fix!: Allow protocol in SASLAUTHD_LDAP_SERVER & adjust SASLAUTHD_LDAP_ default values (#1989)

* fix: make sure the SASLAUTHD_LDAP_HOST/PROTO logic makes sense and use LDAP_SERVER_HOST as a fallback (#1983)

* chore(docs): document changes to LDAP/SASLAUTHD as of #1983

* fix!: apply default value modifications suggested in #1983

https://github.com/docker-mailserver/docker-mailserver/issues/1983#issuecomment-844848224

* chore(test): Test SASLAUTHD_LDAP_SERVER with protocol and ..._SSL=0, as well as with default bind credentials

Note that there are currently no regression tests for this as there's only one setup_file, so that would require big changes to the testing methodology.

* refactor!: completely remove SASLAUTHD_LDAP_SSL and SASLAUTHD_LDAP_PROTO

Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
This commit is contained in:
Moritz Marquardt 2021-05-22 22:52:56 +02:00 committed by GitHub
parent dd723f53ee
commit 66bc157c1d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 23 additions and 38 deletions

View file

@ -226,11 +226,6 @@ To enable LDAP over StartTLS (on port 389), you need to set the following enviro
# >>> SASL Authentication # >>> SASL Authentication
- ENABLE_SASLAUTHD=1 - ENABLE_SASLAUTHD=1
- SASLAUTHD_LDAP_SERVER=<yourLdapContainer/yourLdapServer>
- SASLAUTHD_LDAP_PROTO=
- SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc
- SASLAUTHD_LDAP_PASSWORD=mypassword
- SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc
- SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person)) - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
- SASLAUTHD_MECHANISMS=ldap - SASLAUTHD_MECHANISMS=ldap
# <<< SASL Authentication # <<< SASL Authentication

View file

@ -479,7 +479,6 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
- => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`) - => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`)
##### DOVECOT_DNPASS ##### DOVECOT_DNPASS
- **empty** => same as `LDAP_BIND_PW` - **empty** => same as `LDAP_BIND_PW`
- => Password for LDAP dn sepecifified in `DOVECOT_DN`. - => Password for LDAP dn sepecifified in `DOVECOT_DN`.
@ -566,7 +565,7 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### SASLAUTHD_MECHANISMS ##### SASLAUTHD_MECHANISMS
- empty => pam - **empty** => pam
- `ldap` => authenticate against ldap server - `ldap` => authenticate against ldap server
- `shadow` => authenticate against local user db - `shadow` => authenticate against local user db
- `mysql` => authenticate against mysql db - `mysql` => authenticate against mysql db
@ -575,17 +574,13 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
##### SASLAUTHD_MECH_OPTIONS ##### SASLAUTHD_MECH_OPTIONS
- empty => None - **empty** => None
- e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx - e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
##### SASLAUTHD_LDAP_SERVER ##### SASLAUTHD_LDAP_SERVER
- empty => localhost - **empty** => same as `LDAP_SERVER_HOST`
- Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
##### SASLAUTHD_LDAP_SSL
- empty or 0 => `ldap://` will be used
- 1 => `ldaps://` will be used
##### SASLAUTHD_LDAP_START_TLS ##### SASLAUTHD_LDAP_START_TLS
@ -613,23 +608,23 @@ File containing CA (Certificate Authority) certificate(s).
##### SASLAUTHD_LDAP_BIND_DN ##### SASLAUTHD_LDAP_BIND_DN
- empty => anonymous bind - **empty** => same as `LDAP_BIND_DN`
- specify an object with privileges to search the directory tree - specify an object with privileges to search the directory tree
- e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net - e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
- e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net - e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
##### SASLAUTHD_LDAP_PASSWORD ##### SASLAUTHD_LDAP_PASSWORD
- empty => anonymous bind - **empty** => same as `LDAP_BIND_PW`
##### SASLAUTHD_LDAP_SEARCH_BASE ##### SASLAUTHD_LDAP_SEARCH_BASE
- empty => Reverting to SASLAUTHD_MECHANISMS pam - **empty** => same as `LDAP_SEARCH_BASE`
- specify the search base - specify the search base
##### SASLAUTHD_LDAP_FILTER ##### SASLAUTHD_LDAP_FILTER
- empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))` - **empty** => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
- e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))` - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
- e.g. for openldap: `(&(uid=%U)(objectClass=person))` - e.g. for openldap: `(&(uid=%U)(objectClass=person))`

View file

@ -40,7 +40,6 @@ LDAP_BIND_PW=pass1234
ENABLE_SASLAUTHD=1 ENABLE_SASLAUTHD=1
SASLAUTHD_MECHANISMS=ldap SASLAUTHD_MECHANISMS=ldap
SASLAUTHD_LDAP_SERVER=ldap.example.org SASLAUTHD_LDAP_SERVER=ldap.example.org
SASLAUTHD_LDAP_SSL=0
SASLAUTHD_LDAP_START_TLS=yes SASLAUTHD_LDAP_START_TLS=yes
SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org
SASLAUTHD_LDAP_PASSWORD=pass1234 SASLAUTHD_LDAP_PASSWORD=pass1234

