forked from stove/dataset
roundcube multi domain
This commit is contained in:
parent
fc548a6377
commit
b81292fa7f
18 changed files with 137 additions and 94 deletions
|
@ -8,6 +8,7 @@
|
|||
<file>/etc/postfix/main.cf</file>
|
||||
<file>/etc/postfix/master.cf</file>
|
||||
<file>/etc/postfix/relay_passwd</file>
|
||||
<file>/etc/postfix/ldapsource.cf</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
|
||||
<file>/etc/pki/tls/certs/postfix.crt</file>
|
||||
<file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
|
||||
|
@ -41,8 +42,6 @@
|
|||
<file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
|
||||
<file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
|
||||
<!--internal authentification-->
|
||||
<file>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</file>
|
||||
<file>/etc/dovecot/risotto_users</file>
|
||||
<file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
|
||||
<file>/etc/pki/tls/certs/dovecot.crt</file>
|
||||
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
|
||||
|
@ -77,13 +76,9 @@
|
|||
<variable name="well_known_filenames" type="filename" hidden='True' multi="True"/>
|
||||
<variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
|
||||
<variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
|
||||
<variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
|
||||
<family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
|
||||
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
|
||||
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
|
||||
</family>
|
||||
</family>
|
||||
<family name="nginx">
|
||||
<variable name="revprox_client_external_domainname" redefine="True" mandatory="False"/>
|
||||
<family name="revprox_client">
|
||||
<variable name="revprox_client_location" redefine="True" mandatory="False">
|
||||
<value/>
|
||||
|
@ -92,13 +87,6 @@
|
|||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_password">
|
||||
<param name="server_name" type="variable">domain_name_eth0</param>
|
||||
<param name="username" type="suffix"/>
|
||||
<param name="description">local authentification</param>
|
||||
<param name="type">cleartext</param>
|
||||
<target>local_authentification_password_</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_server" type="variable">smtp_relay_address</param>
|
||||
<param name="linked_provider">lmtp_server</param>
|
||||
|
@ -175,5 +163,12 @@
|
|||
<param type="variable">mail_domains</param>
|
||||
<target>well_knowns</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_value">all</param>
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_family</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>mail_domains_calc</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
@ -137,6 +137,4 @@ auth_mechanisms = $auth_mechanisms xoauth2
|
|||
!include auth-oauth2.conf.ext
|
||||
# IMAP auth
|
||||
!include auth-ldap.conf.ext
|
||||
# Internal users (ie. roundcube)
|
||||
!include auth-passwdfile.conf.ext
|
||||
#<GNUNUX
|
||||
|
|
|
@ -8,6 +8,6 @@ version = 3
|
|||
bind = yes
|
||||
bind_dn = %%ldapclient_remote_user
|
||||
bind_pw = %%ldapclient_remote_user_password
|
||||
search_base = ou=users,%%ldap_base_dn
|
||||
search_base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
|
||||
query_filter = (mail=%s)
|
||||
result_attribute = cn
|
||||
|
|
|
@ -8,7 +8,14 @@ def valid_base_dn(base_dn: str) -> None:
|
|||
|
||||
def calc_ldapclient_base_dn(ldap_base_dn: str,
|
||||
family_name: str,
|
||||
accounts: bool=False,
|
||||
) -> str:
|
||||
base = f'ou=accounts,{ldap_base_dn}'
