faq.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <title>CGIpaf 1.3.5 FAQ</title>
  </head>

  <body>
    
    <h1>CGIpaf 1.3.5 FAQ</h1>
<hr>
<a name="copyright"></a>
<h2>Copyright Notice</h2>
<a name="copyright_documentation"></a>
<h3>Copyright documentation</h2>
<p>
The documentation for CGIpaf is licensed under the terms of the FreeBSD
Documentation License.
<h4>The FreeBSD Documentation License</h4>
<p>
Copyright &copy; 2001 - 2020 Staf Wagemakers
<p>
Redistribution and use in source (plaintext, HTML) and 'compiled' forms (SGML, HTML, PDF, PostScript, RTF and so forth) with or without modification, are permitted provided that the following conditions are met:
<ol>
  <li>
Redistributions of source code (plaintext, HTML) must retain the above copyright notice, this list of conditions and the following disclaimer.
  </li>
  <li>
Redistributions in compiled form (transformed to other DTDs, converted to PDF, PostScript, RTF and other formats) must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  </li>
</ol>
 <p>
 THIS DOCUMENTATION IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED 
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
 </p>
<a name="copyright_software"></a>
<h3>Copyright Software</h2>
CGIpaf (the software) is licensed under the terms of the GNU General Public
License version 2 or later.
<p>
Copyright &copy; 2001 - 2020 Staf Wagemnakers
<p>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 2 of the License, or
(at your option) any later version.
<p>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.
<p>
You should have received a copy of the GNU General Public License
along with this program.  If not, see <a href="https://www.gnu.org/licenses/">https://www.gnu.org/licenses/</a>.
<hr>
    <p>
    <h2>1 <a href="#s1">Introduction to CGIpaf</a></h2>
    <ul>
      <li>1.1 <a href="#ss1.1">What is CGIpaf?</a></li>
      <li>1.2 <a href="#ss1.2">How secure is CGIpaf</a></li>
      <li>1.3 <a href="#ss1.3">Website</a></li>
      <li>1.4 <a href="#ss1.4">Mailinglist</a></li>
      <li>1.5 <a href="#ss1.5">Support</a></li>
      <li>1.6 <a href="#ss1.6">License</a></li>
    </ul>
    
    <p>
    <h2>2 <a href="#s2">Installation</a></h2>
    <ul>
      <li>2.1 <a href="#ss2.1">What platforms are supported?</a></li>
      <li>2.2 <a href="#ss2.2">Which libraries are required?</a></li>
      <li>2.3 <a href="#ss2.3">Does CGIpaf depends on PHP?</a></li>
      <li>2.4 <a href="#ss2.4">Common installation problems</a></li>
    </ul>
    
    <p>
    <h2>3 <a href="#s3">Common configuration problems</a></h2>
    <ul>
      <li>3.1 <a href="#ss3.1">passwd.cgi is unable to update the system password</a></li>
      <li>3.2 <a href="#ss3.2">Can I update the SAMBA password?</a></li>
      <li>3.3 <a href="#ss3.3">Is NIS supported?</a></li>
      <li>3.4 <a href="#ss3.4">Is ldap supported?</a></li>
      <li>3.5 <a href="#ss3.5">I get an internal server error</a></li>
      <li>3.6 <a href="#ss3.6">How do I get debug output?</a></li>
      <li>3.7 <a href="#ss3.7">Which authentication methods are supported</a></li>
      <li>3.8 <a href="#ss3.8">CGIpaf is unable to authenticate?</a></li>
      <li>3.9 <a href="#ss3.9">How do I enabled cracklib password testing?</a></li>
      <li>3.10 <a href="#ss3.10">My .procmailrc is wipe out!</a></li>
      <li>3.11 <a href="#ss3.11">My .forward is deleted!</a></li>
      <li>3.12 <a href="#ss3.12">I get a "file not found" error message</a></li>
      <li>3.13 <a href="#ss3.13">Mail forwarding and autoreply doesn't work</a></li>
      <li>3.14 <a href="#ss3.14">Can I create my own html pages?</a></li>
      <li>3.15 <a href="#ss3.15">Can I use vacation/.forward instead of procmail?</a></li>
      <li>3.16 <a href="#ss3.16">I can't login with passwords longer than ...</a></li>
     </ul>
 
