Mention how to reset user password with scripts shipped in iRedAdmin-Pro.
parent 2f6c71e46d
commit 896c9f504f
|
@ -1,53 +1,89 @@
|
|||
# Reset user password
|
||||
|
||||
> * SSHA512 is recommended for SQL backends, don't use MD5 unless you have a reason.
|
||||
> * BCRYPT is recommended for SQL backens on BSD systems.
|
||||
[TOC]
|
||||
|
||||
With MySQL or PostgreSQL backends, you can generate a password hash with
|
||||
`openssl` or `doveadm` command first, then replace old one with this newly
|
||||
generated one.
|
||||
## Reset password with SQL/LDAP command line
|
||||
|
||||
For example: generate a SSHA512 password hash with `doveadm`:
|
||||
### Generate password hash for new password
|
||||
|
||||
Storing password in plain text is dangerous, so we need to hash the password.
|
||||
In case the SQL/LDAP database was leaked/cracked, cracker still need some time
|
||||
to decode the password hash to get plain password, this will give you some
|
||||
time to reset password to prevent mail message leak.
|
||||
|
||||
> * SSHA512 is recommended on Linux systems.
|
||||
> * BCRYPT is recommended on BSD systems.
|
||||
> * MD5 is not safe, DO NOT USE IT no matter what reasons you have.
|
||||
|
||||
To generate password hash for new password, please use `doveadm` command. For
|
||||
example: generate a SSHA512 password hash:
|
||||
|
||||
```
|
||||
$ doveadm pw -s 'ssha512' -p '123456'
|
||||
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
|
||||
```
|
||||
|
||||
To generate a salted MD5 password hash, you can use `doveadm` or `openssl`:
|
||||
### SQL backends
|
||||
|
||||
```
|
||||
# doveadm pw -s 'MD5' -p '123456' | awk -F'{MD5}' '{print $2}'
|
||||
$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0
|
||||
|
||||
# openssl passwd -1 123456
|
||||
$1$fnWOb5X8$Ed6FYg9CLuWuUQplnwOQK/
|
||||
```
|
||||
|
||||
> __Important note__: SOGo groupware doesn't support salted MD5 hash without a
|
||||
> prefix, so if you're going to use MD5 password hash with SOGo,
|
||||
> please prepend `{CRYPT}` prefix in password hash. For example,
|
||||
> `{CRYPT}$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0`.
|
||||
|
||||
* Reset password for user `user@domain.ltd`:
|
||||
To reset password for user `user@domain.ltd`, please login to SQL server as
|
||||
either SQL root user or `vmailadmin` user (note: sql user `vmail` has read-only
|
||||
privilege to `vmail` database, so you cannot use it to change user password):
|
||||
|
||||
```
|
||||
sql> USE vmail;
|
||||
sql> UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';
|
||||
```
|
||||
|
||||
### LDAP backends
|
||||
|
||||
With OpenLDAP backend, you can reset it with `ldapvi`, phpLDAPadmin or other
|
||||
LDAP client tools. `SSHA512` is recommended, but if you have some application
|
||||
which needs to perform authentication with ldap dn directly, then `SSHA` is
|
||||
preferred.
|
||||
|
||||
It's ok to use plain password temporarily, then login to Roundcube webmail
|
||||
or iRedAdmin-Pro (with self-service enabled) to reset password immediately.
|
||||
For example:
|
||||
## Reset password with scripts shipped in iRedAdmin-Pro
|
||||
|
||||
### Reset password for one user
|
||||
|
||||
iRedAdmin-Pro ships script `tools/reset_user_password.py` to help you reset
|
||||
one user's password. For example, on CentOS 7 (iRedAdmin is installed under
|
||||
`/var/www/iredadmin`):
|
||||
|
||||
```
|
||||
sql> USE vmail;
|
||||
sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='user@domain.ltd';
|
||||
cd /var/www/iredadmin/tools/
|
||||
python reset_user_password.py user@domain.ltd '123456'
|
||||
```
|
||||
|
||||
Sample output:
|
||||
|
||||
```
|
||||
[user@domain.ltd] Password has been reset.
|
||||
```
|
||||
|
||||
### Reset passwords for multiple users with a CSV file
|
||||
|
||||
If you need to update many users' passwords, another way is resetting passwords
|
||||
with script shipped in iRedAdmin-Pro: `tools/update_password_in_csv.py`. It
|
||||
reads the user email addresses and NEW passwords from a CSV file.
|
||||
|
||||
The content is CSV file is:
|
||||
|
||||
```
|
||||
<email> <new_password>
|
||||
```
|
||||
|
||||
One mail user (and new password) per line. For example, file `new_passwords.csv`:
|
||||
|
||||
```
|
||||
user1@domain.com pF4mTq4jaRzDLlWl
|
||||
user2@domain.com SPhkTUlZs1TBxvmJ
|
||||
user3@domain.com 8deNR8IBLycRujDN
|
||||
```
|
||||
|
||||
Then run script with this file:
|
||||
|
||||
```
|
||||
python update_password_in_csv.py new_passwords.csv
|
||||
```
|
||||
|
||||
## See also
|
||||
|
|
|
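Review bot: The commands under "Generate password hash for new password" and "Reset password for one user" pass the new password as an argument (`doveadm pw -s 'ssha512' -p '123456'`, `python reset_user_password.py user@domain.ltd '123456'`), so it is recorded in shell history and visible in the process list while the command runs. Suggest showing `doveadm pw -s 'ssha512'` without `-p`, which prompts for the password instead, and adding a sentence to the script section telling admins to keep the command out of shell history or to have the user change the password after first login. The rationale paragraph also says an attacker needs time to "decode" the password hash; "crack" is the accurate word, since a salted hash is guessed rather than reversed.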
@ -20,50 +20,86 @@
|
|||
<p><a href="./reset.user.password-zh_CN.html">简体中文</a> /</p>
|
||||
</div>
|
||||
<h1 id="reset-user-password">Reset user password</h1>
|
||||
<div class="toc">
|
||||
<ul>
|
||||
<li><a href="#reset-user-password">Reset user password</a><ul>
|
||||
<li><a href="#reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</a><ul>
|
||||
<li><a href="#generate-password-hash-for-new-password">Generate password hash for new password</a></li>
|
||||
<li><a href="#sql-backends">SQL backends</a></li>
|
||||
<li><a href="#ldap-backends">LDAP backends</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin-Pro</a><ul>
|
||||
<li><a href="#reset-password-for-one-user">Reset password for one user</a></li>
|
||||
<li><a href="#reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="#see-also">See also</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<h2 id="reset-password-with-sqlldap-command-line">Reset password with SQL/LDAP command line</h2>
|
||||
<h3 id="generate-password-hash-for-new-password">Generate password hash for new password</h3>
|
||||
<p>Storing password in plain text is dangerous, so we need to hash the password.
|
||||
In case the SQL/LDAP database was leaked/cracked, cracker still need some time
|
||||
to decode the password hash to get plain password, this will give you some
|
||||
time to reset password to prevent mail message leak.</p>
|
||||
<blockquote>
|
||||
<ul>
|
||||
<li>SSHA512 is recommended for SQL backends, don't use MD5 unless you have a reason.</li>
|
||||
<li>BCRYPT is recommended for SQL backens on BSD systems.</li>
|
||||
<li>SSHA512 is recommended on Linux systems.</li>
|
||||
<li>BCRYPT is recommended on BSD systems.</li>
|
||||
<li>MD5 is not safe, DO NOT USE IT no matter what reasons you have.</li>
|
||||
</ul>
|
||||
</blockquote>
|
||||
<p>With MySQL or PostgreSQL backends, you can generate a password hash with
|
||||
<code>openssl</code> or <code>doveadm</code> command first, then replace old one with this newly
|
||||
generated one.</p>
|
||||
<p>For example: generate a SSHA512 password hash with <code>doveadm</code>:</p>
|
||||
<p>To generate password hash for new password, please use <code>doveadm</code> command. For
|
||||
example: generate a SSHA512 password hash:</p>
|
||||
<pre><code>$ doveadm pw -s 'ssha512' -p '123456'
|
||||
{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=
|
||||
</code></pre>
|
||||
|
||||
<p>To generate a salted MD5 password hash, you can use <code>doveadm</code> or <code>openssl</code>:</p>
|
||||
<pre><code># doveadm pw -s 'MD5' -p '123456' | awk -F'{MD5}' '{print $2}'
|
||||
$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0
|
||||
|
||||
# openssl passwd -1 123456
|
||||
$1$fnWOb5X8$Ed6FYg9CLuWuUQplnwOQK/
|
||||
</code></pre>
|
||||
|
||||
<blockquote>
|
||||
<p><strong>Important note</strong>: SOGo groupware doesn't support salted MD5 hash without a
|
||||
prefix, so if you're going to use MD5 password hash with SOGo,
|
||||
please prepend <code>{CRYPT}</code> prefix in password hash. For example,
|
||||
<code>{CRYPT}$1$TDG8oXHb$6YB9NO5NZaZxku0xv6RsW0</code>.</p>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>Reset password for user <code>user@domain.ltd</code>:</li>
|
||||
</ul>
|
||||
<h3 id="sql-backends">SQL backends</h3>
|
||||
<p>To reset password for user <code>user@domain.ltd</code>, please login to SQL server as
|
||||
either SQL root user or <code>vmailadmin</code> user (note: sql user <code>vmail</code> has read-only
|
||||
privilege to <code>vmail</code> database, so you cannot use it to change user password):</p>
|
||||
<pre><code>sql> USE vmail;
|
||||
sql> UPDATE mailbox SET password='{SSHA512}jOcGSlKEz95VeuLGecbL0MwJKy0yWY9foj6UlUVfZ2O2SNkEExU3n42YJLXDbLnu3ghnIRBkwDMsM31q7OI0jY5B/5E=' WHERE username='user@domain.ltd';
|
||||
</code></pre>
|
||||
|
||||
<h3 id="ldap-backends">LDAP backends</h3>
|
||||
<p>With OpenLDAP backend, you can reset it with <code>ldapvi</code>, phpLDAPadmin or other
|
||||
LDAP client tools. <code>SSHA512</code> is recommended, but if you have some application
|
||||
which needs to perform authentication with ldap dn directly, then <code>SSHA</code> is
|
||||
preferred.</p>
|
||||
<p>It's ok to use plain password temporarily, then login to Roundcube webmail
|
||||
or iRedAdmin-Pro (with self-service enabled) to reset password immediately.
|
||||
For example:</p>
|
||||
<pre><code>sql> USE vmail;
|
||||
sql> UPDATE mailbox SET password='{PLAIN}123456' WHERE username='user@domain.ltd';
|
||||
<h2 id="reset-password-with-scripts-shipped-in-iredadmin-pro">Reset password with scripts shipped in iRedAdmin-Pro</h2>
|
||||
<h3 id="reset-password-for-one-user">Reset password for one user</h3>
|
||||
<p>iRedAdmin-Pro ships script <code>tools/reset_user_password.py</code> to help you reset
|
||||
one user's password. For example, on CentOS 7 (iRedAdmin is installed under
|
||||
<code>/var/www/iredadmin</code>):</p>
|
||||
<pre><code>cd /var/www/iredadmin/tools/
|
||||
python reset_user_password.py user@domain.ltd '123456'
|
||||
</code></pre>
|
||||
|
||||
<p>Sample output:</p>
|
||||
<pre><code>[user@domain.ltd] Password has been reset.
|
||||
</code></pre>
|
||||
|
||||
<h3 id="reset-passwords-for-multiple-users-with-a-csv-file">Reset passwords for multiple users with a CSV file</h3>
|
||||
<p>If you need to update many users' passwords, another way is resetting passwords
|
||||
with script shipped in iRedAdmin-Pro: <code>tools/update_password_in_csv.py</code>. It
|
||||
reads the user email addresses and NEW passwords from a CSV file.</p>
|
||||
<p>The content is CSV file is:</p>
|
||||
<pre><code><email> <new_password>
|
||||
</code></pre>
|
||||
|
||||
<p>One mail user (and new password) per line. For example, file <code>new_passwords.csv</code>:</p>
|
||||
<pre><code>user1@domain.com pF4mTq4jaRzDLlWl
|
||||
user2@domain.com SPhkTUlZs1TBxvmJ
|
||||
user3@domain.com 8deNR8IBLycRujDN
|
||||
</code></pre>
|
||||
|
||||
<p>Then run script with this file:</p>
|
||||
<pre><code>python update_password_in_csv.py new_passwords.csv
|
||||
</code></pre>
|
||||
|
||||
<h2 id="see-also">See also</h2>
|
||||
|
|
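Review bot: In the rendered "Reset passwords for multiple users with a CSV file" section, the file is called CSV but the format line `<email> <new_password>` and the `new_passwords.csv` sample are space-separated, so the page should state the delimiter that `tools/update_password_in_csv.py` actually expects and whether a password containing a space is supported. The file holds the new passwords in plain text, so the section should also tell admins to create it readable only by the operator and to delete it once the script has run. "The content is CSV file is:" should read "The content of the CSV file is:".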