View file

@ -356,30 +356,27 @@ ENABLE_SASLAUTHD=0
# `shadow` => authenticate against local user db # `shadow` => authenticate against local user db
# `mysql` => authenticate against mysql db # `mysql` => authenticate against mysql db
# `rimap` => authenticate against imap server # `rimap` => authenticate against imap server
# NOTE: can be a list of mechanisms like pam ldap shadow # Note: can be a list of mechanisms like pam ldap shadow
SASLAUTHD_MECHANISMS= SASLAUTHD_MECHANISMS=
# empty => None # empty => None
# e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx # e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
SASLAUTHD_MECH_OPTIONS= SASLAUTHD_MECH_OPTIONS=
# empty => localhost # empty => Use value of LDAP_SERVER_HOST
# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
SASLAUTHD_LDAP_SERVER= SASLAUTHD_LDAP_SERVER=
# empty or 0 => `ldap://` will be used # empty => Use value of LDAP_BIND_DN
# 1 => `ldaps://` will be used
SASLAUTHD_LDAP_SSL=
# empty => anonymous bind
# specify an object with priviliges to search the directory tree # specify an object with priviliges to search the directory tree
# e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net # e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
# e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net # e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
SASLAUTHD_LDAP_BIND_DN= SASLAUTHD_LDAP_BIND_DN=
# empty => anonymous bind # empty => Use value of LDAP_BIND_PW
SASLAUTHD_LDAP_PASSWORD= SASLAUTHD_LDAP_PASSWORD=
# empty => Reverting to SASLAUTHD_MECHANISMS pam # empty => Use value of LDAP_SEARCH_BASE
# specify the search base # specify the search base
SASLAUTHD_LDAP_SEARCH_BASE= SASLAUTHD_LDAP_SEARCH_BASE=
@ -390,7 +387,7 @@ SASLAUTHD_LDAP_FILTER=
# empty => no # empty => no
# yes => LDAP over TLS enabled for SASL # yes => LDAP over TLS enabled for SASL
# Must not be used together with SASLAUTHD_LDAP_SSL=1_ # If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
SASLAUTHD_LDAP_START_TLS= SASLAUTHD_LDAP_START_TLS=
# empty => no # empty => no

View file

@ -618,13 +618,16 @@ function _setup_saslauthd
# checking env vars and setting defaults # checking env vars and setting defaults
[[ -z ${SASLAUTHD_MECHANISMS:-} ]] && SASLAUTHD_MECHANISMS=pam [[ -z ${SASLAUTHD_MECHANISMS:-} ]] && SASLAUTHD_MECHANISMS=pam
[[ ${SASLAUTHD_MECHANISMS:-} == ldap ]] && [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_MECHANISMS=pam [[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER="${LDAP_SERVER_HOST}"
[[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER=localhost
[[ -z ${SASLAUTHD_LDAP_FILTER} ]] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))' [[ -z ${SASLAUTHD_LDAP_FILTER} ]] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))'
if [[ -z ${SASLAUTHD_LDAP_SSL} ]] || [[ ${SASLAUTHD_LDAP_SSL} -eq 0 ]] [[ -z ${SASLAUTHD_LDAP_BIND_DN} ]] && SASLAUTHD_LDAP_BIND_DN="${LDAP_BIND_DN}"
[[ -z ${SASLAUTHD_LDAP_PASSWORD} ]] && SASLAUTHD_LDAP_PASSWORD="${LDAP_BIND_PW}"
[[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_LDAP_SEARCH_BASE="${LDAP_SEARCH_BASE}"
if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
then then
SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://' SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
fi fi
[[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no
@ -663,7 +666,7 @@ function _setup_saslauthd
then then
_notify 'inf' 'Creating /etc/saslauthd.conf' _notify 'inf' 'Creating /etc/saslauthd.conf'
cat > /etc/saslauthd.conf << EOF cat > /etc/saslauthd.conf << EOF
ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER} ldap_servers: ${SASLAUTHD_LDAP_SERVER}
ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD} ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN} ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}

View file

@ -40,10 +40,6 @@ function setup_file() {
-e REPORT_RECIPIENT=1 \ -e REPORT_RECIPIENT=1 \
-e ENABLE_SASLAUTHD=1 \ -e ENABLE_SASLAUTHD=1 \
-e SASLAUTHD_MECHANISMS=ldap \ -e SASLAUTHD_MECHANISMS=ldap \
-e SASLAUTHD_LDAP_SERVER=ldap \
-e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
-e SASLAUTHD_LDAP_PASSWORD=admin \
-e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
-e DMS_DEBUG=0 \ -e DMS_DEBUG=0 \
--link ldap_for_mail:ldap \ --link ldap_for_mail:ldap \