tests: LDAP - Improvements to LDIF (#3506)

- The `uniqueIdentifier` attribute is not appropriate and was relying on `objectClass: extensibleObject` as a workaround to allow it. A more appropriate attribute to use instead is `userID` (_short name: `uid`_).
- Removing `extensibleObject` now requires switching the user accounts to use `inetOrgPerson` class (_which inherits from `organizationalPerson`_). which allows the attributes `givenName`, `userID` and `mail` (_also provided via the `PostfixBookMailAccount` class_).
- The LDAP root object now uses `dc` attributes for `example.test` instead of `localhost.localdomain`. This has nothing to do with DMS or LDAP containers networking config, nor the users mail addresses.
- Users are now grouped under the organizational unit of `users` instead of `people`. Purely a naming change out of preference, no functional difference.

The LDAP test ENV has been updated to accommodate the above changes. An additional ENV override was required for SASLAuthd to switch an attribute set for `ldap_filter` in `/etc/saslauthd.conf` from the implicit default of `uniqueIdentifier` (_that we set during startup as an ENV default for fallback_) to the `userID` attribute.
This commit is contained in:
Brennan Kinney 2023-08-29 10:16:08 +12:00 committed by GitHub
parent e9f04cf8a7
commit 351ef2afa1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 34 additions and 29 deletions

View file

@ -1,11 +1,16 @@
# The root object, all entries will branch off this one: # The root object of the tree, all entries will branch off this one:
dn: dc=localhost,dc=localdomain dn: dc=example,dc=test
# DN is formed from `example.test` DNS labels:
# NOTE: This is just a common convention (not dependent on hostname or any external config)
objectClass: dcObject objectClass: dcObject
# Must reference left most component:
dc: example
# It's required to use an `objectClass` that implements a "Structural Class":
objectClass: organization objectClass: organization
dc: localhost # Value is purely descriptive, not important to tests:
o: DMS Test o: DMS Test
# User accounts will belong to this subtree: # User accounts will belong to this subtree:
dn: ou=people,dc=localhost,dc=localdomain dn: ou=users,dc=example,dc=test
objectClass: organizationalUnit objectClass: organizationalUnit
ou: people ou: users

View file

@ -1,12 +1,11 @@
# NOTE: A standard user account to test against # NOTE: A standard user account to test against
dn: uniqueIdentifier=some.user,ou=people,dc=localhost,dc=localdomain dn: uid=some.user,ou=users,dc=example,dc=test
objectClass: organizationalPerson objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount objectClass: PostfixBookMailAccount
objectClass: extensibleObject
cn: Some User cn: Some User
givenName: Some givenName: Some
surname: User surname: User
uniqueIdentifier: some.user userID: some.user
# Password is: secret # Password is: secret
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
mail: some.user@localhost.localdomain mail: some.user@localhost.localdomain

View file

@ -1,13 +1,12 @@
# NOTE: This user differs via the domain-part of their mail address # NOTE: This user differs via the domain-part of their mail address
# They also have their mail directory attributes using the primary domain, not their domain-part # They also have their mail directory attributes using the primary domain, not their domain-part
dn: uniqueIdentifier=some.other.user,ou=people,dc=localhost,dc=localdomain dn: uid=some.other.user,ou=users,dc=example,dc=test
objectClass: organizationalPerson objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount objectClass: PostfixBookMailAccount
objectClass: extensibleObject
cn: Some Other User cn: Some Other User
givenName: Some givenName: Some
surname: Other User surname: Other User
uniqueIdentifier: some.other.user userID: some.other.user
# Password is: secret # Password is: secret
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
mail: some.other.user@localhost.otherdomain mail: some.other.user@localhost.otherdomain

