  #1  
Old 13th October 2009, 12:15
voltron81 voltron81 is offline
Senior Member
 
Join Date: Sep 2009
Posts: 292
Thanks: 1
Thanked 4 Times in 3 Posts
Default How to setup the plugin change password of Roundcube with ISPConfig3

Hi to everybody,
I'm trying to add the Roundcube 0.3 plugin that allows the customer to change the password.
Basically, with this plugin the customer has to write the old password and the new password.
I changed the database, but I don't know the encryption that ISPConfig is using for the password.
Searching the forum, I discovered that ISPConfig is using a crypt md5 encryption with salt, and the salt is a random 8 character value.

So first of all I'll cancel the part concerning the "old password", so I simplify the configuration.

Analyzing the passwords, I noticed that the first 3 characters are always the same ($1$)

Searching the internet, I found this tutorial for SquirrelMail: http://www.howtoforge.com/how-to-con...onfig-3-server

Trying this command in mysql:
Code:
SELECT SUBSTRING(PASSWORD, 4, 8) FROM mail_user WHERE email = "my@email";
I'll have the next 8 characters of the password.

After that the next character will be $.

How can I find the encryption for the other 22 characters?

Thanks a lot
Michele

Last edited by voltron81; 13th October 2009 at 14:48.
  #2  
Old 13th October 2009, 15:00
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts
Default

The SQL command you used is wrong. You have to fetch the complete password, as the first part is also part of the password. The encoding that is used is a crypt-md5 encoding with salt, as it is used for passwords in Linux distributions, e.g. in /etc/passwd too.

The PHP manual describes how to create these passwords:

http://de3.php.net/manual/en/function.crypt.php
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 14th October 2009, 10:44
voltron81 voltron81 is offline
Senior Member
 
Join Date: Sep 2009
Posts: 292
Thanks: 1
Thanked 4 Times in 3 Posts
Default

Hi Till,
thanks for your answer.
Ok the encryption is crypt-md5.
There are a couple of things that I didn't get.

1) What exactly is the string that we are going to encrypt with crypt-md5? It is for sure not only the password, but it must be also the email address.

2) Is it possible to do the crypt-md5 encryption with MySQL? I think it is not possible. In that case, how can I change the configuration file of this Roundcube plugin?
I'll attach this configuration file:
Code:
<?php

// Password Plugin options
// -----------------------
// A driver to use for password change. Default: "sql".
$rcmail_config['password_driver'] = 'sql';

// Determine whether current password is required to change password.
// Default: false.
$rcmail_config['password_confirm_current'] = true;


// SQL Driver options
// ------------------
// PEAR database DSN for performing the query. By default
// Roundcube DB settings are used.
$rcmail_config['password_db_dsn'] = 'mysql://user:password@localhost/dbispconfig';

// The SQL query used to change the password.
// The query can contain the following macros that will be expanded as follows:
//      %p is replaced with the plaintext new password
//      %c is replaced with the crypt version of the new password, MD5 if available
//         otherwise DES.
//      %o is replaced with the password before the change
//      %n is replaced with the hashed version of the new password
//      %q is replaced with the hashed password before the change
//      %h is replaced with the imap host (from the session info)
//      %u is replaced with the username (from the session info)
//      %l is replaced with the local part of the username

//      %d is replaced with the domain part of the username
//         (in case the username is an email address)
// Escaping of macros is handled by this module.
// Default: "SELECT update_passwd(%c, %u)"
$rcmail_config['password_query'] = 'UPDATE mail_user SET password=%p WHERE email=%u AND password=%o LIMIT 1';

// Using a password hash for %n and %q variables.
// Determine which hashing algorithm should be used to generate
// the hashed new and current password for using them within the
// SQL query. Requires PHP's 'hash' extension.
$rcmail_config['password_hash_algorithm'] = 'sha1';

// You can also decide whether the hash should be provided
// as hex string or in base64 encoded format.
$rcmail_config['password_hash_base64'] = false;


// Poppassd Driver options
// -----------------------
// The host which changes the password
$rcmail_config['password_pop_host'] = 'localhost';

// TCP port used for poppassd connections
$rcmail_config['password_pop_port'] = 106;


// SASL Driver options
// -------------------
// Additional arguments for the saslpasswd2 call
$rcmail_config['password_saslpasswd_args'] = '';


// LDAP Driver options
// -------------------
// LDAP server name to connect to.
// You can provide one or several hosts in an array in which case the hosts are tried from left to right.
// Exemple: array('ldap1.exemple.com', 'ldap2.exemple.com');
// Default: 'localhost'
$rcmail_config['password_ldap_host'] = 'localhost';

// LDAP server port to connect to
// Default: '389'
$rcmail_config['password_ldap_port'] = '389';

// TLS is started after connecting
// Using TLS for password modification is recommanded.
// Default: false
$rcmail_config['password_ldap_starttls'] = false;

// LDAP version
// Default: '3'
$rcmail_config['password_ldap_version'] = '3';

// LDAP base name (root directory)
// Exemple: 'dc=exemple,dc=com'
$rcmail_config['password_ldap_basedn'] = 'dc=exemple,dc=com';

// LDAP connection method
// There is two connection method for changing a user's LDAP password.
// 'user': use user credential (recommanded, require password_confirm_current=true)
// 'admin': use admin credential (this mode require password_ldap_adminDN and password_ldap_adminPW)
// Default: 'user'
$rcmail_config['password_ldap_method'] = 'user';

// LDAP Admin DN
// Used only in admin connection mode
// Default: null
$rcmail_config['password_ldap_adminDN'] = null;

// LDAP Admin Password
// Used only in admin connection mode
// Default: null
$rcmail_config['password_ldap_adminPW'] = null;

// LDAP user DN mask
// The user's DN is mandatory and as we only have his login,
// we need to re-create his DN using a mask
// '%login' will be replaced by the current roundcube user's login
// '%name' will be replaced by the current roundcube user's name part
// '%domain' will be replaced by the current roundcube user's domain part
// Exemple: 'uid=%login,ou=people,dc=exemple,dc=com'
$rcmail_config['password_ldap_userDN_mask'] = 'uid=%login,ou=people,dc=exemple,dc=com';
// LDAP password hash type
// Standard LDAP encryption type which must be one of: crypt,
// ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear.
// Please note that most encodage types require external libraries
// to be included in your PHP installation, see function hashPassword in drivers/ldap.php for more info.
// Default: 'crypt'
$rcmail_config['password_ldap_encodage'] = 'crypt';

// LDAP password attribute
// Name of the ldap's attribute used for storing user password
// Default: 'userPassword'
$rcmail_config['password_ldap_pwattr'] = 'userPassword';

// LDAP password force replace
// Force LDAP replace in cases where ACL allows only replace not read
// See http://pear.php.net/package/Net_LDAP2/docs/latest/Net_LDAP2/Net_LDAP2_Entry.html#methodreplace
// Default: true
$rcmail_config['password_ldap_force_replace'] = true;


// DirectAdmin Driver options
// --------------------------
// The host which changes the password
$rcmail_config['password_directadmin_host'] = 'localhost';

// TCP port used for DirectAdmin connections
$rcmail_config['password_directadmin_port'] = 2222;

?>
Thanks for your help
Michele
  #4  
Old 14th October 2009, 10:50
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 34,586
Thanks: 792
Thanked 4,983 Times in 3,903 Posts
Default

1) It is just the password and not the email address.
2) mysql is not able to create crypt-md5 password. I posted you the link above that explains in the php-manual how to encode passwords with crypt-md5, the first post in the comments contains a complete encryption function.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
The Following User Says Thank You to till For This Useful Post:
spanish (11th January 2010)
  #5  
Old 14th October 2009, 10:52
voltron81 voltron81 is offline
Senior Member
 
Join Date: Sep 2009
Posts: 292
Thanks: 1
Thanked 4 Times in 3 Posts
Default

As I read in the link that you suggested, the encryption string should be something like crypt-md5crypt('password', '$1$emailaddress$')
But I don't know how to put this command into the configuration file of this plugin, as this encryption is not working with mysql and I cannot put it into the mysql command.

Thanks
Michele
  #6  
Old 14th October 2009, 11:46
voltron81 voltron81 is offline
Senior Member
 
Join Date: Sep 2009
Posts: 292
Thanks: 1
Thanked 4 Times in 3 Posts
Default

Ok, I tried this simple PHP script and it is working:
Code:
<?php
$password = crypt('password' , '$1$my@email$');
print $password . " is the CRYPT-MD5 version of mypassword<br>";
?>
Basically I've copied the result of this script and pasted it into the dbispconfig database, and it is working.
The problem now is to add this script to the Roundcube plugin.

I tried to add something like that:
Code:
$passwd = crypt(%p , %u);
$rcmail_config['password_query'] = 'UPDATE mail_user SET password=$passwd WHERE email=%u LIMIT 1';
but I have an error (white screen).

Any suggestion?
Thanks
Michele
  #7  
Old 14th October 2009, 12:51
voltron81 voltron81 is offline
Senior Member
 
Join Date: Sep 2009
Posts: 292
Thanks: 1
Thanked 4 Times in 3 Posts
Default

Ok I solved it.
Basically I created a new macro in /roundcube/plugins/password/drivers/sql.php where I'm doing the encryption and in the config file of the plugin I'll just use the result of that macro...
Thanks
Michele
  #8  
Old 31st January 2010, 15:12
rak rak is offline
Junior Member
 
Join Date: Jan 2010
Location: Hungary
Posts: 1
Thanks: 0
Thanked 2 Times in 1 Post
Default feedback

In roundcube/plugins/password/config.inc.php change code to this:

Code:
$rcmail_config['password_query'] = 'UPDATE mail_user SET password=%r WHERE email=%u LIMIT 1';
In roundcube/plugins/password/drivers/sql.php add a new macro (I added it after %o on line 90):

Code:
$sql = str_replace('%r', $db->quote(crypt($passwd,$_SESSION['username'])), $sql);
Worked for me, but only the crypt() function is used, so the format of the password wouldn't be "$1$lGr|wp|f$NU.MEUHPCGqBGIcDZSi321" anymore. Maybe somebody has a suggestion for the right macro ?!

Last edited by rak; 31st January 2010 at 15:46.
The Following 2 Users Say Thank You to rak For This Useful Post:
falko (1st February 2010), Samgarr (25th February 2011)
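
The hash format this thread is working toward (`$1$`, an 8-character random salt, `$`, then the digest), as an added PHP example that is not code from any of the posts, Roundcube or ISPConfig; the function names `crypt_md5_hash` and `crypt_verify` and the sample values are hypothetical. It also shows that a salt without the `$1$` prefix, such as a bare e-mail address, does not select MD5.

```php
<?php
// Added example: hypothetical helper names; not Roundcube or ISPConfig code.

// Characters that crypt(3) accepts in a salt.
const CRYPT_SALT_CHARS = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

/** Build a crypt-md5 hash: "$1$" + 8 random salt chars + "$" + digest. */
function crypt_md5_hash(string $plaintext): string
{
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        // random_int() draws from the OS CSPRNG, so the salt is unpredictable.
        $salt .= CRYPT_SALT_CHARS[random_int(0, strlen(CRYPT_SALT_CHARS) - 1)];
    }
    $hash = crypt($plaintext, '$1$' . $salt . '$');
    // Refuse to store anything that is not in the expected "$1$" format.
    if (strlen($hash) !== 34 || strncmp($hash, '$1$', 3) !== 0) {
        throw new RuntimeException('crypt() did not return a crypt-md5 hash');
    }
    return $hash;
}

/** Check a candidate password against a stored crypt() hash. */
function crypt_verify(string $candidate, string $stored): bool
{
    // Passing the stored hash as the salt makes crypt() reuse its scheme and
    // salt; hash_equals() compares the two strings in constant time.
    return hash_equals($stored, crypt($candidate, $stored));
}

// Constructed sample values, not taken from any real account.
$stored = crypt_md5_hash('correct horse');
echo $stored, "\n";
var_dump(crypt_verify('correct horse', $stored));
var_dump(crypt_verify('wrong guess', $stored));

// A salt that lacks the "$1$" prefix does not select the MD5 scheme, so the
// result is not in the format stored in mail_user.password.
$other = crypt('correct horse', 'user@example.com');
var_dump(strncmp($other, '$1$', 3) === 0);
```

In the `%r` macro from the post above, this corresponds to passing `'$1$' . $salt . '$'` rather than `$_SESSION['username']` as the second argument of `crypt()`.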
  #9  
Old 24th February 2011, 23:27
Samgarr Samgarr is offline
Junior Member
 
Join Date: Jun 2010
Posts: 14
Thanks: 3
Thanked 0 Times in 0 Posts
Default

Hi,
I configured the plugin according to rak's post but the password does not change. Any ideas? Thanks!
/logs/error
Code:
[24-Feb-2011 22:14:56] MDB2 Error: syntax error (-2): _doQuery: [Error message: Could not execute statement]
[Last executed query: UPDATE mail_user SET password=%r WHERE email='admin@samtech.cz' LIMIT 1]
[Native code: 1064]
[Native message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%r WHERE email=$
  #10  
Old 27th February 2011, 13:40
Samgarr Samgarr is offline
Junior Member
 
Join Date: Jun 2010
Posts: 14
Thanks: 3
Thanked 0 Times in 0 Posts
 
Default

Nobody knows? It is very important to me, thanks!