docker-mailserver/docs/content/advanced/auth-ldap.md

119 lines
3.5 KiB
Markdown
Raw Normal View History

2017-07-03 11:47:12 +00:00
### Introduction
Getting started with ldap and this mailserver we need to take 3 parts in account:
* POSTFIX
* DOVECOT
* SASLAUTHD (this can also be handled by dovecot above)
2017-07-03 11:47:48 +00:00
### List with the variables to control the container provisioning
2017-07-03 11:47:12 +00:00
__POSTFIX__:
* `LDAP_QUERY_FILTER_USER`
* `LDAP_QUERY_FILTER_GROUP`
* `LDAP_QUERY_FILTER_ALIAS`
2017-08-31 08:32:43 +00:00
* `LDAP_QUERY_FILTER_DOMAIN`
2017-07-03 11:47:12 +00:00
__SASLAUTHD__:
* `SASLAUTHD_LDAP_FILTER`
__DOVECOT__:
* `DOVECOT_USER_FILTER`
* `DOVECOT_PASS_FILTER`
2017-04-19 08:49:26 +00:00
**NOTE**: This page will provide several use cases like recipes to show, how this project can be used with it's LDAP Features.
### Ldap Setup - Kopano/Zarafa
2020-12-05 20:01:26 +00:00
```yml
2017-04-19 08:49:26 +00:00
---
version: '2'
services:
mail:
2017-04-27 16:01:51 +00:00
image: tvial/docker-mailserver:latest
2017-04-19 08:49:26 +00:00
hostname: mail
domainname: domain.com
container_name: mail
ports:
- "25:25"
- "143:143"
- "587:587"
- "993:993"
volumes:
- maildata:/var/mail
- mailstate:/var/mail-state
- ./config/:/tmp/docker-mailserver/
environment:
2017-07-03 11:52:19 +00:00
# We are not using dovecot here
2017-04-19 08:49:26 +00:00
- SMTP_ONLY=1
- ENABLE_SPAMASSASSIN=1
- ENABLE_CLAMAV=1
- ENABLE_FAIL2BAN=1
- ENABLE_POSTGREY=1
- SASLAUTHD_PASSWD=
2017-07-03 11:52:19 +00:00
2017-04-19 08:49:26 +00:00
# >>> SASL Authentication
- ENABLE_SASLAUTHD=1
- SASLAUTHD_LDAP_SERVER=<yourLdapContainer/yourLdapServer>
- SASLAUTHD_LDAP_PROTO=
- SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc
- SASLAUTHD_LDAP_PASSWORD=mypassword
- SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc
- SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
2017-04-19 08:49:26 +00:00
- SASLAUTHD_MECHANISMS=ldap
# <<< SASL Authentication
2017-07-03 11:52:19 +00:00
2017-04-19 08:49:26 +00:00
# >>> Postfix Ldap Integration
- ENABLE_LDAP=1
- LDAP_SERVER_HOST=<yourLdapContainer/yourLdapServer>
- LDAP_SEARCH_BASE=dc=mydomain,dc=loc
- LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc
- LDAP_BIND_PW=mypassword
- LDAP_QUERY_FILTER_USER=(&(objectClass=user)(mail=%s))
- LDAP_QUERY_FILTER_GROUP=(&(objectclass=group)(mail=%s))
- LDAP_QUERY_FILTER_ALIAS=(&(objectClass=user)(otherMailbox=%s))
- LDAP_QUERY_FILTER_DOMAIN=(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))
2017-04-19 08:49:26 +00:00
# <<< Postfix Ldap Integration
2017-07-03 11:52:19 +00:00
2017-04-19 08:49:26 +00:00
# >>> Kopano Integration
- ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1
- POSTFIX_DAGENT=lmtp:kopano:2003
# <<< Kopano Integration
2017-07-03 11:52:19 +00:00
2017-04-19 08:49:26 +00:00
- ONE_DIR=1
- DMS_DEBUG=0
- SSL_TYPE=letsencrypt
- PERMIT_DOCKER=host
cap_add:
- NET_ADMIN
volumes:
maildata:
driver: local
mailstate:
driver: local
```
2018-12-31 14:18:03 +00:00
If your directory has not the postfix-book schema installed, then you must change the internal attribute handling for dovecot. For this you have to change the ```pass_attr``` and the ```user_attr``` mapping, as shown in the example below:
2020-12-05 20:01:26 +00:00
```yml
- DOVECOT_PASS_ATTR=<YOUR_USER_IDENTIFYER_ATTRIBUTE>=user,<YOUR_USER_PASSWORD_ATTRIBUTE>=password
- DOVECOT_USER_ATTR=<YOUR_USER_HOME_DIRECTORY_ATTRIBUTE>=home,<YOUR_USER_MAILSTORE_ATTRIBUTE>=mail,<YOUR_USER_MAIL_UID_ATTRIBUTE>=uid, <YOUR_USER_MAIL_GID_ATTRIBUTE>=gid
```
2018-12-31 14:18:03 +00:00
The following example illustrates this for a directory that has the qmail-schema installed and that uses ```uid```:
2020-12-05 20:01:26 +00:00
```yml
- DOVECOT_PASS_ATTRS=uid=user,userPassword=password
- DOVECOT_USER_ATTRS=homeDirectory=home,qmailUID=uid,qmailGID=gid,mailMessageStore=mail
- DOVECOT_PASS_FILTER=(&(objectClass=qmailUser)(uid=%u)(accountStatus=active))
- DOVECOT_USER_FILTER=(&(objectClass=qmailUser)(uid=%u)(accountStatus=active))
```