ABOUT LDAP BACKEND
------------------
  List of supported overrides
  * 'server'
    overrides address of ldap server. use any syntax that is supported 
    by your php ldap extension. Defaults to address of imap server.

  * 'port'
    overrides port of ldap server. Defaults to 389.

  * 'basedn'
    (required) ldap basedn used for binding to ldap server. If set to
    empty string, blocks use of backend. Defaults to empty string.

  * 'connect_opts'
    controls LDAP_OPT_* settings that are set with ldap_set_option() 
    function. See available options at http://www.php.net/ldap-set-option.
    LDAP_OPT_ prefix must be omitted in $cpw_ldap['connect_opts'] 
    overrides. No connection options are enabled by default.
    
    You can use this option only when your ldap extension supports 
    ldap_set_option() function.

  * 'use_tls'
    enables or disables use of tls in ldap connection. Requires php 
    4.2+, php ldap extension with ssl support and PROTOCOL_VERSION => 3 
    setting in $cpw_ldap_connect_opts. Does not enable tls by default.

  * 'binddn'
    unprivileged binddn. should be able to search ldap directory and 
    find DN used by user. Uses anonymous bind, if set to empty string.
    You should not use DN with write access to ldap directory here.
    Defaults to anonymous bind.

  * 'bindpw'
    password used for unprivileged bind

  * 'admindn'
    bind DN that should be able to change password.
    WARNING: usually user has enough privileges to change own password.
    If you leave default value, plugin will try to connect with dn that 
    is detected in $cpw_ldap_username_attr=$username search and current
    user password will be used for authentication.

  * 'adminpw'
    password for binding with 'admindn'

  * 'userid_attr'
    ldap attribute that stores username. Defaults to 'uid'

  * 'default_crypto'
    crypto that is used to encode new password. If set to empty string, 
    system tries to keep same encoding/hashing algorithm. Currently 
    backend supports:
    - md4 - used name 'md4'. Implemented in php mhash extension functions.
    - md5 - used name 'md5'. Implemented in standard php functions.
    - smd5 - used name 'smd5'. Implemented in php mhash extension functions. 
      Minimal php version = 4.0.4.
    - ripe-md160 - used name 'rmd160'. Implemented in php mhash extension functions.
    - sha - used name 'sha'. Implemented in php mhash extension functions 
      and php 4.3.0+ sha1() function. mhash extension is used only when 
      sha1() function is unavailable.
    - ssha - used name 'ssha'. Implemented in php mhash extension functions.
      Minimal php version = 4.0.4.
    - md5 crypt - used name 'md5crypt'. Uses php crypt function. Depends on
      md5 support in system crypt libraries. Should work on linux glibc2 systems
      and bsd systems.
    - blowfish crypt - used name 'blowfish'. Uses php crypt function. Depends on
      blowfish support in system crypt libraries. Should work on bsd systems. 
      Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
    - extended des crypt - used name 'extcrypt'. Uses php crypt function. Depends on
      extended des support in system crypt libraries. Should work on bsd systems.
      Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
    - standard des crypt - used name 'crypt'. Uses php crypt function. Depends on
      standard des support in system crypt libraries. Should work on libc systems
      and bsd systems.
    - plain text passwords - used name 'plaintext'.

    If you use admindn, plugin should support all encryption/hashing 
    algorithms used in your ldap server.

    WARNINGS:
    * don't enforce any crypto that is not supported by ldap server, if admindn 
      override is not used in backend configuration.
    * don't enforce extcrypt, md5crypt or blowfish, if they are not supported 
      by ldap server and web server crypt libraries.

    Safest setting options:
    * If web server and ldap server is on same OS, make sure that mhash 
      extension is present in php.
    * If web server and ldap server is on same OS and mhash extension is 
      not present, enforce md5 passwords or any crypt password algorithm 
      supported by your os. Remember that standard des crypt is limited
      to eight symbols.  Don't use admindn override, if ldap server 
      supports md4, rmd160, sha, ssha or smd5.
    * If crypt libraries differ on web server and ldap server -
      enforce md5 passwords or any crypt password algorithm supported by
      web server and ldap server. Don't use admindn override, if ldap 
      server supports md4, rmd160, sha, ssha or smd5 and mhash extension 
      is not present.

  Configuration example:
  $cpw_ldap['basedn']='ou=users,dc=example,dc=com'; // sets base dn
  $cpw_ldap['connect_opts']['PROTOCOL_VERSION']=3;   // forces v3 bind protocol

  Tested configurations:
  - Linux Debian Sarge, OpenLDAP v.2.1.30, Qmail LDAP 20050401a, courier-imap 
    v.3.0.8 using qmail-ldap auth-imap authentication. ns-mta-md5 crypto is not
    implemented in backend. 

