merge d'un bout de develop-ldap3

1 year ago · 9bbc2ee401
19 changed files with 231 additions and 88 deletions
--- a/bin/ldap/ldapvi.sh
+++ b/bin/ldap/ldapvi.sh
@ -10,4 +10,4 @@ setKazVars
 LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)

 export EDITOR=vi
-ldapvi -h $LDAP_IP -D "cn=nobody,ou=users,${ldap_root}" -w ${ldap_LDAP_NOBODY_PASSWORD} --discover
+ldapvi -h $LDAP_IP -D "cn=adminro,ou=system,${ldap_root}" -w ${ldap_LDAP_ADMINRO_PASSWORD} --discover
--- a/bin/ldap/ldapvi_admin.sh
+++ b/bin/ldap/ldapvi_admin.sh
@ -10,4 +10,4 @@ setKazVars
 LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)

 export EDITOR=vi
-ldapvi -h $LDAP_IP -D "${ldap_LDAP_ADMIN_BIND_DN}" -w ${ldap_LDAP_ADMIN_PASSWORD} --discover
+ldapvi -h $LDAP_IP -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldap_LDAP_ADMIN_PASSWORD} --discover
--- a/bin/ldap/migrate_to_ldap.sh
+++ b/bin/ldap/migrate_to_ldap.sh
@ -19,17 +19,17 @@ do
 	pass=$(echo $line | awk -F '|' '{print $2}' | sed -e "s/SHA512-//")
 	echo -e "\n\ndn: cn=${mail},ou=users,${ldap_root}\n\
 changeType: add\n\
-objectclass: inetOrgPerson\n\
-objectClass: organizationalPerson\n\
-objectClass: person\n\
-objectClass: top\n\
-objectClass: PostfixBookMailAccount\n\
-objectClass: extensibleObject\n\
+objectClass: inetOrgPerson\n\
 sn: ${mail}\n\
-mail: ${mail}\n\
 \n\n\
 dn: cn=${mail},ou=users,${ldap_root}\n\
-changeType: modify
+changeType: modify\n\
+replace: objectClass\n\
+objectClass: inetOrgPerson\n\
+objectClass: kaznaute\n\
+objectClass: PostfixBookMailAccount\n\
+objectClass: nextcloudAccount\n\
+-\n\
 replace: sn\n\
 sn: ${mail}\n\
 -\n\
@ -54,11 +54,20 @@ mailStorageDirectory: maildir:/var/mail/${domain}/${user}/\n\
 replace: mailUidNumber\n\
 mailUidNumber: 5000\n\
 -\n\
-replace: uniqueIdentifier\n\
-uniqueIdentifier: ${mail}\n\
+replace: nextcloudQuota\n\
+nextcloudQuota: 10 GB\n\
+-\n\
+replace: nextcloudEnabled\n\
+nextcloudEnabled: TRUE\n\
+-\n\
+replace: mailDeSecours\n\
+mailDeSecours: ${mail}\n\
+-\n\
+replace: quota\n\
+quota: 10\n\
 -\n\
 replace: userPassword\n\
-userPassword: $pass\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "${ldap_LDAP_ADMIN_BIND_DN}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
+userPassword: $pass\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
 done


