fix!: Allow protocol in SASLAUTHD_LDAP_SERVER & adjust SASLAUTHD_LDAP_ default values (#1989)

* fix: make sure the SASLAUTHD_LDAP_HOST/PROTO logic makes sense and use LDAP_SERVER_HOST as a fallback (#1983)

* chore(docs): document changes to LDAP/SASLAUTHD as of #1983

* fix!: apply default value modifications suggested in #1983

https://github.com/docker-mailserver/docker-mailserver/issues/1983#issuecomment-844848224

* chore(test): Test SASLAUTHD_LDAP_SERVER with protocol and ..._SSL=0, as well as with default bind credentials

Note that there are currently no regression tests for this as there's only one setup_file, so that would require big changes to the testing methodology.

* refactor!: completely remove SASLAUTHD_LDAP_SSL and SASLAUTHD_LDAP_PROTO

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>

docs/content/config/advanced/auth-ldap.md

@@ -226,11 +226,6 @@ To enable LDAP over StartTLS (on port 389), you need to set the following enviro
 
           # >>> SASL Authentication
           - ENABLE_SASLAUTHD=1
-          - SASLAUTHD_LDAP_SERVER=<yourLdapContainer/yourLdapServer>
-          - SASLAUTHD_LDAP_PROTO=
-          - SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc
-          - SASLAUTHD_LDAP_PASSWORD=mypassword
-          - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc
           - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
           - SASLAUTHD_MECHANISMS=ldap
           # <<< SASL Authentication

docs/content/config/environment.md

@@ -479,7 +479,6 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
 - => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`)
 
 ##### DOVECOT_DNPASS
-
 - **empty** => same as `LDAP_BIND_PW`
 - => Password for LDAP dn sepecifified in `DOVECOT_DN`.
 
@@ -566,7 +565,7 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
 
 ##### SASLAUTHD_MECHANISMS
 
-- empty => pam
+- **empty** => pam
 - `ldap` => authenticate against ldap server
 - `shadow` => authenticate against local user db
 - `mysql` => authenticate against mysql db
@@ -575,17 +574,13 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
 
 ##### SASLAUTHD_MECH_OPTIONS
 
-- empty => None
+- **empty** => None
 - e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server  ==> xxx.xxx.xxx.xxx
 
 ##### SASLAUTHD_LDAP_SERVER
 
-- empty => localhost
-
-##### SASLAUTHD_LDAP_SSL
-
-- empty or 0 => `ldap://` will be used
-- 1 => `ldaps://` will be used
+- **empty** => same as `LDAP_SERVER_HOST`
+- Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
 
 ##### SASLAUTHD_LDAP_START_TLS
 
@@ -613,23 +608,23 @@ File containing CA (Certificate Authority) certificate(s).
 
 ##### SASLAUTHD_LDAP_BIND_DN
 
-- empty => anonymous bind
+- **empty** => same as `LDAP_BIND_DN`
 - specify an object with privileges to search the directory tree
 - e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
 - e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
 
 ##### SASLAUTHD_LDAP_PASSWORD
 
-- empty => anonymous bind
+- **empty** => same as `LDAP_BIND_PW`
 
 ##### SASLAUTHD_LDAP_SEARCH_BASE
 
-- empty => Reverting to SASLAUTHD_MECHANISMS pam
+- **empty** => same as `LDAP_SEARCH_BASE`
 - specify the search base
 
 ##### SASLAUTHD_LDAP_FILTER
 
-- empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
+- **empty** => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
 - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
 - e.g. for openldap: `(&(uid=%U)(objectClass=person))`
 

docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md

@@ -40,7 +40,6 @@ LDAP_BIND_PW=pass1234
 ENABLE_SASLAUTHD=1
 SASLAUTHD_MECHANISMS=ldap
 SASLAUTHD_LDAP_SERVER=ldap.example.org
-SASLAUTHD_LDAP_SSL=0
 SASLAUTHD_LDAP_START_TLS=yes
 SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org
 SASLAUTHD_LDAP_PASSWORD=pass1234

mailserver.env

@@ -356,30 +356,27 @@ ENABLE_SASLAUTHD=0
 # `shadow` => authenticate against local user db
 # `mysql` => authenticate against mysql db
 # `rimap` => authenticate against imap server
-# NOTE: can be a list of mechanisms like pam ldap shadow
+# Note: can be a list of mechanisms like pam ldap shadow
 SASLAUTHD_MECHANISMS=
 