   <p>
   <h2>4 <a href="#s4">Future Plans</a></h2>
   <ul>
      <li>4.1 <a href="#ss4.1">Supported Platforms</a></li>
    </ul>
<hr />
<h1><a name="s1">1</a> Introduction</h1>
<h2><a name="ss1.1">1.1</a> What is CGIpaf?</h2>

<p>
    cgipaf is a combination of three cgi programs:
</p>
<ul>
<li><b>passwd.cgi</b>: allows users to update their password</li>
<li><b>viewmailcfg.cgi</b>: allows users to view their current mail configuration.</li>
<li><b>mailcfg.cgi</b>: update the mail configuration</li>
</ul>
<p>
    All programs use PAM for user authentication, systems without PAM
    are only supported if they use the standard password file location
    (/etc/passwd /etc/shadow) and standard crypt or md5 passwords. 
    If a password is changed it is possible to run a script to update
    SAMBA passwords, NIS configuration, etc.
</p>
<p>
    The mail configuration is done by procmail by default, mailcfg.cgi
    creates a .procmailrc in the user's home directory. If autoreply is
    enabled the autoreply message is stored in ~/vacations.txt. When a user
    enables mail forwarding the user can choose to keep the messages.
    If you want to use another auto responder like vacation you can define
    an external script to update the user's mail configuration. A perl script with
    vacation support is included see examples/ for an example config.
</p>
<p>
    For the user authentication viewmailcfg.cgi creates a cookie, this cookie
    is stored in the accessdb. mailcfg.cgi reads the cookie out the accessdb
    and compares it with the cookie send by the users browser.
    Users with too many invalid logins can be locked. The minimum and maximum 
    uid can be set in the configuration file, so you can specify a range of uid's 
    that are allowed to use cgipaf. CGIpaf has <b>a</b>ccess <b>c</b>ontrol <b>l</b>ists 
    support this allow you to deny or allow access to groups or users.
</p>
<p>
    You can specify html files with a few PHP extensions for the login screen
    and error messages. It's possible to use a redirect for the error messages, instead 
    of plain html files.
</p>

<h2><a name="ss1.2">1.2 </a>How secure is CGIpaf</h2>

<p>
The CGIpaf cgi's are suid root programs, this means they run as root. Viewmailcfg.cgi and
mailcfg.cgi runs as the user when the authentication is completed. All suid programs are
a security risk, I try to keep them so secure as possible...</p>
<p>
If you use CGIpaf on the internet you must use CGIpaf over https otherwise the users passwords
are send unencrypted over the internet.
</p>

<h2><a name="ss1.3">1.3 </a>Website</h2>

<p>
I finally got a stable place for my homepage ( <a href="http://www.wagemakers.be">http://www.wagemakers.be</a> ).<br>
<strong>thanks</strong> to <a href="http://www.procolix.com/">ProcoliX</a> for hosting my site and sponsoring my domain.
<p>
The current locations are:
</p>

<ul>
<li>main site: <a href="http://www.wagemakers.be/english/programs/cgipaf">http://www.wagemakers.be/english/programs/cgipaf</a></li>
</li>
<li>debian packages: <a href="http://www.wagemakers.be/downloads/debian/">http://www.wagemakers.be/downloads/debian/</a>
</li>
</ul>
<p>
If you're unable to access the website check
<a href="http://freshmeat.net/projects/cgipaf">http://freshmeat.net/projects/cgipaf</a>
for the correct location.
</p>

<h2><a name="ss1.4">1.4 </a>Mailinglist</h2>

<p>
<a href="http://groups.yahoo.com/group/cgipaf/">http://groups.yahoo.com/group/cgipaf/</a></p>