--- a/dockers/ldap/acl.ldif.tmpl
+++ b/dockers/ldap/acl.ldif.tmpl
@ -1,7 +0,0 @@
-dn: olcDatabase={2}mdb,cn=config
-changeType: modify
-replace: olcAccess
-olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="$BINDDN" write by * none
-olcAccess: {1}to dn.base="" by * read
-olcAccess: {2}to dn.base="ou=users,$LDAPROOT" by users read
-olcAccess: {3}to * by self write by dn="$BINDDN" write by * read
--- a/dockers/ldap/base/acl.ldif.tmpl
+++ b/dockers/ldap/base/acl.ldif.tmpl
@ -0,0 +1,21 @@
+dn: olcDatabase={2}mdb,cn=config
+changeType: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+  by self write
+  by anonymous auth
+  by dn="cn=ldapui,ou=applications,$LDAPROOT" write
+  by dn="$BINDDN" write
+  by * none
+olcAccess: {1}to dn.subtree="$LDAPROOT"
+  by self read
+  by dn="cn=ldapui,ou=applications,$LDAPROOT" read
+  by dn="cn=postfix,ou=applications,$LDAPROOT" read
+  by dn="cn=mattermost,ou=applications,$LDAPROOT" read
+  by dn="cn=cloud,ou=applications,$LDAPROOT" read
+  by dn="cn=mobilizon,ou=applications,$LDAPROOT" read
+  by dn="$BINDDN" write
+  by * none
+olcAccess: {2}to *
+  by dn="$BINDDN" write
+  by * none
--- a/dockers/ldap/base/kaz-schema.ldif.tmpl
+++ b/dockers/ldap/base/kaz-schema.ldif.tmpl
@ -0,0 +1,30 @@
+dn: cn={$KAZNUMBER}kaz,cn=schema,cn=config
+changeType: modify
+replace: olcAttributeTypes
+olcAttributeTypes: {0}( 1.3.6.1.4.1.5656.1.1.1 NAME 'mailDeSecours'
+        DESC 'Adresse mail de secours'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{320} )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.5656.1.1.2 NAME 'quota'
+        DESC 'Quota en GO (integer)'
+        EQUALITY integerMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
+olcAttributeTypes: {2}( 1.3.6.1.4.1.5656.1.1.3 NAME 'agoraEnabled'
+        DESC 'acces a agora'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+olcAttributeTypes: {3}( 1.3.6.1.4.1.5656.1.1.4 NAME 'mobilizonEnabled'
+        DESC 'acces a mobilizon'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+-
+replace: olcObjectClasses
+olcObjectClasses: {0}( 1.3.6.1.4.1.5656.1.2.1 NAME 'kaznaute'
+        DESC 'Un kaznaute'
+        SUP top AUXILIARY
+        MUST ( cn $ quota $ mailDeSecours  )
+        MAY ( agoraEnabled $ mobilizonEnabled )
+        )
--- a/dockers/ldap/base/skeleton.ldif.tmpl
+++ b/dockers/ldap/base/skeleton.ldif.tmpl
@ -0,0 +1,32 @@
+dn: ou=users,$LDAPROOT
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=applications,$LDAPROOT
+objectClass: organizationalUnit
+ou: system
+
+dn: cn=postfix,ou=applications,$LDAPROOT
+objectClass: person
+sn: postfix
+userPassword: $POSTFIX_PASSWORD
+
+dn: cn=ldapui,ou=applications,$LDAPROOT
+objectClass: person
+sn: ldapui
+userPassword: $LDAPUI_PASSWORD
+
+dn: cn=mattermost,ou=applications,$LDAPROOT
+objectClass: person
+sn: mattermost
+userPassword: $MATTERMOST_PASSWORD
+
+dn: cn=cloud,ou=applications,$LDAPROOT
+objectClass: person
+sn: cloud
+userPassword: $CLOUD_PASSWORD
+
+dn: cn=mobilizon,ou=applications,$LDAPROOT
+objectClass: person
+sn: mobilizon
+userPassword: $MOBILIZON_PASSWORD
--- a/dockers/ldap/bootstrap.ldif.tmpl
+++ b/dockers/ldap/bootstrap.ldif.tmpl
@ -1,29 +0,0 @@
-# docker exec -it ldapServ ldapsearch -x -b "$LDAPROOT"
-
-dn: $LDAPROOT
-objectClass: dcObject
-objectClass: organization
-dc: $DC
-o: example
-
-dn: ou=users,$LDAPROOT
-objectClass: organizationalUnit
-ou: users
-
-dn: cn=nobody,ou=users,$LDAPROOT
-cn: nobody
-sn: nobody
-objectClass: inetOrgPerson
-objectClass: posixAccount
-objectClass: shadowAccount
-userPassword: $NOBODYPASSWORD
-uid: nobody
-uidNumber: 1000
-gidNumber: 1000
-homeDirectory: /home/nobody
-
-
-dn: cn=readers,ou=users,$LDAPROOT
-cn: readers
-objectClass: groupOfNames
-member: cn=nobody,ou=users,$LDAPROOT
--- a/dockers/ldap/first.sh
+++ b/dockers/ldap/first.sh
@ -13,7 +13,7 @@ cd $(dirname $0)

 checkDockerRunning "${ldapServName}" "LDAP" || exit

-printKazMsg "\n  *** Premier lancement de LDAP : Mise en place des ACL"
+printKazMsg "\n  *** Premier lancement de LDAP : Mise en place"

 LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
 MAIL_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' mailServ)
@ -23,18 +23,18 @@ docker exec ${ldapUIName} bash -c "echo '${MAIL_IP} ${smtpHost}.${domain}' >> /e
 BINDDN=cn=${LDAP_ADMIN_USERNAME},${ldap_root}
 DC=$(echo ${ldap_root} | cut -d',' -f1 | cut -d'=' -f2)

-cp acl.ldif.tmpl acl.ldif
-sed -i -e "s/\$BINDDN/${BINDDN}/g" acl.ldif
-sed -i -e "s/\$LDAPROOT/${ldap_root}/g" acl.ldif
+for schema in `ls schemas/`
+do
+  ldapadd -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f schemas/${schema}
+done

-cp bootstrap.ldif.tmpl bootstrap.ldif
-sed -i -e "s/\$LDAPROOT/${ldap_root}/g" bootstrap.ldif
-sed -i -e "s/\$DC/${DC}/g" bootstrap.ldif
-sed -i -e "s%\$NOBODYPASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_NOBODY_PASSWORD}`%g" bootstrap.ldif
+echo "dn: ${ldap_root}
+objectClass: dcObject
+objectClass: organization
+dc: $DC
+o: Kaz" | ldapadd -H ldap://$LDAP_IP -D "${BINDDN}" -w ${LDAP_ADMIN_PASSWORD}

-ldapadd -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f acl.ldif
-ldapadd -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f postfixbook.ldif
-ldapadd -H ldap://$LDAP_IP -D "${BINDDN}" -w ${LDAP_ADMIN_PASSWORD} -f bootstrap.ldif
+./update.sh

 CONFIG_IHM="${DOCK_VOL}/ldap_configSSP/_data/config.inc.php"

