fix!: Allow protocol in SASLAUTHD_LDAP_SERVER & adjust SASLAUTHD_LDAP_ default values (#1989)
* fix: make sure the SASLAUTHD_LDAP_HOST/PROTO logic makes sense and use LDAP_SERVER_HOST as a fallback (#1983) * chore(docs): document changes to LDAP/SASLAUTHD as of #1983 * fix!: apply default value modifications suggested in #1983 https://github.com/docker-mailserver/docker-mailserver/issues/1983#issuecomment-844848224 * chore(test): Test SASLAUTHD_LDAP_SERVER with protocol and ..._SSL=0, as well as with default bind credentials Note that there are currently no regression tests for this as there's only one setup_file, so that would require big changes to the testing methodology. * refactor!: completely remove SASLAUTHD_LDAP_SSL and SASLAUTHD_LDAP_PROTO Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
This commit is contained in:
parent
dd723f53ee
commit
66bc157c1d
|
@ -226,11 +226,6 @@ To enable LDAP over StartTLS (on port 389), you need to set the following enviro
|
||||||
|
|
||||||
# >>> SASL Authentication
|
# >>> SASL Authentication
|
||||||
- ENABLE_SASLAUTHD=1
|
- ENABLE_SASLAUTHD=1
|
||||||
- SASLAUTHD_LDAP_SERVER=<yourLdapContainer/yourLdapServer>
|
|
||||||
- SASLAUTHD_LDAP_PROTO=
|
|
||||||
- SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc
|
|
||||||
- SASLAUTHD_LDAP_PASSWORD=mypassword
|
|
||||||
- SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc
|
|
||||||
- SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
|
- SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
|
||||||
- SASLAUTHD_MECHANISMS=ldap
|
- SASLAUTHD_MECHANISMS=ldap
|
||||||
# <<< SASL Authentication
|
# <<< SASL Authentication
|
||||||
|
|
|
@ -479,7 +479,6 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
|
||||||
- => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`)
|
- => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`)
|
||||||
|
|
||||||
##### DOVECOT_DNPASS
|
##### DOVECOT_DNPASS
|
||||||
|
|
||||||
- **empty** => same as `LDAP_BIND_PW`
|
- **empty** => same as `LDAP_BIND_PW`
|
||||||
- => Password for LDAP dn sepecifified in `DOVECOT_DN`.
|
- => Password for LDAP dn sepecifified in `DOVECOT_DN`.
|
||||||
|
|
||||||
|
@ -566,7 +565,7 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
|
||||||
|
|
||||||
##### SASLAUTHD_MECHANISMS
|
##### SASLAUTHD_MECHANISMS
|
||||||
|
|
||||||
- empty => pam
|
- **empty** => pam
|
||||||
- `ldap` => authenticate against ldap server
|
- `ldap` => authenticate against ldap server
|
||||||
- `shadow` => authenticate against local user db
|
- `shadow` => authenticate against local user db
|
||||||
- `mysql` => authenticate against mysql db
|
- `mysql` => authenticate against mysql db
|
||||||
|
@ -575,17 +574,13 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
|
||||||
|
|
||||||
##### SASLAUTHD_MECH_OPTIONS
|
##### SASLAUTHD_MECH_OPTIONS
|
||||||
|
|
||||||
- empty => None
|
- **empty** => None
|
||||||
- e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
|
- e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
|
||||||
|
|
||||||
##### SASLAUTHD_LDAP_SERVER
|
##### SASLAUTHD_LDAP_SERVER
|
||||||
|
|
||||||
- empty => localhost
|
- **empty** => same as `LDAP_SERVER_HOST`
|
||||||
|
- Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
|
||||||
##### SASLAUTHD_LDAP_SSL
|
|
||||||
|
|
||||||
- empty or 0 => `ldap://` will be used
|
|
||||||
- 1 => `ldaps://` will be used
|
|
||||||
|
|
||||||
##### SASLAUTHD_LDAP_START_TLS
|
##### SASLAUTHD_LDAP_START_TLS
|
||||||
|
|
||||||
|
@ -613,23 +608,23 @@ File containing CA (Certificate Authority) certificate(s).
|
||||||
|
|
||||||
##### SASLAUTHD_LDAP_BIND_DN
|
##### SASLAUTHD_LDAP_BIND_DN
|
||||||
|
|
||||||
- empty => anonymous bind
|
- **empty** => same as `LDAP_BIND_DN`
|
||||||
- specify an object with privileges to search the directory tree
|
- specify an object with privileges to search the directory tree
|
||||||
- e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
|
- e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
|
||||||
- e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
|
- e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
|
||||||
|
|
||||||
##### SASLAUTHD_LDAP_PASSWORD
|
##### SASLAUTHD_LDAP_PASSWORD
|
||||||
|
|
||||||
- empty => anonymous bind
|
- **empty** => same as `LDAP_BIND_PW`
|
||||||
|
|
||||||
##### SASLAUTHD_LDAP_SEARCH_BASE
|
##### SASLAUTHD_LDAP_SEARCH_BASE
|
||||||
|
|
||||||
- empty => Reverting to SASLAUTHD_MECHANISMS pam
|
- **empty** => same as `LDAP_SEARCH_BASE`
|
||||||
- specify the search base
|
- specify the search base
|
||||||
|
|
||||||
##### SASLAUTHD_LDAP_FILTER
|
##### SASLAUTHD_LDAP_FILTER
|
||||||
|
|
||||||
- empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
|
- **empty** => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
|
||||||
- e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
|
- e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
|
||||||
- e.g. for openldap: `(&(uid=%U)(objectClass=person))`
|
- e.g. for openldap: `(&(uid=%U)(objectClass=person))`
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,6 @@ LDAP_BIND_PW=pass1234
|
||||||
ENABLE_SASLAUTHD=1
|
ENABLE_SASLAUTHD=1
|
||||||
SASLAUTHD_MECHANISMS=ldap
|
SASLAUTHD_MECHANISMS=ldap
|
||||||
SASLAUTHD_LDAP_SERVER=ldap.example.org
|
SASLAUTHD_LDAP_SERVER=ldap.example.org
|
||||||
SASLAUTHD_LDAP_SSL=0
|
|
||||||
SASLAUTHD_LDAP_START_TLS=yes
|
SASLAUTHD_LDAP_START_TLS=yes
|
||||||
SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org
|
SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org
|
||||||
SASLAUTHD_LDAP_PASSWORD=pass1234
|
SASLAUTHD_LDAP_PASSWORD=pass1234
|
||||||
|
|
|
@ -356,30 +356,27 @@ ENABLE_SASLAUTHD=0
|
||||||
# `shadow` => authenticate against local user db
|
# `shadow` => authenticate against local user db
|
||||||
# `mysql` => authenticate against mysql db
|
# `mysql` => authenticate against mysql db
|
||||||
# `rimap` => authenticate against imap server
|
# `rimap` => authenticate against imap server
|
||||||
# NOTE: can be a list of mechanisms like pam ldap shadow
|
# Note: can be a list of mechanisms like pam ldap shadow
|
||||||
SASLAUTHD_MECHANISMS=
|
SASLAUTHD_MECHANISMS=
|
||||||
|
|
||||||
# empty => None
|
# empty => None
|
||||||
# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
|
# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
|
||||||
SASLAUTHD_MECH_OPTIONS=
|
SASLAUTHD_MECH_OPTIONS=
|
||||||
|
|
||||||
# empty => localhost
|
# empty => Use value of LDAP_SERVER_HOST
|
||||||
|
# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
|
||||||
SASLAUTHD_LDAP_SERVER=
|
SASLAUTHD_LDAP_SERVER=
|
||||||
|
|
||||||
# empty or 0 => `ldap://` will be used
|
# empty => Use value of LDAP_BIND_DN
|
||||||
# 1 => `ldaps://` will be used
|
|
||||||
SASLAUTHD_LDAP_SSL=
|
|
||||||
|
|
||||||
# empty => anonymous bind
|
|
||||||
# specify an object with priviliges to search the directory tree
|
# specify an object with priviliges to search the directory tree
|
||||||
# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
|
# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
|
||||||
# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
|
# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
|
||||||
SASLAUTHD_LDAP_BIND_DN=
|
SASLAUTHD_LDAP_BIND_DN=
|
||||||
|
|
||||||
# empty => anonymous bind
|
# empty => Use value of LDAP_BIND_PW
|
||||||
SASLAUTHD_LDAP_PASSWORD=
|
SASLAUTHD_LDAP_PASSWORD=
|
||||||
|
|
||||||
# empty => Reverting to SASLAUTHD_MECHANISMS pam
|
# empty => Use value of LDAP_SEARCH_BASE
|
||||||
# specify the search base
|
# specify the search base
|
||||||
SASLAUTHD_LDAP_SEARCH_BASE=
|
SASLAUTHD_LDAP_SEARCH_BASE=
|
||||||
|
|
||||||
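Review bot: The new comment `# empty => Use value of LDAP_BIND_DN` takes the slot of the old SASLAUTHD_LDAP_SSL comment, so it now sits directly under `SASLAUTHD_LDAP_SERVER=` with a blank line between it and the `# specify an object with priviliges to search the directory tree` block and the `SASLAUTHD_LDAP_BIND_DN=` line it actually describes; move it below that blank line so the BIND_DN block reads as one unit like SERVER, PASSWORD and SEARCH_BASE do. The SERVER note says the protocol "deprecates SASLAUTHD_LDAP_SSL" while the commit message says the variable is completely removed; a deprecated variable is expected to still work, so say plainly that it is no longer read, e.g. `# Note: since version 10.0.0 the protocol is part of this value (e.g. ldaps://); SASLAUTHD_LDAP_SSL is no longer read.`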
|
@ -390,7 +387,7 @@ SASLAUTHD_LDAP_FILTER=
|
||||||
|
|
||||||
# empty => no
|
# empty => no
|
||||||
# yes => LDAP over TLS enabled for SASL
|
# yes => LDAP over TLS enabled for SASL
|
||||||
# Must not be used together with SASLAUTHD_LDAP_SSL=1_
|
# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
|
||||||
SASLAUTHD_LDAP_START_TLS=
|
SASLAUTHD_LDAP_START_TLS=
|
||||||
|
|
||||||
# empty => no
|
# empty => no
|
||||||
|
|
|
@ -618,13 +618,16 @@ function _setup_saslauthd
|
||||||
|
|
||||||
# checking env vars and setting defaults
|
# checking env vars and setting defaults
|
||||||
[[ -z ${SASLAUTHD_MECHANISMS:-} ]] && SASLAUTHD_MECHANISMS=pam
|
[[ -z ${SASLAUTHD_MECHANISMS:-} ]] && SASLAUTHD_MECHANISMS=pam
|
||||||
[[ ${SASLAUTHD_MECHANISMS:-} == ldap ]] && [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_MECHANISMS=pam
|
[[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER="${LDAP_SERVER_HOST}"
|
||||||
[[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER=localhost
|
|
||||||
[[ -z ${SASLAUTHD_LDAP_FILTER} ]] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))'
|
[[ -z ${SASLAUTHD_LDAP_FILTER} ]] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))'
|
||||||
|
|
||||||
if [[ -z ${SASLAUTHD_LDAP_SSL} ]] || [[ ${SASLAUTHD_LDAP_SSL} -eq 0 ]]
|
[[ -z ${SASLAUTHD_LDAP_BIND_DN} ]] && SASLAUTHD_LDAP_BIND_DN="${LDAP_BIND_DN}"
|
||||||
|
[[ -z ${SASLAUTHD_LDAP_PASSWORD} ]] && SASLAUTHD_LDAP_PASSWORD="${LDAP_BIND_PW}"
|
||||||
|
[[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_LDAP_SEARCH_BASE="${LDAP_SEARCH_BASE}"
|
||||||
|
|
||||||
|
if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
|
||||||
then
|
then
|
||||||
SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://'
|
SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no
|
[[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no
|
||||||
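Review bot: When SASLAUTHD_LDAP_SERVER carries no scheme the new `if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]` block unconditionally prepends `ldap://`, so an operator upgrading with `SASLAUTHD_LDAP_SSL=1` still in their environment is silently downgraded from LDAPS to cleartext LDAP, with the bind password on the wire, and nothing here detects the removed variable. I would honour the legacy flag with a warning (or refuse to start) and also reject `ldaps://` together with SASLAUTHD_LDAP_START_TLS=yes, which the mailserver.env comment in this commit promises but no line in this hunk enforces; sketch below, assuming `_notify` accepts levels other than the `'inf'` visible in the next hunk — confirm. Note too that the `${LDAP_SERVER_HOST}`, `${LDAP_BIND_DN}`, `${LDAP_BIND_PW}` and `${LDAP_SEARCH_BASE}` fallbacks use bare expansion while `${SASLAUTHD_MECHANISMS:-}` above guards against unset; if this script runs under `set -u`, an unset LDAP_* variable (e.g. a non-LDAP deployment that only sets SASLAUTHD_LDAP_SERVER) would abort startup here. `_setup_saslauthd` starts before and continues after this hunk.
```shell
# … unchanged: SASLAUTHD_LDAP_* fallbacks to LDAP_* …

# SASLAUTHD_LDAP_SSL was removed in 10.0.0; honour a leftover value instead of silently downgrading to cleartext
if [[ ${SASLAUTHD_LDAP_SSL:-0} == 1 ]] && [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
then
  _notify 'warn' 'SASLAUTHD_LDAP_SSL is no longer supported; set SASLAUTHD_LDAP_SERVER=ldaps://<host> instead'
  SASLAUTHD_LDAP_SERVER="ldaps://${SASLAUTHD_LDAP_SERVER}"
fi

if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
then
  SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
fi

[[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no

# STARTTLS upgrades a plain ldap:// session; combining it with ldaps:// is a misconfiguration, not a fallback
if [[ ${SASLAUTHD_LDAP_START_TLS} == yes ]] && [[ "${SASLAUTHD_LDAP_SERVER}" == 'ldaps://'* ]]
then
  _notify 'err' 'SASLAUTHD_LDAP_START_TLS=yes requires an ldap:// (or scheme-less) SASLAUTHD_LDAP_SERVER'
  return 1
fi
```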
|
@ -663,7 +666,7 @@ function _setup_saslauthd
|
||||||
then
|
then
|
||||||
_notify 'inf' 'Creating /etc/saslauthd.conf'
|
_notify 'inf' 'Creating /etc/saslauthd.conf'
|
||||||
cat > /etc/saslauthd.conf << EOF
|
cat > /etc/saslauthd.conf << EOF
|
||||||
ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER}
|
ldap_servers: ${SASLAUTHD_LDAP_SERVER}
|
||||||
|
|
||||||
ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
|
ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
|
||||||
ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}
|
ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}
|
||||||
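Review bot: `cat > /etc/saslauthd.conf << EOF` creates the file under the process umask, and the file holds the bind DN shown in this hunk and, presumably, the bind password further down the heredoc (outside the hunk); with the usual umask of 022 that password is world-readable inside the container. Unless a chmod already happens later in `_setup_saslauthd`, which is outside my view, I would add `chmod 0600 /etc/saslauthd.conf` right after the heredoc's closing `EOF`, or wrap the write as `( umask 077; cat > /etc/saslauthd.conf << EOF … )`, assuming saslauthd reads the file as root — confirm. The heredoc body starts in this hunk but its end is outside it.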
|
|
|
@ -40,10 +40,6 @@ function setup_file() {
|
||||||
-e REPORT_RECIPIENT=1 \
|
-e REPORT_RECIPIENT=1 \
|
||||||
-e ENABLE_SASLAUTHD=1 \
|
-e ENABLE_SASLAUTHD=1 \
|
||||||
-e SASLAUTHD_MECHANISMS=ldap \
|
-e SASLAUTHD_MECHANISMS=ldap \
|
||||||
-e SASLAUTHD_LDAP_SERVER=ldap \
|
|
||||||
-e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
|
|
||||||
-e SASLAUTHD_LDAP_PASSWORD=admin \
|
|
||||||
-e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
|
||||||
-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
|
-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
|
||||||
-e DMS_DEBUG=0 \
|
-e DMS_DEBUG=0 \
|
||||||
--link ldap_for_mail:ldap \
|
--link ldap_for_mail:ldap \
|
||||||
|
|