ldap mis à jour

1 year ago · b36fba8e85
11 changed files with 268 additions and 19 deletions
--- a/bin/init.sh
+++ b/bin/init.sh
@ -163,6 +163,7 @@ fi
 	-e "s%^\s*MAIN_IP\s*=.*$%MAIN_IP=${MAIN_IP}%" \
 	-e "s%^\s*SYMPA_IP\s*=.*$%SYMPA_IP=${SYMPA_IP}%" \
 	-e "s%^\s*restartPolicy\s*=.*$%restartPolicy=${RESTART_POLICY}%" \
+  -e "s%^\s*ldapRoot\s*=.*$%ldapRoot=dc=${DOMAIN_SYMPA/\./,dc=}%" \
 	-e "s%^\s*jirafeauDir\s*=.*$%jirafeauDir=${JIRAFEAU_DIR}%"
 }

@ -170,6 +171,7 @@ if [ ! -f "${KAZ_CONF_DIR}/container-mail.list" ]; then
    cat > "${KAZ_CONF_DIR}/container-mail.list"  <<EOF
 # e-mail server composer
 postfix
+ldap
 #sympa
 EOF
 fi
--- a/bin/migrate_to_ldap.sh
+++ b/bin/migrate_to_ldap.sh
@ -0,0 +1,80 @@
+#!/bin/bash
+
+KAZ_ROOT=/kaz
+. $KAZ_ROOT/bin/.commonFunctions.sh
+setKazVars
+
+. $DOCKERS_ENV
+. $KAZ_ROOT/secret/SetAllPass.sh
+
+SOURCE=/kaz/dockers/postfix/config/postfix-accounts.cf
+
+LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
+
+for line in `cat ${SOURCE}`
+do
+	mail=$(echo $line | awk -F '|' '{print $1}')
+	user=$(echo $mail | awk -F '@' '{print $1}')
+	domain=$(echo $mail | awk -F '@' '{print $2}')
+	pass=$(echo $line | awk -F '|' '{print $2}' | sed -e "s/SHA512-//")
+	echo -e "\n\ndn: cn=${mail},ou=users,${ldap_root}\n\
+changeType: add\n\
+objectclass: inetOrgPerson\n\
+objectClass: organizationalPerson\n\
+objectClass: person\n\
+objectClass: top\n\
+objectClass: PostfixBookMailAccount\n\
+objectClass: extensibleObject\n\
+sn: ${mail}\n\
+mail: ${mail}\n\
+\n\n\
+dn: cn=${mail},ou=users,${ldap_root}\n\
+changeType: modify
+replace: sn\n\
+sn: ${mail}\n\
+-\n\
+replace: mail\n\
+mail: ${mail}\n\
+-\n\
+replace: mailEnabled\n\
+mailEnabled: TRUE\n\
+-\n\
+replace: mailGidNumber\n\
+mailGidNumber: 5000\n\
+-\n\
+replace: mailHomeDirectory\n\
+mailHomeDirectory: /var/mail/${domain}/${user}/\n\
+-\n\
+replace: mailQuota\n\
+mailQuota: 10240\n\
+-\n\
+replace: mailStorageDirectory\n\
+mailStorageDirectory: maildir:/var/mail/${domain}/${user}/\n\
+-\n\
+replace: mailUidNumber\n\
+mailUidNumber: 5000\n\
+-\n\
+replace: uniqueIdentifier\n\
+uniqueIdentifier: ${mail}\n\
+-\n\
+replace: userPassword\n\
+userPassword: $pass\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "${ldap_LDAP_ADMIN_BIND_DN}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
+done
+
+OLDIFS=${IFS}
+IFS=$'\n'
+ALIASES="/kaz/dockers/postfix/config/postfix-virtual.cf"
+for line in `cat ${ALIASES}`
+do
+	LIST=""
+	mail=$(echo $line | awk -F '[[:space:]]*' '{print $2}')
+	for alias in `grep ${mail} ${ALIASES} | cut -d' ' -f1`
+	do
+		LIST=${LIST}"mailAlias: $alias\n"
+	done
+	echo -e "dn: cn=${mail},ou=users,${ldap_root}\n\
+changeType: modify
+replace: mailAlias\n\
+$LIST\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "${ldap_LDAP_ADMIN_BIND_DN}" -x -w ${ldap_LDAP_ADMIN_PASSWORD}
+done
+IFS=${OLDIFS}
--- a/bin/updateDockerPassword.sh
+++ b/bin/updateDockerPassword.sh
@ -105,6 +105,7 @@ updateEnv "vigilo" "${KAZ_KEY_DIR}/env-${vigiloServName}"
 updateEnv "wp" "${KAZ_KEY_DIR}/env-${wordpressServName}"
 updateEnv "ldap" "${KAZ_KEY_DIR}/env-${ldapServName}"
 updateEnv "sympa" "${KAZ_KEY_DIR}/env-${sympaServName}"
+updateEnv "mail" "${KAZ_KEY_DIR}/env-${smtpServName}"
 updateEnv "mobilizon" "${KAZ_KEY_DIR}/env-${mobilizonServName}"
 updateEnv "mobilizon" "${KAZ_KEY_DIR}/env-${mobilizonDBName}"

