From 94b5ac49c177c4d257a620f453ecec01e55f5c1c Mon Sep 17 00:00:00 2001
From: Moritz Marquardt
Date: Mon, 19 Apr 2021 09:02:03 +0200
Subject: [PATCH] fix!: use dovecot's LDAP uris option instead of hosts (#1901)
* Use dovecot's LDAP uris option instead of hosts (fixes #1510)
* Clean up variables & environment documentation for #1901
Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com>
Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
---
 ENVIRONMENT.md | 9 ++++++---
 target/dovecot/dovecot-ldap.conf.ext | 2 +-
 target/scripts/startup/setup-stack.sh | 26 ++++++++++++++++----------
 test/mail_with_ldap.bats | 2 +-
 4 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/ENVIRONMENT.md b/ENVIRONMENT.md
index a3db7087..d98f1c79 100644
--- a/ENVIRONMENT.md
+++ b/ENVIRONMENT.md
@@ -385,7 +385,7 @@ Note: The defaults of your fetchmailrc file need to be at the top of the file. O
 ##### LDAP_SERVER_HOST
 - **empty** => mail.domain.com
-- => Specify the dns-name/ip-address where the ldap-server
+- => Specify the dns-name/ip-address where the ldap-server is listening, or an URI like `ldaps://mail.domain.com`
 - NOTE: If you going to use the mailserver in combination with docker-compose you can set the service name here
 ##### LDAP_SEARCH_BASE
@@ -457,10 +457,12 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
 - **empty** => same as `LDAP_BIND_PW`
 - => Password for LDAP dn sepecifified in `DOVECOT_DN`.
-##### DOVECOT_HOSTS
+##### DOVECOT_URIS
 - **empty** => same as `LDAP_SERVER_HOST`
-- => Specify a space separated list of LDAP hosts.
+- => Specify a space separated list of LDAP uris.
+- Note: If the protocol is missing, `ldap://` will be used.
+- Note: This deprecates `DOVECOT_HOSTS` (as it didn't allow to use LDAPS), which is currently still supported for backwards compatibility.
 ##### DOVECOT_LDAP_VERSION
@@ -488,6 +490,7 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
 ##### DOVECOT_PASS_FILTER
 - e.g. `(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))`
+- **empty** => same as `DOVECOT_USER_FILTER`
 ##### DOVECOT_PASS_ATTRS
diff --git a/target/dovecot/dovecot-ldap.conf.ext b/target/dovecot/dovecot-ldap.conf.ext
index 064e9b22..edf04b9e 100644
--- a/target/dovecot/dovecot-ldap.conf.ext
+++ b/target/dovecot/dovecot-ldap.conf.ext
@@ -2,7 +2,7 @@ base = ou=people,dc=domain,dc=com
 default_pass_scheme = SSHA
 dn = cn=admin,dc=domain,dc=com
 dnpass = admin
-hosts = mail.domain.com
+uris = ldap://mail.domain.com
 tls = no
 ldap_version = 3
 pass_attrs = uniqueIdentifier=user,userPassword=password
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 654e64fa..2a607e57 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
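Review bot: The template now pairs `uris = ldap://mail.domain.com` with the unchanged `tls = no`, so the shipped default is still an unencrypted bind that carries `dnpass` in the clear, even though enabling LDAPS was the motivation for moving to `uris`. A comment above the new line would steer operators to the secure form, e.g. `# Use ldaps://host for LDAP over TLS. With plain ldap:// set tls = yes for STARTTLS; the two forms are not meant to be combined (see the Dovecot LDAP documentation).` — the exact interaction between `ldaps://` and `tls` should be confirmed against the Dovecot version in the image. This is only the defaults template; the effective value is substituted by setup-stack.sh at startup.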
@@ -437,20 +437,26 @@ function _setup_ldap
 _notify 'inf' "Configuring dovecot LDAP"
- declare -A _dovecot_ldap_mapping
+ declare -A DOVECOT_LDAP_MAPPING
- _dovecot_ldap_mapping["DOVECOT_BASE"]="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}"
- _dovecot_ldap_mapping["DOVECOT_DN"]="${DOVECOT_DN:="${LDAP_BIND_DN}"}"
- _dovecot_ldap_mapping["DOVECOT_DNPASS"]="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}"
- _dovecot_ldap_mapping["DOVECOT_HOSTS"]="${DOVECOT_HOSTS:="${LDAP_SERVER_HOST}"}"
+ DOVECOT_LDAP_MAPPING["DOVECOT_BASE"]="${DOVECOT_BASE:="${LDAP_SEARCH_BASE}"}"
+ DOVECOT_LDAP_MAPPING["DOVECOT_DN"]="${DOVECOT_DN:="${LDAP_BIND_DN}"}"
+ DOVECOT_LDAP_MAPPING["DOVECOT_DNPASS"]="${DOVECOT_DNPASS:="${LDAP_BIND_PW}"}"
+ DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]="${DOVECOT_URIS:="${DOVECOT_HOSTS:="${LDAP_SERVER_HOST}"}"}"
- # Not sure whether this can be the same or not
- # _dovecot_ldap_mapping["DOVECOT_PASS_FILTER"]="${DOVECOT_PASS_FILTER:="${LDAP_QUERY_FILTER_USER}"}"
- # _dovecot_ldap_mapping["DOVECOT_USER_FILTER"]="${DOVECOT_USER_FILTER:="${LDAP_QUERY_FILTER_USER}"}"
+ # Add protocol to DOVECOT_URIS so that we can use dovecot's "uris" option:
+ # https://doc.dovecot.org/configuration_manual/authentication/ldap/
+ if [[ "${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]}" != *'://'* ]]
+ then
+ DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]="ldap://${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]}"
+ fi
- for VAR in "${!_dovecot_ldap_mapping[@]}"
+ # Default DOVECOT_PASS_FILTER to the same value as DOVECOT_USER_FILTER
+ DOVECOT_LDAP_MAPPING["DOVECOT_PASS_FILTER"]="${DOVECOT_PASS_FILTER:="${DOVECOT_USER_FILTER}"}"
+
+ for VAR in "${!DOVECOT_LDAP_MAPPING[@]}"
 do
- export "${VAR}=${_dovecot_ldap_mapping[${VAR}]}"
+ export "${VAR}=${DOVECOT_LDAP_MAPPING[${VAR}]}"
 done
 configomat.sh "DOVECOT_" "/etc/dovecot/dovecot-ldap.conf.ext"
diff --git a/test/mail_with_ldap.bats b/test/mail_with_ldap.bats
index 3ff75f8b..a65e2da4 100644
--- a/test/mail_with_ldap.bats
+++ b/test/mail_with_ldap.bats
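Review bot: The scheme check in the new `if [[ "${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]}" != *'://'* ]]` treats the whole value as a single URI, but DOVECOT_URIS is documented in this same commit as a space-separated list, so `ldap://a b` passes through untouched and `a b` becomes `ldap://a b`, leaving the second entry without the scheme Dovecot's `uris` option expects. The fallback also silently downgrades to plaintext `ldap://`, over which the bind password from `DOVECOT_DNPASS` is transmitted; since enabling LDAPS was the reason for this change, the default deserves at least a startup warning. A per-entry loop addresses both (below; it assumes `_notify` accepts a `warn` level as it does `inf` — otherwise use `inf`). Separately, a caller still exporting the deprecated `DOVECOT_HOSTS` keeps it in the environment, so if configomat.sh turns every `DOVECOT_*` variable into a config key the generated file may contain both `hosts` and `uris` — worth checking, as the diff cannot show how configomat.sh behaves. `_setup_ldap` begins before and ends after this hunk.
```shell
  DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]="${DOVECOT_URIS:="${DOVECOT_HOSTS:="${LDAP_SERVER_HOST}"}"}"

  # Dovecot's "uris" option wants one URI per (space-separated) entry. Bare host
  # names are still accepted for compatibility with DOVECOT_HOSTS/LDAP_SERVER_HOST
  # and completed with ldap://, which is an unencrypted connection that carries
  # the bind password - so every entry is checked and the downgrade is logged.
  local URI URIS=()
  # shellcheck disable=SC2086 -- word splitting on the space-separated list is intended
  for URI in ${DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]}
  do
    if [[ ${URI} != *'://'* ]]
    then
      _notify 'warn' "No scheme given for LDAP URI '${URI}', defaulting to plaintext ldap:// (use ldaps:// or tls=yes in production)"
      URI="ldap://${URI}"
    fi
    URIS+=("${URI}")
  done
  DOVECOT_LDAP_MAPPING["DOVECOT_URIS"]="${URIS[*]}"

  # … unchanged: DOVECOT_PASS_FILTER default, export loop, configomat.sh call …
```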
@@ -156,7 +156,7 @@ function teardown_file() {
 }
 @test "checking dovecot: ldap config overwrites success" {
- run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext"
+ run docker exec mail_with_ldap /bin/sh -c "grep 'uris = ldap://ldap' /etc/dovecot/dovecot-ldap.conf.ext"
 assert_success
 run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
 assert_success
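Review bot: The updated assertion `grep 'uris = ldap://ldap'` only exercises the no-scheme fallback derived from `LDAP_SERVER_HOST`; nothing covers the feature the commit adds, namely an explicit `DOVECOT_URIS=ldaps://...` value passing through unchanged, a multi-entry list, or the deprecated `DOVECOT_HOSTS` path still being honoured. A second container fixture is expensive, so a cheaper option is one more `grep` against a config generated with an explicit `ldaps://` URI, or a shell-level test of the prefixing logic in setup-stack.sh. The `@test` block appears to close after the end of this hunk.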