@ -61,11 +61,11 @@ updateVarInConf(){
    fi
 }

-updateVarInConf "ldap_url" "${LDAP_URI}" "${CONFIG_IHM}"
-updateVarInConf "ldap_binddn" "${LDAP_ADMIN_BIND_DN}" "${CONFIG_IHM}"
-updateVarInConf "ldap_bindpw" "${LDAP_ADMIN_BIND_PWD}" "${CONFIG_IHM}"
-updateVarInConf "ldap_base" "${LDAP_BASE_DN}" "${CONFIG_IHM}"
-updateVarInConf "ldap_login_attribute" "sn" "${CONFIG_IHM}"
+updateVarInConf "ldap_url" "${LDAPUI_URI}" "${CONFIG_IHM}"
+updateVarInConf "ldap_binddn" "${LDAPUI_ADMIN_BIND_DN}" "${CONFIG_IHM}"
+updateVarInConf "ldap_bindpw" "${LDAPUI_ADMIN_BIND_PWD}" "${CONFIG_IHM}"
+updateVarInConf "ldap_base" "${LDAPUI_BASE_DN}" "${CONFIG_IHM}"
+updateVarInConf "ldap_login_attribute" "cn" "${CONFIG_IHM}"
 updateVarInConf "hash" "CRYPT" "${CONFIG_IHM}"
 updateVarInConf "use_questions" "false" "${CONFIG_IHM}" "php"
 updateVarInConf "mail_from" "admin@${domain}" "${CONFIG_IHM}"
@ -79,6 +79,7 @@ updateVarInConf "allowed_lang" "array('fr', 'br');" "${CONFIG_IHM}" "php"
 #updateVarInConf "posthook_password_encodebase64" "true" "${CONFIG_IHM}"
 updateVarInConf "mail_smtp_secure" "tls" "${CONFIG_IHM}"
 updateVarInConf "mail_address_use_ldap" "true" "${CONFIG_IHM}"
+updateVarInConf "mail_attributes" "array(\"mailDeSecours\", \"mail\")" "${CONFIG_IHM}" "php"
 updateVarInConf "pwd_min_length" "10" "${CONFIG_IHM}"
 updateVarInConf "pwd_min_special" "2" "${CONFIG_IHM}"
 updateVarInConf "pwd_show_policy" "always" "${CONFIG_IHM}"
--- a/dockers/ldap/schemas/kaz.ldif
+++ b/dockers/ldap/schemas/kaz.ldif
@ -0,0 +1,11 @@
+# On crée un schéma vide, qui sera peuplé ensuite par update.sh
+# L'attribut mailDeSecours sert juste à bloquer la re-création si on relance
+
+dn: cn=kaz,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: kaz
+olcAttributeTypes: {0}( 1.3.6.1.4.1.5656.1.1.1 NAME 'mailDeSecours'
+        DESC 'Adresse mail de secours'
+        EQUALITY caseIgnoreIA5Match
+        SUBSTR caseIgnoreIA5SubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{320} )
--- a/dockers/ldap/schemas/nextcloud.ldif
+++ b/dockers/ldap/schemas/nextcloud.ldif
@ -0,0 +1,25 @@
+dn: cn=nextcloud,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: nextcloud
+olcAttributeTypes: {0}( 1.3.6.1.4.1.49213.1.1.1 NAME 'nextcloudEnabled'
+        DESC 'whether user or group should be available in Nextcloud'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+olcAttributeTypes: {1}( 1.3.6.1.4.1.49213.1.1.2 NAME 'nextcloudQuota'
+        DESC 'defines how much disk space is available for the user'
+        EQUALITY caseIgnoreMatch
+        SUBSTR caseIgnoreSubstringsMatch
+        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
+olcObjectClasses: {0}( 1.3.6.1.4.1.49213.1.2.1 NAME 'nextcloudAccount'
+        DESC 'A Nextcloud account'
+        SUP top AUXILIARY
+        MUST ( cn  )
+        MAY ( nextcloudEnabled $ nextcloudQuota )
+        )
+olcObjectClasses: {1}( 1.3.6.1.4.1.49213.1.2.2 NAME 'nextcloudGroup'
+        DESC 'A Nextcloud group'
+        SUP top AUXILIARY
+        MUST ( cn  )
+        MAY ( nextcloudEnabled )
+        )
--- a/dockers/ldap/schemas/postfixbook.ldif
+++ b/dockers/ldap/schemas/postfixbook.ldif
--- a/dockers/ldap/update.sh
+++ b/dockers/ldap/update.sh
@ -0,0 +1,40 @@
+#!/bin/bash
+
+SERV_DIR=$(cd $(dirname $0); pwd)
+KAZ_ROOT=$(cd $(dirname $0)/../..; pwd)
+. "${KAZ_ROOT}/bin/.commonFunctions.sh"
+setKazVars
+
+cd $(dirname $0)
+. "${DOCKERS_ENV}"
+. "${KAZ_KEY_DIR}/env-${ldapServName}"
+
+checkDockerRunning "${ldapServName}" "LDAP" || exit
+
+printKazMsg "\n  *** Update du LDAP"
+
+LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
+
+BINDDN=cn=${LDAP_ADMIN_USERNAME},${ldap_root}
+DC=$(echo ${ldap_root} | cut -d',' -f1 | cut -d'=' -f2)
+
+cp base/acl.ldif.tmpl /tmp/acl.ldif
+sed -i -e "s/\$BINDDN/${BINDDN}/g" /tmp/acl.ldif
+sed -i -e "s/\$LDAPROOT/${ldap_root}/g" /tmp/acl.ldif
+
+cp base/skeleton.ldif.tmpl /tmp/skeleton.ldif
+sed -i -e "s/\$LDAPROOT/${ldap_root}/g" /tmp/skeleton.ldif
+sed -i -e "s%\$POSTFIX_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_POSTFIX_PASSWORD}`%g" /tmp/skeleton.ldif
+sed -i -e "s%\$LDAPUI_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_LDAPUI_PASSWORD}`%g" /tmp/skeleton.ldif
+sed -i -e "s%\$MATTERMOST_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_MATTERMOST_PASSWORD}`%g" /tmp/skeleton.ldif
+sed -i -e "s%\$CLOUD_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_CLOUD_PASSWORD}`%g" /tmp/skeleton.ldif
+sed -i -e "s%\$MOBILIZON_PASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_MOBILIZON_PASSWORD}`%g" /tmp/skeleton.ldif
+
+cp base/kaz-schema.ldif.tmpl /tmp/kaz-schema.ldif
+KAZNUMBER=$(ldapsearch -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -b cn=schema,cn=config | grep "kaz,cn=schema" | head -n1 | cut -d',' -f1 | cut -d'{' -f2 | cut -d'}' -f1)
+sed -i -e "s/\$KAZNUMBER/${KAZNUMBER}/g" /tmp/kaz-schema.ldif
+
+
+ldapmodify -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f /tmp/acl.ldif
+ldapmodify -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f /tmp/kaz-schema.ldif
+ldapadd -c -H ldap://$LDAP_IP -D "${BINDDN}" -w ${LDAP_ADMIN_PASSWORD} -f /tmp/skeleton.ldif
--- a/dockers/mobilizon/config.exs
+++ b/dockers/mobilizon/config.exs
@ -94,5 +94,5 @@ config :mobilizon, :ldap,
  uid: System.get_env("MOBILIZON_LDAP_UID", "cn"),
  require_bind_for_search: true,
  group: false,
-  bind_uid: System.get_env("MOBILIZON_LDAP_BINDUID", "nobody"),
+  bind_uid: {:full, System.get_env("MOBILIZON_LDAP_BINDUID", "nobody")},
  bind_password: System.get_env("MOBILIZON_LDAP_BINDPASSWORD", "nobody")
--- a/dockers/mobilizon/docker-compose.yml
+++ b/dockers/mobilizon/docker-compose.yml
@ -15,7 +15,6 @@ services:
      - MOBILIZON_LDAP_HOST=ldap
      - MOBILIZON_LDAP_BASE=ou=users,${ldap_root}
      - MOBILIZON_LDAP_UID=cn
-      - MOBILIZON_LDAP_BINDUID=nobody

