LDAP bind auth used to be enabled by default (and not configurable)
before the dovecot 2.4 migration.
I changed the default option value to match the old Dovecot 2.3
behavior.
The use of authentication bind is required for LDAP servers that simply
do not have such an LDAP attribute, like Kanidm, or in cases where the
password scheme used is not supported by Dovecot.
error[unresolved-attribute]: Attribute `group` is not defined on `None` in union `Match[str] | None`
--> testScriptWithTypes:152:21
|
152 | ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
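The type checker is right: `re.match` returns `None` when the line carries no `ldap:` table, so calling `.group(1)` on it fails at runtime, and in a test script that failure would surface as an opaque `AttributeError` far from the real cause (an unexpected postconf value). The following is an added example of the check the error asks for, written for this page and not taken from the project's test script; the sample `postconf`-style lines and the table file paths in it are constructed, and the function names are my own.

```python
import re
from typing import Dict, Optional

# Matches "parameter = ... ldap:<path>" as printed by `postconf <parameter>`.
# The path group stops at whitespace so a trailing table in a list is not swallowed.
_LDAP_TABLE_RE = re.compile(r"^\s*(?P<param>\w+)\s*=.*?\bldap:(?P<path>\S+)")

# Constructed sample output, in the shape `postconf` prints (not real config from the project).
SAMPLE_LINE = "virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailboxes.cf"
SAMPLE_POSTCONF = """\
virtual_mailbox_maps = hash:/etc/postfix/vmailbox ldap:/etc/postfix/ldap-mailboxes.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
smtpd_sender_login_maps = hash:/etc/postfix/sender-logins
"""


def find_ldap_table_path(conf: str) -> Optional[str]:
    """Return the ldap: table path referenced on one postconf line, or None if there is none."""
    m = _LDAP_TABLE_RE.match(conf)
    return None if m is None else m.group("path")


def ldap_table_path(conf: str) -> str:
    """Like find_ldap_table_path, but fail loudly with the offending line in the message."""
    path = find_ldap_table_path(conf)
    if path is None:
        raise ValueError(f"no ldap: table referenced in postconf output: {conf!r}")
    return path


def ldap_table_paths(postconf_output: str) -> Dict[str, str]:
    """Collect parameter -> ldap table path for every line that references one."""
    result: Dict[str, str] = {}
    for line in postconf_output.splitlines():
        m = _LDAP_TABLE_RE.match(line)
        if m is not None:
            result[m.group("param")] = m.group("path")
    return result


if __name__ == "__main__":
    print(ldap_table_path(SAMPLE_LINE))
    print(ldap_table_paths(SAMPLE_POSTCONF))
```

In a test script the strict variant is the one to use: a missing `ldap:` reference means the Postfix configuration under test is not what the test assumes, and the error message then names the line instead of `None`.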
Create a nicer option structure that deals with the mail storage and its
owner, uid, group and gid. Also includes the directory layout as a
property of how mails are stored.
The "login" prefix makes this option more confusing rather than clearer,
because what other account types are there? LDAP ones for example, but
you can login with those too, so the prefix is pointless.
In conflicts between local addresses and LDAP addresses the local one
will always take priority in mail routing.
This is something we now document and guarantee through tests.
I fail to understand how mail became the uidAttribute way back when LDAP
support was introduced, but it was unintentional and clearly a mistake.
The uid attribute is the standard system login name per RFC4519 2.39 and
what we default to going forward.
Now that we have more experience with how we use the LDAP module options
we can make smarter decisions in how to organize them. We can also
explain much better what these options imply, which results in more
extensive option documentation.
The LDAP support was not in a good shape when it was merged. This is a
breaking change and course correction to apply best practices going
forward.
This fixes various issues experienced with the Dovecot LDAP home
directory.
The gravest issue is that the `homeDirectory` attribute from
the `posixAccount` schema would overwrite the Dovecot home directory and
cause permission errors. This was possible because we defined the home
variable in `default_fields` that is inherently mutable and just a preset
if no other value gets transmitted from LDAP. This did not surface in
tests, because our LDAP schema was too minimal compared to a common
production dataset.
The most annoying issue and the actual breaking change is that we now
default to UUID based home directories. Every entry in an IDM that
supports LDAP comes with a unique identifier that does not change upon
account name changes. We want those to enable simple account name
migrations that don't require any manual data migration.
To migrate existing dovecot home directories a migration script is
included, which will be backported to the 25.11 release, so the migration
can already be started from the previous release version.
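The following is an added example of what such a migration has to get right, written for this page and not the migration script shipped with the project: it assumes a hypothetical flat layout where each account's home lives directly under one storage root (`<root>/<account name>` before, `<root>/<uuid>` after), which is not necessarily the project's layout, and the account-to-UUID mapping and the UUIDs in it are constructed. It plans first, supports a dry run, refuses to rename onto an existing directory, skips accounts that never received mail, and verifies ownership afterwards, since a home owned by the wrong uid/gid is exactly what produced the permission errors described above.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple


def plan_migration(root: Path, name_to_uuid: Dict[str, str]) -> List[Tuple[Path, Path]]:
    """Return (old, new) pairs for every account that still has a name-based home."""
    plan: List[Tuple[Path, Path]] = []
    for name, uuid in name_to_uuid.items():
        src, dst = root / name, root / uuid
        if not src.is_dir():
            continue  # account never received mail: nothing to move
        if dst.exists():
            raise FileExistsError(f"{dst} already exists; refusing to overwrite it")
        plan.append((src, dst))
    return plan


def apply_migration(plan: Iterable[Tuple[Path, Path]], dry_run: bool = True) -> List[Path]:
    """Rename each planned home; a rename inside one filesystem is atomic and keeps ownership."""
    moved: List[Path] = []
    for src, dst in plan:
        if not dry_run:
            src.rename(dst)
        moved.append(dst)
    return moved


def wrong_owner(paths: Iterable[Path], uid: int, gid: int) -> List[Path]:
    """Homes not owned by the mail user: these would fail with permission errors in Dovecot."""
    bad = []
    for p in paths:
        st = os.stat(p)
        if (st.st_uid, st.st_gid) != (uid, gid):
            bad.append(p)
    return bad


# Constructed mapping (hypothetical values, the kind of data an IDM export would yield).
NAME_TO_UUID = {
    "alice": "0f1d3c2a-6b7e-4d95-9a21-0c2f4e8b1a11",
    "bob": "9c8b7a65-4321-4fed-8cba-1234567890ab",
    "carol": "5e6f7a8b-9c0d-4e1f-8a2b-3c4d5e6f7a8b",  # has no mailbox yet
}


def demo() -> Dict[str, bool]:
    """Run the migration against a throwaway storage root and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("alice", "bob"):
            (root / name / "Maildir" / "cur").mkdir(parents=True)
        owner = os.stat(root)
        plan = plan_migration(root, NAME_TO_UUID)
        apply_migration(plan, dry_run=True)
        untouched = (root / "alice").is_dir() and (root / "bob").is_dir()
        moved = apply_migration(plan, dry_run=False)
        return {
            "planned_two": len(plan) == 2,
            "dry_run_untouched": untouched,
            "alice_moved": (root / NAME_TO_UUID["alice"] / "Maildir" / "cur").is_dir()
            and not (root / "alice").exists(),
            "carol_skipped": not (root / NAME_TO_UUID["carol"]).exists(),
            "ownership_ok": wrong_owner(moved, owner.st_uid, owner.st_gid) == [],
        }


def demo_refuses_overwrite() -> bool:
    """A pre-existing UUID directory must stop the plan instead of being clobbered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "alice").mkdir()
        (root / NAME_TO_UUID["alice"]).mkdir()
        try:
            plan_migration(root, NAME_TO_UUID)
        except FileExistsError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), demo_refuses_overwrite())
```

Running the plan in dry-run mode first and inspecting it is the step that makes the migration safe to start on the previous release: the renames only happen once every pair in the plan has been checked.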
This helps so much during development as it tells me openldap failed and
doesn't require me to do a root cause analysis on a postmap failure much
later during the test.
instead of just smtp:// with STARTTLS.
Opted to call the flag --ssl and not --tls to keep it consistent with
the module option (mailserver.enableSubmissionSsl), dovecot internals
and smtplib in mail-check.py.
Sets up a declaratively configured OpenLDAP instance with users alice
and bob. They each own one email address,
First we test that postfix can communicate with LDAP and do the expected
lookups using the defined maps.
Then we use doveadm to make sure it can look up the two accounts.
Next we check the binding between account and mail address, by logging
in as alice and trying to send from bob@example.com, which alice is not
allowed to do. We expect postfix to reject the sender address here.
Finally we check mail delivery between alice and bob. Alice tries to
send a mail from alice@example.com to bob@example.com and bob then
checks whether it arrived in their mailbox.
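The two guarantees exercised here, that a login may only send from addresses it owns and that a local address beats an LDAP address when both exist, come down to ordered lookups. The following is an added example written for this page that models them in plain Python; it is not the project's test script or Postfix itself. The accounts, addresses and the local table entries are constructed, and the conflicting `shared@example.com` entry is added on top of the alice and bob setup described above to show the priority rule.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the OpenLDAP directory of the test: login -> owned mail addresses.
LDAP_ACCOUNTS: Dict[str, List[str]] = {
    "alice": ["alice@example.com", "shared@example.com"],
    "bob": ["bob@example.com"],
}

# Constructed local (non-LDAP) table. shared@example.com exists here too and must win.
LOCAL_ACCOUNTS: Dict[str, str] = {
    "postmaster@example.com": "admin",
    "shared@example.com": "admin",
}


def local_owner(address: str) -> Optional[str]:
    return LOCAL_ACCOUNTS.get(address.lower())


def ldap_owner(address: str) -> Optional[str]:
    wanted = address.lower()
    for login, addresses in LDAP_ACCOUNTS.items():
        if wanted in (a.lower() for a in addresses):
            return login
    return None


# Ordered like a Postfix lookup table list: the first table that answers wins,
# so listing the local table before the ldap: table is what gives local addresses priority.
OWNER_MAPS: List[Tuple[str, Callable[[str], Optional[str]]]] = [
    ("local", local_owner),
    ("ldap", ldap_owner),
]


def route_address(address: str) -> Optional[Tuple[str, str]]:
    """Return (table, owner) for the first table that knows the address, or None."""
    for table, lookup in OWNER_MAPS:
        owner = lookup(address)
        if owner is not None:
            return table, owner
    return None


def sender_allowed(login: str, mail_from: str) -> bool:
    """The sender-login binding: the authenticated login must own the envelope sender."""
    hit = route_address(mail_from)
    return hit is not None and hit[1] == login


def smtp_reply(login: str, mail_from: str) -> str:
    """The kind of answer the MAIL FROM command gets once the binding is enforced."""
    if sender_allowed(login, mail_from):
        return "250 2.1.0 Ok"
    return f"553 5.7.1 <{mail_from}>: Sender address rejected: not owned by user {login}"


if __name__ == "__main__":
    print(smtp_reply("alice", "alice@example.com"))
    print(smtp_reply("alice", "bob@example.com"))
    print(route_address("shared@example.com"))
```

The rejection of alice sending as bob@example.com is the case the test checks; the `shared@example.com` lookup shows why the ordering of the tables has to be documented and tested, because swapping the two entries in `OWNER_MAPS` silently changes who owns the address.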