View file

@ -1,13 +1,12 @@
# NOTE: This user differs by local-part of mail address not matching their uniqueIdentifier attribute # NOTE: This user differs by local-part of mail address not matching their uniqueIdentifier attribute
# They also do not have any alias or groups configured # They also do not have any alias or groups configured
dn: uniqueIdentifier=some.user.id,ou=people,dc=localhost,dc=localdomain dn: uid=some.user.id,ou=users,dc=example,dc=test
objectClass: organizationalPerson objectClass: inetOrgPerson
objectClass: PostfixBookMailAccount objectClass: PostfixBookMailAccount
objectClass: extensibleObject
cn: Some User cn: Some User
givenName: Some givenName: Some
surname: User surname: User
uniqueIdentifier: some.user.id userID: some.user.id
# Password is: secret # Password is: secret
userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx userPassword: {SSHA}eLtqGpid+hkSVhxvsdTPztv4uapRofGx
mail: some.user.email@localhost.localdomain mail: some.user.email@localhost.localdomain

View file

@ -21,7 +21,7 @@ function setup_file() {
# Setup local openldap service: # Setup local openldap service:
docker run --rm -d --name "${CONTAINER2_NAME}" \ docker run --rm -d --name "${CONTAINER2_NAME}" \
--env LDAP_ADMIN_PASSWORD=admin \ --env LDAP_ADMIN_PASSWORD=admin \
--env LDAP_ROOT='dc=localhost,dc=localdomain' \ --env LDAP_ROOT='dc=example,dc=test' \
--env LDAP_PORT_NUMBER=389 \ --env LDAP_PORT_NUMBER=389 \
--env LDAP_SKIP_DEFAULT_TREE=yes \ --env LDAP_SKIP_DEFAULT_TREE=yes \
--volume './test/config/ldap/docker-openldap/bootstrap/ldif/:/ldifs/:ro' \ --volume './test/config/ldap/docker-openldap/bootstrap/ldif/:/ldifs/:ro' \
@ -37,26 +37,29 @@ function setup_file() {
# #
local ENV_LDAP_CONFIG=( local ENV_LDAP_CONFIG=(
# Configure for LDAP account provisioner and alternative to Dovecot SASL:
--env ACCOUNT_PROVISIONER=LDAP --env ACCOUNT_PROVISIONER=LDAP
# Postfix SASL auth provider (SASLAuthd instead of default Dovecot provider):
--env ENABLE_SASLAUTHD=1 --env ENABLE_SASLAUTHD=1
--env SASLAUTHD_MECHANISMS=ldap --env SASLAUTHD_MECHANISMS=ldap
--env SASLAUTHD_LDAP_FILTER='(&(userID=%U)(mailEnabled=TRUE))'
# ENV to configure LDAP configs for Dovecot + Postfix: # ENV to configure LDAP configs for Dovecot + Postfix:
# NOTE: `scripts/startup/setup.d/ldap.sh:_setup_ldap()` uses `_replace_by_env_in_file()` to configure settings (stripping `DOVECOT_` / `LDAP_` prefixes): # NOTE: `scripts/startup/setup.d/ldap.sh:_setup_ldap()` uses `_replace_by_env_in_file()` to configure settings (stripping `DOVECOT_` / `LDAP_` prefixes):
# Dovecot: # Dovecot:
--env DOVECOT_PASS_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))' --env DOVECOT_PASS_FILTER='(&(objectClass=PostfixBookMailAccount)(userID=%n))'
--env DOVECOT_TLS=no --env DOVECOT_TLS=no
--env DOVECOT_USER_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))' --env DOVECOT_USER_FILTER='(&(objectClass=PostfixBookMailAccount)(userID=%n))'
# Postfix: # Postfix:
--env LDAP_BIND_DN='cn=admin,dc=localhost,dc=localdomain' --env LDAP_BIND_DN='cn=admin,dc=example,dc=test'
