Since I got no response on the PAM method, I tried the chpasswd method.
After much research, trial and error, and the like, I did get it to work.
Here are the instructions to save future researchers the trouble:
1) enable password function
vi /var/www/html/roundcube/config/config.inc.php
- alter the following line as follows:
$config['plugins'] = array('password');
cd /var/www/html/roundcube/plugins/password
cp config.inc.php.dist config.inc.php
2) enable the password plugin
cd /var/www/html/roundcube/plugins/password
cp config.inc.php.dist config.inc.php
vi config.inc.php
- alter the following as follows:
$config['password_driver'] = 'chpasswd';
3) allow apache to run the script
visudo
- add to bottom
Defaults:apache !requiretty
apache ALL=(root) NOPASSWD: /usr/sbin/chpass-wrapper.py
4) add blacklisted users and minimum UID below
vi /var/www/html/roundcube/plugins/password/helpers/chpass-wrapper.py
BLACKLIST = (
# add blacklisted users here comma separated
'root'
)
if user.pw_uid < 494:
sys.exit('Changing the password for user id < 494 is forbidden')
5) copy the helper to executable directory & set make it executable
cp /var/www/html/roundcube/plugins/password/helpers/chpass-wrapper.py /usr/sbin
chmod 755 /usr/sbin/chpass-wrapper.py
6) alter the driver to run the helper which in turn runs the driver (wraps it)
vi /var/www/html/roundcube/plugins/password/config.inc.php
old:
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2> /dev/null';
new:
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpass-wrapper.py 2> /dev/null';
