update params template and move mailserver stuff

ab-openldap/ab-openldap.params.template

@@ -9,15 +9,20 @@
 #      incorrect: ORG_NAME="MyOrganization"
 #      correct:   ORG_NAME=MyOrganization
 #
-# Instead of typing a myriad of "-e ...", you can fill them all out in this 
+# Instead of typing a myriad of "-e ...", you can fill them all out in this
 # file and then use "--env-file ab-openldap.params" to tell docker to source
-# it's variables from here.  You can also combine both methods if you like.  
+# its variables from here.  You can also combine both methods if you like.
 # Most important, if you're using the convenience script, it draws all info from
 # this file!
 #
-# You should probably protect this file via file permissions since it likely 
+# You should probably protect this file via file permissions since it likely
 # will contain things like passwords!  Suggest restricting it to root only
 #    ex: chown root:root ab-openldap.parms && chmod 600 ab-openldap.parms
+#
+# N.B. If you change the convenience script name, you must also change this
+# file's name to match.
+#    ex: script name is 'runldap.sh' --> this file must be 'runldap.params'
+#
 ###
 
 ### Your timezone (https://en.wikipedia.org/wiki/List_of_tz_database_time_zones)
@@ -43,17 +48,17 @@ BROWSER_PASS=ldapbind
 ANONYMOUS_BINDING=yes
 
 ### Location of your TLS files
-# Note: This section is only automated if using the script file to start the 
-# container.  If you are starting it manually and using '--env-file', you still 
+# Note: This section is only automated if using the script file to start the
+# container.  If you are starting it manually and using '--env-file', you still
 # have to manually bind-mount these files using '-v source:/certs/dest.file:ro'.
 #
-# If you're bind-mounting symlinks, remember that you have to fully expand them 
-# or Docker will try to bind the link instead of the target!  This is most 
+# If you're bind-mounting symlinks, remember that you have to fully expand them
+# or Docker will try to bind the link instead of the target!  This is most
 # common with Let's Encrypt.
 #
 # Example that does not work (binding directory instead of files):
 #   /etc/letsencrypt/live/mydomain.net:/certs:ro
-#   This will end up copying the symlinks themselves and, since the targets are 
+#   This will end up copying the symlinks themselves and, since the targets are
 #   not available to the container, it doesn't work!
 # Example of the right way (bind actual files):
 #   /etc/letsencrypt/live/mydomain.net/privkey.pem:/certs/privkey.pem:ro
@@ -62,7 +67,7 @@ ANONYMOUS_BINDING=yes
 #TLS_KEY=/etc/letsencrypt/live/mydomain.net/privkey.pem
 #TLS_CHAIN=/etc/letsencrypt/live/mydomain.net/chain.pem
 
-# The container will generate Diffie-Hellman parameters automatically the first 
+# The container will generate Diffie-Hellman parameters automatically the first
 # time it's launched with TLS certificates defined.
 
 ### Custom LDIFs
@@ -70,5 +75,24 @@ ANONYMOUS_BINDING=yes
 # variable commented-out if you don't have any LDIFs to apply.
 # MY_LDIF=/path/to/my/LDIFs
 
+### Enable checking passwords against IMAP/S server
+#
+# Setting the DOMAILAUTH variable to '1' tells openLDAP to verify SASL passwords
+# in the directory against an IMAP/S remote host. In other words, any user with
+# a password '{SASL}user@server.tld' will have their password checked by the
+# IMAP/S server using the provided email address and a 'NO/OK' reponse is fed
+# back to openLDAP. Please note, the remote mailserver *must* support IMAP/S
+# (i.e. secured IMAP).
+#
+# Specify the remote mailserver hostname using the MAILSERVER variable.
+#
+# If the remote mailserver implements IMAP/S (secure IMAP) on a non-standard
+# port (not port 993) then supply that using the MAILAUTHPORT variable.
+#
+# More details can be found in the wiki.
+###
+#DOMAILAUTH=0
+#MAILSERVER=mail.myserver.tld
+#MAILAUTHPORT=imaps
 
 #EOF