--- a/bin/updateLook.sh
+++ b/bin/updateLook.sh
@ -23,6 +23,7 @@ docker cp kazdate.png framadateServ:/var/framadate/images/logo-framadate.png
 docker cp kazmel.png roundcubeServ:/var/www/html/skins/elastic/images/kazmel.png
 docker cp kaz-tete.png sympaServ:/usr/share/sympa/static_content/icons/logo_sympa.png
 docker cp kaz-tete.png dokuwikiServ:/dokuwiki/lib/tpl/docnavwiki/images/logo.png
+docker cp kaz-tete.png ldapUI:/var/www/html/images/ltb-logo.png
 docker cp kaz-entier.svg webServ:/usr/share/nginx/html/images/logo.svg
 docker cp kaz-signature.png webServ:/usr/share/nginx/html/m/logo.png

--- a/dockers/ldap/acl.ldif.tmpl
+++ b/dockers/ldap/acl.ldif.tmpl
@ -0,0 +1,7 @@
+dn: olcDatabase={2}mdb,cn=config
+changeType: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="$BINDDN" write by * none
+olcAccess: {1}to dn.base="" by * read
+olcAccess: {2}to dn.base="ou=users,$LDAPROOT" by users read
+olcAccess: {3}to * by self write by dn="$BINDDN" write by * read
--- a/dockers/ldap/bootstrap.ldif.tmpl
+++ b/dockers/ldap/bootstrap.ldif.tmpl
@ -0,0 +1,29 @@
+# docker exec -it ldapServ ldapsearch -x -b "$LDAPROOT"
+
+dn: $LDAPROOT
+objectClass: dcObject
+objectClass: organization
+dc: $DC
+o: example
+
+dn: ou=users,$LDAPROOT
+objectClass: organizationalUnit
+ou: users
+
+dn: cn=nobody,ou=users,$LDAPROOT
+cn: nobody
+sn: nobody
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+userPassword: $NOBODYPASSWORD
+uid: nobody
+uidNumber: 1000
+gidNumber: 1000
+homeDirectory: /home/nobody
+
+
+dn: cn=readers,ou=users,$LDAPROOT
+cn: readers
+objectClass: groupOfNames
+member: cn=nobody,ou=users,$LDAPROOT
--- a/dockers/ldap/docker-compose.yml
+++ b/dockers/ldap/docker-compose.yml
@ -10,26 +10,25 @@ version: '2'
 services:

  web:
-    # ports:
-    #    - 8083:80
-    image: wheelybird/ldap-user-manager
+    image: ltbproject/self-service-password
    container_name: ${ldapUIName}
    depends_on:
      - ldap
    networks:
      - ldapNet
+      - postfixNet
    links:
      - ldap
-    env_file:
-      - ../../secret/env-${ldapUIName}
-    environment:
-      - SERVER_HOSTNAME=${domain}
-      - EMAIL_DOMAIN=${domain}
-      - NO_HTTPS=TRUE
+    external_links:
+      - ${smtpServName}:${smtpHost}
    volumes:
      - /etc/ssl:/etc/ssl:ro
+      - /usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro
      - /etc/timezone:/etc/timezone:ro
      - /root/mkcert:/root/mkcert:ro
+      - configSSP:/var/www/conf/
+      - icons:/var/www/html/images/
+

  ldap:
    image: docker.io/bitnami/openldap:2.6
@ -45,8 +44,12 @@ services:
      - LDAP_ROOT=${ldap_root}
      - LDAP_PORT_NUMBER=389
      - LDAP_LDAPS_PORT_NUMBER=636
+      - LDAP_CONFIG_ADMIN_ENABLED=yes
+      - LDAP_SKIP_DEFAULT_TREE=yes
+      - LDAP_ENABLE_TLS=no
    volumes:
      - openldapData:/bitnami/openldap
+      #- ./ldifs:/ldifs:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
@ -55,8 +58,13 @@ services:

 volumes:
  openldapData:
+  configSSP:
+  icons:

 networks:
  ldapNet:
    external:
      name: ldapNet
+  postfixNet:
+    external:
+      name: postfixNet
--- a/dockers/ldap/first.sh
+++ b/dockers/ldap/first.sh
@ -0,0 +1,84 @@
+#!/bin/bash
+
+SERV_DIR=$(cd $(dirname $0); pwd)
+KAZ_ROOT=$(cd $(dirname $0)/../..; pwd)
+. "${KAZ_ROOT}/bin/.commonFunctions.sh"
+setKazVars
+
+cd $(dirname $0)
+. "${DOCKERS_ENV}"
+. "${KAZ_KEY_DIR}/env-${ldapServName}"
+. "${KAZ_KEY_DIR}/env-${ldapUIName}"
+
+
+checkDockerRunning "${ldapServName}" "LDAP" || exit
+
+printKazMsg "\n  *** Premier lancement de LDAP : Mise en place des ACL"
+
+LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
+MAIL_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' mailServ)
+
+docker exec ${ldapUIName} bash -c "echo '${MAIL_IP} ${smtpHost}.${domain}' >> /etc/hosts"
+
+BINDDN=cn=${LDAP_ADMIN_USERNAME},${ldap_root}
+DC=$(echo ${ldap_root} | cut -d',' -f1 | cut -d'=' -f2)
+
+cp acl.ldif.tmpl acl.ldif
+sed -i -e "s/\$BINDDN/${BINDDN}/g" acl.ldif
+sed -i -e "s/\$LDAPROOT/${ldap_root}/g" acl.ldif
+
+cp bootstrap.ldif.tmpl bootstrap.ldif
+sed -i -e "s/\$LDAPROOT/${ldap_root}/g" bootstrap.ldif
+sed -i -e "s/\$DC/${DC}/g" bootstrap.ldif
+sed -i -e "s%\$NOBODYPASSWORD%\{CRYPT\}`mkpasswd -m sha512crypt ${LDAP_NOBODY_PASSWORD}`%g" bootstrap.ldif
+
+ldapadd -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f acl.ldif
+ldapadd -H ldap://$LDAP_IP -D "cn=${LDAP_CONFIG_ADMIN_USERNAME},cn=config" -w ${LDAP_CONFIG_ADMIN_PASSWORD} -f postfixbook.ldif
+ldapadd -H ldap://$LDAP_IP -D "${BINDDN}" -w ${LDAP_ADMIN_PASSWORD} -f bootstrap.ldif
+
+CONFIG_IHM="${DOCK_VOL}/ldap_configSSP/_data/config.inc.php"
+
+updateVarInConf(){
+    # $1 key
+    # $2 val
+    # $3 file
+    # $4 : vide => la valeur sera encadré par des guillement, sinon c'est du php
+    if grep -q "\$$1" "$3" ; then
+	echo "   update ${CYAN}${BOLD}$1${NC} => $2"
+	# !!! les valeur ne doivent pas contenir le caractère '%'
+	if [ -z "$4" ]; then
+	    sed -i -e "s%^\s*\(\$$1\s*=\).*$%\1 \"$2\";%" "$3"
+	else
+	    sed -i -e "s%^\s*\(\$$1\s*=\).*$%\1 $2;%" "$3"
+	fi
+    else
+	echo "   add ${CYAN}${BOLD}$1${NC} => $2"
+	if [ -z "$4" ]; then
+	    echo "\$$1 = \"$2\";" >> "$3"
+	else
+	    echo "\$$1 = $2;" >> "$3"
+	fi
+    fi
+}
+
+updateVarInConf "ldap_url" "${LDAP_URI}" "${CONFIG_IHM}"
+updateVarInConf "ldap_binddn" "${LDAP_ADMIN_BIND_DN}" "${CONFIG_IHM}"
+updateVarInConf "ldap_bindpw" "${LDAP_ADMIN_BIND_PWD}" "${CONFIG_IHM}"
+updateVarInConf "ldap_base" "${LDAP_BASE_DN}" "${CONFIG_IHM}"
+updateVarInConf "ldap_login_attribute" "sn" "${CONFIG_IHM}"
+updateVarInConf "hash" "CRYPT" "${CONFIG_IHM}"
+updateVarInConf "use_questions" "false" "${CONFIG_IHM}" "php"
+updateVarInConf "mail_from" "admin@${domain}" "${CONFIG_IHM}"
+updateVarInConf "mail_from_name" "Récupération de mot de passe Kaz" "${CONFIG_IHM}"
+updateVarInConf "mail_smtp_host" "${smtpHost}.${domain}" "${CONFIG_IHM}"
+updateVarInConf "use_sms" "false" "${CONFIG_IHM}" "php"
+updateVarInConf "keyphrase" "apOcfivnart+Osh2" "${CONFIG_IHM}"
+updateVarInConf "lang" "fr" "${CONFIG_IHM}"
+updateVarInConf "allowed_lang" "array('fr', 'br');" "${CONFIG_IHM}" "php"
+#updateVarInConf "prehook_password_encodebase64" "true" "${CONFIG_IHM}"
+#updateVarInConf "posthook_password_encodebase64" "true" "${CONFIG_IHM}"
+updateVarInConf "mail_smtp_secure" "tls" "${CONFIG_IHM}"
+updateVarInConf "mail_address_use_ldap" "true" "${CONFIG_IHM}"
+
+
+docker cp "${KAZ_BIN_DIR}/look/kaz/kaz-tete.png" "${ldapUIName}:/var/www/html/images/ltb-logo.png"
--- a/dockers/ldap/postfixbook.ldif
