diff --git a/target/dovecot/auth-ldap.conf.ext b/target/dovecot/auth-ldap.conf.ext index a1cae923..d44077c4 100644 --- a/target/dovecot/auth-ldap.conf.ext +++ b/target/dovecot/auth-ldap.conf.ext @@ -4,18 +4,36 @@ # This prevents unnecessary auth failure logs triggering Fail2Ban when # additional passdb are enabled (OAuth2). -passdb { - driver = ldap - mechanisms = plain login +# Replaced by ldap.sh +ldap_uris = REPLACED +ldap_base = REPLACED +ldap_auth_dn = REPLACED +ldap_auth_dn_password = REPLACED - # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext - args = /etc/dovecot/dovecot-ldap.conf.ext +passdb ldap { + driver = ldap +user_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n)) + + fields { +default_pass_scheme = SSHA +tls = no +ldap_version = 3 +pass_attrs = uniqueIdentifier=user,userPassword=password +user_attrs = mailHomeDirectory=home,mailUidNumber=uid,mailGidNumber=gid,mailStorageDirectory=mail +auth_bind = no + } } -userdb { +userdb ldap { driver = ldap - args = /etc/dovecot/dovecot-ldap.conf.ext +pass_filter = (&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n)) - # Default fields can be used to specify defaults that LDAP may override - #default_fields = home=/home/virtual/%u + fields { +default_pass_scheme = SSHA +tls = no +ldap_version = 3 +pass_attrs = uniqueIdentifier=user,userPassword=password +user_attrs = mailHomeDirectory=home,mailUidNumber=uid,mailGidNumber=gid,mailStorageDirectory=mail +auth_bind = no + } } diff --git a/target/scripts/startup/setup.d/ldap.sh b/target/scripts/startup/setup.d/ldap.sh index 1451ec32..d62b3194 100644 --- a/target/scripts/startup/setup.d/ldap.sh +++ b/target/scripts/startup/setup.d/ldap.sh @@ -35,10 +35,10 @@ function _setup_ldap() { declare -A DOVECOT_LDAP_MAPPING - DOVECOT_LDAP_MAPPING['DOVECOT_BASE']="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}" - DOVECOT_LDAP_MAPPING['DOVECOT_DN']="${DOVECOT_DN:="${LDAP_BIND_DN}"}" - DOVECOT_LDAP_MAPPING['DOVECOT_DNPASS']="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}" - DOVECOT_LDAP_MAPPING['DOVECOT_URIS']="${DOVECOT_URIS:="${LDAP_SERVER_HOST}"}" + DOVECOT_LDAP_MAPPING['DOVECOT_LDAP_URIS']="${DOVECOT_URIS:="${LDAP_SERVER_HOST}"}" + DOVECOT_LDAP_MAPPING['DOVECOT_LDAP_BASE']="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}" + DOVECOT_LDAP_MAPPING['DOVECOT_LDAP_AUTH_DN']="${DOVECOT_DN:="${LDAP_BIND_DN}"}" + DOVECOT_LDAP_MAPPING['DOVECOT_LDAP_AUTH_DN_PASSWORD']="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}" # Default DOVECOT_PASS_FILTER to the same value as DOVECOT_USER_FILTER DOVECOT_LDAP_MAPPING['DOVECOT_PASS_FILTER']="${DOVECOT_PASS_FILTER:="${DOVECOT_USER_FILTER}"}" @@ -47,7 +47,11 @@ function _setup_ldap() { export "${VAR}=${DOVECOT_LDAP_MAPPING[${VAR}]}" done - _replace_by_env_in_file 'DOVECOT_' '/etc/dovecot/dovecot-ldap.conf.ext' + _replace_by_env_in_file 'DOVECOT_' /etc/dovecot/conf.d/auth-ldap.conf.ext + sed -i -E \ + -e 's|user_filter| filter|' \ + -e 's|pass_filter| filter|' \ + /etc/dovecot/conf.d/auth-ldap.conf.ext _log 'trace' 'Enabling Dovecot LDAP authentication' diff --git a/test/tests/serial/mail_with_ldap.bats b/test/tests/serial/mail_with_ldap.bats index b5dd5ad6..fff3ea0e 100644 --- a/test/tests/serial/mail_with_ldap.bats +++ b/test/tests/serial/mail_with_ldap.bats @@ -81,14 +81,14 @@ function setup_file() { # As the `userID` is not a mail address, we ensure any domain-part is ignored, as a login name is not # required to match the mail accounts actual `mail` attribute (nor the local-part), they are distinct. # TODO: Docs should better cover this difference, as it does confuse some users of DMS (and past contributors to our tests..). - local SASLAUTHD_QUERY='(&(userID=%U)(mailEnabled=TRUE))' + local SASLAUTHD_QUERY='(&(userID=%{user | username})(mailEnabled=TRUE))' # Dovecot is configured to lookup a user account by their login name (`userID` in this case, but it could be any attribute like `mail`). - # Dovecot syntax token `%n` is the local-part of the full email address supplied as the login name. There must be a unique match on `userID` (which there will be as each account is configured via LDIF to use it in their DN) + # Dovecot syntax token `%{user | username}` is the local-part of the full email address supplied as the login name. There must be a unique match on `userID` (which there will be as each account is configured via LDIF to use it in their DN) # NOTE: We already have a constraint on the LDAP tree to search (`LDAP_SEARCH_BASE`), if all objects in that subtree use `PostfixBookMailAccount` class then there is no benefit in the extra constraint. - # TODO: For tests, that additional constraint is meaningless. We can detail it in our docs instead and just use `userID=%n`. - local DOVECOT_QUERY_PASS='(&(userID=%n)(objectClass=PostfixBookMailAccount))' - local DOVECOT_QUERY_USER='(&(userID=%n)(objectClass=PostfixBookMailAccount))' + # TODO: For tests, that additional constraint is meaningless. We can detail it in our docs instead and just use `userID=%{user | username}`. + local DOVECOT_QUERY_PASS='(&(userID=%{user | username})(objectClass=PostfixBookMailAccount))' + local DOVECOT_QUERY_USER='(&(userID=%{user | username})(objectClass=PostfixBookMailAccount))' local ENV_LDAP_CONFIG=( --env ACCOUNT_PROVISIONER=LDAP @@ -168,8 +168,8 @@ function setup_file() { # Set default implicit container fallback for helpers: - export CONTAINER_NAME=${CONTAINER1_NAME} } + export CONTAINER_NAME=${CONTAINER1_NAME} function teardown_file() { docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"