<p>
<table border="0" cellspacing="1" cellpadding="1">
<tr>
<td><font face="arial,helvetica" size=-1>Post message</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf@yahoogroups.com</font></td>
</tr>
<tr>
<td><font face="arial,helvetica" size=-1>Subscribe:</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf-subscribe@yahoogroups.com</font></td>
</tr>
<tr>
<td><font face="arial,helvetica" size=-1>Unsubscribe:</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf-unsubscribe@yahoogroups.com</font></td>
</tr>
<tr>
<td><font face="arial,helvetica" size=-1>List owner:</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf-owner@yahoogroups.com</font></td>
</tr>
</table>

<h2><a name="ss1.5">1.5 </a> Support</h2>

<p>
Please post your questions / install problems to the mailinglist. I usually read my private email at the 
evening after my work but I follow the mailinglist during the workday, so you'll get the answer faster
in the mailinglist. Your problem can be useful to the other CGIpaf users...
</p>

<h2><a name="ss1.6">1.6 </a> License</h2>

<p>
CGIpaf is Free software published under the GNU General Public License.
see <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>
for more information.
</p>

<hr />

<h1><a name="s2">2</a> Installation</h1>
<h2><a name="ss2.1">2.1</a>What platforms are supported</h2>

<ul>
<li><b>GNU/Linux</b>
<p>
CGIpaf should compile and run on most GNU/Linux distributions. Slackware is
only supported if you compile CGIpaf without PAM support since Slackware doesn't support PAM. 
Both passwd types (standard crypt, md5) are supported on a non-PAM system. Blowfish and others aren't supported.
</p>
</li>
<li><b>SUN Solaris</b>
<p>
CGIpaf works on Solaris ( only tested on solaris 8 )
</p>
</li>
<li><b>FreeBSD</b>
<p>
FreeBSD is supported.
The PAM password changer is supported on FreeBSD 7.3 or above.
</p></li>
<li><b>NetBSD</b>
<p>
NetBSD is suppored.
The PAM password changer is supported on NetBSD 6.0 or above.
</p>
<li><b>OpenBSD</b>
<p>
Unfortunately OpenBSD isn't supported (yet). I hope to start a port some day.
</p>
</li>
<li><b>Other</b>
<p>
CGIpaf might work on other Un*ces with pam support. Systems without pam support 
are only supported if they use the standard password file location /etc/passwd 
/etc/shadow and standard crypt or md5 passwords.
</p>
</li>
</ul>
<h2><a name="ss2.2">2.2</a> What libraries are required?</h2>
<p>
CGIpaf uses only standard libraries that are installed on most common Un*x installations, you need the 
development packages ( headers files etc ) to compile CGIpaf.
</p>
<p>
List of required libraries:
<ul>
  <li>ndbm, gdbm of compatible library</li>
  <li>libPAM ( optional )</li>
  <li>libc ( of course )</li>
  <li>cracklib ( optional )</li>
</ul>
<h2><a name="ss2.3">2.3</a> Does CGIpaf depends on PHP?</h2>
<p>