+++ b/dockers/ldap/postfixbook.ldif
@ -0,0 +1,41 @@
+dn: cn=postfixbook,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: postfixbook
+olcAttributeTypes: {0}( 1.3.6.1.4.1.29426.1.10.1 NAME 'mailHomeDirectory' DE
+ SC 'The absolute path to the mail user home directory' EQUALITY caseExactIA
+ 5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.29426.1.10.2 NAME 'mailAlias' DESC 'RFC8
+ 22 Mailbox - mail alias' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Su
+ bstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.29426.1.10.3 NAME 'mailUidNumber' DESC '
+ UID required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
+ 1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.29426.1.10.4 NAME 'mailGidNumber' DESC '
+ GID required to access the mailbox' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
+ 1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.29426.1.10.5 NAME 'mailEnabled' DESC 'TR
+ UE to enable, FALSE to disable account' EQUALITY booleanMatch SYNTAX 1.3.6.
+ 1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.29426.1.10.6 NAME 'mailGroupMember' DESC
+  'Name of a mail distribution list' EQUALITY caseExactIA5Match SYNTAX 1.3.6
+ .1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.29426.1.10.7 NAME 'mailQuota' DESC 'Mail
+  quota limit in kilobytes' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.14
+ 66.115.121.1.26 )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.29426.1.10.8 NAME 'mailStorageDirectory'
+  DESC 'The absolute path to the mail users mailbox' EQUALITY caseExactIA5Ma
+ tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.29426.1.10.9 NAME 'mailSieveRuleSource'
+ DESC 'Sun ONE Messaging Server defined attribute' SYNTAX 1.3.6.1.4.1.1466.1
+ 15.121.1.26 X-ORIGIN 'Sun ONE Messaging Server' )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.29426.1.10.10 NAME 'mailForwardingAddres
+ s' DESC 'Address(es) to forward all incoming messages to.' EQUALITY caseIgn
+ oreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{320} )
+olcObjectClasses: {0}( 1.3.6.1.4.1.29426.1.2.2.1 NAME 'PostfixBookMailAccoun
+ t' DESC 'Mail account used in Postfix Book' SUP top AUXILIARY MUST mail MAY
+  ( mailHomeDirectory $ mailAlias $ mailGroupMember $ mailUidNumber $ mailGi
+ dNumber $ mailEnabled $ mailQuota $ mailStorageDirectory $ mailSieveRuleSou
+ rce ) )
+olcObjectClasses: {1}( 1.3.6.1.4.1.29426.1.2.2.2 NAME 'PostfixBookMailForwar
+ d' DESC 'Mail forward used in Postfix Book' SUP top AUXILIARY MUST ( mail $
+  mailAlias ) MAY mailForwardingAddress )
--- a/secret.tmpl/SetAllPass.sh
+++ b/secret.tmpl/SetAllPass.sh
@ -50,10 +50,9 @@ gandi_dns_gandi_api_key="${gandi_GANDI_KEY}"
 # Openldap
 ldap_LDAP_ADMIN_USERNAME="--clean_val--"
 ldap_LDAP_ADMIN_PASSWORD="--clean_val--"
-ldap_LDAP_ENABLE_TLS="no"
-ldap_LDAP_TLS_CERT_FILE="/etc/letsencrypt/live/${domain}/cert.pem"
-ldap_LDAP_TLS_KEY_FILE="/etc/letsencrypt/live/${domain}/privkey.pem"
-ldap_LDAP_TLS_CA_FILE="/etc/letsencrypt/live/${domain}/fullchain.pem"
+ldap_LDAP_CONFIG_ADMIN_USERNAME="--clean_val--"
+ldap_LDAP_CONFIG_ADMIN_PASSWORD="--clean_val--"
+ldap_LDAP_NOBODY_PASSWORD="--clean_val--"

 ldap_LDAP_URI=ldap://ldap
 ldap_LDAP_BASE_DN=${ldap_root}
--- a/secret.tmpl/env-ldapServ
+++ b/secret.tmpl/env-ldapServ
@ -1,8 +1,5 @@
 LDAP_ADMIN_USERNAME=
 LDAP_ADMIN_PASSWORD=
-LDAP_ENABLE_TLS=
-
-LDAP_TLS_CERT_FILE=
-LDAP_TLS_KEY_FILE=
-LDAP_TLS_CA_FILE=
-LDAP_TLS_DH_PARAMS_FILE=
+LDAP_CONFIG_ADMIN_USERNAME=
+-LDAP_CONFIG_ADMIN_PASSWORD=
+-LDAP_NOBODY_PASSWORD=