[squirrelmail.git] / plugins / change_password / README

Master Change Password plugin
-----------------------------

WHAT'S THIS?
This plugin is a general framework for enabling the user to
change his/her password. It allows for different backend
to perform this task on different systems.

STATUS
Development

REQUIREMENTS:
- SquirrelMail 1.4.3 or later. (plugin is included in squirrelmail 
  1.5.0 and later versions).
- ldap backend needs php ldap extension. It might need php
  mhash extension and system crypt libraries that support crypto
  used on ldap server. It might need php ldap extension with ssl
  support, if ldap server requires it.
- mysql backend needs php mysql extension.
- merak backend needs php curl extension.
- poppass backend needs poppassd server that supports authentication
  used by imap server.
- vmailmgrd backend needs vmailmgr php library (vmail.inc) and
  vmailmgrd service running on tcp port or unix socket. It also 
  requires SquirrelMail 1.4.4 or 1.5.1.

CONFIGURATION
Edit the file config.php to set the backend you want to use.

Backends can use special arrays that override default values set
in backend/<yourbackend>.php. Check description of backend that
you use.

BACKENDS
- ldap

  Default settings are supplied in backends/ldap.php.

  You don't have to change any configuration vars in
  backend/ldap.php - instead, create an $cpw_ldap array in 
  config.php containing the variable you want to override.

  See more information in "About ldap backend" chapter.

- mysql

  Default settings are supplied in backends/mysql.php.

  You do not have to change any configuration vars in 
  backend/mysql.php - instead, create an $cpw_mysql array in 
  config.php containing the variable you want to override, 
  for example:

  To override the server name ($mysql_server), you would add
    $cpw_mysql['server'] = 'remote_servername';
  to config.php.

  See more information in "About mysql backend" chapter.

- merak

  Default settings are supplied in backends/merak.php.

  Site configuration is controlled in config.php $cpw_merak
  array. You can use 'url','selfpage' and 'action' array
  keys to override default values.

  * 'url'
    override sets address of merak interface. URL is used 
    by webserver's libraries. If it points at localhost, 
    plugin tries to connect to administrative interface on
    same machine that hosts squirrelmail scripts.
    Defaults to 'http://localhost:32000/'.

  * 'selfpage'
    override sets page that is used to change password.
    Defaults to 'self.html'.

  * 'action'
    override sets action that is used during password change.
    Defaults to 'self_edit'.

  For example:
  $cpw_merak['url']='http://example.com:32000';


- poppassd

  Default settings are supplied in backends/poppassd.php.

  Site configuration is controlled in config.php $cpw_poppassd 
  array. You can use 'server' array key to override address
  of poppassd server. Backend uses address of imap server, if
  variable is set to empty string. It uses address of imap 
  server by default.

  For example:
  $cpw_poppassd['server'] = 'remote_servername';

- vmailmgrd

  Default settings are supplied in backends/vmailmgrd.php.
  
  Site configuration is controlled in config.php $cpw_vmailmgrd 
  array. Backend uses 'vmail_inc_path', 'vm_tcphost', 
  'vm_tcphost_port' and '8bitpw' array keys.
  
  'vmail_inc_path' sets path to vmail.inc. 'vm_tcphost' sets
  vmailmgrd tcp service ip address or dns name. Plugin uses 
  vmailmgrd socket, if it is not set. 'vm_tcphost_port' sets 
  port of vmailmrgd service. Plugin uses port 322, if it is 
  not set. '8bitpw' controls use of 8bit passwords. If it 
  is not set, interface does not allow new passwords with 
  8bit symbols.

  $cpw_vmailmgrd['vmail_inc_path'] setting is required.


AUTHORS:
ldap backend      - Tomas Kuliavas <tokul@users.sourceforge.net>
                    used code from phpldapadmin and squirrelmail
                    ldapquery plugin.
merak backend     - Edwin van Elk <Edwin@eve-software.com>
mysql backend     - Thijs Kinkhorst <kink@squirrelmail.org>
poppassd backend  - Seth Randall <sethr@missoulafcu.org>
vmailmgrd backend - Tomas Kuliavas <tokul@users.sourceforge.net>

------------------
ABOUT LDAP BACKEND
------------------
  List of supported overrides
  * 'server'
    overrides address of ldap server. use any syntax that is supported 
    by your php ldap extension. Defaults to address of imap server.

