diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index b1d2366f34830f02914aa6da043eb0bbe553fc36..933f1f621452d5f8a59a718b9579a281588e7100 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -703,22 +703,27 @@ Both Postfix and Dovecot expect a specific directory structure in LDAP when
 doing look-ups:
 * Postfix will log-in to LDAP as user
-  ``cn=postfix,ou=services,MAIL_LDAP_ROOT_DN``.
+  ``cn=postfix,ou=services,MAIL_LDAP_BASE_DN``.
 * Dovecot will log-in to LDAP as user
-  ``cn=dovecot,ou=services,MAIL_LDAP_ROOT_DN``.
+  ``cn=dovecot,ou=services,MAIL_LDAP_BASE_DN``.
 * Domain entries need to be available as
-  ``dc=DOMAIN,ou=domains,ou=mail,ou=services,MAIL_LDAP_ROOT_DN``.
+  ``dc=DOMAIN,ou=domains,ou=mail,ou=services,MAIL_LDAP_BASE_DN``.
 * Alias entries need to be available as
-  ``cn=ALIAS,ou=aliases,ou=mail,ou=services,MAIL_LDAP_ROOT_DN``.
+  ``cn=ALIAS,ou=aliases,ou=mail,ou=services,MAIL_LDAP_BASE_DN``.
 * User entries are read from sub-tree (first-level only)
-  ``ou=people,MAIL_LDAP_ROOT_DN``. Query filter used for finding users is
-  ``(&(mail=%s)(memberOf=cn=mail,ou=groups,MAIL_LDAP_ROOT_DN))``. This allows
+  ``ou=people,MAIL_LDAP_BASE_DN``. Query filter used for finding users is
+  ``(&(mail=%s)(memberOf=cn=mail,ou=groups,MAIL_LDAP_BASE_DN))``. This allows
   group-based granting of mail services to users.
 Parameters
 ~~~~~~~~~~
+**mail_ldap_base_dn** (string, mandatory)
+  Base DN on the LDAP server. A specific directory structure is expected under
+  this entry (as explained above) in order to locate the available domains,
+  users, aliases etc.
+
 **mail_ldap_url** (string, mandatory)
   LDAP URL that should be used for connecting to the LDAP server for doing
   domain/user look-ups.
@@ -727,10 +732,6 @@ Parameters
   Path to TLS truststore used for verifying the LDAP certificate. Should be in
   PEM format.
-**mail_service_ldap_base_dn** (string, mandatory)
-  Base DN in LDAP for the mail services under which the entries (domains, users,
-  aliases) can be found.
-
 **mail_ldap_postfix_password** (string, mandatory)
   Password for authenticating the Postfix LDAP user.
@@ -793,7 +794,7 @@ Here is an example configuration for setting-up XMPP server using Prosody:
   mail_ldap_url: ldap://ldap.example.com/
   mail_ldap_tls_truststore: /etc/ssl/certs/truststore.pem
-  mail_ldap_root_dn: dc=example,dc=com
+  mail_ldap_base_dn: dc=example,dc=com
   mail_ldap_postfix_password: postfix
   mail_ldap_dovecot_password: dovecot
diff --git a/roles/mail_server/templates/dovecot-ldap.conf.ext.j2 b/roles/mail_server/templates/dovecot-ldap.conf.ext.j2
index 269d46843ede181f07c4a9c0cb91fff439e3c961..712727e1b9988ed00d14aff066cf7a93bb776003 100644
--- a/roles/mail_server/templates/dovecot-ldap.conf.ext.j2
+++ b/roles/mail_server/templates/dovecot-ldap.conf.ext.j2
@@ -1,16 +1,16 @@
 uris = {{ mail_ldap_url }}
-dn = cn=dovecot,ou=services,{{ mail_service_ldap_base_dn }}
+dn = cn=dovecot,ou=services,{{ mail_ldap_base_dn }}
 dnpass = {{ mail_ldap_dovecot_password }}
 tls = yes
 tls_ca_cert_file = {{ mail_ldap_tls_truststore }}
 tls_require_cert = demand
 auth_bind = yes
-base = ou=people,{{ mail_service_ldap_base_dn }}
+base = ou=people,{{ mail_ldap_base_dn }}
 scope = onelevel
-user_filter = (&(objectClass=inetOrgPerson)(mail=%u)(memberOf=cn=mail,ou=groups,{{ mail_service_ldap_base_dn }}))
+user_filter = (&(objectClass=inetOrgPerson)(mail=%u)(memberOf=cn=mail,ou=groups,{{ mail_ldap_base_dn }}))
 pass_attrs = mail=user,userPassword=password
-pass_filter = (&(objectClass=inetOrgPerson)(mail=%u)(memberOf=cn=mail,ou=groups,{{ mail_service_ldap_base_dn }}))
+pass_filter = (&(objectClass=inetOrgPerson)(mail=%u)(memberOf=cn=mail,ou=groups,{{ mail_ldap_base_dn }}))
 iterate_attrs = mail=user
-iterate_filter = (memberOf=cn=mail,ou=groups,{{ mail_service_ldap_base_dn }})
+iterate_filter = (memberOf=cn=mail,ou=groups,{{ mail_ldap_base_dn }})
 default_pass_scheme = SSHA
 user_attrs =
diff --git a/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2 b/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2
index 6f4696fc77465716d42163ea19f3f577e949ea27..6b674715d83b0cbf4ae86bea47b7459eba2b6a96 100644
--- a/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2
+++ b/roles/mail_server/templates/ldap-virtual-alias-maps.cf.j2
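Review bot: The rename of `mail_service_ldap_base_dn` to `mail_ldap_base_dn` in the `dn`, `base`, `user_filter`, `pass_filter` and `iterate_filter` lines leaves no compatibility path for an inventory that still sets the old name; the same applies to the `bind_dn` and `search_base` lines in ldap-virtual-alias-maps.cf.j2, ldap-virtual-mailbox-domains.cf.j2 and ldap-virtual-mailbox-maps.cf.j2. With Ansible's default undefined-variable handling the template task fails instead of rendering an empty base DN, which is the safer of the two outcomes, but the error names only the Jinja variable and not the rename. Unless the role's defaults or tasks (not in this diff) already cover it, an early check such as `assert: { that: mail_ldap_base_dn is defined, fail_msg: "mail_service_ldap_base_dn was renamed to mail_ldap_base_dn" }` plus a line in the upgrade notes would turn a confusing deploy failure into a self-explaining one.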
@@ -4,12 +4,12 @@ start_tls = yes
 tls_require_cert = yes
 tls_ca_cert_file = {{ mail_ldap_tls_truststore }}
 bind = yes
-bind_dn = cn=postfix,ou=services,{{ mail_service_ldap_base_dn }}
+bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }}
 bind_pw = {{ mail_ldap_postfix_password }}
 version = 3
 # Query settings.
-search_base = ou=aliases,ou=mail,ou=services,{{ mail_service_ldap_base_dn }}
+search_base = ou=aliases,ou=mail,ou=services,{{ mail_ldap_base_dn }}
 scope = one
 query_filter = cn=%s
 result_attribute = rfc822MailMember
diff --git a/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2 b/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2
index 7a600c79ba4f1090288ea5076695d1c3c2b2c5c8..0902e732c1587182e994ad0da92a494a71ba3f9d 100644
--- a/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2
+++ b/roles/mail_server/templates/ldap-virtual-mailbox-domains.cf.j2
@@ -4,12 +4,12 @@ start_tls = yes
 tls_require_cert = yes
 tls_ca_cert_file = {{ mail_ldap_tls_truststore }}
 bind = yes
-bind_dn = cn=postfix,ou=services,{{ mail_service_ldap_base_dn }}
+bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }}
 bind_pw = {{ mail_ldap_postfix_password }}
 version = 3
 # Query settings.
-search_base = ou=domains,ou=mail,ou=services,{{ mail_service_ldap_base_dn }}
+search_base = ou=domains,ou=mail,ou=services,{{ mail_ldap_base_dn }}
 scope = one
 query_filter = dc=%s
 result_attribute = dc
diff --git a/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2 b/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2
index dc3c72a962af8e5d8653792538068f3f151eda4a..4bbaca3b6239c65c3bdb531a6cb96981b03b9fe9 100644
--- a/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2
+++ b/roles/mail_server/templates/ldap-virtual-mailbox-maps.cf.j2
@@ -4,12 +4,12 @@ start_tls = yes
 tls_require_cert = yes
 tls_ca_cert_file = {{ mail_ldap_tls_truststore }}
 bind = yes
-bind_dn = cn=postfix,ou=services,{{ mail_service_ldap_base_dn }}
+bind_dn = cn=postfix,ou=services,{{ mail_ldap_base_dn }}
 bind_pw = {{ mail_ldap_postfix_password }}
 version = 3
 # Query settings
-search_base = ou=people,{{ mail_service_ldap_base_dn }}
+search_base = ou=people,{{ mail_ldap_base_dn }}
 scope = one
-query_filter = (&(mail=%s)(memberOf=cn=mail,ou=groups,{{mail_service_ldap_base_dn}}))
+query_filter = (&(mail=%s)(memberOf=cn=mail,ou=groups,{{mail_ldap_base_dn}}))
 result_attribute = mail
diff --git a/testsite/group_vars/mail.yml b/testsite/group_vars/mail.yml
index a930c71a29f3a2bbf2dc878d70aad3cf223c9c29..6fcc6c66736286eba7dfe84ebcd9f4d7a97ce909 100644
--- a/testsite/group_vars/mail.yml
+++ b/testsite/group_vars/mail.yml
@@ -2,7 +2,7 @@
 mail_ldap_url: ldap://ldap.{{ testsite_domain }}/
 mail_ldap_tls_truststore: /etc/ssl/certs/ca.pem
-mail_service_ldap_base_dn: "{{ testsite_ldap_base }}"
+mail_ldap_base_dn: "{{ testsite_ldap_base }}"
 mail_ldap_postfix_password: postfix
 mail_ldap_dovecot_password: dovecot
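Review bot: The rewritten `query_filter` line in ldap-virtual-mailbox-maps.cf.j2 keeps the unspaced `{{mail_ldap_base_dn}}` form while every other line touched by this commit uses `{{ mail_ldap_base_dn }}`; since the line is being changed anyway, `query_filter = (&(mail=%s)(memberOf=cn=mail,ou=groups,{{ mail_ldap_base_dn }}))` would keep the templates uniform and make the variable greppable with one pattern. Separately, this value is spliced verbatim into an LDAP search filter here and in the Dovecot `user_filter`/`pass_filter`/`iterate_filter` lines, where `(`, `)`, `*` and `\` are metacharacters under RFC 4515; the base DN is operator-supplied rather than user input, so this is a robustness rather than an injection concern, but a one-line comment in the template stating that `mail_ldap_base_dn` must not contain those characters (or a validation step in the role) would save debugging time when a filter silently matches nothing.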