Community » Applications » Passwd
Installing Passwd H5
- 1 Prerequisites
- 2 Installing Passwd
- 3 Configuring Passwd
- 4 Security considerations
- 5 Poppassd Server Software
- 6 LDAP Implementation Information
- 7 SQL Implementation Information
- 8 Smbpasswd Implementation Information
- 9 Expect Script Information
- 10 Expect PECL Information
- 11 Obtaining Support
This document contains instructions for installing the Passwd Password Changing application on your system.
For information on the capabilities and features of Passwd, see the file README.
To function properly, Passwd requires the following:
A working Horde installation.
Passwd runs within the Horde Application Framework, a set of common tools for web applications written in PHP. You must install Horde before installing Passwd.
Passwd H5 requires version 5.0+ of the Horde Framework - earlier versions of Horde will not work.
Be sure to have completed all of the steps in the horde/docs/INSTALL file for the Horde Framework before installing Passwd. Many of Passwd's prerequisites are also Horde prerequisites. Additionally, many of Passwd's optional features are configured via the Horde install.
The following PHP capabilities, depending on the drivers you want use:
Character Type support --enable-ctype
LDAP support --with-ldap [OPTIONAL]
LDAP support is required for the kolab, ldap, and smbldap drivers.
Hash support [OPTIONAL]
Hash support is necessary for the smbldap driver. See LDAP Implementation Information for details.
Mcrypt support --with-mcrypt [OPTIONAL]
Mcrypt support is necessary for the smbldap driver. See LDAP Implementation Information for details.
SOAP support --enable-soap [OPTIONAL]
SOAP support is necessary for the soap driver.
The following PEAR modules: (See horde/docs/INSTALL for instructions on installing PEAR modules)
If you are going to install Passwd the recommended way, i.e. using the PEAR installer, you can skip the remainder of this section. Installing Passwd through PEAR will automatically download and install all required PEAR modules.
Passwd uses this package to encrypt passwords for the smbldap driver.
The following items might be required, depending on the drivers you want to use:
- A poppassd server installed, running, and working on a system.
- An LDAP server installed, running, and working for authentication.
- A working smbpasswd program on the web server. It can access a remote server, but the smbpasswd binary must be installed on the local system.
- A working SQL authentication system.
- Expect installed, and access to telnet or ssh to the machine where passwords are stored/set (could be localhost).
- A SOAP service endpoint.
The RECOMMENDED way to install Passwd is using the PEAR installer. Alternatively, if you want to run the latest development code or get the latest not yet released fixes, you can install Passwd from Git.
First follow the instructions in horde/docs/INSTALL to prepare a PEAR environment for Horde and install the Horde Framework.
When installing Passwd through PEAR now, the installer will automatically install any dependencies of Passwd too. If you want to install Passwd with all optional dependencies, but without the binary PECL packages that need to be compiled, specify both the -a and the -B flag:
pear install -a -B horde/passwd
By default, only the required dependencies will be installed:
pear install horde/passwd
If you want to install Passwd even with all binary dependencies, you need to remove the -B flag. Please note that this might also try to install PHP extensions through PECL that might need further configuration or activation in your PHP configuration:
pear install -a horde/passwd
You must login to Horde as a Horde Administrator to finish the configuration of Passwd. Use the Horde Administration menu item to get to the administration page, and then click on the Configuration icon to get the configuration page. Select Password from the selection list of applications. Fill in or change any configuration values as needed. When done click on Generate Password Configuration to generate the conf.php file. If your web server doesn't have write permissions to the Passwd configuration directory or file, it will not be able to write the file. In this case, go back to Configuration and choose one of the other methods to create the configuration file passwd/config/conf.php.
Documentation on the format and purpose of the other configuration files in the config/ directory can be found in each file. You may create *.local.php versions of these files if you wish to customize Passwd's appearance and behavior. See the header of the configuration files for details and examples. The defaults will be correct for most sites.