 # empty => None
 # e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server  ==> xxx.xxx.xxx.xxx
 SASLAUTHD_MECH_OPTIONS=
 
-# empty => localhost
+# empty => Use value of LDAP_SERVER_HOST
+# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
 SASLAUTHD_LDAP_SERVER=
 
-# empty or 0 => `ldap://` will be used
-# 1 => `ldaps://` will be used
-SASLAUTHD_LDAP_SSL=
-
-# empty => anonymous bind
+# empty => Use value of LDAP_BIND_DN
 # specify an object with priviliges to search the directory tree
 # e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
 # e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
 SASLAUTHD_LDAP_BIND_DN=
 
-# empty => anonymous bind
+# empty => Use value of LDAP_BIND_PW
 SASLAUTHD_LDAP_PASSWORD=
 
-# empty => Reverting to SASLAUTHD_MECHANISMS pam
+# empty => Use value of LDAP_SEARCH_BASE
 # specify the search base
 SASLAUTHD_LDAP_SEARCH_BASE=
 
@@ -390,7 +387,7 @@ SASLAUTHD_LDAP_FILTER=
 
 # empty => no
 # yes => LDAP over TLS enabled for SASL
-# Must not be used together with SASLAUTHD_LDAP_SSL=1_
+# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
 SASLAUTHD_LDAP_START_TLS=
 
 # empty => no

target/scripts/startup/setup-stack.sh

@@ -618,13 +618,16 @@ function _setup_saslauthd
 
   # checking env vars and setting defaults
   [[ -z ${SASLAUTHD_MECHANISMS:-} ]] && SASLAUTHD_MECHANISMS=pam
-  [[ ${SASLAUTHD_MECHANISMS:-} == ldap ]] && [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_MECHANISMS=pam
-  [[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER=localhost
+  [[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER="${LDAP_SERVER_HOST}"
   [[ -z ${SASLAUTHD_LDAP_FILTER} ]] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))'
 
-  if [[ -z ${SASLAUTHD_LDAP_SSL} ]] || [[ ${SASLAUTHD_LDAP_SSL} -eq 0 ]]
+  [[ -z ${SASLAUTHD_LDAP_BIND_DN} ]] && SASLAUTHD_LDAP_BIND_DN="${LDAP_BIND_DN}"
+  [[ -z ${SASLAUTHD_LDAP_PASSWORD} ]] && SASLAUTHD_LDAP_PASSWORD="${LDAP_BIND_PW}"
+  [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_LDAP_SEARCH_BASE="${LDAP_SEARCH_BASE}"
+
+  if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
   then
-    SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://'
+    SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
   fi
 
   [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no
@@ -663,7 +666,7 @@ function _setup_saslauthd
   then
     _notify 'inf' 'Creating /etc/saslauthd.conf'
     cat > /etc/saslauthd.conf << EOF
-ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER}
+ldap_servers: ${SASLAUTHD_LDAP_SERVER}
 
 ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
 ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}

test/mail_with_ldap.bats

@@ -40,10 +40,6 @@ function setup_file() {
 		-e REPORT_RECIPIENT=1 \
 		-e ENABLE_SASLAUTHD=1 \
 		-e SASLAUTHD_MECHANISMS=ldap \
-		-e SASLAUTHD_LDAP_SERVER=ldap \
-		-e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
-		-e SASLAUTHD_LDAP_PASSWORD=admin \
-		-e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
 		-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
 		-e DMS_DEBUG=0 \
 		--link ldap_for_mail:ldap \