No! CGIpaf only emulate a few PHP functions ( include and echo ) in his html files.<br>
If you need full PHP support you've to use a redirect.
</p>
<h2><a name="ss2.4">2.4</a> Common installation problems</h2>
<p>
<ol>
 <li><b>I get a "configure: error: no valid ndbm library found" error message</b>
 <p>
 CGIpaf depends on ndbm or compatible library, you need the development files to compile it. If ndbm and 
 the development files aren't installed on your system install them, look for a gdbm or ndbm package<br>
 If ndbm isn't installed on standard location on your system ( e.g.  /opt ) try to create symbolic links:
<p>
<pre><tt><kbd>
   ln -s /opt/lib/libndbm.so /usr/lib/libndbm.so
   ln -s /opt/include/db1/ndbm.h /usr/include/ndbm.h
</kbd></tt></pre>
<p>
and rerun ./configure
</p>
 <li><b>pam development files</b>
 <p>
 To compile CGIpaf with PAM support you need the PAM development files, which
aren't install on every default installation. Look for a package with a name
like *libpam-dev and install it. ( Type apt-get install libpam0g-dev on a
Debian GNU/Linux system )
 </p>
 </li>
 <li><b>cracklib</b>
 <p>
To compile cgipaf with cracklib support you need the libcrack development
files... If you've a system with PAM support try to enable cracklib
support through PAM (see below).
<p>
On a non-PAM system set "cracklib" to "on" and "cracklib_dictpath" you your
cracklib dict path.<br>
The cracklib_dictpath is the path to the dictionary filename without the extension
( .pwi ), not the directory path.<br>
The correct_dictpath on Debian ( potato and woody ) is /var/cache/cracklib/cracklib_dict
, on RedHat 6.2 you'll have to use /usr/lib/cracklib_dict.
</p>
</li>
</ol>
<hr />
<h1><a name="s3">3</a> Common configuration problems</h1>
<h2><a name="ss3.1">3.1</a> CGIpaf is unable to update the password</h2>
<p>
On a non-pam system cgipaf uses a lock file in /var/lock if this directory doesn't exists on your
system passwd.cgi will end with "Can't create lockfile" error. Create /var/lock or update pam.h 
to your own needs.
</p>
<h2><a name="ss3.2">3.2</a> Can I update the SAMBA password?</h2>
<p>
Yes, passwd.cgi doesn't support SAMBA passwords directly but you can use a
"run_success" script.
<pre><tt><code>
     run_success "/usr/sbin/smbpasswd -U %{name} &gt; /dev/null 2&gt;&amp;1" "%{password}\n%{password}\n"
</code></tt></pre>
<h2><a name="ss3.3">3.3</a> Is NIS supported?</h2>
<p>
CGIpaf doesn't support NIS directly, but it's possible to update the
NIS password on the master NIS server and run pwupdate (8) through run_success
<pre><tt><code>
    run_success     "/usr/lib/yp/pwupdate  > /dev/null 2>&1"
</code></tt></pre>
<h2><a name="ss3.4">3.4</a> Is ldap supported?</h2>
<p>
CGIpaf should support ldap through PAM, altought I didn't had the time to test it...
</p>
<h2><a name="ss3.5">3.5</a> I get an internal server error</h2>