--env LDAP_BIND_PW='admin' --env LDAP_BIND_PW='admin'
--env LDAP_QUERY_FILTER_ALIAS='(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))' --env LDAP_QUERY_FILTER_ALIAS='(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))'
--env LDAP_QUERY_FILTER_DOMAIN='(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))' --env LDAP_QUERY_FILTER_DOMAIN='(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))'
--env LDAP_QUERY_FILTER_GROUP='(&(mailGroupMember=%s)(mailEnabled=TRUE))' --env LDAP_QUERY_FILTER_GROUP='(&(mailGroupMember=%s)(mailEnabled=TRUE))'
--env LDAP_QUERY_FILTER_SENDERS='(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))' --env LDAP_QUERY_FILTER_SENDERS='(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(userID=some.user.id))'
--env LDAP_QUERY_FILTER_USER='(&(mail=%s)(mailEnabled=TRUE))' --env LDAP_QUERY_FILTER_USER='(&(mail=%s)(mailEnabled=TRUE))'
--env LDAP_SEARCH_BASE='ou=people,dc=localhost,dc=localdomain' --env LDAP_SEARCH_BASE='ou=users,dc=example,dc=test'
--env LDAP_SERVER_HOST="${FQDN_LDAP}" --env LDAP_SERVER_HOST="${FQDN_LDAP}"
--env LDAP_START_TLS=no --env LDAP_START_TLS=no
) )
@ -108,7 +111,7 @@ function teardown_file() {
# Test email receiving from a other domain then the primary domain of the mailserver # Test email receiving from a other domain then the primary domain of the mailserver
_should_exist_in_ldap_tables "some.other.user@${FQDN_LOCALHOST_B}" _should_exist_in_ldap_tables "some.other.user@${FQDN_LOCALHOST_B}"
# Should not require `uniqueIdentifier` to match the local part of `mail` (`.ldif` defined settings): # Should not require `userID` / `uid` to match the local part of `mail` (`.ldif` defined settings):
# REF: https://github.com/docker-mailserver/docker-mailserver/pull/642#issuecomment-313916384 # REF: https://github.com/docker-mailserver/docker-mailserver/pull/642#issuecomment-313916384
# NOTE: This account has no `mailAlias` or `mailGroupMember` defined in it's `.ldif`. # NOTE: This account has no `mailAlias` or `mailGroupMember` defined in it's `.ldif`.
local MAIL_ACCOUNT="some.user.email@${FQDN_LOCALHOST_A}" local MAIL_ACCOUNT="some.user.email@${FQDN_LOCALHOST_A}"
@ -137,8 +140,8 @@ function teardown_file() {
local LDAP_SETTINGS_POSTFIX=( local LDAP_SETTINGS_POSTFIX=(
"server_host = ${FQDN_LDAP}" "server_host = ${FQDN_LDAP}"
'start_tls = no' 'start_tls = no'
'search_base = ou=people,dc=localhost,dc=localdomain' 'search_base = ou=users,dc=example,dc=test'
'bind_dn = cn=admin,dc=localhost,dc=localdomain' 'bind_dn = cn=admin,dc=example,dc=test'
) )
for LDAP_SETTING in "${LDAP_SETTINGS_POSTFIX[@]}"; do for LDAP_SETTING in "${LDAP_SETTINGS_POSTFIX[@]}"; do
@ -177,8 +180,8 @@ function teardown_file() {
local LDAP_SETTINGS_DOVECOT=( local LDAP_SETTINGS_DOVECOT=(
"uris = ldap://${FQDN_LDAP}" "uris = ldap://${FQDN_LDAP}"
'tls = no' 'tls = no'
'base = ou=people,dc=localhost,dc=localdomain' 'base = ou=users,dc=example,dc=test'
'dn = cn=admin,dc=localhost,dc=localdomain' 'dn = cn=admin,dc=example,dc=test'
) )
for LDAP_SETTING in "${LDAP_SETTINGS_DOVECOT[@]}"; do for LDAP_SETTING in "${LDAP_SETTINGS_DOVECOT[@]}"; do