Community » Applications » Passwd
Installing Passwd H5
| Contact: | horde@lists.horde.org |
|---|
Contents
This document contains instructions for installing the Passwd Password Changing application on your system.
For information on the capabilities and features of Passwd, see the file README.
1 Prerequisites
To function properly, Passwd requires the following:
A working Horde installation.
Passwd runs within the Horde Application Framework, a set of common tools for web applications written in PHP. You must install Horde before installing Passwd.
Important
Passwd H5 requires version 5.0+ of the Horde Framework - earlier versions of Horde will not work.
Important
Be sure to have completed all of the steps in the horde/docs/INSTALL file for the Horde Framework before installing Passwd. Many of Passwd's prerequisites are also Horde prerequisites. Additionally, many of Passwd's optional features are configured via the Horde install.
The following PHP capabilities, depending on the drivers you want use:
Character Type support --enable-ctype
LDAP support --with-ldap [OPTIONAL]
LDAP support is required for the kolab, ldap, and smbldap drivers.
Hash support [OPTIONAL]
Hash support is necessary for the smbldap driver. See LDAP Implementation Information for details.
Mcrypt support --with-mcrypt [OPTIONAL]
Mcrypt support is necessary for the smbldap driver. See LDAP Implementation Information for details.
SOAP support --enable-soap [OPTIONAL]
SOAP support is necessary for the soap driver.
The following PEAR modules: (See horde/docs/INSTALL for instructions on installing PEAR modules)
Important
If you are going to install Passwd the recommended way, i.e. using the PEAR installer, you can skip the remainder of this section. Installing Passwd through PEAR will automatically download and install all required PEAR modules.
Crypt_CHAP [OPTIONAL]
Passwd uses this package to encrypt passwords for the smbldap driver.
The following items might be required, depending on the drivers you want to use:
- A poppassd server installed, running, and working on a system.
- An LDAP server installed, running, and working for authentication.
- A working smbpasswd program on the web server. It can access a remote server, but the smbpasswd binary must be installed on the local system.
- A working SQL authentication system.
- Expect installed, and access to telnet or ssh to the machine where passwords are stored/set (could be localhost).
- A SOAP service endpoint.
2 Installing Passwd
The RECOMMENDED way to install Passwd is using the PEAR installer. Alternatively, if you want to run the latest development code or get the latest not yet released fixes, you can install Passwd from Git.
2.1 Installing with PEAR
First follow the instructions in horde/docs/INSTALL to prepare a PEAR environment for Horde and install the Horde Framework.
When installing Passwd through PEAR now, the installer will automatically install any dependencies of Passwd too. If you want to install Passwd with all optional dependencies, but without the binary PECL packages that need to be compiled, specify both the -a and the -B flag:
pear install -a -B horde/passwd
By default, only the required dependencies will be installed:
pear install horde/passwd
If you want to install Passwd even with all binary dependencies, you need to remove the -B flag. Please note that this might also try to install PHP extensions through PECL that might need further configuration or activation in your PHP configuration:
pear install -a horde/passwd
3 Configuring Passwd
Configuring Passwd
You must login to Horde as a Horde Administrator to finish the configuration of Passwd. Use the Horde Administration menu item to get to the administration page, and then click on the Configuration icon to get the configuration page. Select Password from the selection list of applications. Fill in or change any configuration values as needed. When done click on Generate Password Configuration to generate the conf.php file. If your web server doesn't have write permissions to the Passwd configuration directory or file, it will not be able to write the file. In this case, go back to Configuration and choose one of the other methods to create the configuration file passwd/config/conf.php.
Documentation on the format and purpose of the other configuration files in the config/ directory can be found in each file. You may create *.local.php versions of these files if you wish to customize Passwd's appearance and behavior. See the header of the configuration files for details and examples. The defaults will be correct for most sites.