|
||||
if accounts:
|
||||
return base
|
||||
if not family_name:
|
||||
return f'ou=users,{ldap_base_dn}'
|
||||
return f'ou={family_name},ou=families,{ldap_base_dn}'
|
||||
return f'ou=users,{base}'
|
||||
families = f'ou=families,{base}'
|
||||
if family_name != '-':
|
||||
return f'ou={family_name},{families}'
|
||||
return families
|
||||
|
|
|
@ -29,4 +29,13 @@
|
|||
<variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_value">all</param>
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_family</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>lemon_mail_admin</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
<variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
|
||||
<variable name="category_" hidden="True" provider="oauth2_category"/>
|
||||
<variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
|
||||
<variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external"/>
|
||||
<variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external" multi="True"/>
|
||||
<variable name="logo_" hidden="True" provider="oauth2_logo"/>
|
||||
<variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
|
||||
<choice>HS512</choice>
|
||||
|
|
|
@ -29,7 +29,7 @@ commentStartToken = §
|
|||
"ldapServer" : "ldaps://%%ldap_server_address",
|
||||
"ldapVerify" : "required",
|
||||
"ldapTimeout" : 120,
|
||||
"cfgAuthor" : "EOLE",
|
||||
"cfgAuthor" : "Risotto",
|
||||
"cfgNum" : 1,
|
||||
"cfgVersion" : "2.0.9",
|
||||
"demoExportedVars" : {
|
||||
|
@ -187,17 +187,19 @@ commentStartToken = §
|
|||
"cat_%%index" : {
|
||||
"catname" : "%%cat",
|
||||
%for %%dico in %%remotes[%%cat]
|
||||
"%%dico['key']" : {
|
||||
%for %%idx, %%uri in %%enumerate(%%dico['uri'])
|
||||
"%%{dico['key']}_%%idx" : {
|
||||
"options" : {
|
||||
"description" : "%%dico['description']",
|
||||
"display" : "auto",
|
||||
"logo" : "%%dico['logo']",
|
||||
"name" : "%%dico['name']",
|
||||
"uri" : "%%dico['uri']"
|
||||
"uri" : "%%uri"
|
||||
},
|
||||
"type" : "application"
|
||||
},
|
||||
%end for
|
||||
%end for
|
||||
%end for
|
||||
"type" : "category"
|
||||
}%slurp
|
||||
%end for
|
||||
|
|
|
@ -21,7 +21,7 @@
|
|||
<variables>
|
||||
<family name="mailman" description="Gestionnaire de liste">
|
||||
<variable name="mailman_mail_owner" type="mail" description="Courriel du gestionnaire de liste du site"/>
|
||||
<variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True" provider="domain_list"/>
|
||||
<variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True"/>
|
||||
<variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="True"/>
|
||||
</family>
|
||||
<family name="oauth2_client">
|
||||
|
|
|
@ -14,9 +14,6 @@
|
|||
<value>80</value>
|
||||
<value>443</value>
|
||||
</variable>
|
||||
<family name="interface_">
|
||||
<variable name="ip_eth" redefine="True" provider="ip"/>
|
||||
</family>
|
||||
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
|
||||
<variable name="nginx_default" redefine="True" mandatory="True"/>
|
||||
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
|
||||
|
|
|
@ -1,4 +1,10 @@
|
|||
from risotto.utils import multi_function as _multi_function
|
||||
|
||||
|
||||
@_multi_function
|
||||
def calc_oauth2_client_external(external, location, *extras):
|
||||
if not external or not location or None in extras:
|
||||
return
|
||||
if isinstance(external, list):
|
||||
return [f'https://{exter}{location[0]}' + ''.join(extras) for exter in external]
|
||||
return f'https://{external}{location[0]}' + ''.join(extras)
