squirrelmail-1.4.20-0.RC2.2mdv2010.0.noarch.rpm

Change LDAP Password plugin for SquirrelMail
--------------------------------------------

This is a SquirrelMail plugin to change
a user's password which is stored in an LDAP database
(in a posixAccount objectClass)
and optionally to synchronise the password change in
Samba's smbpasswd (encrypted password) file.
For smbpasswd to be updated, you must supply the
path to the smbpasswd executable (usually in /usr/bin).

An LDAP database can be used to keep user authentication and other descriptive
data for email and samba accounts (or any UNIX services requiring
authentication for that matter). On our site we keep Unix service
accounts in the traditional passwd/shadow files, but user accounts are stored
in LDAP. An extra 'ldap' entry in nsswitch.conf (in conjunction with the
nss/pam_ldap library) means you can authenticate imap and samba users against
the LDAP database. This becomes a single sign on db for all UNIX services used
by your users.
The only thing you can't store in LDAP (as of mid 2001) with the production
version of Samba is the encrypted passwords normally stored in /etc/smbpasswd.
These are manually synced using the smbpasswd client/server utility.

It is possible now to tell samba to store everything in LDAP. This code
does not yet support native changing of LM and NT password fields in an LDAP 
database, but, by using PAM, and pam_ldap.so in the samba PAM file it should
be possible to do this using the smbpasswd utility.

SAMBA PASSWORDS
---------------
Information about the password format is taken from this Linux Journal article:
http://www2.linuxjournal.com/article/2717

LanManager-style hashes are generated using this algorithm:
1. Convert the password entered by a user to all capitals.
2. Either truncate the resulting password to 14 characters if it is longer, or 
   pad the password with null bytes if it is shorter than 14 characters.
3. Use this 14-byte value as two 56-bit DES keys to encrypt a secret 8-byte 
   value twice, creating a 16-byte value. This value is the hashed password 
   which is stored in the password file. This secret value is a string 
   consisting of the characters KGS!@#$%.

The NT hashing algorithm consists of computing a 128-bit MD4 hash of a Unicode 
version of the user's password. Another source 
(http://users.tkk.fi/~ekoivune/Studies/Tik-110.452/II_pwd.html) mentions that 
there are NTLM_v1 and NTLM_v2 passwords.

An MD4 hash can be calculated with the mhash extension. The 56-bit DES
encryption might be done with the mcrypt extension.

CONTRIBUTIONS
-------------
Portions of code, ideas, suggestions and bug fixes have been posted by:
* Simon Annetts (Original Author)
* Matt Butcher
* Henrique de Moraes Holschuh
* David Hall
* Martin Bartosch
* Artemios G. Voyiatzis
* Todd Lyons
* Greg Schueler 
* Beñat
* Georg Lehner 
* Ray Ferguson
* Maciej Skalski
* Marcio Merlone 
* Fernando Maior

 Apologies if I've missed anyone :-)

CHANGE LOG
----------
ver 2.2 2007-07-29
- Updated Lithuanian translation.
- 2.2-rc1 code released as 2.2.

ver 2.2-rc1 2007-07-22
- Added PHP Crack support.
- Fixed escapes in detection of allowed password symbols. Thanks to Zend Studio.
- config.php.sample renamed to config_sample.php.
- Added Dutch translation by Tony den Haan. Closes SquirrelMail bug tracker (#1692115).
- Added mkntpwd sources.
- Samba-LDAP passwords are changed only when user entry supports Samba 
  objectclass attributes. Thanks to Andrés Tarallo.
- smbpasswd command updated to Samba 3.0.5+ smbpasswd syntax. Thanks to Tom Olson.
- smbpasswd return code is used to detect status of operation instead of
  reading last line. Fixes invalid evaluation of smbpasswd output.
- Configuration file is loaded with include_once.
- Detect ldap filters enclosed in parenthesis. Thanks to Cleber P. de Souza.

ver 2.1 2007-01-20
- Non-maintainer upload. Closes SquirrelMail bug tracker (#1606152).
- Added $ldap_filter option.
- Don't use 'None' mailbox name in displayPageHeader() function calls.