  * 'port'
    overrides port of ldap server. Defaults to 389.

  * 'basedn'
    (required) ldap basedn used for binding to ldap server. If set to
    empty string, blocks use of backend. Defaults to empty string.

  * 'connect_opts'
    controls LDAP_OPT_* settings that are set with ldap_set_option() 
    function. See available options at http://www.php.net/ldap-set-option.
    LDAP_OPT_ prefix must be omitted in $cpw_ldap['connect_opts'] 
    overrides. No connection options are enabled by default.
    
    You can use this option only when your ldap extension supports 
    ldap_set_option() function.

  * 'use_tls'
    enables or disables use of tls in ldap connection. Requires php 
    4.2+, php ldap extension with ssl support and PROTOCOL_VERSION => 3 
    setting in $cpw_ldap_connect_opts. Does not enable tls by default.

  * 'binddn'
    unprivileged binddn. should be able to search ldap directory and 
    find DN used by user. Uses anonymous bind, if set to empty string.
    You should not use DN with write access to ldap directory here.
    Defaults to anonymous bind.

  * 'bindpw'
    password used for unprivileged bind

  * 'admindn'
    bind DN that should be able to change password.
    WARNING: usually user has enough privileges to change own password.
    If you leave default value, plugin will try to connect with dn that 
    is detected in $cpw_ldap_username_attr=$username search and current
    user password will be used for authentication.

  * 'adminpw'
    password for binding with 'admindn'

  * 'userid_attr'
    ldap attribute that stores username. Defaults to 'uid'

  * 'default_crypto'
    crypto that is used to encode new password. If set to empty string, 
    system tries to keep same encoding/hashing algorithm. Currently 
    backend supports:
    - md5 - used name 'md5'. Implemented in standard php functions.
    - smd5 - used name 'smd5'. Implemented in php mhash extension functions. 
      Minimal php version = 4.0.4.
    - sha - used name 'sha'. Implemented in php mhash extension functions 
      and php 4.3.0+ sha1() function. mhash extension is used only when 
      sha1() function is unavailable.
    - ssha - used name 'ssha'. Implemented in php mhash extension functions.
      Minimal php version = 4.0.4.
    - md5 crypt - used name 'md5crypt'. Uses php crypt function. Depends on
      md5 support in system crypt libraries. Should work on linux glibc2 systems
      and bsd systems.
    - blowfish crypt - used name 'blowfish'. Uses php crypt function. Depends on
      blowfish support in system crypt libraries. Should work on bsd systems. 
      Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
    - extended des crypt - used name 'extcrypt'. Uses php crypt function. Depends on
      extended des support in system crypt libraries. Should work on bsd systems.
      Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
    - standard des crypt - used name 'crypt'. Uses php crypt function. Depends on
      standard des support in system crypt libraries. Should work on libc systems
      and bsd systems.
    - plain text passwords - used name 'plaintext'.

    If you use admindn, plugin should support all encryption/hashing 
    algorithms used in your ldap server.

    WARNINGS:
    * don't enforce any crypto that is not supported by ldap server.
    * don't enforce extcrypt, md5crypt or blowfish, if they are not supported 
      by ldap server and web server crypt libraries.

    Safest setting options:
    * If web server and ldap server is on same OS, make sure that mhash 
      extension is present in php.
    * If web server and ldap server is on same OS and mhash extension is 
      not present, enforce md5 passwords or any crypt password algorithm 
      supported by your os. Remember that standard des crypt is limited
      to eight symbols.  Don't use admindn override, if ldap server 
      supports sha, ssha or smd5.
    * If crypt libraries differ on web server and ldap server -
      enforce md5 passwords or any crypt password algorithm supported by
      web server and ldap server. Don't use admindn override, if ldap 
      server supports sha, ssha or smd5 and mhash extension is not 
      present.

  Configuration example:
  $cpw_ldap['base_dn']='ou=users,dc=example,dc=com'; // sets base dn
  $cpw_ldap['connect_opts']['PROTOCOL_VERSION']=3;   // forces v3 bind protocol

-------------------
ABOUT MYSQL BACKEND
------------_------
  List of supported overrides:
  * 'server'
    address of MySQL server. Defaults to localhost.