-------------------
ABOUT MYSQL BACKEND
------------_------
  List of supported overrides:
  * 'server'
    address of MySQL server. Defaults to localhost.

  * 'database'
    database that stores user information. Defaults to 'email'.

  * 'table'
    database table that stores user information. Defaults to 'users'.

  * 'userid_field'
    field that stores user's ID. Defaults to 'id'.

  * 'password_field'
    field that stores password. Defaults to 'password'.

  * 'manager_id'
    username that is used to log into MySQL with (must have rights).
    Defaults to 'email_admin'.

  * 'manager_pw'
    password that is used to log into MySQL.

  * 'saslcrypt'
    boolean value that controls use of SASL (MySQL) crypt in passwords.
    It is not enabled by default.

  * 'unixcrypt'
    boolean value that controls use of unix crypt() in passwords. 
    Setting is ignored, if saslcrypt is enabled. It is not enabled 
    by default. 

If saslcrypt and unixcrypt are not enabled, plugin defaults to plaintext 
passwords.

$Id$
Commit	Line	Data
27663afe	1	Master Change Password plugin
	2	-----------------------------
	3
	4	WHAT'S THIS?
	5	This plugin is a general framework for enabling the user to
	6	change his/her password. It allows for different backend
	7	to perform this task on different systems.
	8
	9	STATUS
	10	Development
	11
fe90e5e4	12	REQUIREMENTS:
	13	- SquirrelMail 1.4.3 or later. (plugin is included in squirrelmail
	14	1.5.0 and later versions).
	15	- ldap backend needs php ldap extension. It might need php
	16	mhash extension and system crypt libraries that support crypto
ffa25c5c	17	used on ldap server. It might need php ldap extension with ssl
ffa25c5c	18	support, if ldap server requires it.
fe90e5e4	19	- mysql backend needs php mysql extension.
	20	- merak backend needs php curl extension.
	21	- poppass backend needs poppassd server that supports authentication
	22	used by imap server.
	23	- vmailmgrd backend needs vmailmgr php library (vmail.inc) and
2b2e606c	24	vmailmgrd service running on tcp port or unix socket. It also
2b2e606c	25	requires SquirrelMail 1.4.4 or 1.5.1.
fe90e5e4	26
27663afe	27	CONFIGURATION
27663afe	28	Edit the file config.php to set the backend you want to use.
76063016	29
	30	Backends can use special arrays that override default values set
	31	in backend/<yourbackend>.php. Check description of backend that
	32	you use.
27663afe	33
27663afe	34	BACKENDS
02c81de4	35	- ldap
	36
	37	Default settings are supplied in backends/ldap.php.
	38
	39	You don't have to change any configuration vars in
	40	backend/ldap.php - instead, create an $cpw_ldap array in
	41	config.php containing the variable you want to override.
	42
	43	See more information in "About ldap backend" chapter.
	44
4165198d	45	- mysql
	46
	47	Default settings are supplied in backends/mysql.php.
	48
	49	You do not have to change any configuration vars in
76063016	50	backend/mysql.php - instead, create an $cpw_mysql array in
	51	config.php containing the variable you want to override,
	52	for example:
4165198d	53
4165198d	54	To override the server name ($mysql_server), you would add
76063016	55	$cpw_mysql['server'] = 'remote_servername';
4165198d	56	to config.php.
4165198d	57
76063016	58	See more information in "About mysql backend" chapter.
27663afe	59
a391f3af	60	- merak
27663afe	61
a391f3af	62	Default settings are supplied in backends/merak.php.
27663afe	63
76063016	64	Site configuration is controlled in config.php $cpw_merak
	65	array. You can use 'url','selfpage' and 'action' array
	66	keys to override default values.
	67
	68	* 'url'
	69	override sets address of merak interface. URL is used
	70	by webserver's libraries. If it points at localhost,
	71	plugin tries to connect to administrative interface on
	72	same machine that hosts squirrelmail scripts.
	73	Defaults to 'http://localhost:32000/'.
	74
	75	* 'selfpage'
	76	override sets page that is used to change password.
	77	Defaults to 'self.html'.
	78
	79	* 'action'
	80	override sets action that is used during password change.
	81	Defaults to 'self_edit'.
	82
	83	For example:
	84	$cpw_merak['url']='http://example.com:32000';
	85
27663afe	86
a391f3af	87	- poppassd
	88
	89	Default settings are supplied in backends/poppassd.php.
	90
