Mention how to reset user password with scripts shipped in iRedAdmin-Pro.

Zhang Huangbin 2017-04-11 10:12:08 +08:00
parent 2f6c71e46d
commit 896c9f504f
2 changed files with 126 additions and 54 deletions


@ -1,53 +1,89 @@
# Reset user password
> * SSHA512 is recommended for SQL backends, don't use MD5 unless you have a reason.
> * BCRYPT is recommended for SQL backens on BSD systems.
[TOC]
With MySQL or PostgreSQL backends, you can generate a password hash with
`openssl` or `doveadm` command first, then replace old one with this newly
generated one.
## Reset password with SQL/LDAP command line
For example: generate a SSHA512 password hash with `doveadm`:
### Generate password hash for new password
Storing password in plain text is dangerous, so we need to hash the password.
In case the SQL/LDAP database was leaked/cracked, cracker still need some time
to decode the password hash to get plain password, this will give you some
time to reset password to prevent mail message leak.
> * SSHA512 is recommended on Linux systems.
> * BCRYPT is recommended on BSD systems.
> * MD5 is not safe, DO NOT USE IT no matter what reasons you have.
To generate password hash for new password, please use `doveadm` command. For
example: generate a SSHA512 password hash:
```
$ doveadm pw -s 'ssha512' -p '123456'
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
```
To generate a salted MD5 password hash, you can use `doveadm` or `openssl`:
### SQL backends
```
# doveadm pw -s 'MD5' -p '123456' | awk -F'{MD5}' '{print $2}'
$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0
# openssl passwd -1 123456
$1$fnWOb5X8$Ed6FYg9CLuWuUQplnwOQK/
```
> __Important note__: SOGo groupware doesn't support salted MD5 hash without a
> prefix, so if you're going to use MD5 password hash with SOGo,
> please prepend `{CRYPT}` prefix in password hash. For example,
> `{CRYPT}$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0`.
* Reset password for user `user@domain.ltd`:
To reset password for user `user@domain.ltd`, please login to SQL server as
either SQL root user or `vmailadmin` user (note: sql user `vmail` has read-only
privilege to `vmail` database, so you cannot use it to change user password):
```
sql> USE vmail;
sql> UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';
```
### LDAP backends
With OpenLDAP backend, you can reset it with `ldapvi`, phpLDAPadmin or other
LDAP client tools. `SSHA512` is recommended, but if you have some application
which needs to perform authentication with ldap dn directly, then `SSHA` is
preferred.
It's ok to use plain password temporarily, then login to Roundcube webmail
or iRedAdmin-Pro (with self-service enabled) to reset password immediately.
For example:
## Reset password with scripts shipped in iRedAdmin-Pro
### Reset password for one user
iRedAdmin-Pro ships script `tools/reset_user_password.py` to help you reset
one user's password. For example, on CentOS 7 (iRedAdmin is installed under
`/var/www/iredadmin`):
```
sql> USE vmail;
sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='user@domain.ltd';
cd /var/www/iredadmin/tools/
python reset_user_password.py user@domain.ltd '123456'
```
Sample output:
```
[user@domain.ltd] Password has been reset.
```
### Reset passwords for multiple users with a CSV file
If you need to update many users' passwords, another way is resetting passwords
with script shipped in iRedAdmin-Pro: `tools/update_password_in_csv.py`. It
reads the user email addresses and NEW passwords from a CSV file.
The content is CSV file is:
```
<email> <new_password>
```
One mail user (and new password) per line. For example, file `new_passwords.csv`:
```
user1@domain.com pF4mTq4jaRzDLlWl
user2@domain.com SPhkTUlZs1TBxvmJ
user3@domain.com 8deNR8IBLycRujDN
```
Then run script with this file:
```
python update_password_in_csv.py new_passwords.csv
```
## See also
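Review bot: the new blockquote item `MD5 is not safe, DO NOT USE IT no matter what reasons you have.` contradicts the rest of this hunk, which still walks the reader through generating a salted MD5 hash with `doveadm pw -s 'MD5' -p '123456'` and `openssl passwd -1 123456` and keeps the SOGo `{CRYPT}` prefix note for MD5 hashes; either drop that MD5 block or label it as legacy guidance for existing deployments so the page does not forbid something and then show how to do it two paragraphs later. Smaller points in the same hunk: `The content is CSV file is:` should read `The content of the CSV file is:`; the format line `<email> <new_password>` is space-separated rather than comma-separated, so say so explicitly (or call it a plain text file) so readers do not add commas; and because `python reset_user_password.py user@domain.ltd '123456'` passes the new password as a command-line argument and `new_passwords.csv` holds plaintext passwords on disk, the section should advise restricting the file's permissions and deleting it once the script has finished.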


@ -20,50 +20,86 @@
<p><a href="./reset.user.password-zh_CN.html">简体中文</a> /</p>
</div>
<h1 id="reset-user-password">Reset user password</h1>
<div class="toc">
<ul>
<li><a href="#reset-user-password">Reset user password</a><ul>
<li><a href="#reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</a><ul>
<li><a href="#generate-password-hash-for-new-password">Generate password hash for new password</a></li>
<li><a href="#sql-backends">SQL backends</a></li>
<li><a href="#ldap-backends">LDAP backends</a></li>
</ul>
</li>
<li><a href="#reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin-Pro</a><ul>
<li><a href="#reset-password-for-one-user">Reset password for one user</a></li>
<li><a href="#reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</a></li>
</ul>
</li>
<li><a href="#see-also">See also</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</h2>
<h3 id="generate-password-hash-for-new-password">Generate password hash for new password</h3>
<p>Storing password in plain text is dangerous, so we need to hash the password.
In case the SQL/LDAP database was leaked/cracked, cracker still need some time
to decode the password hash to get plain password, this will give you some
time to reset password to prevent mail message leak.</p>
<blockquote>
<ul>
<li>SSHA512 is recommended for SQL backends, don't use MD5 unless you have a reason.</li>
<li>BCRYPT is recommended for SQL backens on BSD systems.</li>
<li>SSHA512 is recommended on Linux systems.</li>
<li>BCRYPT is recommended on BSD systems.</li>
<li>MD5 is not safe, DO NOT USE IT no matter what reasons you have.</li>
</ul>
</blockquote>
<p>With MySQL or PostgreSQL backends, you can generate a password hash with
<code>openssl</code> or <code>doveadm</code> command first, then replace old one with this newly
generated one.</p>
<p>For example: generate a SSHA512 password hash with <code>doveadm</code>:</p>
<p>To generate password hash for new password, please use <code>doveadm</code> command. For
example: generate a SSHA512 password hash:</p>
<pre><code>$ doveadm pw -s 'ssha512' -p '123456'
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
</code></pre>
<p>To generate a salted MD5 password hash, you can use <code>doveadm</code> or <code>openssl</code>:</p>
<pre><code># doveadm pw -s 'MD5' -p '123456' | awk -F'{MD5}' '{print $2}'
$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0
# openssl passwd -1 123456
$1$fnWOb5X8$Ed6FYg9CLuWuUQplnwOQK/
</code></pre>
<blockquote>
<p><strong>Important note</strong>: SOGo groupware doesn't support salted MD5 hash without a
prefix, so if you're going to use MD5 password hash with SOGo,
please prepend <code>{CRYPT}</code> prefix in password hash. For example,
<code>{CRYPT}$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0</code>.</p>
</blockquote>
<ul>
<li>Reset password for user <code>user@domain.ltd</code>:</li>
</ul>
<h3 id="sql-backends">SQL backends</h3>
<p>To reset password for user <code>user@domain.ltd</code>, please login to SQL server as
either SQL root user or <code>vmailadmin</code> user (note: sql user <code>vmail</code> has read-only
privilege to <code>vmail</code> database, so you cannot use it to change user password):</p>
<pre><code>sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';
</code></pre>
<h3 id="ldap-backends">LDAP backends</h3>
<p>With OpenLDAP backend, you can reset it with <code>ldapvi</code>, phpLDAPadmin or other
LDAP client tools. <code>SSHA512</code> is recommended, but if you have some application
which needs to perform authentication with ldap dn directly, then <code>SSHA</code> is
preferred.</p>
<p>It's ok to use plain password temporarily, then login to Roundcube webmail
or iRedAdmin-Pro (with self-service enabled) to reset password immediately.
For example:</p>
<pre><code>sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET password='{PLAIN}123456' WHERE username='user@domain.ltd';
<h2 id="reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin-Pro</h2>
<h3 id="reset-password-for-one-user">Reset password for one user</h3>
<p>iRedAdmin-Pro ships script <code>tools/reset_user_password.py</code> to help you reset
one user's password. For example, on CentOS 7 (iRedAdmin is installed under
<code>/var/www/iredadmin</code>):</p>
<pre><code>cd /var/www/iredadmin/tools/
python reset_user_password.py user@domain.ltd '123456'
</code></pre>
<p>Sample output:</p>
<pre><code>[user@domain.ltd] Password has been reset.
</code></pre>
<h3 id="reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</h3>
<p>If you need to update many users' passwords, another way is resetting passwords
with script shipped in iRedAdmin-Pro: <code>tools/update_password_in_csv.py</code>. It
reads the user email addresses and NEW passwords from a CSV file.</p>
<p>The content is CSV file is:</p>
<pre><code>&lt;email&gt; &lt;new_password&gt;
</code></pre>
<p>One mail user (and new password) per line. For example, file <code>new_passwords.csv</code>:</p>
<pre><code>user1@domain.com pF4mTq4jaRzDLlWl
user2@domain.com SPhkTUlZs1TBxvmJ
user3@domain.com 8deNR8IBLycRujDN
</code></pre>
<p>Then run script with this file:</p>
<pre><code>python update_password_in_csv.py new_passwords.csv
</code></pre>
<h2 id="see-also">See also</h2>
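Review bot: this HTML is generated from the Markdown and inherits its defects, namely the typo in `<p>The content is CSV file is:</p>` and the contradiction between `<li>MD5 is not safe, DO NOT USE IT no matter what reasons you have.</li>` and the salted MD5 examples that follow it, so fix the Markdown source and regenerate rather than patching this file by hand. Also, the header links to `./reset.user.password-zh_CN.html`, but only two files change in this commit, so the Simplified Chinese page does not receive the new "Reset password with scripts shipped in iRedAdmin-Pro" section; either update the translation in the same change or note on the English page that the zh_CN version lags behind.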