Merge branch 'ldap-auth-bind' into 'main'

dovecot: fix non-default `cfg.ldap.attributes.password`, reintroduce LDAP bind auth for passdb Closes #360 See merge request simple-nixos-mailserver/nixos-mailserver!524
2026-05-24 00:20:28 +00:00
parent e5102c5502 eea473ea12
commit e4e18e01de
3 changed files with 58 additions and 5 deletions
@@ -483,13 +483,21 @@ in
        };

        password = mkOption {
-          type = types.str;
-          default = "userPassword";
-          example = "unix_password";
+          type = types.nullOr types.str;
+          default = null;
+          example = "userPassword";
          description = ''
            The LDAP attribute referencing the account password used to login with.

+            The account passwords stored in LDAP must be hashed with a supported
+            [Password Scheme] in order for Dovecot to understand them.
+
            Typically the `userPassword` attribute which is part of the `inetOrgPerson` schema.
+
+            If `null`, [Authentication Binds] will be used instead.
+
+            [Password Scheme]: https://doc.dovecot.org/2.4.4/core/config/auth/schemes.html
+            [Authentication Binds]: https://doc.dovecot.org/2.4.4/core/config/auth/databases/ldap.html#authentication-binds
          '';
        };

@@ -437,8 +437,9 @@ in
          "passdb ldap" = {
            driver = "ldap";
            filter = cfg.ldap.dovecot.passFilter;
+            bind = cfg.ldap.attributes.password == null;
            fields = {
-              password = "%{ldap:userPassword}";
+              password = mkIf (cfg.ldap.attributes.password != null) "%{ldap:${cfg.ldap.attributes.password}}";
            };
            ldap_connection_group = "ldap-passdb-conn";
          };
@@ -25,7 +25,7 @@ in

  nodes = {
    machine =
-      { pkgs, ... }:
+      { pkgs, lib, ... }:
      {
        imports = [
          ../default.nix
@@ -166,12 +166,51 @@ in
            };
            base = "ou=users,dc=example";
            scope = "sub";
+            attributes = {
+              # disable auth bind
+              password = "userPassword";
+            };
          };

          forwards = {
            "bob_fw@example.com" = "bob@example.com";
          };
        };
+
+        specialisation.auth_bind = {
+          inheritParentConfig = true;
+          configuration = {
+            mailserver = {
+              ldap = {
+                attributes = {
+                  # enable auth bind
+                  password = lib.mkForce null;
+                };
+              };
+            };
+
+            services.openldap.settings.children = {
+              "olcDatabase={1}mdb" = {
+                attrs = {
+                  olcAccess = [
+                    # disallow access to userPassword
+                    ''
+                      to * attrs=userPassword
+                        by anonymous auth
+                        by * none
+                    ''
+
+                    # default policy (same as if we would specify none as all)
+                    ''
+                      to *
+                        by * read
+                    ''
+                  ];
+                };
+              };
+            };
+          };
+        };
      };
  };
  testScript =
@@ -331,5 +370,10 @@ in
          "--dst-password-file <(echo '${malloryPassword}')",
          "--ignore-dkim-spf"
        ]))
+
+      with subtest("LDAP Authentication Binds"):
+        machine.succeed("/run/booted-system/specialisation/auth_bind/bin/switch-to-configuration test")
+        machine.wait_for_unit("openldap.service")
+        machine.succeed("doveadm auth test alice '${alicePassword}'")
    '';
 }