ldap: migrate to UUID based Dovecot home directories

The LDAP support was not in a good shape when it was merged. This is a breaking change and course correction to apply best practices going forward. This fixes various issues experienced with the Dovecot LDAP home directory. The gravest issue is that the `homeDirectory` attribute from the `posixAccount` schema would overwrite the Dovecot home directory and cause permission errors. This was possible because we defined the home variable in `default_fields` that is inherently mutable and just a preset if no other value gets transmitted from LDAP. This did not surface in tests, because our LDAP schema was too minimal compared to a common production dataset. The most annoying issue and the actual breaking change is that we now default to UUID based home directories. Every entry in an IDM that supports LDAP comes with a unique identifier that does not change upon account name changes. We want those to enable simple account name migrations that don't require any manual data migration. To migrate existing dovecot home directories a migration script is included, which will be backported to the 25.11 release, so the migration can already be started from the previous release version.
2026-03-12 03:18:48 +01:00
parent fa0d5c9694
commit 091eda1ed2
3 changed files with 37 additions and 21 deletions
@@ -379,19 +379,24 @@ in
        '';
      };

-      dovecot = {
-        userAttrs = mkOption {
-          type = types.nullOr types.str;
-          default = null;
+      attributes = {
+        uuid = mkOption {
+          type = types.str;
+          default = "entryUUID";
+          example = "uuid";
          description = ''
-            LDAP attributes to be retrieved during userdb lookups.
+            The long-term stable LDAP attribute to reference accounts across
+            username changes. Used to determine a stable Dovecot home and
+            mail directory location.

-            See the users_attrs reference at
-            https://doc.dovecot.org/2.3/configuration_manual/authentication/ldap_settings_auth/#user-attrs
-            in the Dovecot manual.
+            Typically the `entryUUID` attribute as defined by [RFC4530].
+
+            [RFC4530]: https://www.rfc-editor.org/rfc/rfc4530.html
          '';
        };
+      };

+      dovecot = {
        userFilter = mkOption {
          type = types.str;
          default = "mail=%{user}";
@@ -1630,5 +1635,8 @@ in
      [ "mailserver" "dkimKeyBits" ]
      [ "mailserver" "dkim" "defaults" "keyLength" ]
    )
+    (mkRemovedOptionModule [ "mailserver" "ldap" "dovecot" "userAttrs" ] ''
+      The user_attrs field is now used internally to map the home and mail directories.
+    '')
  ];
 }