|
||||
|
|
|
@ -9,9 +9,9 @@ ldapsearch -D cn=admin,ou=in,o=gnunux,o=info -y /usr/local/lib/secrets/admin_lda
|
|||
Search with nexcloud admin user:
|
||||
|
||||
```
|
||||
USER="cn=nextcloud_in_gnunux_info,ou=in,o=gnunux,o=info"
|
||||
USER="cn=lemonldap.in.silique.fr,ou=in,o=silique,o=fr"
|
||||
PASS="01CXZAjVr4A2iSoqdYIU5CFiC2BCuCQlvCR-wmeG6ns"
|
||||
DN="ou=users,ou=in,o=gnunux,o=info"
|
||||
DN="ou=accounts,ou=in,o=gnunux,o=info"
|
||||
ldapsearch -D "$USER" -w "$PASS" -b "$DN"
|
||||
```
|
||||
|
||||
|
|
|
@ -13,7 +13,11 @@ olcAccess: {0}to attrs=userPassword
|
|||
by * none
|
||||
%set %%aclidx = 1
|
||||
%for %%family, %%remotes in %%dns.items()
|
||||
%if %%family == 'all'
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)"
|
||||
%else
|
||||
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
|
||||
%end if
|
||||
by self read
|
||||
%for %%remote in %%remotes
|
||||
by dn="%%remote[0]" %slurp
|
||||
|
|
|
@ -21,14 +21,22 @@ objectClass: top
|
|||
objectClass: inetOrgPerson
|
||||
|
||||
%end for
|
||||
# Users
|
||||
dn: ou=users,%%ldap_base_dn
|
||||
# Accounts
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
|
||||
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
|
||||
ou: accounts
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
## Users
|
||||
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
|
||||
dn: %%users
|
||||
ou: users
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
%for %%user in %%accounts.users.ldap_user_mail
|
||||
dn: cn=%%user,ou=users,%%ldap_base_dn
|
||||
dn: cn=%%user,%%users
|
||||
cn: %%user
|
||||
mail: %%user
|
||||
sn: %%user.ldap_user_sn
|
||||
|
@ -43,20 +51,21 @@ objectClass: inetOrgPerson
|
|||
objectClass: posixAccount
|
||||
|
||||
%end for
|
||||
# Families
|
||||
dn: ou=families,%%ldap_base_dn
|
||||
## Families
|
||||
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, '-')
|
||||
ou: families
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
%for %%family in %%accounts.families
|
||||
dn: ou=%%family,ou=families,%%ldap_base_dn
|
||||
%set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
|
||||
dn: %%families
|
||||
ou: %%family
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
|
||||
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||
dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
|
||||
dn: cn=%%user,%%families
|
||||
cn: %%user
|
||||
mail: %%user
|
||||
sn: %%user['ldap_user_sn_' + %%family]
|
||||
|
|
|
@ -8,8 +8,9 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
|
|||
|
||||
%end for
|
||||
## Users
|
||||
#%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
|
||||
#%for %%user in %%accounts.users.ldap_user_mail
|
||||
#dn: cn=%%user,ou=users,%%ldap_base_dn
|
||||
#dn: cn=%%user,%%users
|
||||
#changetype: modify
|
||||
#replace: homeDirectory
|
||||
#homeDirectory: /srv/home/users/%%user
|
||||
|
@ -17,8 +18,9 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
|
|||
#%end for
|
||||
## Families
|
||||
#%for %%family in %%accounts.families
|
||||
# %set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
|
||||
# %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
|
||||
#dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
|
||||
#dn: cn=%%user,%%families
|
||||
#replace: homeDirectory
|
||||
#homeDirectory: /srv/home/families/%%family/%%user
|
||||
#
|
||||
|
|
|
@ -8,3 +8,4 @@ depends:
|
|||
- oauth2-client
|
||||
- nginx-https
|
||||
- php-fpm
|
||||
- ldap-client-fedora
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