  * 'database'
    database that stores user information. Defaults to 'email'.

  * 'table'
    database table that stores user information. Defaults to 'users'.

  * 'userid_field'
    field that stores user's ID. Defaults to 'id'.

  * 'password_field'
    field that stores password. Defaults to 'password'.

  * 'manager_id'
    username that is used to log into MySQL with (must have rights).
    Defaults to 'email_admin'.

  * 'manager_pw'
    password that is used to log into MySQL.

  * 'saslcrypt'
    boolean value that controls use of SASL (MySQL) crypt in passwords.
    It is not enabled by default.

  * 'unixcrypt'
    boolean value that controls use of unix crypt() in passwords. 
    Setting is ignored, if saslcrypt is enabled. It is not enabled 
    by default. 

If saslcrypt and unixcrypt are not enabled, plugin defaults to plaintext 
passwords.

$Id$
Commit	Line	Data
27663afe	1	Master Change Password plugin
	2	-----------------------------
	3
	4	WHAT'S THIS?
	5	This plugin is a general framework for enabling the user to
	6	change his/her password. It allows for different backend
	7	to perform this task on different systems.
	8
	9	STATUS
	10	Development
	11
fe90e5e4	12	REQUIREMENTS:
	13	- SquirrelMail 1.4.3 or later. (plugin is included in squirrelmail
	14	1.5.0 and later versions).
	15	- ldap backend needs php ldap extension. It might need php
	16	mhash extension and system crypt libraries that support crypto
ffa25c5c	17	used on ldap server. It might need php ldap extension with ssl
ffa25c5c	18	support, if ldap server requires it.
fe90e5e4	19	- mysql backend needs php mysql extension.
	20	- merak backend needs php curl extension.
	21	- poppass backend needs poppassd server that supports authentication
	22	used by imap server.
	23	- vmailmgrd backend needs vmailmgr php library (vmail.inc) and
2b2e606c	24	vmailmgrd service running on tcp port or unix socket. It also
2b2e606c	25	requires SquirrelMail 1.4.4 or 1.5.1.
fe90e5e4	26
27663afe	27	CONFIGURATION
27663afe	28	Edit the file config.php to set the backend you want to use.
76063016	29
	30	Backends can use special arrays that override default values set
	31	in backend/<yourbackend>.php. Check description of backend that
	32	you use.
27663afe	33
27663afe	34	BACKENDS
02c81de4	35	- ldap
	36
	37	Default settings are supplied in backends/ldap.php.
	38
	39	You don't have to change any configuration vars in
	40	backend/ldap.php - instead, create an $cpw_ldap array in
	41	config.php containing the variable you want to override.
	42
	43	See more information in "About ldap backend" chapter.
	44
4165198d	45	- mysql
	46
	47	Default settings are supplied in backends/mysql.php.
	48
	49	You do not have to change any configuration vars in
76063016	50	backend/mysql.php - instead, create an $cpw_mysql array in
	51	config.php containing the variable you want to override,
	52	for example:
4165198d	53
4165198d	54	To override the server name ($mysql_server), you would add
76063016	55	$cpw_mysql['server'] = 'remote_servername';
4165198d	56	to config.php.
4165198d	57
76063016	58	See more information in "About mysql backend" chapter.
27663afe	59
a391f3af	60	- merak
27663afe	61
a391f3af	62	Default settings are supplied in backends/merak.php.
27663afe	63
76063016	64	Site configuration is controlled in config.php $cpw_merak
	65	array. You can use 'url','selfpage' and 'action' array
	66	keys to override default values.
	67
	68	* 'url'
	69	override sets address of merak interface. URL is used
	70	by webserver's libraries. If it points at localhost,
	71	plugin tries to connect to administrative interface on
	72	same machine that hosts squirrelmail scripts.
	73	Defaults to 'http://localhost:32000/'.
	74
	75	* 'selfpage'
	76	override sets page that is used to change password.
	77	Defaults to 'self.html'.
	78
	79	* 'action'
	80	override sets action that is used during password change.
	81	Defaults to 'self_edit'.
	82
	83	For example:
	84	$cpw_merak['url']='http://example.com:32000';
	85
27663afe	86
a391f3af	87	- poppassd
	88
	89	Default settings are supplied in backends/poppassd.php.
	90
76063016	91	Site configuration is controlled in config.php $cpw_poppassd
	92	array. You can use 'server' array key to override address
	93	of poppassd server. Backend uses address of imap server, if
	94	variable is set to empty string. It uses address of imap
	95	server by default.
	96
	97	For example:
	98	$cpw_poppassd['server'] = 'remote_servername';
a391f3af	99
	100	- vmailmgrd
	101
	102	Default settings are supplied in backends/vmailmgrd.php.
	103
76063016	104	Site configuration is controlled in config.php $cpw_vmailmgrd
a391f3af	105	array. Backend uses 'vmail_inc_path', 'vm_tcphost',
76063016	106	'vm_tcphost_port' and '8bitpw' array keys.
a391f3af	107
	108	'vmail_inc_path' sets path to vmail.inc. 'vm_tcphost' sets
	109	vmailmgrd tcp service ip address or dns name. Plugin uses
	110	vmailmgrd socket, if it is not set. 'vm_tcphost_port' sets
	111	port of vmailmrgd service. Plugin uses port 322, if it is
76063016	112	not set. '8bitpw' controls use of 8bit passwords. If it
	113	is not set, interface does not allow new passwords with
	114	8bit symbols.
a391f3af	115
76063016	116	$cpw_vmailmgrd['vmail_inc_path'] setting is required.
a391f3af	117
02c81de4	118
a391f3af	119	AUTHORS:
02c81de4	120	ldap backend - Tomas Kuliavas <tokul@users.sourceforge.net>
	121	used code from phpldapadmin and squirrelmail
	122	ldapquery plugin.
a391f3af	123	merak backend - Edwin van Elk <Edwin@eve-software.com>
	124	mysql backend - Thijs Kinkhorst <kink@squirrelmail.org>
	125	poppassd backend - Seth Randall <sethr@missoulafcu.org>
	126	vmailmgrd backend - Tomas Kuliavas <tokul@users.sourceforge.net>
27663afe	127
02c81de4	128	------------------
	129	ABOUT LDAP BACKEND
	130	------------------
	131	List of supported overrides
	132	* 'server'
	133	overrides address of ldap server. use any syntax that is supported
	134	by your php ldap extension. Defaults to address of imap server.
	135
	136	* 'port'
	137	overrides port of ldap server. Defaults to 389.
	138
	139	* 'basedn'
76063016	140	(required) ldap basedn used for binding to ldap server. If set to
76063016	141	empty string, blocks use of backend. Defaults to empty string.
02c81de4	142
02c81de4	143	* 'connect_opts'
ffa25c5c	144	controls LDAP_OPT_* settings that are set with ldap_set_option()
	145	function. See available options at http://www.php.net/ldap-set-option.
	146	LDAP_OPT_ prefix must be omitted in $cpw_ldap['connect_opts']
	147	overrides. No connection options are enabled by default.
	148
	149	You can use this option only when your ldap extension supports
	150	ldap_set_option() function.
02c81de4	151
	152	* 'use_tls'
	153	enables or disables use of tls in ldap connection. Requires php
	154	4.2+, php ldap extension with ssl support and PROTOCOL_VERSION => 3
	155	setting in $cpw_ldap_connect_opts. Does not enable tls by default.
	156
	157	* 'binddn'
	158	unprivileged binddn. should be able to search ldap directory and
	159	find DN used by user. Uses anonymous bind, if set to empty string.
	160	You should not use DN with write access to ldap directory here.
	161	Defaults to anonymous bind.
	162
	163	* 'bindpw'
	164	password used for unprivileged bind
	165
	166	* 'admindn'
	167	bind DN that should be able to change password.
	168	WARNING: usually user has enough privileges to change own password.
	169	If you leave default value, plugin will try to connect with dn that
	170	is detected in $cpw_ldap_username_attr=$username search and current
	171	user password will be used for authentication.
	172
	173	* 'adminpw'
	174	password for binding with 'admindn'
	175
	176	* 'userid_attr'
	177	ldap attribute that stores username. Defaults to 'uid'
	178
	179	* 'default_crypto'
	180	crypto that is used to encode new password. If set to empty string,
	181	system tries to keep same encoding/hashing algorithm. Currently
