Since I got no response on the PAM method, I tried the chpasswd method.
After much research, trial and error, and the like, I did get it to work.
Here are the instructions to save future researchers the trouble:
1) enable password function
vi /var/www/html/roundcube/config/config.inc.php
- alter the following line as follows:
$config['plugins'] = array('password');
cd /var/www/html/roundcube/plugins/password
cp config.inc.php.dist config.inc.php
2) enable the password plugin
cd /var/www/html/roundcube/plugins/password
cp config.inc.php.dist config.inc.php
vi config.inc.php
- alter the following as follows:
$config['password_driver'] = 'chpasswd';
3) allow apache to run the script
visudo
- add to bottom
Defaults:apache !requiretty
apache ALL=(root) NOPASSWD: /usr/sbin/chpass-wrapper.py
4) add blacklisted users and minimum UID below
vi /var/www/html/roundcube/plugins/password/helpers/chpass-wrapper.py
BLACKLIST = (
# add blacklisted users here comma separated
'root'
)
if user.pw_uid < 494:
sys.exit('Changing the password for user id < 494 is forbidden')
5) copy the helper to executable directory & set make it executable
cp /var/www/html/roundcube/plugins/password/helpers/chpass-wrapper.py /usr/sbin
chmod 755 /usr/sbin/chpass-wrapper.py
6) alter the driver to run the helper which in turn runs the driver (wraps it)
vi /var/www/html/roundcube/plugins/password/config.inc.php
old:
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpasswd 2> /dev/null';
new:
$config['password_chpasswd_cmd'] = 'sudo /usr/sbin/chpass-wrapper.py 2> /dev/null';
Thanks for helping the community by posting this. Too many people ask questions, but never post back what works, thereby perpetuating the issues.
Password plugins can be tricky to configure, in part because everyone's systems are different, and what works for one person may not be quite right for someone else's very similar system. But your how-to may help someone figure out a way to make it work.