From edba57caaf6c0cc034b5646f6499a96b42bdd61f Mon Sep 17 00:00:00 2001
From: Asif Bacchus
Date: Mon, 14 Sep 2020 16:21:58 -0600
Subject: [PATCH] update params template and move mailserver stuff

---
 ab-openldap/ab-openldap.params.template | 42 +++++++++++++++++++------
 ab-openldap/ab-openldap.sh | 24 +-------------
 2 files changed, 34 insertions(+), 32 deletions(-)

diff --git a/ab-openldap/ab-openldap.params.template b/ab-openldap/ab-openldap.params.template
index ee6e5d3..6b4fe7e 100644
--- a/ab-openldap/ab-openldap.params.template
+++ b/ab-openldap/ab-openldap.params.template
@@ -9,15 +9,20 @@
 # incorrect: ORG_NAME="MyOrganization"
 # correct: ORG_NAME=MyOrganization
 #
-# Instead of typing a myriad of "-e ...", you can fill them all out in this
+# Instead of typing a myriad of "-e ...", you can fill them all out in this
 # file and then use "--env-file ab-openldap.params" to tell docker to source
-# it's variables from here. You can also combine both methods if you like.
+# its variables from here. You can also combine both methods if you like.
 # Most important, if you're using the convenience script, it draws all info from
 # this file!
 #
-# You should probably protect this file via file permissions since it likely
+# You should probably protect this file via file permissions since it likely
 # will contain things like passwords! Suggest restricting it to root only
 # ex: chown root:root ab-openldap.parms && chmod 600 ab-openldap.parms
+#
+# N.B. If you change the convenience script name, you must also change this
+# file's name to match.
+# ex: script name is 'runldap.sh' --> this file must be 'runldap.params'
+#
 ###
 ### Your timezone (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
@@ -43,17 +48,17 @@ BROWSER_PASS=ldapbind
 ANONYMOUS_BINDING=yes
 ### Location of your TLS files
-# Note: This section is only automated if using the script file to start the
-# container. If you are starting it manually and using '--env-file', you still
+# Note: This section is only automated if using the script file to start the
+# container. If you are starting it manually and using '--env-file', you still
 # have to manually bind-mount these files using '-v source:/certs/dest.file:ro'.
 #
-# If you're bind-mounting symlinks, remember that you have to fully expand them
-# or Docker will try to bind the link instead of the target! This is most
+# If you're bind-mounting symlinks, remember that you have to fully expand them
+# or Docker will try to bind the link instead of the target! This is most
 # common with Let's Encrypt.
 #
 # Example that does not work (binding directory instead of files):
 # /etc/letsencrypt/live/mydomain.net:/certs:ro
-# This will end up copying the symlinks themselves and, since the targets are
+# This will end up copying the symlinks themselves and, since the targets are
 # not available to the container, it doesn't work!
 # Example of the right way (bind actual files):
 # /etc/letsencrypt/live/mydomain.net/privkey.pem:/certs/privkey.pem:ro
@@ -62,7 +67,7 @@ ANONYMOUS_BINDING=yes
 #TLS_KEY=/etc/letsencrypt/live/mydomain.net/privkey.pem
 #TLS_CHAIN=/etc/letsencrypt/live/mydomain.net/chain.pem
-# The container will generate Diffie-Hellman parameters automatically the first
+# The container will generate Diffie-Hellman parameters automatically the first
 # time it's launched with TLS certificates defined.
 ### Custom LDIFs
@@ -70,5 +75,24 @@ ANONYMOUS_BINDING=yes
 # variable commented-out if you don't have any LDIFs to apply.
 # MY_LDIF=/path/to/my/LDIFs
+### Enable checking passwords against IMAP/S server
+#
+# Setting the DOMAILAUTH variable to '1' tells openLDAP to verify SASL passwords
+# in the directory against an IMAP/S remote host. In other words, any user with
+# a password '{SASL}user@server.tld' will have their password checked by the
+# IMAP/S server using the provided email address and a 'NO/OK' reponse is fed
+# back to openLDAP. Please note, the remote mailserver *must* support IMAP/S
+# (i.e. secured IMAP).
+#
+# Specify the remote mailserver hostname using the MAILSERVER variable.
+#
+# If the remote mailserver implements IMAP/S (secure IMAP) on a non-standard
+# port (not port 993) then supply that using the MAILAUTHPORT variable.
+#
+# More details can be found in the wiki.
+###
+#DOMAILAUTH=0
+#MAILSERVER=mail.myserver.tld
+#MAILAUTHPORT=imaps
 #EOF
\ No newline at end of file
diff --git a/ab-openldap/ab-openldap.sh b/ab-openldap/ab-openldap.sh
index ce21d33..a3b628f 100755
--- a/ab-openldap/ab-openldap.sh
+++ b/ab-openldap/ab-openldap.sh
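Review bot: The new DOMAILAUTH block's example value `#MAILAUTHPORT=imaps` is a service name, while the comment two lines above it speaks of "a non-standard port (not port 993)", so a reader cannot tell whether a number, a name from the services database, or both is accepted; state the accepted form in the comment, e.g. `# MAILAUTHPORT: port number or service name of the IMAP/S listener (default 'imaps', i.e. 993)`, adjusted to whatever the container actually parses. The added text also carries over the typo `reponse` from the old help text and should read `response`. Since enabling this setting delegates password verification for `{SASL}` users to the remote host, the section would be more useful if it said whether the container validates that host's TLS certificate before trusting its NO/OK answer; nothing in this diff shows how that connection is made, so that is a question for the implementation rather than a claim.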
@@ -70,7 +70,7 @@ scriptHelp () {
 printf "\n"
 textblock "If you run the script with no parameters, it will execute the container 'normally'. That is: Run in detached mode with openLDAP automatically launched and logging to stdout. If you specified certificates, openLDAP will require a TLS connection. All modes of operation allow you to enter the container and connect directly using UNIX sockets as root with *unrestricted* access to all DITs and objects."
 printf "\n"
- textblock "Specifying the '--mailserver mail.server.tld' option, tells openLDAP to verify SASL passwords in the directory against an IMAP/S remote host. In other words, any user with a password '{SASL}user@server.tld' will have their password checked by the IMAP/S server using the provided email address and a 'NO/OK' reponse is fed back to openLDAP. Please note 2 things: You *must* provide the hostname of a mailserver after the '--mailserver' switch; and the remote server *must* implement IMAP/S. More details can be found in the wiki."
+ textblock "If you want to verify SASL passwords against an IMAP/S server, please refer to the '.params' template file and the wiki for more information."
 printf "\n"
 textblock "Containers run in SHELL mode are ALWAYS removed upon exit as they are meant for testing only. By default, containers run without '--rm' will be restarted automatically unless they are manually stopped via 'docker stop...'"
 printf "\n"
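Review bot: The replacement help line sends users to "the '.params' template file" without naming the settings they need, so someone reading `--help` still has to open the template and search; naming the variables here costs nothing, e.g. `textblock "If you want to verify SASL passwords against an IMAP/S server, set DOMAILAUTH, MAILSERVER and MAILAUTHPORT in the script's '.params' file (see the template and the wiki)."`. The template itself notes that the params file must be named after the script, so "the script's '.params' file" is the more accurate pointer than "template file", which is the `.template` copy a user is not expected to edit. scriptHelp begins outside this hunk.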
@@ -89,12 +89,6 @@ scriptHelp () {
 textblock "${cyan}--ldif ${yellow}(ab-openldap_ldif)${norm}"
 textblock "Change the name of the docker volume used to persist LDIFs."
 printf "\n"
- textblock "${cyan}--mailserver ${magenta}mail.server.tld${norm}"
- textblock "Verify SASL passwords against 'mail.server.tld'. Replace with proper mailserver hostname. Mailserver MUST support IMAP/S."
- printf "\n"
- textblock "${cyan}--mailserver-port ${yellow}(imaps)${norm}"
- textblock "If your IMAP/S server uses a non-standard IMAP/S port (not 993) then specify it here. This parameter is ignored if not using '--mailserver'."
- printf "\n"
 textblock "${cyan}--rm|--remove${norm}"
 textblock "Switch parameter. Automatically remove the container and associated volumes (unless data is written) after it exits."
 printf "\n"
@@ -181,22 +175,6 @@ while [ $# -gt 0 ]; do
 volume_ldif="$2"
 shift
 ;;
- --mailserver)
- # mailserver for IMAP/S password verification
- if [ -z "$2" ]; then
- consoleError '1' 'You must specify a mailserver hostname when using --mailserver.'
- fi
- mailserver="$2"
- shift
- ;;
- --mailserver-port)
- # specify IMAP/S port for mailserver
- if [ -z "$2" ]; then
- consoleError '1' 'You must specify a port when using --mailserver-port.'
- fi
- mailserver_port="$2"
- shift
- ;;
 --backupdir)
 # location of backup files to restore
 if [ -z "$2" ]; then
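Review bot: Deleting the `--mailserver` and `--mailserver-port` arms removes the only assignments to `mailserver` and `mailserver_port`, yet the diffstat for ab-openldap.sh (1 insertion, 23 deletions) is fully accounted for by the three hunks shown, so no line that consumed those variables was changed; if the script still expands `$mailserver` or `$mailserver_port` further down (for instance when assembling the container's environment), those expansions are now always empty and should be removed or replaced by whatever reads MAILSERVER/MAILAUTHPORT from the params file. The `while [ $# -gt 0 ]` loop starts before this hunk, so the default arm is not visible; an invocation that still passes `--mailserver host` will now fall into it with `host` left as the next positional word. A short explicit arm would make the migration obvious, e.g. `--mailserver|--mailserver-port) consoleError '1' "$1 has moved to the .params file (DOMAILAUTH, MAILSERVER, MAILAUTHPORT)." ;;`.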