Once you have configured Passwd, bring up the included test page in your Web browser to ensure that all necessary prerequisites have been met. See the horde/docs/INSTALL document for further details on Horde test scripts. If you installed Passwd as described above, the URL to the test page would be:
Some drivers like poppassd always use clear text password transmissions. Others may also use clear text passwords (e.g. the expect script driver using telnet rather than ssh). This can be considered somewhat safe if the server is on the same machine, there are no user interactive logins allowed on that machine, and the connection uses the loopback (localhost) interface. It is up to the administrator to evaluate the security implications of using this module, and to understand the security implications of how their server and this module is configured.
Setting this module to allow guest access might also be considered a security risk. By default, guest access is disabled. It is up to the administrator to evaluate the security implications of using this module with guest access if they choose to do so.
The following are some links that users have submitted. No warrenty is made for the following links or any software obtained from then. These are all user submitted links, and have not been tested or verified. Use these links are your own risk!
The module includes support for changing LDAP stored passwords.
LDAP can store passwords in multiple ways, namely:
- Plain text passwords
- SHA encrypted passwords
- SSHA encrypted passwords
- Crypt encrypted passwords
- MD5 encrypted passwords (using base64 encoding - md5-base64)
- SMD5 encrypted passwords
The smbldap extension require the php hash and mcrypt extensions. To enable these you must compile php with --with-mcrypt[=DIR] and without the --disable-hash parameters. DIR is the mcrypt install directory.
Crypt cannot handle passwords longer than eight characters (it accepts them but truncates them at 8 characters). If you want to use longer passwords, you may use SHA.
The user must be able to authenticate to the LDAP directory and change his own password now (we no longer do root access to LDAP). This assumes that the LDAP administrator has allowed everyone to write their own password, something like:
access to attribute=userPassword by self write by anonymous auth by * none
The module includes support for changing passwords stored in a SQL database. The SQL driver is similar to the LDAP driver except that it also supports MD5 encryption using hex encoding (md5-hex). If you created your passwords using the PHP md5() function then use md5-hex.
To use this module, you must pass the address of your Samba domain controller on which to change the password. This can be "localhost" for the server that Horde runs on. The remote system name may be passed as the NETBIOS name, the DNS name, or the IP address of the SMB/CIFS server to connect to. The username is run through escapeshellcmd(), so any usernames with strange characters ($, &, etc) may not work. I'm not sure if any of these are even valid for SMB/CIFS authentication, but if so, they may not work in this module.
If changing a Windows NT Domain password the remote machine specified must be the Primary Domain Controller for the domain (Backup Domain Controllers only have a read-only copy of the user account database and will not allow the password change).
Since smbpasswd works in client-server mode communicating with a local smbd for a non-root user, the smbd daemon must be running for this to work. A common problem is to add a restriction to the hosts that may access the smbd running on the local machine by specifying a allow hosts or deny hosts entry in the smb.conf file and neglecting to allow "localhost" access to the smbd.
In addition, the smbpasswd command is only useful if Samba has been set up to use encrypted passwords.
This code allows users to change their passwords via an expect script. The module requires the expect program and a telnet or ssh program. You may need to change some of the expect patterns in passwd-expect such as the badpassword_string or success_string (as only two examples).
For security reasons, it is generally suggested to use ssh rather than telnet for the transport, if possible.
This code allows users to change their passwords via the PHP PECL expect extension. It requires the PECL expect extension and a ssh program.
You can find the extension on http://pecl.php.net/package/expect
If you encounter problems with Passwd, help is available!
The Horde Frequently Asked Questions List (FAQ), available on the Web at
The Horde Project runs a number of mailing lists, for individual applications and for issues relating to the project as a whole. Information, archives, and subscription information can be found at
Lastly, Horde developers, contributors and users may also be found on IRC, on the channel #horde on the Freenode Network (irc.freenode.net).
Please keep in mind that Passwd is free software written by volunteers. For information on reasonable support expectations, please read
Thanks for using Passwd!
The Passwd team