	182	backend supports:
	183	- md5 - used name 'md5'. Implemented in standard php functions.
	184	- smd5 - used name 'smd5'. Implemented in php mhash extension functions.
2b2e606c	185	Minimal php version = 4.0.4.
2b2e606c	186	- sha - used name 'sha'. Implemented in php mhash extension functions
76063016	187	and php 4.3.0+ sha1() function. mhash extension is used only when
2b2e606c	188	sha1() function is unavailable.
	189	- ssha - used name 'ssha'. Implemented in php mhash extension functions.
	190	Minimal php version = 4.0.4.
02c81de4	191	- md5 crypt - used name 'md5crypt'. Uses php crypt function. Depends on
02c81de4	192	md5 support in system crypt libraries. Should work on linux glibc2 systems
ffa25c5c	193	and bsd systems.
2b2e606c	194	- blowfish crypt - used name 'blowfish'. Uses php crypt function. Depends on
ffa25c5c	195	blowfish support in system crypt libraries. Should work on bsd systems.
2b2e606c	196	Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
02c81de4	197	- extended des crypt - used name 'extcrypt'. Uses php crypt function. Depends on
ffa25c5c	198	extended des support in system crypt libraries. Should work on bsd systems.
2b2e606c	199	Is not supported by glibc 2.3.2. (Tested on OpenBSD 3.5)
02c81de4	200	- standard des crypt - used name 'crypt'. Uses php crypt function. Depends on
02c81de4	201	standard des support in system crypt libraries. Should work on libc systems
ffa25c5c	202	and bsd systems.
2b2e606c	203	- plain text passwords - used name 'plaintext'.
02c81de4	204
	205	If you use admindn, plugin should support all encryption/hashing
	206	algorithms used in your ldap server.
	207
	208	WARNINGS:
	209	* don't enforce any crypto that is not supported by ldap server.
	210	* don't enforce extcrypt, md5crypt or blowfish, if they are not supported
	211	by ldap server and web server crypt libraries.
	212
	213	Safest setting options:
	214	* If web server and ldap server is on same OS, make sure that mhash
	215	extension is present in php.
	216	* If web server and ldap server is on same OS and mhash extension is
	217	not present, enforce md5 passwords or any crypt password algorithm
	218	supported by your os. Remember that standard des crypt is limited
	219	to eight symbols. Don't use admindn override, if ldap server
	220	supports sha, ssha or smd5.
	221	* If crypt libraries differ on web server and ldap server -
	222	enforce md5 passwords or any crypt password algorithm supported by
	223	web server and ldap server. Don't use admindn override, if ldap
	224	server supports sha, ssha or smd5 and mhash extension is not
	225	present.
	226
2b2e606c	227	Configuration example:
02c81de4	228	$cpw_ldap['base_dn']='ou=users,dc=example,dc=com'; // sets base dn
	229	$cpw_ldap['connect_opts']['PROTOCOL_VERSION']=3; // forces v3 bind protocol
	230
76063016	231	-------------------
	232	ABOUT MYSQL BACKEND
	233	------------_------
	234	List of supported overrides:
	235	* 'server'
	236	address of MySQL server. Defaults to localhost.
	237
	238	* 'database'
	239	database that stores user information. Defaults to 'email'.
	240
	241	* 'table'
	242	database table that stores user information. Defaults to 'users'.
	243
	244	* 'userid_field'
	245	field that stores user's ID. Defaults to 'id'.
	246
	247	* 'password_field'
	248	field that stores password. Defaults to 'password'.
	249
	250	* 'manager_id'
	251	username that is used to log into MySQL with (must have rights).
	252	Defaults to 'email_admin'.
	253
	254	* 'manager_pw'
	255	password that is used to log into MySQL.
	256
	257	* 'saslcrypt'
	258	boolean value that controls use of SASL (MySQL) crypt in passwords.
	259	It is not enabled by default.
	260
	261	* 'unixcrypt'
	262	boolean value that controls use of unix crypt() in passwords.
	263	Setting is ignored, if saslcrypt is enabled. It is not enabled
	264	by default.
	265
	266	If saslcrypt and unixcrypt are not enabled, plugin defaults to plaintext
	267	passwords.
02c81de4	268
27663afe	269	$Id$