<service name="roundcube" engine="creole" target="multi-user">
|
||||
<file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
|
||||
<file>/etc/nginx/default.d/roundcubemail.conf</file>
|
||||
<file source="domain.inc.php">/etc/roundcubemail/courriel.cloud.silique.fr.inc.php</file>
|
||||
<file>/secrets/roundcube-init.php</file>
|
||||
<file engine="none">/static/silique_cloud.svg</file>
|
||||
<file engine="none">/static/watermark.html</file>
|
||||
|
@ -13,6 +14,10 @@
|
|||
<variables>
|
||||
<family name="roundcube" description="Interface web de consultation des courriels Roundcube">
|
||||
<variable name="roundcube_des_key" type="secret" auto_freeze="True" hidden="True"/>
|
||||
<family name="domaines" description="Noms de domaine extérieur" leadership="True">
|
||||
<variable name="revprox_client_external_domainnames" multi="True" description="Nom de domaine"/>
|
||||
<variable name="ldap_family" description="Nom de la famille LDAP"/>
|
||||
</family>
|
||||
</family>
|
||||
<family name="oauth2_client">
|
||||
<variable name="oauth2_is_client_application" redefine='True'>
|
||||
|
@ -30,8 +35,10 @@
|
|||
<variable name="oauth2_client_logo" redefine='True'>
|
||||
<value>silique_email.png</value>
|
||||
</variable>
|
||||
<variable name="oauth2_client_external" redefine="True" multi='True'/>
|
||||
</family>
|
||||
<family name="nginx">
|
||||
<variable name="revprox_client_external_domainname" redefine="True" mandatory="False" hidden="True"/>
|
||||
<variable name="nginx_root" redefine="True">
|
||||
<value>/usr/share/roundcubemail/</value>
|
||||
</variable>
|
||||
|
@ -39,9 +46,6 @@
|
|||
<value>/</value>
|
||||
</variable>
|
||||
</family>
|
||||
<family name="annuaire">
|
||||
<variable name='ldapclient_family' redefine="True" exists="True" mandatory="True"/>
|
||||
</family>
|
||||
</variables>
|
||||
<constraints>
|
||||
<fill name="get_password">
|
||||
|
@ -52,10 +56,17 @@
|
|||
<target>roundcube_des_key</target>
|
||||
</fill>
|
||||
<fill name="calc_oauth2_client_external">
|
||||
<param type="variable" optional="True">revprox_client_external_domainname</param>
|
||||
<param type="variable" optional="True">revprox_client_external_domainnames</param>
|
||||
<param type="variable" optional="True">revprox_client_location</param>
|
||||
<param>index.php/login/oauth</param>
|
||||
<target>oauth2_client_login</target>
|
||||
<target>oauth2_client_external</target>
|
||||
</fill>
|
||||
<check name="set_linked_configuration">
|
||||
<param name="linked_value">all</param>
|
||||
<param name="linked_server" type="variable">ldap_server_address</param>
|
||||
<param name="linked_provider">client_family</param>
|
||||
<param name="dynamic" type="variable">domain_name_eth0</param>
|
||||
<target>ldap_family</target>
|
||||
</check>
|
||||
</constraints>
|
||||
</rougail>
|
||||
|
|
|
@ -763,7 +763,8 @@ $config['useragent'] = null;
|
|||
// try to load host-specific configuration
|
||||
// see https://github.com/roundcube/roundcubemail/wiki/Configuration:-Multi-Domain-Setup
|
||||
// for more details
|
||||
$config['include_host_config'] = false;
|
||||
$config['include_host_config'] = array("%%revprox_client_external_domainname" => "%%{revprox_client_external_domainname}.inc.php"
|
||||
);
|
||||
|
||||
// path to a text file which will be added to each sent message
|
||||
// paths are relative to the Roundcube root folder
|
||||
|
@ -1058,55 +1059,6 @@ $config['address_book_type'] = 'sql';
|
|||
// example further below. if you would like to test, simply uncomment the example.
