Add saslauthd option for ldap_start_tls & ldap_tls_check_peer - (Solves: #979, #980)

2018-06-02 21:16:16 +02:00 · 2018-06-02 21:16:16 +02:00 · e27e13c1b3
parent 60656aec49
commit e27e13c1b3
4 changed files with 18 additions and 0 deletions
--- a/.env.dist
+++ b/.env.dist
@ -261,6 +261,15 @@ SASLAUTHD_LDAP_SEARCH_BASE=
 # e.g. for openldap: `(&(uid=%U)(objectClass=person))`
 SASLAUTHD_LDAP_FILTER=

+# empty => no
+# yes => LDAP over TLS enabled for SASL
+# Must not be used together with SASLAUTHD_LDAP_SSL=1_
+SASLAUTHD_LDAP_START_TLS=
+
+# empty => no
+# yes => Require and verify server certificate
+SASLAUTHD_LDAP_TLS_CHECK_PEER=
+
 # empty => No sasl_passwd will be created
 # string => `/etc/postfix/sasl_passwd` will be created with the string as password
 SASL_PASSWD=
--- a/docker-compose.elk.yml.dist
+++ b/docker-compose.elk.yml.dist
@ -68,6 +68,8 @@ services:
    - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD}
    - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE}
    - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
+    - SASLAUTHD_LDAP_START_TLS=${SASLAUTHD_LDAP_START_TLS}
+    - SASLAUTHD_LDAP_TLS_CHECK_PEER=${SASLAUTHD_LDAP_TLS_CHECK_PEER}
    - SASL_PASSWD=${SASL_PASSWD}
    cap_add:
    - NET_ADMIN
--- a/docker-compose.yml.dist
+++ b/docker-compose.yml.dist
@ -68,6 +68,8 @@ services:
    - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD}
    - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE}
    - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
+    - SASLAUTHD_LDAP_START_TLS=${SASLAUTHD_LDAP_START_TLS}
+    - SASLAUTHD_LDAP_TLS_CHECK_PEER=${SASLAUTHD_LDAP_TLS_CHECK_PEER}
    - SASL_PASSWD=${SASL_PASSWD}
    - SRS_EXCLUDE_DOMAINS=${SRS_EXCLUDE_DOMAINS}
    - SRS_SECRET=${SRS_SECRET}
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@ -695,6 +695,8 @@ function _setup_saslauthd() {
 	[ -z "$SASLAUTHD_LDAP_SERVER" ] && SASLAUTHD_LDAP_SERVER=localhost
 	[ -z "$SASLAUTHD_LDAP_FILTER" ] && SASLAUTHD_LDAP_FILTER='(&(uniqueIdentifier=%u)(mailEnabled=TRUE))'
 	([ -z "$SASLAUTHD_LDAP_SSL" ] || [ $SASLAUTHD_LDAP_SSL == 0 ]) && SASLAUTHD_LDAP_PROTO='ldap://' || SASLAUTHD_LDAP_PROTO='ldaps://'
+	[ -z "$SASLAUTHD_LDAP_START_TLS" ] && SASLAUTHD_LDAP_START_TLS=no
+	[ -z "$SASLAUTHD_LDAP_TLS_CHECK_PEER" ] && SASLAUTHD_LDAP_TLS_CHECK_PEER=no

 	if [ ! -f /etc/saslauthd.conf ]; then
 		notify 'inf' "Creating /etc/saslauthd.conf"
@ -708,6 +710,9 @@ ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD}
 ldap_search_base: ${SASLAUTHD_LDAP_SEARCH_BASE}
 ldap_filter: ${SASLAUTHD_LDAP_FILTER}

+ldap_start_tls: $SASLAUTHD_LDAP_START_TLS
+ldap_tls_check_peer: $SASLAUTHD_LDAP_TLS_CHECK_PEER
+
 ldap_referrals: yes
 log_level: 10
 EOF