<p>
This can have several reasons...
</p>

<p>
If you've enabled cracklib in cgipaf and the cracklib_dictpath to a invalid 
location passwd.cgi will end with a internal server and an error message in
your webserver error log. Try to disable cracklib if this resolves the problem
see "How do I enable cracklib password testing".
</p>

<p>
Another reason is possible BUG or misconfiguration in cgipaf, the error_log of
your webserver and the syslog messages ( set loglovel to 7 ) should give more information.
</p>

<h2><a name="ss3.6">3.6</a> How do I get debug output?</h2>
<p>
Set the loglevel to 7 in cgipaf.conf, this will send debug messages to your system's syslog
</p>
<h2><a name="ss3.7">3.7</a> Which authentication methods are supported</h2>
<p>
CGIpaf supports PAM and standard Un*x password files ( /etc/passwd /etc/shadow ). 
BSD uses different passwd locations. On a Net|FreeBSD system /etc/passwd_master is updated
and copied to pwdb by the pw_mkdb command.<br>
OpenBSD isn't (yet) supported... 
</p>
<h2><a name="ss3.8">3.8</a> CGIpaf is unable to authenticate?</h2>
<p>
On a pam system: CGIpaf needs "auth" and "account" entries in his PAM configuration.
If you don't set the pam_service directive CGIpaf uses the "passwd" service name. The passwd
pam service ( /etc/pam.d/passwd ) usually doesn't have an entry for user authentication, therefor
/etc/pam.d/other has to have a line auth set to pam_unix.so.
<pre><code><tt>
    auth     required       pam_unix.so
    account  required       pam_unix.so
</tt></code></pre>
If you don't like this for security reason etc, you can set the pam_service directive to "cgipaf"
and create the file /etc/pam.d/cgipaf that looks like this
<pre><code><tt>
    auth     required       pam_unix.so
    account  required       pam_unix.so
    password required       pam_unix.so md5
</tt></code></pre>
Or better copy your system passwd configuration and add the lines for "auth" and "account".
<h2><a name="ss3.9">3.9</a> How do I enabled cracklib password testing?</h2>
<p>
On a PAM system: CGIpaf should support password testing trough PAM. Enable cracklib support in
your PAM configuration.
</p>
<p>
On a non pam system you've to set the cracklib directive to "on" and cracklib_dictpath to your
system's cracklib dictpath.
</p>
<h2><a name="ss3.10">3.10</a> My .procmailrc is wipe out!</h2>
<p>
CGIpaf deletes or replaces the user's ~/.procmailrc after a user has updated his mail configuration. 
It's possible to copy the your .procmailrc and restore it when autoreply and mailforwarding is disabled 
by the run_before_mailcfg and run_after_mailcfg directives.<br>
An alternative is to use .forward/vacation instead of procmail see examples/ for more information.
</p>
<h2><a name="ss3.11">3.11</a> My .forward is deleted!</h2>
<p>
The user's .forward is deleted after a mail configuration update. If you don't like this you can disable the
internal mail configuration and use your own run_mailcfg script. See examples/ for perl example with vacation support.
</p>
<h2><a name="ss3.12">3.12</a> I get a "file not found" error message in the webserver error_log</h2>
<p>
CGIpaf uses "/cgi-bin" in his action fields, if you use another cgi-bin location eg ( /cgi-bin/cgipaf )
you have to update:
</p>
<ul>
 <li>cgipasswd_top.php</li>
 <li>mailcfg_form.php</li>
 <li>mailcfg_login.php</li>
</ul>
<h2><a name="ss3.13">3.13</a> Mail forwarding and autoreply doesn't work</h2>
<p>
Basically CGIpaf is web interface to configure procmail, so you need a mailserver with procmail support.
Check the documentation of you mailserver howto enable procmail.
</p>
<h2><a name="ss3.14">3.14</a> Can I create my own html pages?</h2>
<p>
Yes! You can modify the php file that come with the installation of cgipaf. Please note that
CGIpaf doesn't have full PHP support it only emulates two PHP function (echo and include). 
If you need full PHP support or what to use another web scripting language you've to use a Redirect.<br>
e.g.:
<pre><code><tt>
       msg_success   redirect  http://your_webserver/pwchanged.php?name="%{name}"
</tt></code></pre>
<p>
Will redirect to http://your_webserver/pwchanged.php?name="loginname" after a user has succeed to update 
his password.
</p>
<h2><a name="ss3.15">3.15</a> Can I use vacation/.forward instead of procmail?</h2>
<p>
Yes! You can disable the internal .procmailrc updater of CGIpaf and define an external script
to update the user's mail configuration. See examples/ for a vacation example.
</p>
<h2><a name="ss3.16">3.16</a> I can't login with passwords longer than ...</h2>
<p>
You'll have to update mailcfg_login.php, the default maxlength for the password field is 16
If you need to support longer passwords update mailcfg_login.php
</p>
<pre><code><tt>
 &lt;td&gt;&lt;input name="passwd" type="password" size="8" maxlength="16"&gt;&lt;/td&gt;
                                                   ^^^^^^^^^^^^^^
</tt></code></pre>
<h:1
<h1><a name="s4">4</a> Future plans</h1>
<h2><a name="ss4.1">4.1</a> Supported Platforms</h2>
<p>
CGIpaf started as GNU/Linux project I needed to create site that allowed users to update their
mailconfiguration. I have added solaris support because we it at my work and I was tired to 
explain users how they've to update their Un*x password.
</p>
<p>
I've added slackware 8.0, FreeBSD and NetBSD support because some users requested a port to these
platforms. I hoped that I could reuse the BSD code for the OpenBSD port, but the odds 
were against me. The BSD port doesn't works without trouble on OpenBSD versions.
</p>
<p>
PAM on FreeBSD and NetBSD have been improved over the years.<br /> 
PAM support is enabled by default on FreeBSD 7.3 or above and NetBSD 6 or above.
<p>
<hr />
    <address><a href="mailto:staf at wagemakers.be">staf wagemakers</a></address>
<!-- Created: Mon Apr  8 20:42:51 CEST 2002 -->
<!-- hhmts start -->
Last modified: Thu Mar 14 09:33:27 CET 2013
<!-- hhmts end -->
  </body>
</html>