    volumes:
      - mobilizonUploads:/var/lib/mobilizon/uploads
--- a/secret.tmpl/SetAllPass.sh
+++ b/secret.tmpl/SetAllPass.sh
@ -52,15 +52,19 @@ ldap_LDAP_ADMIN_USERNAME="--clean_val--"
 ldap_LDAP_ADMIN_PASSWORD="--clean_val--"
 ldap_LDAP_CONFIG_ADMIN_USERNAME="--clean_val--"
 ldap_LDAP_CONFIG_ADMIN_PASSWORD="--clean_val--"
-ldap_LDAP_NOBODY_PASSWORD="--clean_val--"
-
-ldap_LDAP_URI=ldap://ldap
-ldap_LDAP_BASE_DN=${ldap_root}
-ldap_LDAP_REQUIRE_STARTTLS=FALSE
-ldap_LDAP_ADMINS_GROUP=admins
-ldap_LDAP_ADMIN_BIND_DN=cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}
-ldap_LDAP_ADMIN_BIND_PWD=${ldap_LDAP_ADMIN_PASSWORD}
-ldap_LDAP_IGNORE_CERT_ERRORS=TRUE
+ldap_LDAP_POSTFIX_PASSWORD="--clean_val--"
+ldap_LDAP_LDAPUI_PASSWORD="--clean_val--"
+ldap_LDAP_MATTERMOST_PASSWORD="--clean_val--"
+ldap_LDAP_CLOUD_PASSWORD="--clean_val--"
+ldap_LDAP_MOBILIZON_PASSWORD="--clean_val--"
+
+ldap_LDAPUI_URI=ldap://ldap
+ldap_LDAPUI_BASE_DN=${ldap_root}
+ldap_LDAPUI_REQUIRE_STARTTLS=FALSE
+ldap_LDAPUI_ADMINS_GROUP=admins
+ldap_LDAPUI_ADMIN_BIND_DN=cn=ldapui,ou=applications,${ldap_root}
+ldap_LDAPUI_ADMIN_BIND_PWD=${ldap_LDAP_LDAPUI_PASSWORD}
+ldap_LDAPUI_IGNORE_CERT_ERRORS=TRUE

