roundcube multi domain

This commit is contained in:
Emmanuel Garette 2022-05-07 08:11:18 +02:00
parent fc548a6377
commit b81292fa7f
18 changed files with 137 additions and 94 deletions

View file

@ -8,6 +8,7 @@
<file>/etc/postfix/main.cf</file>
<file>/etc/postfix/master.cf</file>
<file>/etc/postfix/relay_passwd</file>
<file>/etc/postfix/ldapsource.cf</file>
<file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
<file>/etc/pki/tls/certs/postfix.crt</file>
<file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
@ -41,8 +42,6 @@
<file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
<file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
<!--internal authentification-->
<file>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</file>
<file>/etc/dovecot/risotto_users</file>
<file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
<file>/etc/pki/tls/certs/dovecot.crt</file>
<file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
@ -77,13 +76,9 @@
<variable name="well_known_filenames" type="filename" hidden='True' multi="True"/>
<variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
<variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
<variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
<family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
<variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
<variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
</family>
</family>
<family name="nginx">
<variable name="revprox_client_external_domainname" redefine="True" mandatory="False"/>
<family name="revprox_client">
<variable name="revprox_client_location" redefine="True" mandatory="False">
<value/>
@ -92,13 +87,6 @@
</family>
</variables>
<constraints>
<fill name="get_password">
<param name="server_name" type="variable">domain_name_eth0</param>
<param name="username" type="suffix"/>
<param name="description">local authentification</param>
<param name="type">cleartext</param>
<target>local_authentification_password_</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_server" type="variable">smtp_relay_address</param>
<param name="linked_provider">lmtp_server</param>
@ -175,5 +163,12 @@
<param type="variable">mail_domains</param>
<target>well_knowns</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_value">all</param>
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>mail_domains_calc</target>
</check>
</constraints>
</rougail>

View file

@ -137,6 +137,4 @@ auth_mechanisms = $auth_mechanisms xoauth2
!include auth-oauth2.conf.ext
# IMAP auth
!include auth-ldap.conf.ext
# Internal users (ie. roundcube)
!include auth-passwdfile.conf.ext
#<GNUNUX

View file

@ -8,6 +8,6 @@ version = 3
bind = yes
bind_dn = %%ldapclient_remote_user
bind_pw = %%ldapclient_remote_user_password
search_base = ou=users,%%ldap_base_dn
search_base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
query_filter = (mail=%s)
result_attribute = cn

View file

@ -8,7 +8,14 @@ def valid_base_dn(base_dn: str) -> None:
def calc_ldapclient_base_dn(ldap_base_dn: str,
family_name: str,
accounts: bool=False,
) -> str:
base = f'ou=accounts,{ldap_base_dn}'
if accounts:
return base
if not family_name:
return f'ou=users,{ldap_base_dn}'
return f'ou={family_name},ou=families,{ldap_base_dn}'
return f'ou=users,{base}'
families = f'ou=families,{base}'
if family_name != '-':
return f'ou={family_name},{families}'
return families

View file

@ -29,4 +29,13 @@
<variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
</family>
</variables>
<constraints>
<check name="set_linked_configuration">
<param name="linked_value">all</param>
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>lemon_mail_admin</target>
</check>
</constraints>
</rougail>

View file

@ -8,7 +8,7 @@
<variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
<variable name="category_" hidden="True" provider="oauth2_category"/>
<variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
<variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external"/>
<variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external" multi="True"/>
<variable name="logo_" hidden="True" provider="oauth2_logo"/>
<variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
<choice>HS512</choice>

View file

@ -29,7 +29,7 @@ commentStartToken = §
"ldapServer" : "ldaps://%%ldap_server_address",
"ldapVerify" : "required",
"ldapTimeout" : 120,
"cfgAuthor" : "EOLE",
"cfgAuthor" : "Risotto",
"cfgNum" : 1,
"cfgVersion" : "2.0.9",
"demoExportedVars" : {
@ -187,17 +187,19 @@ commentStartToken = §
"cat_%%index" : {
"catname" : "%%cat",
%for %%dico in %%remotes[%%cat]
"%%dico['key']" : {
%for %%idx, %%uri in %%enumerate(%%dico['uri'])
"%%{dico['key']}_%%idx" : {
"options" : {
"description" : "%%dico['description']",
"display" : "auto",
"logo" : "%%dico['logo']",
"name" : "%%dico['name']",
"uri" : "%%dico['uri']"
"uri" : "%%uri"
},
"type" : "application"
},
%end for
%end for
%end for
"type" : "category"
}%slurp
%end for

View file

@ -21,7 +21,7 @@
<variables>
<family name="mailman" description="Gestionnaire de liste">
<variable name="mailman_mail_owner" type="mail" description="Courriel du gestionnaire de liste du site"/>
<variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True" provider="domain_list"/>
<variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True"/>
<variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="True"/>
</family>
<family name="oauth2_client">

