diff --git a/docs/content/config/advanced/auth-ldap.md b/docs/content/config/advanced/auth-ldap.md
index 0066c4bb..f33e0e98 100644
--- a/docs/content/config/advanced/auth-ldap.md
+++ b/docs/content/config/advanced/auth-ldap.md
@@ -226,11 +226,6 @@ To enable LDAP over StartTLS (on port 389), you need to set the following enviro
 # >>> SASL Authentication
 - ENABLE_SASLAUTHD=1
- - SASLAUTHD_LDAP_SERVER=
- - SASLAUTHD_LDAP_PROTO=
- - SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc
- - SASLAUTHD_LDAP_PASSWORD=mypassword
- - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc
 - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person))
 - SASLAUTHD_MECHANISMS=ldap
 # <<< SASL Authentication
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 2bd37156..e134648b 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -479,7 +479,6 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot
 - => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`)
 ##### DOVECOT_DNPASS
-- **empty** => same as `LDAP_BIND_PW`
 - => Password for LDAP dn sepecifified in `DOVECOT_DN`.
@@ -566,7 +565,7 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
 
 ##### SASLAUTHD_MECHANISMS
 
-- empty => pam
+- **empty** => pam
 - `ldap` => authenticate against ldap server
 - `shadow` => authenticate against local user db
 - `mysql` => authenticate against mysql db
@@ -575,17 +574,13 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1`
 
 ##### SASLAUTHD_MECH_OPTIONS
 
-- empty => None
+- **empty** => None
 - e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
 
 ##### SASLAUTHD_LDAP_SERVER
 
-- empty => localhost
-
-##### SASLAUTHD_LDAP_SSL
-
-- empty or 0 => `ldap://` will be used
-- 1 => `ldaps://` will be used
+- **empty** => same as `LDAP_SERVER_HOST`
+- Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
 
 ##### SASLAUTHD_LDAP_START_TLS
 
@@ -613,23 +608,23 @@ File containing CA (Certificate Authority) certificate(s).
 
 ##### SASLAUTHD_LDAP_BIND_DN
 
-- empty => anonymous bind
+- **empty** => same as `LDAP_BIND_DN`
 - specify an object with privileges to search the directory tree
 - e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
 - e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
 
 ##### SASLAUTHD_LDAP_PASSWORD
 
-- empty => anonymous bind
+- **empty** => same as `LDAP_BIND_PW`
 
 ##### SASLAUTHD_LDAP_SEARCH_BASE
 
-- empty => Reverting to SASLAUTHD_MECHANISMS pam
+- **empty** => same as `LDAP_SEARCH_BASE`
 - specify the search base
 
 ##### SASLAUTHD_LDAP_FILTER
 
-- empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
+- **empty** => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))`
 - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))`
 - e.g. for openldap: `(&(uid=%U)(objectClass=person))`
 
diff --git a/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md b/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md
index b62964e6..25d6711d 100644
--- a/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md
+++ b/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md
@@ -40,7 +40,6 @@ LDAP_BIND_PW=pass1234
 ENABLE_SASLAUTHD=1
 SASLAUTHD_MECHANISMS=ldap
 SASLAUTHD_LDAP_SERVER=ldap.example.org
-SASLAUTHD_LDAP_SSL=0
 SASLAUTHD_LDAP_START_TLS=yes
 SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org
 SASLAUTHD_LDAP_PASSWORD=pass1234
diff --git a/mailserver.env b/mailserver.env
index 25f0d27d..ac9fc7ed 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -356,30 +356,27 @@ ENABLE_SASLAUTHD=0
 # `shadow` => authenticate against local user db
 # `mysql` => authenticate against mysql db
 # `rimap` => authenticate against imap server
-# NOTE: can be a list of mechanisms like pam ldap shadow
+# Note: can be a list of mechanisms like pam ldap shadow
 SASLAUTHD_MECHANISMS=
 
 # empty => None
 # e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx
 SASLAUTHD_MECH_OPTIONS=
 
-# empty => localhost
+# empty => Use value of LDAP_SERVER_HOST
+# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.
 SASLAUTHD_LDAP_SERVER=
 
-# empty or 0 => `ldap://` will be used
-# 1 => `ldaps://` will be used
-SASLAUTHD_LDAP_SSL=
-
-# empty => anonymous bind
+# empty => Use value of LDAP_BIND_DN
 # specify an object with priviliges to search the directory tree
 # e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net
 # e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net
 SASLAUTHD_LDAP_BIND_DN=
 
-# empty => anonymous bind
+# empty => Use value of LDAP_BIND_PW
 SASLAUTHD_LDAP_PASSWORD=
 
-# empty => Reverting to SASLAUTHD_MECHANISMS pam
+# empty => Use value of LDAP_SEARCH_BASE
 # specify the search base
 SASLAUTHD_LDAP_SEARCH_BASE=
 
@@ -390,7 +387,7 @@ SASLAUTHD_LDAP_FILTER=
 
 # empty => no
 # yes => LDAP over TLS enabled for SASL
-# Must not be used together with SASLAUTHD_LDAP_SSL=1_
+# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing.
 SASLAUTHD_LDAP_START_TLS=
 
 # empty => no
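Review bot: The new comment `# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL.` does not tell an upgrading operator that `SASLAUTHD_LDAP_SSL` is no longer read at all, so a retained `SASLAUTHD_LDAP_SSL=1` next to a bare hostname quietly ends up as `ldap://` (see the scheme default added in target/scripts/startup/setup-stack.sh in this commit). Spell the consequence out, e.g. `# Note: SASLAUTHD_LDAP_SSL is ignored since 10.0.0; to use LDAPS, put the protocol in this value (e.g. ldaps://ldap.example.org).` The same wording is duplicated for SASLAUTHD_LDAP_SERVER in docs/content/config/environment.md and should be updated there too. The `# empty => Use value of LDAP_BIND_PW` line could also mention that the bind password is now inherited from the Dovecot/Postfix LDAP settings, so operators know a single secret now covers both.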
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 205cab1a..385d2dab 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -618,13 +618,16 @@ function _setup_saslauthd
 # checking env vars and setting defaults
 [[ -z ${SASLAUTHD_MECHANISMS:-} ]] && SASLAUTHD_MECHANISMS=pam
- [[ ${SASLAUTHD_MECHANISMS:-} == ldap ]] && [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_MECHANISMS=pam
- [[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER=localhost
+ [[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER="${LDAP_SERVER_HOST}"
 [[ -z ${SASLAUTHD_LDAP_FILTER} ]] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))'
- if [[ -z ${SASLAUTHD_LDAP_SSL} ]] || [[ ${SASLAUTHD_LDAP_SSL} -eq 0 ]]
+ [[ -z ${SASLAUTHD_LDAP_BIND_DN} ]] && SASLAUTHD_LDAP_BIND_DN="${LDAP_BIND_DN}"
+ [[ -z ${SASLAUTHD_LDAP_PASSWORD} ]] && SASLAUTHD_LDAP_PASSWORD="${LDAP_BIND_PW}"
+ [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_LDAP_SEARCH_BASE="${LDAP_SEARCH_BASE}"
+
+ if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
 then
- SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://'
+ SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
 fi
 [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no
@@ -663,7 +666,7 @@ function _setup_saslauthd
 then
 _notify 'inf' 'Creating /etc/saslauthd.conf'
 cat > /etc/saslauthd.conf << EOF
-ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER}
+ldap_servers: ${SASLAUTHD_LDAP_SERVER}
 ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD}
 ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN}
diff --git a/test/mail_with_ldap.bats b/test/mail_with_ldap.bats
index a65e2da4..5ce69c98 100644
--- a/test/mail_with_ldap.bats
+++ b/test/mail_with_ldap.bats
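Review bot: The new scheme default at `if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]` prefixes `ldap://` whenever no scheme is present and never looks at the old `SASLAUTHD_LDAP_SSL`, so a deployment upgraded with `SASLAUTHD_LDAP_SSL=1` and a bare hostname silently moves from LDAPS to plaintext LDAP, and the bind password (which now defaults to `LDAP_BIND_PW`) travels in the clear on every auth. Honouring the legacy value for a transition period, or at least warning when it is set, would make the downgrade visible; `_notify` is already used further down in this function. Separately, removing the `SASLAUTHD_MECHANISMS=pam` fallback means an empty `SASLAUTHD_LDAP_SEARCH_BASE` together with an empty `LDAP_SEARCH_BASE` now yields an empty `ldap_search_base:` in the generated config instead of reverting to pam, which is presumably worth a warning as well. Likewise an unset `LDAP_SERVER_HOST` produces the literal server `ldap://` with no host. _setup_saslauthd starts and ends outside the hunk.
```bash
  if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
  then
    if [[ ${SASLAUTHD_LDAP_SSL:-} == '1' ]]
    then
      _notify 'warn' 'SASLAUTHD_LDAP_SSL is deprecated; put ldaps:// in SASLAUTHD_LDAP_SERVER instead'
      SASLAUTHD_LDAP_SERVER="ldaps://${SASLAUTHD_LDAP_SERVER}"
    else
      SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
    fi
  fi
  # … unchanged: SASLAUTHD_LDAP_START_TLS default …
```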
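Review bot: `ldap_servers: ${SASLAUTHD_LDAP_SERVER}` now writes whatever scheme the operator supplied, but nothing enforces the constraint the commit documents in mailserver.env that `SASLAUTHD_LDAP_START_TLS=yes` requires `ldap://`; an `ldaps://` server paired with start-TLS (presumably emitted by the same heredoc further down) reaches saslauthd unchecked. A one-line guard before the heredoc, e.g. `[[ ${SASLAUTHD_LDAP_START_TLS} == yes ]] && [[ ${SASLAUTHD_LDAP_SERVER} == ldaps://* ]] && _notify 'warn' 'SASLAUTHD_LDAP_START_TLS=yes cannot be combined with an ldaps:// SASLAUTHD_LDAP_SERVER'`, would surface the misconfiguration at startup rather than as an authentication failure later. The enclosing `if` and the heredoc both start and end outside the hunk.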
@@ -40,10 +40,6 @@ function setup_file() {
 -e REPORT_RECIPIENT=1 \
 -e ENABLE_SASLAUTHD=1 \
 -e SASLAUTHD_MECHANISMS=ldap \
- -e SASLAUTHD_LDAP_SERVER=ldap \
- -e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
- -e SASLAUTHD_LDAP_PASSWORD=admin \
- -e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
 -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
 -e DMS_DEBUG=0 \
 --link ldap_for_mail:ldap \