 ###################
 # gitea
@ -142,8 +146,9 @@ roundcube_ROUNDCUBEMAIL_DB_PASSWORD="${roundcube_MYSQL_PASSWORD}"
 roundcube_ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE="1G"

 ####################
-# postfix ?
-mail_ENABLE_SPAMASSASSIN="1"
+# postfix LDAP
+mail_LDAP_BIND_DN=cn=postfix,ou=applications,${ldap_root}
+mail_LDAP_BIND_PW=${ldap_LDAP_POSTFIX_PASSWORD}

 ####################
 # sympa
@ -232,7 +237,7 @@ mobilizon_MOBILIZON_DATABASE_USERNAME="${mobilizon_POSTGRES_USER}"
 mobilizon_MOBILIZON_DATABASE_PASSWORD="${mobilizon_POSTGRES_PASSWORD}"
 mobilizon_MOBILIZON_DATABASE_DBNAME=mobilizon

-mobilizon_MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=true
+mobilizon_MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=false
 mobilizon_MOBILIZON_INSTANCE_NAME="Mobilizon"
 mobilizon_MOBILIZON_INSTANCE_HOST="${mobilizonHost}.${domain}"

@ -250,7 +255,8 @@ mobilizon_MOBILIZON_SMTP_USERNAME=noreply@${domain}
 mobilizon_MOBILIZON_SMTP_PASSWORD=
 mobilizon_MOBILIZON_SMTP_SSL=false

-mobilizon_MOBILIZON_LDAP_BINDPASSWORD=${ldap_LDAP_NOBODY_PASSWORD}
+mobilizon_MOBILIZON_LDAP_BINDUID=cn=mobilizon,ou=applications,${ldap_root}
+mobilizon_MOBILIZON_LDAP_BINDPASSWORD=${ldap_LDAP_MOBILIZON_PASSWORD}


 #####################
--- a/secret.tmpl/env-ldapServ
+++ b/secret.tmpl/env-ldapServ
@ -2,4 +2,8 @@ LDAP_ADMIN_USERNAME=
 LDAP_ADMIN_PASSWORD=
 LDAP_CONFIG_ADMIN_USERNAME=
 LDAP_CONFIG_ADMIN_PASSWORD=
-LDAP_NOBODY_PASSWORD=
+LDAP_POSTFIX_PASSWORD=
+LDAP_LDAPUI_PASSWORD=
+LDAP_MATTERMOST_PASSWORD=
+LDAP_CLOUD_PASSWORD=
+LDAP_MOBILIZON_PASSWORD=
--- a/secret.tmpl/env-ldapUI
+++ b/secret.tmpl/env-ldapUI
@ -1,7 +1,7 @@
-LDAP_URI=
-LDAP_BASE_DN=
-LDAP_REQUIRE_STARTTLS=
-LDAP_ADMINS_GROUP=
-LDAP_ADMIN_BIND_DN=
-LDAP_ADMIN_BIND_PWD=
-LDAP_IGNORE_CERT_ERRORS=
+LDAPUI_URI=
+LDAPUI_BASE_DN=
+LDAPUI_REQUIRE_STARTTLS=
+LDAPUI_ADMINS_GROUP=
+LDAPUI_ADMIN_BIND_DN=
+LDAPUI_ADMIN_BIND_PWD=
+LDAPUI_IGNORE_CERT_ERRORS=
--- a/secret.tmpl/env-mobilizonServ
+++ b/secret.tmpl/env-mobilizonServ
@ -23,4 +23,5 @@ MOBILIZON_DATABASE_PASSWORD=
 MOBILIZON_DATABASE_DBNAME=

 # LDAP
+MOBILIZON_LDAP_BINDUID=
 MOBILIZON_LDAP_BINDPASSWORD=