From e58020029e035573b36d3610cd31f64deb84dfa4 Mon Sep 17 00:00:00 2001 From: William Desportes Date: Tue, 8 Dec 2020 15:29:49 +0100 Subject: [PATCH] Add more sasl LDAP config options - SASLAUTHD_LDAP_PASSWORD_ATTR => ldap_password_attr - SASLAUTHD_LDAP_AUTH_METHOD => ldap_auth_method - SASLAUTHD_LDAP_MECH => ldap_mech --- README.md | 20 ++++++++++++++++++++ mailserver.env | 15 +++++++++++++++ target/start-mailserver.sh | 19 ++++++++++++++++++- 3 files changed, 53 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 74d62838..75677aef 100644 --- a/README.md +++ b/README.md @@ -854,11 +854,31 @@ File containing CA (Certificate Authority) certificate(s). - e.g. for active directory: `(&(sAMAccountName=%U)(objectClass=person))` - e.g. for openldap: `(&(uid=%U)(objectClass=person))` +##### SASLAUTHD_LDAP_PASSWORD_ATTR + +Specify what password attribute to use for password verification. + +- **empty** => Nothing is added to the configuration but the documentation says it is `userPassword` by default. +- Any value => Fills the `ldap_password_attr` option + ##### SASL_PASSWD - **empty** => No sasl_passwd will be created - string => `/etc/postfix/sasl_passwd` will be created with the string as password +##### SASLAUTHD_LDAP_AUTH_METHOD + +- **empty** => `bind` will be used as a default value +- `fastbind` => The fastbind method is used +- `custom` => The custom method uses userPassword attribute to verify the password + +##### SASLAUTHD_LDAP_MECH + +Specify the authentication mechanism for SASL bind. + +- **empty** => Nothing is added to the configuration +- Any value => Fills the `ldap_mech` option + #### SRS (Sender Rewriting Scheme) ##### SRS_SENDER_CLASSES diff --git a/mailserver.env b/mailserver.env index eb9f7e11..94c37391 100644 --- a/mailserver.env +++ b/mailserver.env 
@@ -356,10 +356,25 @@ SASLAUTHD_LDAP_TLS_CACERT_FILE= # Any value => Fills the `ldap_tls_cacert_dir` option SASLAUTHD_LDAP_TLS_CACERT_DIR= +# Specify what password attribute to use for password verification. +# empty => Nothing is added to the configuration but the documentation says it is `userPassword` by default. +# Any value => Fills the `ldap_password_attr` option +SASLAUTHD_LDAP_PASSWORD_ATTR= + # empty => No sasl_passwd will be created # string => `/etc/postfix/sasl_passwd` will be created with the string as password SASL_PASSWD= +# empty => `bind` will be used as a default value +# `fastbind` => The fastbind method is used +# `custom` => The custom method uses userPassword attribute to verify the password +SASLAUTHD_LDAP_AUTH_METHOD= + +# Specify the authentication mechanism for SASL bind +# empty => Nothing is added to the configuration +# Any value => Fills the `ldap_mech` option +SASLAUTHD_LDAP_MECH= + # ––––––––––––––––––––––––––––––––––––––––––––––– # ––– SRS Section ––––––––––––––––––––––––––––––– # ––––––––––––––––––––––––––––––––––––––––––––––– diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh index 7862440b..666c4b75 100755 --- a/target/start-mailserver.sh +++ b/target/start-mailserver.sh @@ -917,6 +917,7 @@ function _setup_saslauthd [[ -z ${SASLAUTHD_LDAP_START_TLS} ]] && SASLAUTHD_LDAP_START_TLS=no [[ -z ${SASLAUTHD_LDAP_TLS_CHECK_PEER} ]] && SASLAUTHD_LDAP_TLS_CHECK_PEER=no + [[ -z ${SASLAUTHD_LDAP_AUTH_METHOD} ]] && SASLAUTHD_LDAP_AUTH_METHOD=bind if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ]] then 
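Review bot: The added `[[ -z ${SASLAUTHD_LDAP_AUTH_METHOD} ]] && SASLAUTHD_LDAP_AUTH_METHOD=bind` line supplies a default but never checks the value, which the next hunk then writes verbatim into `/etc/saslauthd.conf` as `ldap_auth_method:`; the README text in this same patch documents only `bind`, `fastbind` and `custom`, and anything else (including a value that contains whitespace or a newline, which would land in the generated file as extra text) passes through silently. A guard directly after the default, e.g. `[[ ${SASLAUTHD_LDAP_AUTH_METHOD} =~ ^(bind|fastbind|custom)$ ]] || _notify '<error level>' "unsupported SASLAUTHD_LDAP_AUTH_METHOD: ${SASLAUTHD_LDAP_AUTH_METHOD}"`, would turn a mistyped setting into a clear startup message instead of a saslauthd configuration failure. `_setup_saslauthd` starts before this hunk, so I cannot see whether the function already has a shared validation step for the other `SASLAUTHD_LDAP_*` values that this one could join.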
@@ -932,13 +933,27 @@ function _setup_saslauthd SASLAUTHD_LDAP_TLS_CACERT_DIR="ldap_tls_cacert_dir: ${SASLAUTHD_LDAP_TLS_CACERT_DIR}" fi + if [[ -z ${SASLAUTHD_LDAP_PASSWORD_ATTR} ]] + then + SASLAUTHD_LDAP_PASSWORD_ATTR="" + else + SASLAUTHD_LDAP_PASSWORD_ATTR="ldap_password_attr: ${SASLAUTHD_LDAP_PASSWORD_ATTR}" + fi + + if [[ -z ${SASLAUTHD_LDAP_MECH} ]] + then + SASLAUTHD_LDAP_MECH="" + else + SASLAUTHD_LDAP_MECH="ldap_mech: ${SASLAUTHD_LDAP_MECH}" + fi + if [[ ! -f /etc/saslauthd.conf ]] then _notify 'inf' "Creating /etc/saslauthd.conf" cat > /etc/saslauthd.conf << EOF ldap_servers: ${SASLAUTHD_LDAP_PROTO}${SASLAUTHD_LDAP_SERVER} -ldap_auth_method: bind +ldap_auth_method: ${SASLAUTHD_LDAP_AUTH_METHOD} ldap_bind_dn: ${SASLAUTHD_LDAP_BIND_DN} ldap_bind_pw: ${SASLAUTHD_LDAP_PASSWORD} @@ -950,6 +965,8 @@ ldap_tls_check_peer: ${SASLAUTHD_LDAP_TLS_CHECK_PEER} ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ${SASLAUTHD_LDAP_TLS_CACERT_DIR} +${SASLAUTHD_LDAP_PASSWORD_ATTR} +${SASLAUTHD_LDAP_MECH} ldap_referrals: yes log_level: 10
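Review bot: In the two new `if [[ -z ... ]]` blocks the `then` branch assigns `""` to a variable that is already empty, so each block is a no-op plus one real assignment and could be written as one line, e.g. `[[ -n ${SASLAUTHD_LDAP_PASSWORD_ATTR} ]] && SASLAUTHD_LDAP_PASSWORD_ATTR="ldap_password_attr: ${SASLAUTHD_LDAP_PASSWORD_ATTR}"`, matching the `[[ -z ... ]] && ...=` style the defaults use a few lines earlier in this function. Beyond style, both new values are expanded, like the existing `ldap_bind_dn`/`ldap_bind_pw` lines, straight into the here-doc that builds `/etc/saslauthd.conf`, so a value containing a line break becomes additional configuration lines; rejecting values with embedded whitespace, e.g. `[[ ${SASLAUTHD_LDAP_MECH} == *[[:space:]]* ]] && _notify '<error level>' "SASLAUTHD_LDAP_MECH must be a single token"`, keeps the file to one directive per variable. As before, the whole here-doc is only written when `/etc/saslauthd.conf` does not already exist, so the new `ldap_auth_method`, `ldap_password_attr` and `ldap_mech` settings are ignored for a pre-existing file; that is worth a sentence in the README entries added by this patch. The function continues beyond this hunk.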