76063016	91	Site configuration is controlled in config.php $cpw_poppassd
	92	array. You can use 'server' array key to override address
	93	of poppassd server. Backend uses address of imap server, if
	94	variable is set to empty string. It uses address of imap
	95	server by default.
	96
	97	For example:
	98	$cpw_poppassd['server'] = 'remote_servername';
a391f3af	99
	100	- vmailmgrd
	101
	102	Default settings are supplied in backends/vmailmgrd.php.
	103
76063016	104	Site configuration is controlled in config.php $cpw_vmailmgrd
a391f3af	105	array. Backend uses 'vmail_inc_path', 'vm_tcphost',
76063016	106	'vm_tcphost_port' and '8bitpw' array keys.
a391f3af	107
	108	'vmail_inc_path' sets path to vmail.inc. 'vm_tcphost' sets
	109	vmailmgrd tcp service ip address or dns name. Plugin uses
	110	vmailmgrd socket, if it is not set. 'vm_tcphost_port' sets
	111	port of vmailmrgd service. Plugin uses port 322, if it is
76063016	112	not set. '8bitpw' controls use of 8bit passwords. If it
	113	is not set, interface does not allow new passwords with
	114	8bit symbols.
a391f3af	115
76063016	116	$cpw_vmailmgrd['vmail_inc_path'] setting is required.
a391f3af	117
797d7708	118	Tested configurations:
	119	- Linux Debian Woody, vmailmgr 0.96.9, stock Woody's courier-imap
	120	with vmailmgr authentication module.
	121
02c81de4	122
a391f3af	123	AUTHORS:
02c81de4	124	ldap backend - Tomas Kuliavas <tokul@users.sourceforge.net>
	125	used code from phpldapadmin and squirrelmail
	126	ldapquery plugin.
a391f3af	127	merak backend - Edwin van Elk <Edwin@eve-software.com>
	128	mysql backend - Thijs Kinkhorst <kink@squirrelmail.org>
	129	poppassd backend - Seth Randall <sethr@missoulafcu.org>
	130	vmailmgrd backend - Tomas Kuliavas <tokul@users.sourceforge.net>
27663afe	131
02c81de4	132	------------------
	133	ABOUT LDAP BACKEND
	134	------------------
	135	List of supported overrides
	136	* 'server'
	137	overrides address of ldap server. use any syntax that is supported
	138	by your php ldap extension. Defaults to address of imap server.
	139
	140	* 'port'
	141	overrides port of ldap server. Defaults to 389.
	142
	143	* 'basedn'
76063016	144	(required) ldap basedn used for binding to ldap server. If set to
76063016	145	empty string, blocks use of backend. Defaults to empty string.
02c81de4	146
02c81de4	147	* 'connect_opts'
ffa25c5c	148	controls LDAP_OPT_* settings that are set with ldap_set_option()
	149	function. See available options at http://www.php.net/ldap-set-option.
	150	LDAP_OPT_ prefix must be omitted in $cpw_ldap['connect_opts']
	151	overrides. No connection options are enabled by default.
	152
	153	You can use this option only when your ldap extension supports
	154	ldap_set_option() function.
02c81de4	155
	156	* 'use_tls'
	157	enables or disables use of tls in ldap connection. Requires php
	158	4.2+, php ldap extension with ssl support and PROTOCOL_VERSION => 3
	159	setting in $cpw_ldap_connect_opts. Does not enable tls by default.
	160
	161	* 'binddn'
	162	unprivileged binddn. should be able to search ldap directory and
	163	find DN used by user. Uses anonymous bind, if set to empty string.
	164	You should not use DN with write access to ldap directory here.
	165	Defaults to anonymous bind.
	166
	167	* 'bindpw'
	168	password used for unprivileged bind
	169
	170	* 'admindn'
	171	bind DN that should be able to change password.
	172	WARNING: usually user has enough privileges to change own password.
	173	If you leave default value, plugin will try to connect with dn that
	174	is detected in $cpw_ldap_username_attr=$username search and current
	175	user password will be used for authentication.
	176
	177	* 'adminpw'
	178	password for binding with 'admindn'
	179
	180	* 'userid_attr'
	181	ldap attribute that stores username. Defaults to 'uid'
	182
	183	* 'default_crypto'
	184	crypto that is used to encode new password. If set to empty string,
	185	system tries to keep same encoding/hashing algorithm. Currently
	186	backend supports:
797d7708	187	- md4 - used name 'md4'. Implemented in php mhash extension functions.
02c81de4	188	- md5 - used name 'md5'. Implemented in standard php functions.
02c81de4	189	- smd5 - used name 'smd5'. Implemented in php mhash extension functions.
2b2e606c	190	Minimal php version = 4.0.4.
