aither/simple-nixos-mailserver
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

dovecot: reintroduce LDAP bind auth for passdb

Browse Source 
LDAP bind auth used to be enabled by default (and not configurable)
before the dovecot 2.4 migration.

I changed the default option value to match the old Dovecot 2.3
behavior.

The use of authentication bind is required for LDAP servers that simply
do not have such LDAP attribute like Kanidm, or in cases where the
password scheme used is not supported by Dovecot.
This commit is contained in:
emilylange
2026-05-24 01:41:13 +02:00
parent 57bfae2d7e
commit eea473ea12
3 changed files with 58 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
default.nix
+11 -3
View File
@@ -483,13 +483,21 @@ in
}; };
password = mkOption { password = mkOption {
type = types.str; type = types.nullOr types.str;
default = "userPassword"; default = null;
example = "unix_password"; example = "userPassword";
description = '' description = ''
The LDAP attribute referencing the account password used to login with. The LDAP attribute referencing the account password used to login with.
The account passwords stored in LDAP must be hashed with a supported
[Password Scheme] in order for Dovecot to understand them.
Typically the `userPassword` attribute which is part of the `inetOrgPerson` schema. Typically the `userPassword` attribute which is part of the `inetOrgPerson` schema.
If `null`, [Authentication Binds] will be used instead.
[Password Scheme]: https://doc.dovecot.org/2.4.4/core/config/auth/schemes.html
[Authentication Binds]: https://doc.dovecot.org/2.4.4/core/config/auth/databases/ldap.html#authentication-binds
''; '';
}; };
mail-server/dovecot.nix
+2 -1
View File
@@ -437,8 +437,9 @@ in
"passdb ldap" = { "passdb ldap" = {
driver = "ldap"; driver = "ldap";
filter = cfg.ldap.dovecot.passFilter; filter = cfg.ldap.dovecot.passFilter;
bind = cfg.ldap.attributes.password == null;
fields = { fields = {
password = "%{ldap:${cfg.ldap.attributes.password}}"; password = mkIf (cfg.ldap.attributes.password != null) "%{ldap:${cfg.ldap.attributes.password}}";
}; };
ldap_connection_group = "ldap-passdb-conn"; ldap_connection_group = "ldap-passdb-conn";
}; };
tests/ldap.nix
+45 -1
View File
@@ -25,7 +25,7 @@ in
nodes = { nodes = {
machine = machine =
{ pkgs, ... }: { pkgs, lib, ... }:
{ {
imports = [ imports = [
../default.nix ../default.nix
@@ -166,12 +166,51 @@ in
}; };
base = "ou=users,dc=example"; base = "ou=users,dc=example";
scope = "sub"; scope = "sub";
attributes = {
# disable auth bind
password = "userPassword";
};
}; };
forwards = { forwards = {
"bob_fw@example.com" = "bob@example.com"; "bob_fw@example.com" = "bob@example.com";
}; };
}; };
specialisation.auth_bind = {
inheritParentConfig = true;
configuration = {
mailserver = {
ldap = {
attributes = {
# enable auth bind
password = lib.mkForce null;
};
};
};
services.openldap.settings.children = {
"olcDatabase={1}mdb" = {
attrs = {
olcAccess = [
# disallow access to userPassword
''
to * attrs=userPassword
by anonymous auth
by * none
''
# default policy (same as if we would specify none as all)
''
to *
by * read
''
];
};
};
};
};
};
}; };
}; };
testScript = testScript =
@@ -331,5 +370,10 @@ in
"--dst-password-file <(echo '${malloryPassword}')", "--dst-password-file <(echo '${malloryPassword}')",
"--ignore-dkim-spf" "--ignore-dkim-spf"
])) ]))
with subtest("LDAP Authentication Binds"):
machine.succeed("/run/booted-system/specialisation/auth_bind/bin/switch-to-configuration test")
machine.wait_for_unit("openldap.service")
machine.succeed("doveadm auth test alice '${alicePassword}'")
''; '';
} }