|
||||
// Array key must contain only safe characters, ie. a-zA-Z0-9_
|
||||
$config['ldap_public'] = [];
|
||||
#>GNUNUX
|
||||
%if %%getVar('ldap_server_address', None)
|
||||
$config['ldap_public'] = array (
|
||||
'Local' => array (
|
||||
'name' => "Ma famille",
|
||||
'hosts' => array (
|
||||
0 => 'ldaps://%%ldap_server_address',
|
||||
),
|
||||
'port' => 636,
|
||||
'use_tls' => false,
|
||||
'bind_user' => '',
|
||||
'bind_dn' => '%%ldapclient_remote_user',
|
||||
'bind_pass' => '%%ldapclient_remote_user_password',
|
||||
'auth_method' => '',
|
||||
'vlv' => false, //Samba do not support Virtual List View functions
|
||||
'user_specific' => false,
|
||||
'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
|
||||
'writable' => false,
|
||||
'required_fields' => array (
|
||||
0 => 'cn',
|
||||
1 => 'sn',
|
||||
2 => 'mail',
|
||||
3 => 'uid',
|
||||
),
|
||||
'groups' => array(
|
||||
'base_dn' => '',
|
||||
'object_classes' => ['top', 'groupOfNames'],
|
||||
),
|
||||
'LDAP_rdn' => 'mail',
|
||||
'ldap_version' => 3,
|
||||
'search_fields' => array ('mail', 'cn', 'sn', 'givenName'),
|
||||
'name_field' => 'cn',
|
||||
'email_field' => 'mail',
|
||||
'surname_field' => 'sn',
|
||||
'firstname_field' => 'gn',
|
||||
'sort' => 'cn',
|
||||
'scope' => 'sub',
|
||||
'filter' => '(mail=*)',
|
||||
'fuzzy_search' => true,
|
||||
'fieldmap' => array(
|
||||
'name' => 'cn',
|
||||
'surname' => 'sn',
|
||||
'firstname' => 'givenName',
|
||||
'email' => 'mail',
|
||||
),
|
||||
),
|
||||
);
|
||||
%end if
|
||||
#<GNUNUX
|
||||
|
||||
// If you are going to use LDAP for individual address books, you will need to
|
||||
// set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.
|
||||
|
@ -1563,3 +1515,4 @@ $config['reply_all_mode'] = 0;
|
|||
// Keys directory for all users.
|
||||
// Must be writeable by PHP process, and not in the web server document root
|
||||
$config['enigma_pgp_homedir'] = '/var/lib/roundcubemail/enigma';
|
||||
?>
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
<?php
|
||||
#>GNUNUX
|
||||
$config['ldap_public'] = array (
|
||||
'Local' => array (
|
||||
'name' => "Ma famille",
|
||||
'hosts' => array (
|
||||
0 => 'ldaps://%%ldap_server_address',
|
||||
),
|
||||
'port' => 636,
|
||||
'use_tls' => false,
|
||||
'bind_user' => '',
|
||||
'bind_dn' => '%%ldapclient_remote_user',
|
||||
'bind_pass' => '%%ldapclient_remote_user_password',
|
||||
'auth_method' => '',
|
||||
'vlv' => false, //Samba do not support Virtual List View functions
|
||||
'user_specific' => false,
|
||||
'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
|
||||
'writable' => false,
|
||||
'required_fields' => array (
|
||||
0 => 'cn',
|
||||
1 => 'sn',
|
||||
2 => 'mail',
|
||||
3 => 'uid',
|
||||
),
|
||||
'groups' => array(
|
||||
'base_dn' => '',
|
||||
'object_classes' => ['top', 'groupOfNames'],
|
||||
),
|
||||
'LDAP_rdn' => 'mail',
|
||||
'ldap_version' => 3,
|
||||
'search_fields' => array ('mail', 'cn', 'sn', 'givenName'),
|
||||
'name_field' => 'cn',
|
||||
'email_field' => 'mail',
|
||||
'surname_field' => 'sn',
|
||||
'firstname_field' => 'gn',
|
||||
'sort' => 'cn',
|
||||
'scope' => 'sub',
|
||||
'filter' => '(mail=*)',
|
||||
'fuzzy_search' => true,
|
||||
'fieldmap' => array(
|
||||
'name' => 'cn',
|
||||
'surname' => 'sn',
|
||||
'firstname' => 'givenName',
|
||||
'email' => 'mail',
|
||||
),
|
||||
),
|
||||
);
|
||||
#<GNUNUX
|
||||
?>
|
Loading…
Reference in a new issue