797d7708	191	- ripe-md160 - used name 'rmd160'. Implemented in php mhash extension functions.
2b2e606c	192	- sha - used name 'sha'. Implemented in php mhash extension functions
76063016	193	and php 4.3.0+ sha1() function. mhash extension is used only when
2b2e606c	194	sha1() function is unavailable.
	195	- ssha - used name 'ssha'. Implemented in php mhash extension functions.
	196	Minimal php version = 4.0.4.
02c81de4	197	- md5 crypt - used name 'md5crypt'. Uses php crypt function. Depends on
02c81de4	198	md5 support in system crypt libraries. Should work on linux glibc2 systems
ffa25c5c	199	and bsd systems.
2b2e606c	200	- blowfish crypt - used name 'blowfish'. Uses php crypt function. Depends on
ffa25c5c	201	blowfish support in system crypt libraries. Should work on bsd systems.
2b2e606c	202	Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
02c81de4	203	- extended des crypt - used name 'extcrypt'. Uses php crypt function. Depends on
ffa25c5c	204	extended des support in system crypt libraries. Should work on bsd systems.
2b2e606c	205	Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
02c81de4	206	- standard des crypt - used name 'crypt'. Uses php crypt function. Depends on
02c81de4	207	standard des support in system crypt libraries. Should work on libc systems
ffa25c5c	208	and bsd systems.
2b2e606c	209	- plain text passwords - used name 'plaintext'.
02c81de4	210
	211	If you use admindn, plugin should support all encryption/hashing
	212	algorithms used in your ldap server.
	213
	214	WARNINGS:
797d7708	215	* don't enforce any crypto that is not supported by ldap server, if admindn
797d7708	216	override is not used in backend configuration.
02c81de4	217	* don't enforce extcrypt, md5crypt or blowfish, if they are not supported
	218	by ldap server and web server crypt libraries.
	219
	220	Safest setting options:
	221	* If web server and ldap server is on same OS, make sure that mhash
	222	extension is present in php.
	223	* If web server and ldap server is on same OS and mhash extension is
	224	not present, enforce md5 passwords or any crypt password algorithm
	225	supported by your os. Remember that standard des crypt is limited
	226	to eight symbols. Don't use admindn override, if ldap server
797d7708	227	supports md4, rmd160, sha, ssha or smd5.
02c81de4	228	* If crypt libraries differ on web server and ldap server -
	229	enforce md5 passwords or any crypt password algorithm supported by
	230	web server and ldap server. Don't use admindn override, if ldap
797d7708	231	server supports md4, rmd160, sha, ssha or smd5 and mhash extension
797d7708	232	is not present.
02c81de4	233
2b2e606c	234	Configuration example:
ffcc6bc9	235	$cpw_ldap['basedn']='ou=users,dc=example,dc=com'; // sets base dn
02c81de4	236	$cpw_ldap['connect_opts']['PROTOCOL_VERSION']=3; // forces v3 bind protocol
02c81de4	237
797d7708	238	Tested configurations:
	239	- Linux Debian Sarge, OpenLDAP v.2.1.30, Qmail LDAP 20050401a, courier-imap
	240	v.3.0.8 using qmail-ldap auth-imap authentication. ns-mta-md5 crypto is not
	241	implemented in backend.
	242
76063016	243	-------------------
	244	ABOUT MYSQL BACKEND
	245	------------_------
	246	List of supported overrides:
	247	* 'server'
	248	address of MySQL server. Defaults to localhost.
	249
	250	* 'database'
	251	database that stores user information. Defaults to 'email'.
	252
	253	* 'table'
	254	database table that stores user information. Defaults to 'users'.
	255
	256	* 'userid_field'
	257	field that stores user's ID. Defaults to 'id'.
	258
	259	* 'password_field'
	260	field that stores password. Defaults to 'password'.
	261
	262	* 'manager_id'
	263	username that is used to log into MySQL with (must have rights).
	264	Defaults to 'email_admin'.
	265
	266	* 'manager_pw'
	267	password that is used to log into MySQL.
	268
	269	* 'saslcrypt'
	270	boolean value that controls use of SASL (MySQL) crypt in passwords.
	271	It is not enabled by default.
	272
	273	* 'unixcrypt'
	274	boolean value that controls use of unix crypt() in passwords.
	275	Setting is ignored, if saslcrypt is enabled. It is not enabled
	276	by default.
	277
	278	If saslcrypt and unixcrypt are not enabled, plugin defaults to plaintext
	279	passwords.
02c81de4	280
27663afe	281	$Id$