Master Change Password plugin
-----------------------------

WHAT'S THIS?
This plugin is a general framework for enabling the user to
change his/her password. It allows for different backends
to perform this task on different systems.

STATUS
Development

REQUIREMENTS:
- SquirrelMail 1.4.3 or later. (plugin is included in squirrelmail
  1.5.0 and later versions).
- ldap backend needs php ldap extension. It might need php
  mhash extension and system crypt libraries that support crypto
  used on ldap server. It might need php ldap extension with ssl
  support, if ldap server requires it.
- mysql backend needs php mysql extension.
- merak backend needs php curl extension.
- poppass backend needs poppassd server that supports authentication
  used by imap server.
- vmailmgrd backend needs vmailmgr php library (vmail.inc) and
  vmailmgrd service running on tcp port or unix socket. It also
  requires SquirrelMail 1.4.4 or 1.5.1.

CONFIGURATION
Edit the file config.php to set the backend you want to use.
Probably, you need to set some config vars in the backend too
(backend/<yourbackend>.php).

BACKENDS
- ldap

  Default settings are supplied in backends/ldap.php.

  You don't have to change any configuration vars in
  backend/ldap.php - instead, create a $cpw_ldap array in
  config.php containing the variable you want to override.

  See more information in "About ldap backend" chapter.

- mysql

  Default settings are supplied in backends/mysql.php.

  You do not have to change any configuration vars in
  backend/mysql.php - instead, create an array in config.php
  containing the variable you want to override, for example:

  To override the server name ($mysql_server), you would add
    $mysql['server'] = 'remote_servername';
  to config.php.


- merak

  Default settings are supplied in backends/merak.php.


- poppassd

  Default settings are supplied in backends/poppassd.php.


- vmailmgrd

  Default settings are supplied in backends/vmailmgrd.php.

  Site configuration is controlled in config.php $vmailmgrd
  array. Backend uses 'vmail_inc_path', 'vm_tcphost',
  'vm_tcphost_port' and 'cpw_vmailmgrd_8bitpw' array keys.

  'vmail_inc_path' sets path to vmail.inc. 'vm_tcphost' sets
  vmailmgrd tcp service ip address or dns name. Plugin uses
  vmailmgrd socket, if it is not set. 'vm_tcphost_port' sets
  port of vmailmgrd service. Plugin uses port 322, if it is
  not set. 'cpw_vmailmgrd_8bitpw' controls use of 8bit
  passwords. If it is not set, interface does not allow new
  passwords with 8bit symbols.

  $vmailmgrd['vmail_inc_path'] setting is required.


AUTHORS:
ldap backend      - Tomas Kuliavas <tokul@users.sourceforge.net>
                    used code from phpldapadmin and squirrelmail
                    ldapquery plugin.
merak backend     - Edwin van Elk <Edwin@eve-software.com>
mysql backend     - Thijs Kinkhorst <kink@squirrelmail.org>
poppassd backend  - Seth Randall <sethr@missoulafcu.org>
vmailmgrd backend - Tomas Kuliavas <tokul@users.sourceforge.net>

------------------
ABOUT LDAP BACKEND
------------------
  List of supported overrides
  * 'server'
    overrides address of ldap server. Use any syntax that is supported
    by your php ldap extension. Defaults to address of imap server.

  * 'port'
    overrides port of ldap server. Defaults to 389.

  * 'basedn'
    (required) ldap basedn used for binding to ldap server. Empty
    string blocks use of backend. Defaults to empty string.

  * 'connect_opts'
    controls LDAP_OPT_* settings that are set with ldap_set_option()
    function. See available options at http://www.php.net/ldap-set-option.
    LDAP_OPT_ prefix must be omitted in $cpw_ldap['connect_opts']
    overrides. No connection options are enabled by default.

    You can use this option only when your ldap extension supports
    ldap_set_option() function.

  * 'use_tls'
    enables or disables use of tls in ldap connection. Requires php
    4.2+, php ldap extension with ssl support and PROTOCOL_VERSION => 3
    setting in $cpw_ldap_connect_opts. Does not enable tls by default.

  * 'binddn'
    unprivileged binddn. Should be able to search ldap directory and
    find DN used by user. Uses anonymous bind, if set to empty string.
    You should not use DN with write access to ldap directory here.
    Defaults to anonymous bind.

  * 'bindpw'
    password used for unprivileged bind

  * 'admindn'
    bind DN that should be able to change password.
    WARNING: usually user has enough privileges to change own password.
    If you leave default value, plugin will try to connect with dn that
    is detected in $cpw_ldap_username_attr=$username search and current
    user password will be used for authentication.

  * 'adminpw'
    password for binding with 'admindn'

  * 'userid_attr'
    ldap attribute that stores username. Defaults to 'uid'

  * 'default_crypto'
    crypto that is used to encode new password. If set to empty string,
    system tries to keep same encoding/hashing algorithm. Currently
    backend supports:
    - md5 - used name 'md5'. Implemented in standard php functions.
    - smd5 - used name 'smd5'. Implemented in php mhash extension functions.
      Minimal php version = 4.0.4.
    - sha - used name 'sha'. Implemented in php mhash extension functions
      and php 4.3.0+ sha1() function. mhash extension is used only when
      sha1() function is unavailable.
    - ssha - used name 'ssha'. Implemented in php mhash extension functions.
      Minimal php version = 4.0.4.
    - md5 crypt - used name 'md5crypt'. Uses php crypt function. Depends on
      md5 support in system crypt libraries. Should work on linux glibc2 systems
      and bsd systems.
    - blowfish crypt - used name 'blowfish'. Uses php crypt function. Depends on
      blowfish support in system crypt libraries. Should work on bsd systems.
      Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
    - extended des crypt - used name 'extcrypt'. Uses php crypt function. Depends on
      extended des support in system crypt libraries. Should work on bsd systems.
      Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
    - standard des crypt - used name 'crypt'. Uses php crypt function. Depends on
      standard des support in system crypt libraries. Should work on libc systems
      and bsd systems.
    - plain text passwords - used name 'plaintext'.

    If you use admindn, plugin should support all encryption/hashing
    algorithms used in your ldap server.

    WARNINGS:
    * don't enforce any crypto that is not supported by ldap server.
    * don't enforce extcrypt, md5crypt or blowfish, if they are not supported
      by ldap server and web server crypt libraries.

    Safest setting options:
    * If web server and ldap server are on same OS, make sure that mhash
      extension is present in php.
    * If web server and ldap server are on same OS and mhash extension is
      not present, enforce md5 passwords or any crypt password algorithm
      supported by your os. Remember that standard des crypt is limited
      to eight symbols. Don't use admindn override, if ldap server
      supports sha, ssha or smd5.
    * If crypt libraries differ on web server and ldap server -
      enforce md5 passwords or any crypt password algorithm supported by
      web server and ldap server. Don't use admindn override, if ldap
      server supports sha, ssha or smd5 and mhash extension is not
      present.

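The md5, smd5, sha and ssha names under 'default_crypto' can be checked against what the directory actually stores. The PHP below is an added example, not code from the plugin: it builds and verifies those four userPassword forms, assuming the server stores the {MD5}/{SMD5}/{SHA}/{SSHA} prefixed base64 form used by OpenLDAP and that PHP 7.1+ is available (hash() and random_bytes() stand in for the mhash extension; both function names are hypothetical).

```php
<?php
// Added example, not the plugin's code: build and check LDAP userPassword
// values for the md5, smd5, sha and ssha schemes listed above.

function ldap_hash_password(string $password, string $scheme, ?string $salt = null): string
{
    // plugin scheme name => [LDAP tag, PHP hash algorithm, salted?]
    $schemes = [
        'md5'  => ['{MD5}',  'md5',  false],
        'smd5' => ['{SMD5}', 'md5',  true],
        'sha'  => ['{SHA}',  'sha1', false],
        'ssha' => ['{SSHA}', 'sha1', true],
    ];
    if (!isset($schemes[$scheme])) {
        throw new InvalidArgumentException("unsupported scheme: $scheme");
    }
    [$tag, $algo, $salted] = $schemes[$scheme];
    $salt = $salted ? ($salt ?? random_bytes(8)) : '';
    // Salted schemes hash password||salt, then append the salt to the digest.
    return $tag . base64_encode(hash($algo, $password . $salt, true) . $salt);
}

function ldap_verify_password(string $password, string $stored): bool
{
    if (!preg_match('/^\{(S?MD5|S?SHA)\}(.+)$/i', $stored, $m)) {
        return false; // crypt and plaintext values are not handled here
    }
    $scheme = strtoupper($m[1]);
    $algo   = substr($scheme, -3) === 'MD5' ? 'md5' : 'sha1';
    $len    = $algo === 'md5' ? 16 : 20; // raw digest length in bytes
    $raw    = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) < $len) {
        return false;
    }
    $salt   = (string) substr($raw, $len); // bytes after the digest
    $salted = ($scheme === 'SMD5' || $scheme === 'SSHA');
    if (!$salted && $salt !== '') {
        return false; // unsalted schemes must carry the digest only
    }
    return hash_equals(substr($raw, 0, $len), hash($algo, $password . $salt, true));
}

// Constructed sample password. The unsalted values repeat on every run, so
// equal passwords are visible as equal hashes; the salted values do not.
foreach (['md5', 'smd5', 'sha', 'ssha'] as $scheme) {
    $value = ldap_hash_password('Example-Passw0rd', $scheme);
    $ok = ldap_verify_password('Example-Passw0rd', $value) ? 'ok' : 'FAIL';
    printf("%-5s %-50s verify=%s\n", $scheme, $value, $ok);
}
```
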
  Configuration example:
  $cpw_ldap['basedn']='ou=users,dc=example,dc=com'; // sets base dn
  $cpw_ldap['connect_opts']['PROTOCOL_VERSION']=3; // forces v3 bind protocol


$Id$