From 7dbac18ed15f419790bc33dec6a3f5f7b4346c8e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem.moulin@fripost.org>
Date: Thu, 5 Apr 2012 02:45:55 +0200
Subject: LDAP: Integration with Postfix & Dovecot.

---
 fripost-docs.org | 105 +++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 83 insertions(+), 22 deletions(-)

diff --git a/fripost-docs.org b/fripost-docs.org
index 5e7367b..172c1fe 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -676,8 +676,8 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
     dn: cn=mail.fripost.org,cn=schema,cn=config
     objectClass: olcSchemaConfig
     cn: mail.fripost.org
-    olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.1 NAME 'mailbox'
-        DESC 'The path to the mailbox.'
+    olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.1 NAME 'maildir'
+        DESC 'The path to the maildir.'
         EQUALITY caseExactIA5Match
         SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
     olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.3 NAME 'quota'
@@ -696,7 +696,7 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
     olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualMailbox'
         SUP top STRUCTURAL
         DESC 'Mail Account Object'
-        MUST ( mail $ userPassword $ dc $ mailbox $ isActive )
+        MUST ( mail $ userPassword $ dc $ maildir $ isActive )
         MAY ( mailLocalAddress $ gn $ sn $ quota ) )
  
 
@@ -851,7 +851,7 @@ To delete a leaf or a sub-tree:
     sn: Last Name
     userPassword: {SSHA}epZKWD1SiSe/dwL0to+jjnwFzxVUbFvg
     dc: fripost.org
-    mailbox: fripost.org/user/
+    maildir: fripost.org/user/
     isActive: TRUE
     mailLocalAddress: user-alias@fripost.org
     mailLocalAddress: user@example.org
@@ -926,11 +926,11 @@ We now ensure that the leaf has been updated:
     [...]
     userPassword:: aG9w
     entryCSN: 20120404215647.957317Z#000000#000#000000
-    modifiersName: mail=fripost@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org
+    modifiersName: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org
     modifyTimestamp: 20120404215647Z
 
 
-Doing the same thing with eg, trying to change the `mailbox', `ldapmodify'
+Doing the same thing with eg, trying to change the `maildir', `ldapmodify'
 refuses with `Insufficient access (50)'.
 
 *** Configuring the main IMAP server
@@ -1001,11 +1001,60 @@ sudo aptitude install dovecot-imapd
 
 :: /etc/postfix/main.cf
 
+    virtual_mailbox_domains = ldap:$config_directory/ldap_virtual_mailbox_domains.cf
+    virtual_mailbox_maps    = ldap:$config_directory/ldap_virtual_mailbox_maps.cf
+    virtual_alias_maps      = ldap:$config_directory/ldap_virtual_alias_maps.cf
+
+    [...]
+
     virtual_transport = dovecot
     dovecot_destination_recipient_limit = 1
 
 http://wiki.dovecot.org/LDA/Postfix
 http://www.tehinterweb.co.uk/roundcube/#pisieverules
+
+
+:: /etc/postfix/ldap_virtual_mailbox_domains.cf
+
+    server_host = ldap://localhost/
+    version = 3
+    search_base = o=domains,dc=mail,dc=fripost,dc=org
+    bind = no
+    query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
+    result_attribute = dc
+
+Test it:
+    postmap -q fripost.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
+    postmap -q fake.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
+
+
+:: /etc/postfix/ldap_virtual_mailbox_maps.cf
+
+    server_host = ldap://localhost/
+    version = 3
+    search_base = o=mailboxes,dc=mail,dc=fripost,dc=org
+    bind = no
+    query_filter = (&(ObjectClass=virtualMailbox)(mail=%s)(isActive=TRUE))
+    result_attribute = maildir
+
+Test it: 
+    postmap -q user@fripost.org ldap:/etc/ldap/local/ldap_virtual_mailbox_maps.cf
+
+
+:: /etc/postfix/ldap_virtual_alias_maps.cf
+
+    server_host = ldap://localhost/
+    version = 3
+    search_base = o=mailboxes,dc=mail,dc=fripost,dc=org
+    bind = no
+    query_filter = (&(ObjectClass=virtualMailbox)(mailLocalAddress=%s)(isActive=TRUE))
+    result_attribute = mail
+
+Test it: 
+    postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
+    postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
+
+
 **** Test delivery
 
 sudo mkdir -p /home/mail/virtual/fripost.org/
@@ -1084,7 +1133,10 @@ sudo /etc/init.d/dovecot restart
 sudo update-rc.d -n dovecot stop 2 3 4 5 .
 sudo update-rc.d -n postfix stop 2 3 4 5 .
 
-**** Use LDAP authenticate binds.
+**** Use LDAP authenticate binds, and LDAP user queries.
+
+[TODO: The following handle the dialog the LDAP server. It should replace
+the MySQL bits above.]
 
 Instead of making a SQL query to fetch the (hashed) passwords, which implies to
 expose all credentials to Dovecot, an other approach is to forward the login
@@ -1099,26 +1151,35 @@ http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
 Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf .
 Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
 
-hosts = localhost    # Or wherever is our LDAP server
-auth_bind = yes
-auth_bind_userdn = uid=%u,ou=accounts,dc=fripost,dc=org
-ldap_version = 3
-base = ou=accounts,dc=fripost,dc=org
-pass_filter = (&(objectClass=posixAccount)(uid=%u))
+    hosts = localhost    # Or wherever is our LDAP server
+    ldap_version = 3
+    auth_bind = yes
+    auth_bind_userdn = mail=%u,o=mailboxes,dc=mail,dc=fripost,dc=org
+    base = o=mailboxes,dc=mail,dc=fripost,dc=org
+    deref = never
+    scope = subtree
+    user_attrs = maildir=home=/home/mail/virtual/%$
+    user_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE))
+    pass_attrs = mail=user
+    pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE))
 
 (And the TLS-related lines in case we are not using a tunnel.) The "base" is the root
-of our tree structure, in our case dn="ou=accounts,dc=fripost,dc=org".
+of our tree structure, in our case dn="o=mailboxes,dc=mail,dc=fripost,dc=org".
+
+[Note: the `user_attrs' and `user_filter' are only relevant if the result of the query is
+used in the `dovecot.conf', for instance with mail_location = maildir:~. Otherwise, the
+userdb would better be dropped.]
 
 We can now amend the `dovecot.conf': Comment the "passwd sql {...}" and "userdb sql {...}"
 blocks, and uncomment
 
-  passdb ldap {
-    args = /etc/dovecot/dovecot-ldap.conf
-  }
-# and
-  userdb ldap {
-    args = /etc/dovecot/dovecot-ldap-userdb.conf
-  }
+      passdb ldap {
+        args = /etc/dovecot/dovecot-ldap.conf
+      }
+      # and
+      userdb ldap {
+        args = /etc/dovecot/dovecot-ldap-userdb.conf
+      }
 
 Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, `dovecot-ldap-userdb.conf'
 can simply be a symlink to `dovecot-ldap.conf'. The names have to differ for Dovecot to send
@@ -1173,7 +1234,7 @@ test our installation.)
     ldap_version: 3
     ldap_search_base: o=mailboxes,dc=mail,dc=fripost,dc=org
     ldap_scope: sub
-    ldap_filter: uid=%u
+    ldap_filter: mail=%u
     ldap_auth_method: bind
 
 After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
-- 
cgit v1.2.3