View file

@ -14,9 +14,6 @@
<value>80</value>
<value>443</value>
</variable>
<family name="interface_">
<variable name="ip_eth" redefine="True" provider="ip"/>
</family>
<family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
<variable name="nginx_default" redefine="True" mandatory="True"/>
<variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>

View file

@ -1,4 +1,10 @@
from risotto.utils import multi_function as _multi_function
@_multi_function
def calc_oauth2_client_external(external, location, *extras):
if not external or not location or None in extras:
return
if isinstance(external, list):
return [f'https://{exter}{location[0]}' + ''.join(extras) for exter in external]
return f'https://{external}{location[0]}' + ''.join(extras)

View file

@ -9,9 +9,9 @@ ldapsearch -D cn=admin,ou=in,o=gnunux,o=info -y /usr/local/lib/secrets/admin_lda
Search with nexcloud admin user:
```
USER="cn=nextcloud_in_gnunux_info,ou=in,o=gnunux,o=info"
USER="cn=lemonldap.in.silique.fr,ou=in,o=silique,o=fr"
PASS="01CXZAjVr4A2iSoqdYIU5CFiC2BCuCQlvCR-wmeG6ns"
DN="ou=users,ou=in,o=gnunux,o=info"
DN="ou=accounts,ou=in,o=gnunux,o=info"
ldapsearch -D "$USER" -w "$PASS" -b "$DN"
```

View file

@ -13,7 +13,11 @@ olcAccess: {0}to attrs=userPassword
by * none
%set %%aclidx = 1
%for %%family, %%remotes in %%dns.items()
%if %%family == 'all'
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)"
%else
olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
%end if
by self read
%for %%remote in %%remotes
by dn="%%remote[0]" %slurp

View file

@ -21,14 +21,22 @@ objectClass: top
objectClass: inetOrgPerson
%end for
# Users
dn: ou=users,%%ldap_base_dn
# Accounts
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
ou: accounts
objectClass: top
objectClass: organizationalUnit
## Users
%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
dn: %%users
ou: users
objectClass: top
objectClass: organizationalUnit
%for %%user in %%accounts.users.ldap_user_mail
dn: cn=%%user,ou=users,%%ldap_base_dn
dn: cn=%%user,%%users
cn: %%user
mail: %%user
sn: %%user.ldap_user_sn
@ -43,20 +51,21 @@ objectClass: inetOrgPerson
objectClass: posixAccount
%end for
# Families
dn: ou=families,%%ldap_base_dn
## Families
dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, '-')
ou: families
objectClass: top
objectClass: organizationalUnit
%for %%family in %%accounts.families
dn: ou=%%family,ou=families,%%ldap_base_dn
%set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
dn: %%families
ou: %%family
objectClass: top
objectClass: organizationalUnit
%for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
dn: cn=%%user,%%families
cn: %%user
mail: %%user
sn: %%user['ldap_user_sn_' + %%family]

View file

@ -8,8 +8,9 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
%end for
## Users
#%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
#%for %%user in %%accounts.users.ldap_user_mail
#dn: cn=%%user,ou=users,%%ldap_base_dn
#dn: cn=%%user,%%users
#changetype: modify
#replace: homeDirectory
#homeDirectory: /srv/home/users/%%user
@ -17,8 +18,9 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
#%end for
## Families
#%for %%family in %%accounts.families
# %set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
# %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
#dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
#dn: cn=%%user,%%families
#replace: homeDirectory
#homeDirectory: /srv/home/families/%%family/%%user
#

View file

@ -8,3 +8,4 @@ depends:
- oauth2-client
- nginx-https
- php-fpm
- ldap-client-fedora