Testing Passwd
Once you have configured Passwd, bring up the included test page in your Web browser to ensure that all necessary prerequisites have been met. See the horde/docs/INSTALL document for further details on Horde test scripts. If you installed Passwd as described above, the URL to the test page would be:
http://your-server/horde/test.php?app=passwd
4 Security considerations
Note
Some drivers like poppassd always use clear text password transmissions. Others may also use clear text passwords (e.g. the expect script driver using telnet rather than ssh). This can be considered somewhat safe if the server is on the same machine, there are no user interactive logins allowed on that machine, and the connection uses the loopback (localhost) interface. It is up to the administrator to evaluate the security implications of using this module, and to understand the security implications of how their server and this module is configured.
Note
Setting this module to allow guest access might also be considered a security risk. By default, guest access is disabled. It is up to the administrator to evaluate the security implications of using this module with guest access if they choose to do so.
5 Poppassd Server Software
The following are some links that users have submitted. No warrenty is made for the following links or any software obtained from then. These are all user submitted links, and have not been tested or verified. Use these links are your own risk!
6 LDAP Implementation Information
The module includes support for changing LDAP stored passwords.
LDAP can store passwords in multiple ways, namely:
- Plain text passwords
- SHA encrypted passwords
- SSHA encrypted passwords
- Crypt encrypted passwords
- MD5 encrypted passwords (using base64 encoding - md5-base64)
- SMD5 encrypted passwords
The smbldap extension require the php hash and mcrypt extensions. To enable these you must compile php with --with-mcrypt[=DIR] and without the --disable-hash parameters. DIR is the mcrypt install directory.
Crypt cannot handle passwords longer than eight characters (it accepts them but truncates them at 8 characters). If you want to use longer passwords, you may use SHA.
The user must be able to authenticate to the LDAP directory and change his own password now (we no longer do root access to LDAP). This assumes that the LDAP administrator has allowed everyone to write their own password, something like:
access to attribute=userPassword
by self write
by anonymous auth
by * none
7 SQL Implementation Information
The module includes support for changing passwords stored in a SQL database. The SQL driver is similar to the LDAP driver except that it also supports MD5 encryption using hex encoding (md5-hex). If you created your passwords using the PHP md5() function then use md5-hex.
8 Smbpasswd Implementation Information
To use this module, you must pass the address of your Samba domain controller on which to change the password. This can be "localhost" for the server that Horde runs on. The remote system name may be passed as the NETBIOS name, the DNS name, or the IP address of the SMB/CIFS server to connect to. The username is run through escapeshellcmd(), so any usernames with strange characters ($, &, etc) may not work. I'm not sure if any of these are even valid for SMB/CIFS authentication, but if so, they may not work in this module.
Note
If changing a Windows NT Domain password the remote machine specified must be the Primary Domain Controller for the domain (Backup Domain Controllers only have a read-only copy of the user account database and will not allow the password change).
Since smbpasswd works in client-server mode communicating with a local smbd for a non-root user, the smbd daemon must be running for this to work. A common problem is to add a restriction to the hosts that may access the smbd running on the local machine by specifying a allow hosts or deny hosts entry in the smb.conf file and neglecting to allow "localhost" access to the smbd.
In addition, the smbpasswd command is only useful if Samba has been set up to use encrypted passwords.
9 Expect Script Information
This code allows users to change their passwords via an expect script. The module requires the expect program and a telnet or ssh program. You may need to change some of the expect patterns in passwd-expect such as the badpassword_string or success_string (as only two examples).
For security reasons, it is generally suggested to use ssh rather than telnet for the transport, if possible.
10 Expect PECL Information
This code allows users to change their passwords via the PHP PECL expect extension. It requires the PECL expect extension and a ssh program.
You can find the extension on http://pecl.php.net/package/expect
11 Obtaining Support
If you encounter problems with Passwd, help is available!
The Horde Frequently Asked Questions List (FAQ), available on the Web at
http://wiki.horde.org/FAQ
The Horde Project runs a number of mailing lists, for individual applications and for issues relating to the project as a whole. Information, archives, and subscription information can be found at
http://www.horde.org/community/mail
Lastly, Horde developers, contributors and users may also be found on IRC, on the channel #horde on the Freenode Network (irc.freenode.net).
Please keep in mind that Passwd is free software written by volunteers. For information on reasonable support expectations, please read
http://www.horde.org/community/support
Thanks for using Passwd!
The Passwd team