Changing password in Roundcube doesn't update existing password

psymantz

Hi everyone,

First post here. I'm experiencing a problem with Roundcube whereby changing the password doesn't replace the existing password, and I'm still able to log in to the webmail using the old password. Logging in with the new password says Login failed.

- Roundcube v1.1.0
- DirectAdmin Password Driver v2.1

- config/config.inc.php

// List of active plugins (in plugins/ directory)
$config['plugins'] = array(
'password',
'archive',
'zipdownload',
);

- plugins/password/config.inc.php
$config['password_driver'] = 'directadmin';
$config['password_directadmin_host'] = 'tcp://localhost';
$config['password_directadmin_port'] = 2222;

- nc output
# nc -z -v localhost 2222
Connection to localhost 2222 port [tcp/*] succeeded!

The configurations seem to be in place. Just don't know where else to look.

Before and after changing the password from webmail, I notice the password field in /etc/virtual/$domain/passwd isn't being updated.

Any thoughts ?
 
Hi John,

Ran what you suggested and this is the last line of the debug output:

didn't find the encrytped text

When I checked the password file(/etc/virtual/domain/passwd), the password field isn't being changed.

What should I do next ?

/Darryl
 
Sorry you requested the string as well:-

Post string: email=user%40domain.com&oldpassword=oldPwd&password1=NewPwd%21&password2=NewPwd%21&api=1
didn't find the encrytped text
 
Ok, so we can see that DA is indeed getting the info.
I've just added code to DA to output all info that is sent to the client, but to the debug output, level 2100.

So grab the pre-release binaries:
http://help.directadmin.com/item.php?id=408

Then try the above debug mode again, but use b2100 instead of b2000.
It should give you a few lines, the first starting with:
Code:
sendResult(snd
which is the function that's always called to spit out the resulting text, for all of the email/ftp password resets.

John
 
Hi John,

Grabbed the pre-release for my distro and ran it and here's the output:

# ./directadmin b2100
./directadmin: /usr/local/mysql/lib/libmysqlclient.so.16: no version information available (required by ./directadmin)
Debug mode. Level 2100

DirectAdmin 1.44.0
Accepting Connections on port 2222
Sockets::handshake - begin
Sockets::handshake - end
/CMD_API_CHANGE_EMAIL_PASSWORD
0: Accept: */*
1: Connection: Close
2: Content-length: 97
3: Content-type: application/x-www-form-urlencoded
4: Host: tcp://localhost:2222
5: User-Agent: HTTPSocket/2.7.2
Post string: email=redaemon%40bsd.my&oldpassword=Oldpwd123&password1=Newpwd123%21&password2=Newpwd123%21&api=1
didn't find the encrytped text
^C

No mention of sendResult
 
Hi John,

Downgraded Roundcube to 1.0.5 and re-ran directadmin in debug mode b2100 and I get similar output. The password doesn't get updated.
 
Please can you share your /var/www/html/roundcube/plugins/password/drivers/directadmin.php with us?

I want to know why your header contains the "User-Agent: HTTPSocket/2.7.2" string, because the latest DirectAdmin Password Driver should use HTTPSocket/2.8 (a customized version from our developer, who is the creator of the plugin).

Thanks
 
I actually swapped it out with our newer class version quite a while back, which better supports ssl, if it's not set, location redirect handling, many improvements.
I did email the author about the change, but never got a reply.

Do you know what changes were done in the custom 2.8? This could be re-examined.
"diff" isn't playing nicely, as it looks like the tabs were swapped for spaces...
But in a side-by-side glance 2.8 looks just like 2.7.1.. but with "port = 80;" changed to "port = 2222"; as the fallback.. which shouldn't really matter, as 2222 should be set by the caller, so wouldn't hit that.
If you have a proper diff for the changes 2.7.1 to 2.8, that would help.. but I'm not yet suspecting 2.7.2 vs 2.8 is at play for the cause.

I did test 2.7.2, and the directadmin.php I swap in is here:
http://files.directadmin.com/services/all/roundcube/directadmin.php
but it's entirely possible there's some change that was in the custom 2.8 that handles some case I didn't account for.
@unihostbrasil: send the author the above directadmin.php :)

To clarify, 2.7.2 is newer... the custom 2.8 is likely based on 2.7.1, but with other changes.

----

In any case, as for this current issue, we can test with the older custom 2.8 by installing it.
Run this
Code:
wget -O /var/www/html/roundcube/plugins/password/drivers/directadmin.php http://files1.directadmin.com/services/all/roundcube/directadmin-custom-old.php
to see if that makes any difference.

If the directadmin-custom-old.php file doesn't fix it (2.8)... I'd be happy to login to check the box for you, if you'd like.. as I can track things like that quite quickly.. as I wrote :)
I'm suspecting it's something in DA.. or called funny, as we do see the post string being sent to DA.
support@da, IP, root pass, admin pass, sample/test email + pass, and I'll see what's up.

John
 
Hi John/Everyone,

Using directadmin-custom-old.php seems to fix the problem. Here's what I did:-

1. Follow wget instructions above
2. rename old directadmin.php to directadmin.php.orig then rename directadmin-custom-old.php to directadmin.php
3. chown webapps:webapps directadmin.php
4. Go to webmail link
5. Before logging in, cat /etc/virtual/domain/passwd
6. Login and change password
7. cat /etc/virtual/domain/passwd and notice the password field is updated this time
8. logout and log back in using old password - Failed (it is supposed to, good)
9. login with new password - Success
10. Logout webmail and repeated steps 6-9 twice just to be certain

Saved the day :) Thank you
 
I've already replied. Why does it take so long for my reply to show up in the forum ?
 
Hi John,

Using directadmin-custom seems to fix the problem. Password is updated after changing it as expected.
 
We don't yet know what the problem is... need more information.

In post #6, it mentions a certain string provided to DA.
Can you do the same with the manually changed file?

We'd need to know what the difference is.. we're not able to duplicate the issue with either file, on our end.

Other questions:
1) Is DA using SSL/https on port 2222?
2) How about the "force_hostname" setting?
3) and "ssl_redirect_host" setting?

John
 
It also does not work on my servers to change password in Roundcube webmail. However, I do get an error message in the Roundcube interface when I try to change the password. I get this error message:

An error occurred!
Could not save new password. Connection error. Can't create socket connection to ssl://localhost:2222.

I am running the newest Roundcube and DirectAdmin versions. To answer your questions:

1) Is DA using SSL/https on port 2222?
Yes.

2) How about the "force_hostname" setting?
No.

3) and "ssl_redirect_host" setting?
Yes. I have these in options.conf:
Code:
redirect_host=host.name.com
redirect_host_https=yes
use_hostname_for_alias=yes

And I have these in directadmin.conf:
Code:
SSL=1
ssl_redirect_host=host.name.com

I know changing password in Roundcube worked before, but I don't know at what time it stopped working. I have the same problem on all my servers. Please let me know if you need more information.
 
@psymantz:
Code:
didn't find the encrytped text
Update DA. The CMD_API version of CMD_CHANGE_EMAIL_PASSWD didn't exist until 1.45.1. You've got 1.44.0.
http://www.directadmin.com/features.php?id=1568
So the difference from the old php file and the new one is simply that the new one uses CMD_API_CHANGE_EMAIL_PASSWD, and the old one uses CMD_CHANGE_EMAIL_PASSWD.

@ditto:
Code:
Can't create socket connection to ssl://localhost:2222.
we can work with that.
1) I would first guess the /etc/hosts may be missing
Code:
127.0.0.1   localhost
OR the ::1 line has localhost (I typically remove "localhost" from the ::1 line)
2) Test manually, eg:
Code:
telnet localhost 2222
to see if you can connect.
3) To debug, try SSL=0 in DA, to temporarily shut off SSL on port 2222... and then change the RC config back to 'tcp://localhost', so we can determine if it's a socket issue, or an SSL issue.
4) if SSL=0 works fine, then put it back to SSL=1 and ssl:// ... and I would then suspect it might be a cipher issue? Check /var/log/directadmin/error.log. Running DA in debug mode may help give us more info.

John
 
Thanks. /etc/hosts is not missing, but I do have this line in it:

Code:
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

How much should I remove from that line? Should I remove the line completely?

Please note that I do not have any ipv6 ips on my servers yet.

I do not have so much time today, but will look deeper into the rest of your reply tomorrow. Thank you.
 
Remove only localhost from the ::1 line, eg:
Code:
::1       localhost.localdomain localhost6 localhost6.localdomain6
Other things to check would be the "disable_functions" option in the php.ini... as well as the apache error logs for possible clues.

John
 
I found the solution. However I first removed localhost from ::1 in /etc/hosts, but that did not help, so I added back localhost to ::1 line in /etc/hosts

The problem was solved by changing line number 254 in /var/www/html/roundcubemail-1.1.1/plugins/password/config.inc.php, previous value was:

Code:
$config['password_directadmin_host'] = 'ssl://localhost';

New value was that I changed ssl://localhost to be my actual server hostname, like this (server.hostname.com is only an example name):

Code:
$config['password_directadmin_host'] = 'ssl://server.hostname.com';

Please note that I have these settings in options.conf:
Code:
redirect_host=host.name.com
redirect_host_https=yes
use_hostname_for_alias=yes

And these settings in directadmin.conf:
Code:
SSL=1
ssl_redirect_host=host.name.com

Please test with the same settings to confirm the bug, and then please make a fix, like changing line 254 in /var/www/html/roundcubemail-1.1.1/plugins/password/config.inc.php from ssl://localhost to ssl://server.hostname.com when the server has the settings I listed above.

In the meantime I will keep the manual custom setting of this file, so the problem is solved for me. But this should be considered a bug in DirectAdmin.
 
Hi John,

Other questions:
1) Is DA using SSL/https on port 2222?
2) How about the "force_hostname" setting?
3) and "ssl_redirect_host" setting?

None of the above are enabled in directadmin.conf and DA is running in HTTP-only mode.

When I reran debug with the replaced file, here's what I get:-

Code:
# ./directadmin b2000
./directadmin: /usr/local/mysql/lib/libmysqlclient.so.16: no version information available (required by ./directadmin)
Debug mode. Level 2000

DirectAdmin 1.44.0
Accepting Connections on port 2222
Sockets::handshake - begin
Sockets::handshake - end
/CMD_CHANGE_EMAIL_PASSWORD
 0: Accept: */*
 1: Connection: Close
 2: Content-length: 91
 3: Content-type: application/x-www-form-urlencoded
 4: Host: localhost:2222
 5: User-Agent: HTTPSocket/2.8
Post string: email=redaemon%40bsd.my&oldpassword=Tmp123%21&password1=Abc123%21&password2=Abc123%21&api=1
executeAsUser('/usr/local/bin/php', 512, diradmin, 1, '<?php

There's a bunch of PHP text after this line.

My password/config.inc.php has this:

Code:
// DirectAdmin Driver options
// --------------------------
// The host which changes the password
// Use 'ssl://host' instead of 'tcp://host' when running DirectAdmin over SSL.
// The host can contain the following macros that will be expanded as follows:
//     %h is replaced with the imap host (from the session info)
//     %d is replaced with the domain part of the username (if the username is an email)
$config['password_directadmin_host'] = 'tcp://localhost';

// TCP port used for DirectAdmin connections
$config['password_directadmin_port'] = 2222;
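
The checks suggested across this thread (DirectAdmin version versus the API command, tcp:// versus ssl:// against SSL= in directadmin.conf, and what the hosts file maps localhost to), collected as an added shell example; it is not part of any post and is not DirectAdmin or Roundcube code. The function names, file arguments and sample files are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: offline pre-flight for the Roundcube "directadmin" password
# driver. Function names and file arguments are illustrative assumptions.

# True if this DirectAdmin version has CMD_API_CHANGE_EMAIL_PASSWD (1.45.1+,
# per the thread). Uses GNU sort -V for version ordering.
da_has_api_cmd() {            # $1 = version, e.g. 1.44.0
    [ "$(printf '%s\n' 1.45.1 "$1" | sort -V | head -n1)" = "1.45.1" ]
}

# Scheme the plugin must use: ssl when directadmin.conf has SSL=1, else tcp.
expected_scheme() {           # $1 = path to directadmin.conf
    if grep -Eq '^SSL=1[[:space:]]*$' "$1"; then echo ssl; else echo tcp; fi
}

# Last uncommented password_directadmin_host value in the plugin config.
configured_host() {           # $1 = path to plugins/password/config.inc.php
    awk -F"'" '$1 ~ /^[ \t]*[$]config\[$/ && $2 == "password_directadmin_host" { v = $4 }
               END { print v }' "$1"
}

# Addresses that a hosts file assigns to the name "localhost".
localhost_addrs() {           # $1 = path to a hosts file
    awk '{ sub(/#.*/, ""); for (i = 2; i <= NF; i++) if ($i == "localhost") print $1 }' "$1" |
        LC_ALL=C sort -u | paste -sd, -
}

preflight() {   # $1 = DA version, $2 = directadmin.conf, $3 = plugin config, $4 = hosts
    local want host redir
    want=$(expected_scheme "$2"); host=$(configured_host "$3")
    redir=$(sed -n 's/^ssl_redirect_host=//p' "$2")
    da_has_api_cmd "$1" || echo "version: DA $1 lacks CMD_API_CHANGE_EMAIL_PASSWD (needs 1.45.1)"
    [ "${host%%://*}" = "$want" ] || echo "scheme: '$host' should start with $want://"
    if [ -n "$redir" ] && [ "$host" = "ssl://localhost" ]; then
        echo "host: ssl_redirect_host=$redir is set; one poster fixed this with the server hostname"
    fi
    case ",$(localhost_addrs "$4")," in *,::1,*) echo "hosts: localhost also maps to ::1" ;; esac
    return 0
}

demo() {                      # constructed sample files, not from a real server
    local d; d=$(mktemp -d)
    printf 'SSL=1\nssl_redirect_host=host.name.com\n' > "$d/directadmin.conf"
    printf '%s\n' "\$config['password_directadmin_host'] = 'tcp://localhost';" > "$d/config.inc.php"
    printf '127.0.0.1 localhost\n::1 localhost localhost6\n' > "$d/hosts"
    preflight 1.44.0 "$d/directadmin.conf" "$d/config.inc.php" "$d/hosts"
    rm -rf "$d"
}
demo
```

An empty result from `preflight` means none of the conditions raised in the thread applies; the live connection tests (`nc`, `telnet`, DirectAdmin debug mode) still have to be run on the server itself.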
 