fix!: use dovecot's LDAP uris option instead of hosts (#1901)

* Use dovecot's LDAP uris option instead of hosts (fixes #1510) * Clean up variables & environment documentation for #1901 Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2024-01-19 02:48:50 +00:00 · 2021-04-19 09:02:03 +02:00 · 2021-04-19 09:02:03 +02:00 · 94b5ac49c1
parent 8313d9753b
commit 94b5ac49c1
4 changed files with 24 additions and 15 deletions
--- a/ENVIRONMENT.md
+++ b/ENVIRONMENT.md
@ -385,7 +385,7 @@ Note: The defaults of your fetchmailrc file need to be at the top of the file. O
 ##### LDAP_SERVER_HOST

 - **empty** => mail.domain.com
- => Specify the dns-name/ip-address where the ldap-server
+- => Specify the dns-name/ip-address where the ldap-server is listening, or an URI like `ldaps://mail.domain.com`
 - NOTE: If you going to use the mailserver in combination with docker-compose you can set the service name here

 ##### LDAP_SEARCH_BASE
@ -457,10 +457,12 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
 - **empty** => same as `LDAP_BIND_PW`
 - => Password for LDAP dn sepecifified in `DOVECOT_DN`.

-##### DOVECOT_HOSTS
+##### DOVECOT_URIS

 - **empty** => same as `LDAP_SERVER_HOST`
- => Specify a space separated list of LDAP hosts.
+- => Specify a space separated list of LDAP uris.
+- Note: If the protocol is missing, `ldap://` will be used.
+- Note: This deprecates `DOVECOT_HOSTS` (as it didn't allow to use LDAPS), which is currently still supported for backwards compatibility.

 ##### DOVECOT_LDAP_VERSION

@ -488,6 +490,7 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
 ##### DOVECOT_PASS_FILTER

 - e.g. `(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))`
+- **empty** => same as `DOVECOT_USER_FILTER`

 ##### DOVECOT_PASS_ATTRS

--- a/target/dovecot/dovecot-ldap.conf.ext
+++ b/target/dovecot/dovecot-ldap.conf.ext
@ -2,7 +2,7 @@ base                = ou=people,dc=domain,dc=com
 default_pass_scheme = SSHA
 dn                  = cn=admin,dc=domain,dc=com
 dnpass              = admin
-hosts               = mail.domain.com
+uris                = ldap://mail.domain.com
 tls                 = no
 ldap_version        = 3
 pass_attrs          = uniqueIdentifier=user,userPassword=password
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@ -437,20 +437,26 @@ function _setup_ldap

  _notify 'inf' "Configuring dovecot LDAP"

-  declare -A _dovecot_ldap_mapping
+  declare -A DOVECOT_LDAP_MAPPING

-  _dovecot_ldap_mapping["DOVECOT_BASE"]="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}"
-  _dovecot_ldap_mapping["DOVECOT_DN"]="${DOVECOT_DN:="${LDAP_BIND_DN}"}"
-  _dovecot_ldap_mapping["DOVECOT_DNPASS"]="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}"
-  _dovecot_ldap_mapping["DOVECOT_HOSTS"]="${DOVECOT_HOSTS:="${LDAP_SERVER_HOST}"}"
+  DOVECOT_LDAP_MAPPING["DOVECOT_BASE"]="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}"
+  DOVECOT_LDAP_MAPPING["DOVECOT_DN"]="${DOVECOT_DN:="${LDAP_BIND_DN}"}"
+  DOVECOT_LDAP_MAPPING["DOVECOT_DNPASS"]="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}"
+  DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]="${DOVECOT_URIS:="${DOVECOT_HOSTS:="${LDAP_SERVER_HOST}"}"}"

-  # Not sure whether this can be the same or not
-  # _dovecot_ldap_mapping["DOVECOT_PASS_FILTER"]="${DOVECOT_PASS_FILTER:="${LDAP_QUERY_FILTER_USER}"}"
-  # _dovecot_ldap_mapping["DOVECOT_USER_FILTER"]="${DOVECOT_USER_FILTER:="${LDAP_QUERY_FILTER_USER}"}"
+  # Add protocol to DOVECOT_URIS so that we can use dovecot's "uris" option:
+  # https://doc.dovecot.org/configuration_manual/authentication/ldap/
+  if [[ "${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]}" != *'://'* ]]
+  then
+    DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]="ldap://${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]}"
+  fi

-  for VAR in "${!_dovecot_ldap_mapping[@]}"
+  # Default DOVECOT_PASS_FILTER to the same value as DOVECOT_USER_FILTER
+  DOVECOT_LDAP_MAPPING["DOVECOT_PASS_FILTER"]="${DOVECOT_PASS_FILTER:="${DOVECOT_USER_FILTER}"}"
+
+  for VAR in "${!DOVECOT_LDAP_MAPPING[@]}"
  do
-    export "${VAR}=${_dovecot_ldap_mapping[${VAR}]}"
+    export "${VAR}=${DOVECOT_LDAP_MAPPING[${VAR}]}"
  done

  configomat.sh "DOVECOT_" "/etc/dovecot/dovecot-ldap.conf.ext"
--- a/test/mail_with_ldap.bats
+++ b/test/mail_with_ldap.bats
@ -156,7 +156,7 @@ function teardown_file() {
 }

@test "checking dovecot: ldap config overwrites success" {
-  run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext"
+  run docker exec mail_with_ldap /bin/sh -c "grep 'uris = ldap://ldap' /etc/dovecot/dovecot-ldap.conf.ext"
  assert_success
  run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
  assert_success