CGIpaf 1.3.1 FAQ

1 Introduction to CGIpaf

2 Installation

3 Common configuration problems

4 Future Plans


1 Introduction

1.1 What is CGIpaf?

cgipaf is a combination of three cgi programs:

  • passwd.cgi: allows users to update their password
  • viewmailcfg.cgi: allows users to view their current mail configuration.
  • mailcfg.cgi: update the mail configuration

All programs use PAM for user authentication. Systems without PAM are only supported if they use the standard password file location (/etc/passwd /etc/shadow) and standard crypt or md5 passwords. If a password is changed, it is possible to run a script to update SAMBA passwords, NIS configuration, etc.

By default the mail configuration is done by procmail: mailcfg.cgi creates a .procmailrc in the user's home directory. If autoreply is enabled, the autoreply message is stored in ~/vacations.txt. When a user enables mail forwarding, the user can choose to keep the messages. If you want to use another auto responder, such as vacation, you can define an external script to update the user's mail configuration. A Perl script with vacation support is included; see examples/ for an example config.

For user authentication, viewmailcfg.cgi creates a cookie, which is stored in the accessdb. mailcfg.cgi reads the cookie from the accessdb and compares it with the cookie sent by the user's browser. Users with too many invalid logins can be locked. The minimum and maximum uid can be set in the configuration file, so you can specify a range of uids that are allowed to use cgipaf. CGIpaf supports access control lists, which allow you to deny or allow access to groups or users.

You can specify html files with a few PHP extensions for the login screen and error messages. It's possible to use a redirect for the error messages, instead of plain html files.

1.2 How secure is CGIpaf

The CGIpaf CGIs are suid root programs, which means they run as root. viewmailcfg.cgi and mailcfg.cgi run as the user once the authentication is completed. All suid programs are a security risk; I try to keep them as secure as possible...

If you use CGIpaf on the internet you must use CGIpaf over https, otherwise the users' passwords are sent unencrypted over the internet.

1.3 Website

I finally got a stable place for my homepage ( http://www.wagemakers.be ).
Thanks to ProcoliX for hosting my site and sponsoring my domain.

The current locations are:

If you're unable to access the website check http://freshmeat.net/projects/cgipaf for the correct location.

1.4 Mailinglist

http://groups.yahoo.com/group/cgipaf/

Post message: cgipaf@yahoogroups.com
Subscribe: cgipaf-subscribe@yahoogroups.com
Unsubscribe: cgipaf-unsubscribe@yahoogroups.com
List owner: cgipaf-owner@yahoogroups.com

1.5 Support

Please post your questions / install problems to the mailinglist. I usually read my private email in the evening after my work, but I follow the mailinglist during the workday, so you'll get the answer faster on the mailinglist. Your problem can be useful to the other CGIpaf users...

1.6 License

CGIpaf is Free software published under the GNU General Public License. See http://www.gnu.org/licenses/gpl.html for more information.


2 Installation

2.1 What platforms are supported?

  • GNU/Linux

    CGIpaf should compile and run on most GNU/Linux distributions. Slackware is only supported if you compile CGIpaf without PAM support since Slackware doesn't support PAM. Both passwd types (standard crypt, md5) are supported on a non-PAM system. Blowfish and others aren't supported.

  • SUN Solaris

    CGIpaf works on Solaris ( only tested on Solaris 8 )

  • FreeBSD

    FreeBSD is supported, but the PAM password updater doesn't seem to work on FreeBSD. Therefore CGIpaf is compiled without PAM support on FreeBSD.

  • NetBSD

    NetBSD is supported.

  • OpenBSD

    Unfortunately OpenBSD isn't supported (yet). I hope to start a port some day.

  • Other

    CGIpaf might work on other Un*ces with PAM support. Systems without PAM support are only supported if they use the standard password file location /etc/passwd /etc/shadow and standard crypt or md5 passwords.

2.2 What libraries are required?

CGIpaf uses only standard libraries that are installed on most common Un*x installations. You need the development packages ( header files etc. ) to compile CGIpaf.

List of required libraries:

  • ndbm, gdbm or compatible library
  • libPAM ( optional )
  • libc ( of course )
  • cracklib ( optional )

2.3 Does CGIpaf depend on PHP?

No! CGIpaf only emulates a few PHP functions ( include and echo ) in its html files.
If you need full PHP support you have to use a redirect.

2.4 Common installation problems

  1. I get a "configure: error: no valid ndbm library found" error message

    CGIpaf depends on ndbm or a compatible library; you need the development files to compile it. If ndbm and the development files aren't installed on your system, install them; look for a gdbm or ndbm package.
    If ndbm isn't installed in a standard location on your system ( e.g. /opt ), try to create symbolic links:


    ln -s /opt/lib/libndbm.so /usr/lib/libndbm.so
    ln -s /opt/include/db1/ndbm.h /usr/include/ndbm.h

    and rerun ./configure

  2. pam development files

    To compile CGIpaf with PAM support you need the PAM development files, which aren't installed on every default installation. Look for a package with a name like *libpam-dev and install it. ( Type apt-get install libpam0g-dev on a Debian GNU/Linux system )

  3. cracklib

    To compile cgipaf with cracklib support you need the libcrack development files... If you've a system with PAM support try to enable cracklib support through PAM (see below).

    On a non-PAM system set "cracklib" to "on" and "cracklib_dictpath" to your cracklib dict path.
    The cracklib_dictpath is the path to the dictionary filename without the extension ( .pwi ), not the directory path.
    The correct dictpath on Debian ( potato and woody ) is /var/cache/cracklib/cracklib_dict , on RedHat 6.2 you'll have to use /usr/lib/cracklib_dict.


3 Common configuration problems

3.1 CGIpaf is unable to update the password

On a non-PAM system cgipaf uses a lock file in /var/lock. If this directory doesn't exist on your system, passwd.cgi will end with a "Can't create lockfile" error. Create /var/lock or update pam.h to your own needs.

3.2 Can I update the SAMBA password?

Yes, passwd.cgi doesn't support SAMBA passwords directly but you can use a "run_success" script.


run_success "/usr/sbin/smbpasswd -U %{name} > /dev/null 2>&1" "%{password}\n%{password}\n"

3.3 Is NIS supported?

CGIpaf doesn't support NIS directly, but it's possible to update the NIS password on the master NIS server and run pwupdate (8) through run_success:


run_success "/usr/lib/yp/pwupdate > /dev/null 2>&1"

3.4 Is ldap supported?

CGIpaf should support ldap through PAM, although I didn't have the time to test it...

3.5 I get an internal server error

This can have several reasons...

If you've enabled cracklib in cgipaf and set the cracklib_dictpath to an invalid location, passwd.cgi will end with an internal server error and an error message in your webserver error log. Try disabling cracklib to see if this resolves the problem; see "How do I enable cracklib password testing".

Another possible reason is a bug or misconfiguration in cgipaf. The error_log of your webserver and the syslog messages ( set loglevel to 7 ) should give more information.

3.6 How do I get debug output?

Set the loglevel to 7 in cgipaf.conf; this will send debug messages to your system's syslog.

3.7 Which authentication methods are supported

CGIpaf supports PAM and standard Un*x password files ( /etc/passwd /etc/shadow ). BSD uses different passwd locations. On a Net|FreeBSD system /etc/passwd_master is updated and copied to pwdb by the pw_mkdb command.
OpenBSD isn't (yet) supported...

3.8 CGIpaf is unable to authenticate?

On a PAM system: CGIpaf needs "auth" and "account" entries in its PAM configuration. If you don't set the pam_service directive, CGIpaf uses the "passwd" service name. The passwd PAM service ( /etc/pam.d/passwd ) usually doesn't have an entry for user authentication, therefore /etc/pam.d/other has to have an auth line set to pam_unix.so.


auth required pam_unix.so
account required pam_unix.so

If you don't like this for security reasons etc., you can set the pam_service directive to "cgipaf" and create the file /etc/pam.d/cgipaf that looks like this:


auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so md5

Or, better, copy your system passwd configuration and add the lines for "auth" and "account".
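
The rule above (a type with no entry in the service file falls back to /etc/pam.d/other) can be checked before you set pam_service. The sh helper below is an added example, not part of CGIpaf; the function names and the sample files are made up for illustration, and it goes slightly beyond the text by also following Debian-style @include lines.

```sh
#!/bin/sh
# Added example: helper names and sample files are made up for illustration.

# Print each rule type (auth, account, password, session) that has an
# entry in FILE. Debian-style "@include name" lines are followed one level,
# relative to FILE's directory; a leading "-" on a type is stripped.
pam_rule_types() {
    dir=$(dirname "$1")
    {
        cat "$1"
        awk '$1 == "@include" { print $2 }' "$1" | while read -r inc; do
            case $inc in /*) p=$inc ;; *) p=$dir/$inc ;; esac
            if [ -r "$p" ]; then cat "$p"; fi
        done
    } | awk 'NF == 0 || $1 ~ /^[#@]/ { next }
             { t = $1; sub(/^-/, "", t); print t }' | sort -u
}

# pam_missing_types FILE TYPE...
# Print the TYPEs without an entry in FILE; return 0 only if none is missing.
pam_missing_types() {
    svc=$1; shift
    [ -r "$svc" ] || { echo "cannot read $svc" >&2; return 2; }
    present=$(pam_rule_types "$svc")
    missing=
    for want in "$@"; do
        printf '%s\n' "$present" | grep -qxF "$want" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: a "passwd" service with only a password entry,
# next to the "cgipaf" service file shown above.
demo=$(mktemp -d)
printf 'password required pam_unix.so md5\n' > "$demo/passwd"
printf 'auth required pam_unix.so\naccount required pam_unix.so\npassword required pam_unix.so md5\n' > "$demo/cgipaf"
for s in passwd cgipaf; do
    printf '%s: missing [%s]\n' "$s" \
        "$(pam_missing_types "$demo/$s" auth account)"
done
rm -rf "$demo"
```

Run pam_missing_types against the file named by pam_service and against /etc/pam.d/other; a type that is missing from both has no module to serve it.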

3.9 How do I enable cracklib password testing?

On a PAM system: CGIpaf should support password testing through PAM. Enable cracklib support in your PAM configuration.

On a non-PAM system you have to set the cracklib directive to "on" and cracklib_dictpath to your system's cracklib dictpath.
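
A wrong cracklib_dictpath is the cause of the internal server error described in 3.5, and the usual mistakes are the ones named in 2.4: giving the directory, or giving the filename with its extension. The sh check below is an added example, not part of CGIpaf; check_dictpath is a made-up name and the sample dictionary consists of empty constructed files.

```sh
#!/bin/sh
# Added example: check_dictpath is a made-up helper, not part of CGIpaf.
# A cracklib dictionary is three files sharing one base name:
# NAME.pwd, NAME.pwi and NAME.hwm. cracklib_dictpath must be that base name.
check_dictpath() {
    p=$1
    if [ -d "$p" ]; then
        echo "$p is a directory, not a dictionary base name"
        for f in "$p"/*.pwi; do
            if [ -e "$f" ]; then echo "candidate: ${f%.pwi}"; fi
        done
        return 1
    fi
    case $p in
        *.pwd|*.pwi|*.hwm)
            echo "drop the extension: ${p%.*}"
            return 1 ;;
    esac
    for ext in pwd pwi hwm; do
        if [ ! -r "$p.$ext" ]; then
            echo "missing or unreadable: $p.$ext"
            return 1
        fi
    done
    echo "ok: $p"
}

# Constructed sample: empty files standing in for a real dictionary.
demo=$(mktemp -d)
touch "$demo/cracklib_dict.pwd" "$demo/cracklib_dict.pwi" "$demo/cracklib_dict.hwm"
for try in "$demo" "$demo/cracklib_dict.pwi" "$demo/cracklib_dict"; do
    check_dictpath "$try" || true
done
rm -rf "$demo"
```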

3.10 My .procmailrc is wiped out!

CGIpaf deletes or replaces the user's ~/.procmailrc after a user has updated his mail configuration. It's possible to copy your .procmailrc and restore it when autoreply and mail forwarding are disabled, using the run_before_mailcfg and run_after_mailcfg directives.
An alternative is to use .forward/vacation instead of procmail; see examples/ for more information.

3.11 My .forward is deleted!

The user's .forward is deleted after a mail configuration update. If you don't like this you can disable the internal mail configuration and use your own run_mailcfg script. See examples/ for a Perl example with vacation support.

3.12 I get a "file not found" error message in the webserver error_log

CGIpaf uses "/cgi-bin" in its action fields. If you use another cgi-bin location ( e.g. /cgi-bin/cgipaf ) you have to update:

  • cgipasswd_top.php
  • mailcfg_form.php
  • mailcfg_login.php

3.13 Mail forwarding and autoreply doesn't work

Basically CGIpaf is a web interface to configure procmail, so you need a mailserver with procmail support. Check the documentation of your mailserver for how to enable procmail.

3.14 Can I create my own html pages?

Yes! You can modify the php files that come with the installation of cgipaf. Please note that CGIpaf doesn't have full PHP support, it only emulates two PHP functions (echo and include). If you need full PHP support or want to use another web scripting language you have to use a redirect.
e.g.:


msg_success redirect http://your_webserver/pwchanged.php?name="%{name}"

This will redirect to http://your_webserver/pwchanged.php?name="loginname" after a user has succeeded in updating his password.

3.15 Can I use vacation/.forward instead of procmail?

Yes! You can disable the internal .procmailrc updater of CGIpaf and define an external script to update the user's mail configuration. See examples/ for a vacation example.

3.16 I can't login with passwords longer than ...

You'll have to update mailcfg_login.php: the default maxlength for the password field is 16. If you need to support longer passwords, raise the maxlength value in mailcfg_login.php:


<td><input name="passwd" type="password" size="8" maxlength="16"></td>
                                                  ^^^^^^^^^^^^^^

4 Future plans

4.1 Supported Platforms

CGIpaf started as a GNU/Linux project; I needed to create a site that allowed users to update their mail configuration. I have added Solaris support because we use it at my work and I was tired of explaining to users how they have to update their Un*x password.

I've added Slackware 8.0, FreeBSD and NetBSD support because some users requested a port to these platforms. I hoped that I could reuse the BSD code for the OpenBSD port, but the odds were against me. The BSD port doesn't work without trouble on OpenBSD versions.

I still want to support FreeBSD with PAM enabled (the non-PAM code works fine, but PAM is more flexible); the authentication works but the PAM password changer doesn't -weird-.

The OpenBSD port is still in the pipeline.


staf wagemakers

Last modified: Wed Jul 13 13:25:14 CEST 2004