mirror/docker-mailserver.docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2025-06-28 19:50:16 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

chore: LDAP config improvements (#3522)

Browse source 
* chore: Drop management of `SASLAUTHD_*` ENV

- `variables-stack.sh` does not need to manage all these extra ENV or store them. They're not used anywhere else.
- `saslauthd.sh` is the only consumer of these ENV which are effectively direct key/value mappings, with some defaults provided / inherited.

Instead of trying to conditionally support key/value pairs when ENV is set, we could instead use `sed` to delete lines with empty values.

* chore: Drop fallbacks + update configs to match docs

- Drop deprecated support:
  - `DOVECOT_HOSTS` is an ENV deprecated since v10.
  - Fallback for missing URI scheme introduced for Dovecot and SASLAuthd in v10.
  - Adding error log message when no LDAP URI scheme is detected for the supported ENV (when set).
- Docs updated for ENV to reflect the mandatory requirement. `mailserver.env` partially synced equivalent sections.
- Provided base LDAP configs (for overriding) likewise updated from `domain.com` to `example.com`.
- LDAP test updated for required `ldap://` URI scheme. Common ENV shared across LDAP configs hoisted out of the Postfix group.

* chore: Remove unset lines in generated `saslauthd.conf`
This commit is contained in:
Brennan Kinney 2023-09-02 22:07:02 +12:00 committed by GitHub
parent 9578aa874f
commit ed84dca147
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 69 additions and 108 deletions
Download patch file Download diff file Expand all files Collapse all files

56
target/scripts/startup/variables-stack.sh
View file

@ -17,6 +17,14 @@ function __environment_variables_backwards_compatibility() {
_log 'error' "'ENABLE_LDAP=1' has been changed to 'ACCOUNT_PROVISIONER=LDAP' since DMS v13"
fi
# Dovecot and SASLAuthd have applied an 'ldap://' fallback for compatibility since v10 (June 2021)
# This was silently applied, but users should be explicit:
if [[ ${LDAP_SERVER_HOST:-'://'} != *'://'* ]] \
|| [[ ${DOVECOT_URIS:-'://'} != *'://'* ]] \
|| [[ ${SASLAUTHD_LDAP_SERVER:-'://'} != *'://'* ]]; then
_log 'error' "The ENV for which LDAP host to connect to must include the URI scheme ('ldap://', 'ldaps://', 'ldapi://')"
fi
# TODO this can be uncommented in a PR handling the HOSTNAME/DOMAINNAME issue
# TODO see check_for_changes.sh and dns.sh
# if [[ -n ${OVERRIDE_HOSTNAME:-} ]]
@ -141,6 +149,7 @@ function __environment_variables_general_setup() {
}
# This function handles environment variables related to LDAP.
# NOTE: SASLAuthd and Dovecot LDAP support inherit these common ENV.
function _environment_variables_ldap() {
_log 'debug' 'Setting LDAP-related environment variables now'
@ -152,55 +161,12 @@ function _environment_variables_ldap() {
}
# This function handles environment variables related to SASLAUTHD
# and, if activated, variables related to SASLAUTHD and LDAP.
# LDAP specific ENV handled in: `startup/setup.d/saslauthd.sh:_setup_saslauthd()`
function _environment_variables_saslauthd() {
_log 'debug' 'Setting SASLAUTHD-related environment variables now'
# Only used by the supervisor service command (upstream default: `/etc/default/saslauthd`)
VARS[SASLAUTHD_MECHANISMS]="${SASLAUTHD_MECHANISMS:=pam}"
# SASL ENV for configuring an LDAP specific
# `saslauthd.conf` via `setup-stack.sh:_setup_sasulauthd()`
if [[ ${ACCOUNT_PROVISIONER} == 'LDAP' ]]; then
_log 'trace' 'Setting SASLSAUTH-LDAP variables nnow'
VARS[SASLAUTHD_LDAP_AUTH_METHOD]="${SASLAUTHD_LDAP_AUTH_METHOD:=bind}"
VARS[SASLAUTHD_LDAP_BIND_DN]="${SASLAUTHD_LDAP_BIND_DN:=${LDAP_BIND_DN}}"
VARS[SASLAUTHD_LDAP_FILTER]="${SASLAUTHD_LDAP_FILTER:=(&(uniqueIdentifier=%u)(mailEnabled=TRUE))}"
VARS[SASLAUTHD_LDAP_PASSWORD]="${SASLAUTHD_LDAP_PASSWORD:=${LDAP_BIND_PW}}"
VARS[SASLAUTHD_LDAP_SEARCH_BASE]="${SASLAUTHD_LDAP_SEARCH_BASE:=${LDAP_SEARCH_BASE}}"
VARS[SASLAUTHD_LDAP_SERVER]="${SASLAUTHD_LDAP_SERVER:=${LDAP_SERVER_HOST}}"
[[ ${SASLAUTHD_LDAP_SERVER} != *'://'* ]] && SASLAUTHD_LDAP_SERVER="ldap://${SASLAUTHD_LDAP_SERVER}"
VARS[SASLAUTHD_LDAP_START_TLS]="${SASLAUTHD_LDAP_START_TLS:=no}"
VARS[SASLAUTHD_LDAP_TLS_CHECK_PEER]="${SASLAUTHD_LDAP_TLS_CHECK_PEER:=no}"
if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_FILE} ]]; then
SASLAUTHD_LDAP_TLS_CACERT_FILE=''
else
SASLAUTHD_LDAP_TLS_CACERT_FILE="ldap_tls_cacert_file: ${SASLAUTHD_LDAP_TLS_CACERT_FILE}"
fi
VARS[SASLAUTHD_LDAP_TLS_CACERT_FILE]="${SASLAUTHD_LDAP_TLS_CACERT_FILE}"
if [[ -z ${SASLAUTHD_LDAP_TLS_CACERT_DIR} ]]; then
SASLAUTHD_LDAP_TLS_CACERT_DIR=''
else
SASLAUTHD_LDAP_TLS_CACERT_DIR="ldap_tls_cacert_dir: ${SASLAUTHD_LDAP_TLS_CACERT_DIR}"
fi
VARS[SASLAUTHD_LDAP_TLS_CACERT_DIR]="${SASLAUTHD_LDAP_TLS_CACERT_DIR}"
if [[ -z ${SASLAUTHD_LDAP_PASSWORD_ATTR} ]]; then
SASLAUTHD_LDAP_PASSWORD_ATTR=''
else
SASLAUTHD_LDAP_PASSWORD_ATTR="ldap_password_attr: ${SASLAUTHD_LDAP_PASSWORD_ATTR}"
fi
VARS[SASLAUTHD_LDAP_PASSWORD_ATTR]="${SASLAUTHD_LDAP_PASSWORD_ATTR}"
if [[ -z ${SASLAUTHD_LDAP_MECH} ]]; then
SASLAUTHD_LDAP_MECH=''
else
SASLAUTHD_LDAP_MECH="ldap_mech: ${SASLAUTHD_LDAP_MECH}"
fi
VARS[SASLAUTHD_LDAP_MECH]="${SASLAUTHD_LDAP_MECH}"
fi
}
# This function Writes the contents of the `VARS` map (associative array)