View file

@ -4,6 +4,7 @@
<service name="roundcube" engine="creole" target="multi-user">
<file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
<file>/etc/nginx/default.d/roundcubemail.conf</file>
<file source="domain.inc.php">/etc/roundcubemail/courriel.cloud.silique.fr.inc.php</file>
<file>/secrets/roundcube-init.php</file>
<file engine="none">/static/silique_cloud.svg</file>
<file engine="none">/static/watermark.html</file>
@ -13,6 +14,10 @@
<variables>
<family name="roundcube" description="Interface web de consultation des courriels Roundcube">
<variable name="roundcube_des_key" type="secret" auto_freeze="True" hidden="True"/>
<family name="domaines" description="Noms de domaine extérieur" leadership="True">
<variable name="revprox_client_external_domainnames" multi="True" description="Nom de domaine"/>
<variable name="ldap_family" description="Nom de la famille LDAP"/>
</family>
</family>
<family name="oauth2_client">
<variable name="oauth2_is_client_application" redefine='True'>
@ -30,8 +35,10 @@
<variable name="oauth2_client_logo" redefine='True'>
<value>silique_email.png</value>
</variable>
<variable name="oauth2_client_external" redefine="True" multi='True'/>
</family>
<family name="nginx">
<variable name="revprox_client_external_domainname" redefine="True" mandatory="False" hidden="True"/>
<variable name="nginx_root" redefine="True">
<value>/usr/share/roundcubemail/</value>
</variable>
@ -39,9 +46,6 @@
<value>/</value>
</variable>
</family>
<family name="annuaire">
<variable name='ldapclient_family' redefine="True" exists="True" mandatory="True"/>
</family>
</variables>
<constraints>
<fill name="get_password">
@ -52,10 +56,17 @@
<target>roundcube_des_key</target>
</fill>
<fill name="calc_oauth2_client_external">
<param type="variable" optional="True">revprox_client_external_domainname</param>
<param type="variable" optional="True">revprox_client_external_domainnames</param>
<param type="variable" optional="True">revprox_client_location</param>
<param>index.php/login/oauth</param>
<target>oauth2_client_login</target>
<target>oauth2_client_external</target>
</fill>
<check name="set_linked_configuration">
<param name="linked_value">all</param>
<param name="linked_server" type="variable">ldap_server_address</param>
<param name="linked_provider">client_family</param>
<param name="dynamic" type="variable">domain_name_eth0</param>
<target>ldap_family</target>
</check>
</constraints>
</rougail>

View file

@ -763,7 +763,8 @@ $config['useragent'] = null;
// try to load host-specific configuration
// see https://github.com/roundcube/roundcubemail/wiki/Configuration:-Multi-Domain-Setup
// for more details
$config['include_host_config'] = false;
$config['include_host_config'] = array("%%revprox_client_external_domainname" => "%%{revprox_client_external_domainname}.inc.php"
);
// path to a text file which will be added to each sent message
// paths are relative to the Roundcube root folder
@ -1058,55 +1059,6 @@ $config['address_book_type'] = 'sql';
// example further below. if you would like to test, simply uncomment the example.
// Array key must contain only safe characters, ie. a-zA-Z0-9_
$config['ldap_public'] = [];
#>GNUNUX
%if %%getVar('ldap_server_address', None)
$config['ldap_public'] = array (
'Local' => array (
'name' => "Ma famille",
'hosts' => array (
0 => 'ldaps://%%ldap_server_address',
),
'port' => 636,
'use_tls' => false,
'bind_user' => '',
'bind_dn' => '%%ldapclient_remote_user',
'bind_pass' => '%%ldapclient_remote_user_password',
'auth_method' => '',
'vlv' => false, //Samba do not support Virtual List View functions
'user_specific' => false,
'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
'writable' => false,
'required_fields' => array (
0 => 'cn',
1 => 'sn',
2 => 'mail',
3 => 'uid',
),
'groups' => array(
'base_dn' => '',
'object_classes' => ['top', 'groupOfNames'],
),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array ('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(mail=*)',
'fuzzy_search' => true,
'fieldmap' => array(
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'email' => 'mail',
),
),
);
%end if
#<GNUNUX
// If you are going to use LDAP for individual address books, you will need to
// set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.
@ -1563,3 +1515,4 @@ $config['reply_all_mode'] = 0;
// Keys directory for all users.
// Must be writeable by PHP process, and not in the web server document root
$config['enigma_pgp_homedir'] = '/var/lib/roundcubemail/enigma';
?>

View file

@ -0,0 +1,49 @@
<?php
#>GNUNUX
$config['ldap_public'] = array (
'Local' => array (
'name' => "Ma famille",
'hosts' => array (
0 => 'ldaps://%%ldap_server_address',
),
'port' => 636,
'use_tls' => false,
'bind_user' => '',
'bind_dn' => '%%ldapclient_remote_user',
'bind_pass' => '%%ldapclient_remote_user_password',
'auth_method' => '',
'vlv' => false, //Samba do not support Virtual List View functions
'user_specific' => false,
'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
'writable' => false,
'required_fields' => array (
0 => 'cn',
1 => 'sn',
2 => 'mail',
3 => 'uid',
),
'groups' => array(
'base_dn' => '',
'object_classes' => ['top', 'groupOfNames'],
),
'LDAP_rdn' => 'mail',
'ldap_version' => 3,
'search_fields' => array ('mail', 'cn', 'sn', 'givenName'),
'name_field' => 'cn',
'email_field' => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'gn',
'sort' => 'cn',
'scope' => 'sub',
'filter' => '(mail=*)',
'fuzzy_search' => true,
'fieldmap' => array(
'name' => 'cn',
'surname' => 'sn',
'firstname' => 'givenName',
'email' => 'mail',
),
),
);
#<GNUNUX
?>