tests: LDAP - Improvements to LDIF (#3506)
- The `uniqueIdentifier` attribute is not appropriate and was relying on `objectClass: extensibleObject` as a workaround to allow it. A more appropriate attribute to use instead is `userID` (_short name: `uid`_). - Removing `extensibleObject` now requires switching the user accounts to the `inetOrgPerson` class (_which inherits from `organizationalPerson`_), which allows the attributes `givenName`, `userID` and `mail` (_also provided via the `PostfixBookMailAccount` class_). - The LDAP root object now uses `dc` attributes for `example.test` instead of `localhost.localdomain`. This has nothing to do with DMS or LDAP container networking config, nor the users' mail addresses. - Users are now grouped under the organizational unit of `users` instead of `people`. Purely a naming change out of preference, no functional difference. The LDAP test ENV has been updated to accommodate the above changes. An additional ENV override was required for SASLAuthd to switch an attribute set for `ldap_filter` in `/etc/saslauthd.conf` from the implicit default of `uniqueIdentifier` (_that we set during startup as an ENV default for fallback_) to the `userID` attribute.
This commit is contained in:
parent
e9f04cf8a7
commit
351ef2afa1
|
@ -1,11 +1,16 @@
|
||||||
# The root object, all entries will branch off this one:
|
# The root object of the tree, all entries will branch off this one:
|
||||||
dn: dc=localhost,dc=localdomain
|
dn: dc=example,dc=test
|
||||||
|
# DN is formed from `example.test` DNS labels:
|
||||||
|
# NOTE: This is just a common convention (not dependent on hostname or any external config)
|
||||||
objectClass: dcObject
|
objectClass: dcObject
|
||||||
|
# Must reference left most component:
|
||||||
|
dc: example
|
||||||
|
# It's required to use an `objectClass` that implements a "Structural Class":
|
||||||
objectClass: organization
|
objectClass: organization
|
||||||
dc: localhost
|
# Value is purely descriptive, not important to tests:
|
||||||
o: DMS Test
|
o: DMS Test
|
||||||
|
|
||||||
# User accounts will belong to this subtree:
|
# User accounts will belong to this subtree:
|
||||||
dn: ou=people,dc=localhost,dc=localdomain
|
dn: ou=users,dc=example,dc=test
|
||||||
objectClass: organizationalUnit
|
objectClass: organizationalUnit
|
||||||
ou: people
|
ou: users
|
||||||
|
|
|
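Review bot: The comment `# Must reference left most component:` above `dc: example` would be clearer if it stated the actual constraint: the `dc` attribute value has to equal the value of the DN's RDN (`dc=example`), which is exactly why `dc: localhost` had to change together with the `dn:` line. Suggest `# Must equal the RDN value of the dn above (dc=example): the naming attribute has to be present in the entry`. The NOTE line saying the `dc` labels are "not dependent on hostname or any external config" could also point out that the base DN is still coupled to the test ENV (`LDAP_ROOT`, `LDAP_SEARCH_BASE`, `LDAP_BIND_DN` in the test file), which this commit updates in step, so a future rename of the root has to touch both places.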
@ -1,12 +1,11 @@
|
||||||
# NOTE: A standard user account to test against
|
# NOTE: A standard user account to test against
|
||||||
dn: uniqueIdentifier=some.user,ou=people,dc=localhost,dc=localdomain
|
dn: uid=some.user,ou=users,dc=example,dc=test
|
||||||
objectClass: organizationalPerson
|
objectClass: inetOrgPerson
|
||||||
objectClass: PostfixBookMailAccount
|
objectClass: PostfixBookMailAccount
|
||||||
objectClass: extensibleObject
|
|
||||||
cn: Some User
|
cn: Some User
|
||||||
givenName: Some
|
givenName: Some
|
||||||
surname: User
|
surname: User
|
||||||
uniqueIdentifier: some.user
|
userID: some.user
|
||||||
# Password is: secret
|
# Password is: secret
|
||||||
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
|
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
|
||||||
mail: some.user@localhost.localdomain
|
mail: some.user@localhost.localdomain
|
||||||
|
|
|
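Review bot: The entry now names the account as `uid=some.user` in the `dn:` line but as `userID: some.user` in the attribute list, and a reader unfamiliar with the schema may take these for two different attributes; a short comment above `userID:` would remove that doubt, e.g. `# userID is the long name of uid (same attribute); its value must equal the RDN in the dn above`. The same applies to the other two user LDIFs changed in this commit (`uid=some.other.user` and `uid=some.user.id`). The `mail:` value deliberately stays on `localhost.localdomain` while the DN base moved to `dc=example,dc=test` (the description says the two are unrelated), so a one-line comment such as `# Mail domain is independent of the tree's dc labels` above `mail:` would pre-empt someone "fixing" it later.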
@ -1,13 +1,12 @@
|
||||||
# NOTE: This user differs via the domain-part of their mail address
|
# NOTE: This user differs via the domain-part of their mail address
|
||||||
# They also have their mail directory attributes using the primary domain, not their domain-part
|
# They also have their mail directory attributes using the primary domain, not their domain-part
|
||||||
dn: uniqueIdentifier=some.other.user,ou=people,dc=localhost,dc=localdomain
|
dn: uid=some.other.user,ou=users,dc=example,dc=test
|
||||||
objectClass: organizationalPerson
|
objectClass: inetOrgPerson
|
||||||
objectClass: PostfixBookMailAccount
|
objectClass: PostfixBookMailAccount
|
||||||
objectClass: extensibleObject
|
|
||||||
cn: Some Other User
|
cn: Some Other User
|
||||||
givenName: Some
|
givenName: Some
|
||||||
surname: Other User
|
surname: Other User
|
||||||
uniqueIdentifier: some.other.user
|
userID: some.other.user
|
||||||
# Password is: secret
|
# Password is: secret
|
||||||
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
|
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
|
||||||
mail: some.other.user@localhost.otherdomain
|
mail: some.other.user@localhost.otherdomain
|
||||||
|
|
|
@ -1,13 +1,12 @@
|
||||||
# NOTE: This user differs by local-part of mail address not matching their uniqueIdentifier attribute
|
# NOTE: This user differs by local-part of mail address not matching their uniqueIdentifier attribute
|
||||||
# They also do not have any alias or groups configured
|
# They also do not have any alias or groups configured
|
||||||
dn: uniqueIdentifier=some.user.id,ou=people,dc=localhost,dc=localdomain
|
dn: uid=some.user.id,ou=users,dc=example,dc=test
|
||||||
objectClass: organizationalPerson
|
objectClass: inetOrgPerson
|
||||||
objectClass: PostfixBookMailAccount
|
objectClass: PostfixBookMailAccount
|
||||||
objectClass: extensibleObject
|
|
||||||
cn: Some User
|
cn: Some User
|
||||||
givenName: Some
|
givenName: Some
|
||||||
surname: User
|
surname: User
|
||||||
uniqueIdentifier: some.user.id
|
userID: some.user.id
|
||||||
# Password is: secret
|
# Password is: secret
|
||||||
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
|
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
|
||||||
mail: some.user.email@localhost.localdomain
|
mail: some.user.email@localhost.localdomain
|
||||||
|
|
|
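Review bot: The leading comment on the first line still says `not matching their uniqueIdentifier attribute`, but the entry no longer carries a `uniqueIdentifier` attribute — it is now `userID: some.user.id` with the RDN `uid=some.user.id`, so the comment was missed by the rename. Update it to `# NOTE: This user differs by local-part of mail address not matching their userID (uid) attribute`. The corresponding comment in the test file (`Should not require userID / uid to match the local part of mail`) was updated in this commit, so the two should agree.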
@ -21,7 +21,7 @@ function setup_file() {
|
||||||
# Setup local openldap service:
|
# Setup local openldap service:
|
||||||
docker run --rm -d --name "${CONTAINER2_NAME}" \
|
docker run --rm -d --name "${CONTAINER2_NAME}" \
|
||||||
--env LDAP_ADMIN_PASSWORD=admin \
|
--env LDAP_ADMIN_PASSWORD=admin \
|
||||||
--env LDAP_ROOT='dc=localhost,dc=localdomain' \
|
--env LDAP_ROOT='dc=example,dc=test' \
|
||||||
--env LDAP_PORT_NUMBER=389 \
|
--env LDAP_PORT_NUMBER=389 \
|
||||||
--env LDAP_SKIP_DEFAULT_TREE=yes \
|
--env LDAP_SKIP_DEFAULT_TREE=yes \
|
||||||
--volume './test/config/ldap/docker-openldap/bootstrap/ldif/:/ldifs/:ro' \
|
--volume './test/config/ldap/docker-openldap/bootstrap/ldif/:/ldifs/:ro' \
|
||||||
|
@ -37,26 +37,29 @@ function setup_file() {
|
||||||
#
|
#
|
||||||
|
|
||||||
local ENV_LDAP_CONFIG=(
|
local ENV_LDAP_CONFIG=(
|
||||||
# Configure for LDAP account provisioner and alternative to Dovecot SASL:
|
|
||||||
--env ACCOUNT_PROVISIONER=LDAP
|
--env ACCOUNT_PROVISIONER=LDAP
|
||||||
|
|
||||||
|
# Postfix SASL auth provider (SASLAuthd instead of default Dovecot provider):
|
||||||
--env ENABLE_SASLAUTHD=1
|
--env ENABLE_SASLAUTHD=1
|
||||||
--env SASLAUTHD_MECHANISMS=ldap
|
--env SASLAUTHD_MECHANISMS=ldap
|
||||||
|
--env SASLAUTHD_LDAP_FILTER='(&(userID=%U)(mailEnabled=TRUE))'
|
||||||
|
|
||||||
# ENV to configure LDAP configs for Dovecot + Postfix:
|
# ENV to configure LDAP configs for Dovecot + Postfix:
|
||||||
# NOTE: `scripts/startup/setup.d/ldap.sh:_setup_ldap()` uses `_replace_by_env_in_file()` to configure settings (stripping `DOVECOT_` / `LDAP_` prefixes):
|
# NOTE: `scripts/startup/setup.d/ldap.sh:_setup_ldap()` uses `_replace_by_env_in_file()` to configure settings (stripping `DOVECOT_` / `LDAP_` prefixes):
|
||||||
# Dovecot:
|
# Dovecot:
|
||||||
--env DOVECOT_PASS_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))'
|
--env DOVECOT_PASS_FILTER='(&(objectClass=PostfixBookMailAccount)(userID=%n))'
|
||||||
--env DOVECOT_TLS=no
|
--env DOVECOT_TLS=no
|
||||||
--env DOVECOT_USER_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))'
|
--env DOVECOT_USER_FILTER='(&(objectClass=PostfixBookMailAccount)(userID=%n))'
|
||||||
|
|
||||||
# Postfix:
|
# Postfix:
|
||||||
--env LDAP_BIND_DN='cn=admin,dc=localhost,dc=localdomain'
|
--env LDAP_BIND_DN='cn=admin,dc=example,dc=test'
|
||||||
--env LDAP_BIND_PW='admin'
|
--env LDAP_BIND_PW='admin'
|
||||||
--env LDAP_QUERY_FILTER_ALIAS='(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))'
|
--env LDAP_QUERY_FILTER_ALIAS='(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))'
|
||||||
--env LDAP_QUERY_FILTER_DOMAIN='(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))'
|
--env LDAP_QUERY_FILTER_DOMAIN='(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))'
|
||||||
--env LDAP_QUERY_FILTER_GROUP='(&(mailGroupMember=%s)(mailEnabled=TRUE))'
|
--env LDAP_QUERY_FILTER_GROUP='(&(mailGroupMember=%s)(mailEnabled=TRUE))'
|
||||||
--env LDAP_QUERY_FILTER_SENDERS='(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))'
|
--env LDAP_QUERY_FILTER_SENDERS='(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(userID=some.user.id))'
|
||||||
--env LDAP_QUERY_FILTER_USER='(&(mail=%s)(mailEnabled=TRUE))'
|
--env LDAP_QUERY_FILTER_USER='(&(mail=%s)(mailEnabled=TRUE))'
|
||||||
--env LDAP_SEARCH_BASE='ou=people,dc=localhost,dc=localdomain'
|
--env LDAP_SEARCH_BASE='ou=users,dc=example,dc=test'
|
||||||
--env LDAP_SERVER_HOST="${FQDN_LDAP}"
|
--env LDAP_SERVER_HOST="${FQDN_LDAP}"
|
||||||
--env LDAP_START_TLS=no
|
--env LDAP_START_TLS=no
|
||||||
)
|
)
|
||||||
|
@ -108,7 +111,7 @@ function teardown_file() {
|
||||||
# Test email receiving from a other domain then the primary domain of the mailserver
|
# Test email receiving from a other domain then the primary domain of the mailserver
|
||||||
_should_exist_in_ldap_tables "some.other.user@${FQDN_LOCALHOST_B}"
|
_should_exist_in_ldap_tables "some.other.user@${FQDN_LOCALHOST_B}"
|
||||||
|
|
||||||
# Should not require `uniqueIdentifier` to match the local part of `mail` (`.ldif` defined settings):
|
# Should not require `userID` / `uid` to match the local part of `mail` (`.ldif` defined settings):
|
||||||
# REF: https://github.com/docker-mailserver/docker-mailserver/pull/642#issuecomment-313916384
|
# REF: https://github.com/docker-mailserver/docker-mailserver/pull/642#issuecomment-313916384
|
||||||
# NOTE: This account has no `mailAlias` or `mailGroupMember` defined in it's `.ldif`.
|
# NOTE: This account has no `mailAlias` or `mailGroupMember` defined in it's `.ldif`.
|
||||||
local MAIL_ACCOUNT="some.user.email@${FQDN_LOCALHOST_A}"
|
local MAIL_ACCOUNT="some.user.email@${FQDN_LOCALHOST_A}"
|
||||||
|
@ -137,8 +140,8 @@ function teardown_file() {
|
||||||
local LDAP_SETTINGS_POSTFIX=(
|
local LDAP_SETTINGS_POSTFIX=(
|
||||||
"server_host = ${FQDN_LDAP}"
|
"server_host = ${FQDN_LDAP}"
|
||||||
'start_tls = no'
|
'start_tls = no'
|
||||||
'search_base = ou=people,dc=localhost,dc=localdomain'
|
'search_base = ou=users,dc=example,dc=test'
|
||||||
'bind_dn = cn=admin,dc=localhost,dc=localdomain'
|
'bind_dn = cn=admin,dc=example,dc=test'
|
||||||
)
|
)
|
||||||
|
|
||||||
for LDAP_SETTING in "${LDAP_SETTINGS_POSTFIX[@]}"; do
|
for LDAP_SETTING in "${LDAP_SETTINGS_POSTFIX[@]}"; do
|
||||||
|
@ -177,8 +180,8 @@ function teardown_file() {
|
||||||
local LDAP_SETTINGS_DOVECOT=(
|
local LDAP_SETTINGS_DOVECOT=(
|
||||||
"uris = ldap://${FQDN_LDAP}"
|
"uris = ldap://${FQDN_LDAP}"
|
||||||
'tls = no'
|
'tls = no'
|
||||||
'base = ou=people,dc=localhost,dc=localdomain'
|
'base = ou=users,dc=example,dc=test'
|
||||||
'dn = cn=admin,dc=localhost,dc=localdomain'
|
'dn = cn=admin,dc=example,dc=test'
|
||||||
)
|
)
|
||||||
|
|
||||||
for LDAP_SETTING in "${LDAP_SETTINGS_DOVECOT[@]}"; do
|
for LDAP_SETTING in "${LDAP_SETTINGS_DOVECOT[@]}"; do
|
||||||
|
|
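Review bot: The added `--env SASLAUTHD_LDAP_FILTER='(&(userID=%U)(mailEnabled=TRUE))'` inside `ENV_LDAP_CONFIG` has no comment saying why it is needed, while the neighbouring settings do; per the commit description it overrides a startup default `ldap_filter` that still targets `uniqueIdentifier`, which is not obvious from the test alone. Suggest `# Override the startup default ldap_filter (uniqueIdentifier) to match the userID attribute used by the test LDIF:` above that line. The comment could also note that `%U` is the SASLAuthd placeholder and is not interchangeable with the `%n` used in `DOVECOT_PASS_FILTER` / `DOVECOT_USER_FILTER` a few lines below, so nobody "harmonises" them. The enclosing `setup_file()` starts outside this hunk.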