ver 2.0 2006-10-07
- Non-maintainer upload designed to fix LDAP bind protocol and compatibility
  plugin issues. Closes SquirrelMail bug trackers #1255733, #1562911, #1567110.
  Thanks to cubito@users.sourceforge.net, spectroman@users.sourceforge.net and
  lotabi@users.sourceforge.net.
- This plugin version is licensed under GPL. Older versions used BSD license.
- Removed dependency on compatibility plugin. Minimal required SquirrelMail 
  version increased to 1.4.0.
- Added LDAP bind protocol version controls.
- Removed pound symbol and space from list of allowed password characters.

ver 1.8 12/12/04
-Added no_NO, el_GR, fr_FR locales
-Added patch from Joerg Pulz which corrects and extends samba password support
-Fixed some sloppy translation strings.  This will break some previously translated debug text.
-Fixed general i18n crappiness, I think.
-Minor additions config.php.sample. See comments in the file.
-Bumped version / tested against 1.4.3a

ver 1.7 3/5/04
-I've been sitting on this for four months.  Sorry about that. I
 requested some folks actually test the features they requested 
 and of course no one replied and of course I forgot all about it
 while waiting.  Bummer. This may be the last release if we manage
 to make the super secret combined change password plugin.  Anyway...
 we'll see.  I'm considering adding cracklib support too.  Anyway.
 It lives, enjoy.

ver 1.7-rc2 12/1/03 10:00
-duh.

ver 1.7-rc1 12/1/03 9:30
-change ldap_sha_passwd function to leverage php sha1 builtin if you
 are using php>=4.3.0.  You now have a choice for sha & ssha support.
 Use php with compiled in mhash libraries or php>=4.3.0. 
-added support for LanManager or NT compatible passwords in ldap.
 requires mkntpwd http://www.samba.org/cgi-bin/cvsweb/samba/examples/LDAP/smbldap-tools/mkntpwd/
-added pt_BR locale
-added support for ssha encryption.
-fixed bug w/ bind as manager. We now bind before looking up dn which 
 allows us to work on systems that do not allow anon query.
-odds and ends, some stuff, and some things.


Ver 1.6 July 26 2003 - SMD5 support and polish gettext translation file.

Ver 1.5 May 11, 2003 - Fix Squirrelmail-1.4.0 compatibility, etc.
NEW MAINTAINER: Ray Ferguson, foo@share-foo.com
Made minor changes for 1.4.0 compatibility, now requires compatibility plugin.
Changed action on successful password change. 
  Now reports success without redirecting to options.
Merged internationalization from Georg Lehner
Minor bug fixes and documentation changes.


Simon Annetts, simon@ateb.co.uk
Ver 1.4, Jan 09 2002 - Fix a security vulnerability with smbpasswd and added clear text
password support.


Simon Annetts, simon@ateb.co.uk
Ver 1.3, Oct 29 2002 - Changed autodetect to be extensible and fixed bugs.

Changed password detection to support salted DES, MD5 and BLOWFISH as well as 
unsalted MD5 and SHA. Unsalted MD5 and SHA are *untested* by me but based on other
users' code. Please give me feedback on their fitness....
Fixed bugs pointed out by other people.
Improved binding techniques, - we bind anonymously to get the user's dn, then bind
as the user.
Removed global variables for SQM 1.2.8

Simon Annetts, simon@ateb.co.uk
Ver 1.2, Apr 15 2002 - Added MD5 password support with autodetect.

Added code necessary to support MD5 passwords as well as original crypt passwords.
Autodetection is done by looking at the length of the password and the first three
characters (should always be $1$ for MD5).


Simon Annetts, simon@ateb.co.uk
Ver 1.1, Nov 16 2001 - Changed authentication options.

Added an option which selects whether to bind to the LDAP server as manager
or as the current user before attempting to change the password.


Simon Annetts, simon@ateb.co.uk
Ver 1.0, Feb 23 2001 - Initial Version