From 66bc157c1dfad445bae4a5ac22cd352b3890a125 Mon Sep 17 00:00:00 2001 From: Moritz Marquardt Date: Sat, 22 May 2021 22:52:56 +0200 Subject: [PATCH] fix!: Allow protocol in SASLAUTHD_LDAP_SERVER & adjust SASLAUTHD_LDAP_ default values (#1989) * fix: make sure the SASLAUTHD_LDAP_HOST/PROTO logic makes sense and use LDAP_SERVER_HOST as a fallback (#1983) * chore(docs): document changes to LDAP/SASLAUTHD as of #1983 * fix!: apply default value modifications suggested in #1983 https://github.com/docker-mailserver/docker-mailserver/issues/1983#issuecomment-844848224 * chore(test): Test SASLAUTHD_LDAP_SERVER with protocol and ..._SSL=0, as well as with default bind credentials Note that there are currently no regression tests for this as there's only one setup_file, so that would require big changes to the testing methodology. * refactor!: completely remove SASLAUTHD_LDAP_SSL and SASLAUTHD_LDAP_PROTO Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com> --- docs/content/config/advanced/auth-ldap.md | 5 ----- docs/content/config/environment.md | 21 +++++++------------ ...nly-mailserver-with-ldap-authentication.md | 1 - mailserver.env | 17 +++++++-------- target/scripts/startup/setup-stack.sh | 13 +++++++----- test/mail_with_ldap.bats | 4 ---- 6 files changed, 23 insertions(+), 38 deletions(-) diff --git a/docs/content/config/advanced/auth-ldap.md b/docs/content/config/advanced/auth-ldap.md index 0066c4bb..f33e0e98 100644 --- a/docs/content/config/advanced/auth-ldap.md +++ b/docs/content/config/advanced/auth-ldap.md 
@@ -226,11 +226,6 @@ To enable LDAP over StartTLS (on port 389), you need to set the following enviro # >>> SASL Authentication - ENABLE_SASLAUTHD=1 - - SASLAUTHD_LDAP_SERVER= - - SASLAUTHD_LDAP_PROTO= - - SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc - - SASLAUTHD_LDAP_PASSWORD=mypassword - - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person)) - SASLAUTHD_MECHANISMS=ldap # <<< SASL Authentication diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md index 2bd37156..e134648b 100644 --- a/docs/content/config/environment.md +++ b/docs/content/config/environment.md @@ -479,7 +479,6 @@ The following variables overwrite the default values for ```/etc/dovecot/dovecot - => Bind dn for LDAP connection. (e.g. `cn=admin,dc=domain,dc=com`) ##### DOVECOT_DNPASS - - **empty** => same as `LDAP_BIND_PW` - => Password for LDAP dn sepecifified in `DOVECOT_DN`. @@ -566,7 +565,7 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1` ##### SASLAUTHD_MECHANISMS -- empty => pam +- **empty** => pam - `ldap` => authenticate against ldap server - `shadow` => authenticate against local user db - `mysql` => authenticate against mysql db @@ -575,17 +574,13 @@ Note: This postgrey setting needs `ENABLE_POSTGREY=1` ##### SASLAUTHD_MECH_OPTIONS -- empty => None +- **empty** => None - e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx ##### SASLAUTHD_LDAP_SERVER -- empty => localhost - -##### SASLAUTHD_LDAP_SSL - -- empty or 0 => `ldap://` will be used -- 1 => `ldaps://` will be used +- **empty** => same as `LDAP_SERVER_HOST` +- Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL. ##### SASLAUTHD_LDAP_START_TLS 
@@ -613,23 +608,23 @@ File containing CA (Certificate Authority) certificate(s). ##### SASLAUTHD_LDAP_BIND_DN -- empty => anonymous bind +- **empty** => same as `LDAP_BIND_DN` - specify an object with privileges to search the directory tree - e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net - e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net ##### SASLAUTHD_LDAP_PASSWORD -- empty => anonymous bind +- **empty** => same as `LDAP_BIND_PW` ##### SASLAUTHD_LDAP_SEARCH_BASE -- empty => Reverting to SASLAUTHD_MECHANISMS pam +- **empty** => same as `LDAP_SEARCH_BASE` - specify the search base ##### SASLAUTHD_LDAP_FILTER -- empty => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))` +- **empty** => default filter `(&(uniqueIdentifier=%u)(mailEnabled=TRUE))` - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))` - e.g. for openldap: `(&(uid=%U)(objectClass=person))` diff --git a/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md b/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md index b62964e6..25d6711d 100644 --- a/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md +++ b/docs/content/examples/uses-cases/forward-only-mailserver-with-ldap-authentication.md @@ -40,7 +40,6 @@ LDAP_BIND_PW=pass1234 ENABLE_SASLAUTHD=1 SASLAUTHD_MECHANISMS=ldap SASLAUTHD_LDAP_SERVER=ldap.example.org -SASLAUTHD_LDAP_SSL=0 SASLAUTHD_LDAP_START_TLS=yes SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org SASLAUTHD_LDAP_PASSWORD=pass1234 diff --git a/mailserver.env b/mailserver.env index 25f0d27d..ac9fc7ed 100644 --- a/mailserver.env +++ b/mailserver.env 
@@ -356,30 +356,27 @@ ENABLE_SASLAUTHD=0 # `shadow` => authenticate against local user db # `mysql` => authenticate against mysql db # `rimap` => authenticate against imap server -# NOTE: can be a list of mechanisms like pam ldap shadow +# Note: can be a list of mechanisms like pam ldap shadow SASLAUTHD_MECHANISMS= # empty => None # e.g. with SASLAUTHD_MECHANISMS rimap you need to specify the ip-address/servername of the imap server ==> xxx.xxx.xxx.xxx SASLAUTHD_MECH_OPTIONS= -# empty => localhost +# empty => Use value of LDAP_SERVER_HOST +# Note: since version 10.0.0, you can specify a protocol here (like ldaps://); this deprecates SASLAUTHD_LDAP_SSL. SASLAUTHD_LDAP_SERVER= -# empty or 0 => `ldap://` will be used -# 1 => `ldaps://` will be used -SASLAUTHD_LDAP_SSL= - -# empty => anonymous bind +# empty => Use value of LDAP_BIND_DN # specify an object with priviliges to search the directory tree # e.g. active directory: SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=net # e.g. openldap: SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=mydomain,dc=net SASLAUTHD_LDAP_BIND_DN= -# empty => anonymous bind +# empty => Use value of LDAP_BIND_PW SASLAUTHD_LDAP_PASSWORD= -# empty => Reverting to SASLAUTHD_MECHANISMS pam +# empty => Use value of LDAP_SEARCH_BASE # specify the search base SASLAUTHD_LDAP_SEARCH_BASE= @@ -390,7 +387,7 @@ SASLAUTHD_LDAP_FILTER= # empty => no # yes => LDAP over TLS enabled for SASL -# Must not be used together with SASLAUTHD_LDAP_SSL=1_ +# If set to yes, the protocol in SASLAUTHD_LDAP_SERVER must be ldap:// or missing. SASLAUTHD_LDAP_START_TLS= # empty => no diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh index 205cab1a..385d2dab 100644 --- a/target/scripts/startup/setup-stack.sh +++ b/target/scripts/startup/setup-stack.sh 
@@ -618,13 +618,16 @@ function _setup_saslauthd # checking env vars and setting defaults [[ -z ${SASLAUTHD_MECHANISMS:-} ]] && SASLAUTHD_MECHANISMS=pam - [[ ${SASLAUTHD_MECHANISMS:-} == ldap ]] && [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_MECHANISMS=pam - [[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER=localhost + [[ -z ${SASLAUTHD_LDAP_SERVER} ]] && SASLAUTHD_LDAP_SERVER="${LDAP_SERVER_HOST}" [[ -z ${SASLAUTHD_LDAP_FILTER} ]] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))' - if [[ -z ${SASLAUTHD_LDAP_SSL} ]] || [[ ${SASLAUTHD_LDAP_SSL} -eq 0 ]] + [[ -z ${SASLAUTHD_LDAP_BIND_DN} ]] && SASLAUTHD_LDAP_BIND_DN="${LDAP_BIND_DN}" + [[ -z ${SASLAUTHD_LDAP_PASSWORD} ]] && SASLAUTHD_LDAP_PASSWORD="${LDAP_BIND_PW}" + [[ -z ${SASLAUTHD_LDAP_SEARCH_BASE} ]] && SASLAUTHD_LDAP_SEARCH_BASE="${LDAP_SEARCH_BASE}" + + if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]] then - SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://' + SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}" fi [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no @@ -663,7 +666,7 @@ function _setup_saslauthd then _notify 'inf' 'Creating /etc/saslauthd.conf' cat > /etc/saslauthd.conf << EOF -ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER} +ldap_servers: ${SASLAUTHD_LDAP_SERVER} ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD} ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN} diff --git a/test/mail_with_ldap.bats b/test/mail_with_ldap.bats index a65e2da4..5ce69c98 100644 --- a/test/mail_with_ldap.bats +++ b/test/mail_with_ldap.bats 
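Review bot: The scheme normalisation `if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]` unconditionally prepends `ldap://`, and `SASLAUTHD_LDAP_SSL` is no longer read anywhere in this function, so a deployment that still sets `SASLAUTHD_LDAP_SSL=1` with a bare hostname silently downgrades from ldaps:// to cleartext LDAP and sends the bind DN and password (now defaulting to `LDAP_BIND_PW`) unencrypted; the env and docs comments in this same patch call the variable "deprecated" rather than removed, which makes that silent downgrade more likely. The fallback should either honour a legacy `SASLAUTHD_LDAP_SSL=1` by prefixing `ldaps://`, or at minimum log that the variable is now ignored. Nothing checks the `ldaps://` plus `SASLAUTHD_LDAP_START_TLS=yes` combination either, which the mailserver.env comment in this patch declares unsupported; a guard after the `SASLAUTHD_LDAP_START_TLS=no` default would fail fast at startup instead of at the first bind. Only the `'inf'` level of `_notify` is visible here, so substitute the project's warning level if one exists. `_setup_saslauthd` starts and ends outside the hunk.

```shell
  # … unchanged: SASLAUTHD_LDAP_SERVER / BIND_DN / PASSWORD / SEARCH_BASE defaults …

  if [[ "${SASLAUTHD_LDAP_SERVER}" != *'://'* ]]
  then
    # Honour the removed SASLAUTHD_LDAP_SSL=1 so existing setups do not silently drop to cleartext
    if [[ ${SASLAUTHD_LDAP_SSL:-0} == 1 ]]
    then
      _notify 'inf' 'SASLAUTHD_LDAP_SSL is deprecated; set SASLAUTHD_LDAP_SERVER=ldaps://<host> instead'
      SASLAUTHD_LDAP_SERVER="ldaps://${SASLAUTHD_LDAP_SERVER}"
    else
      SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
    fi
  fi

  [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no

  # StartTLS only applies to a plain ldap:// URI; surface the unsupported combination at startup
  if [[ ${SASLAUTHD_LDAP_START_TLS} == yes ]] && [[ ${SASLAUTHD_LDAP_SERVER} == ldaps://* ]]
  then
    _notify 'inf' "SASLAUTHD_LDAP_START_TLS=yes requires an ldap:// URI, but SASLAUTHD_LDAP_SERVER is '${SASLAUTHD_LDAP_SERVER}'"
  fi
```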
@@ -40,10 +40,6 @@ function setup_file() { -e REPORT_RECIPIENT=1 \ -e ENABLE_SASLAUTHD=1 \ -e SASLAUTHD_MECHANISMS=ldap \ - -e SASLAUTHD_LDAP_SERVER=ldap \ - -e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \ - -e SASLAUTHD_LDAP_PASSWORD=admin \ - -e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ -e DMS_DEBUG=0 \ --link ldap_for_mail:ldap \