Enable LDAP

tasks/main.yml

@@ -5,14 +5,30 @@
     - dovecot-imapd
     - dovecot-managesieved
 
+- name: install dovecot-ldap
+  apt:
+    pkg:
+      - dovecot-ldap
+  when: dovecot.ldap.enable
+
 - name: add vmail group
   group:
     name: vmail
+  register: vmail_group
 
 - name: add vmail user
   user:
     name: vmail
     group: vmail
+  register: vmail_user
+
+- name: Create /var/vmail
+  file:
+    path: /var/vmail
+    state: directory
+    owner: vmail
+    group: vmail
+    mode: '0750'
 
 - name: copy dovecot config
   template:
@@ -27,6 +43,8 @@
     - { src: "15-lda.conf.j2", dest: "/etc/dovecot/conf.d/15-lda.conf" }
     - { src: "20-managesieve.conf.j2", dest: "/etc/dovecot/conf.d/20-managesieve.conf" }
     - { src: "auth-system.conf.j2", dest: "/etc/dovecot/conf.d/auth-system.conf" }
+    - { src: "auth-ldap.conf.j2", dest: "/etc/dovecot/conf.d/auth-ldap.conf" }
+    - { src: "dovecot-ldap.conf.ext.j2", dest: "/etc/dovecot/dovecot-ldap.conf.ext" }
   notify:
   - restart dovecot
 

templates/10-auth.conf.j2

@@ -119,9 +119,12 @@ auth_mechanisms = {{ dovecot.auth_mechanisms|join(' ') }}
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext
 
+{% if dovecot.ldap.enable %}
+!include auth-ldap.conf.ext
+{% else %}
 !include auth-system.conf.ext
+{% endif %}
 #!include auth-sql.conf.ext
-#!include auth-ldap.conf.ext
 #!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext

templates/10-mail.conf.j2

@@ -172,15 +172,15 @@ namespace inbox {
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-#first_valid_uid = 500
+first_valid_uid = {{ vmail_user.uid }}
-#last_valid_uid = 0
+last_valid_uid = {{ vmail_user.uid }}
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-#first_valid_gid = 1
+first_valid_gid = {{ vmail_group.gid }}
-#last_valid_gid = 0
+last_valid_gid = {{ vmail_group.gid }}
 
 # Maximum allowed length for mail keyword name. It's only forced when trying
 # to create new keywords.

templates/10-master.conf.j2

@@ -61,37 +61,6 @@ service imap-login {
 # login user, so that login processes can't disturb other processes.
 #default_internal_user = dovecot
 
-service imap-login {
-  inet_listener imap {
-    port = 0
-  }
-  inet_listener imaps {
-    port = 993
-    ssl = yes
-  }
-
-  # Number of connections to handle before starting a new process. Typically
-  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
-  # is faster. <doc/wiki/LoginProcess.txt>
-  #service_count = 1
-
-  # Number of processes to always keep waiting for more connections.
-  #process_min_avail = 0
-
-  # If you set service_count=0, you probably need to grow this.
-  #vsz_limit = $default_vsz_limit
-}
-
-#service pop3-login {
-  #inet_listener pop3 {
-    #port = 110
-  #}
-  #inet_listener pop3s {
-    #port = 995
-    #ssl = yes
-  #}
-#}
-
 service auth {
   # auth_socket_path points to this userdb socket by default. It's typically
   # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have

templates/10-ssl.conf.j2

@@ -39,7 +39,7 @@ ssl_dh = </etc/ssl/dh-4096.pem
 
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-ssl_prefer_server_ciphers = no
+ssl_prefer_server_ciphers = yes
 
 
 # SSL crypto device to use, for valid values run "openssl engine"

templates/auth-ldap.conf.j2

@@ -0,0 +1,33 @@
+# Authentication for LDAP users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.LDAP.txt>
+
+passdb {
+  driver = ldap
+
+  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+#  driver = prefetch
+#}
+
+userdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+
+  # Default fields can be used to specify defaults that LDAP may override
+  #default_fields = home=/home/virtual/%u
+}
+
+# If you don't have any user-specific settings, you can avoid the userdb LDAP
+# lookup by using userdb static instead of userdb ldap, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}

templates/dovecot-ldap.conf.ext.j2

@@ -0,0 +1,49 @@
+{% if dovecot.ldap.enable %}
+## Debug everything
+# debug_level = -1
+
+uris = {{ dovecot.ldap.uris }}
+
+# Use TLS to connect to the LDAP server.
+# Set to no because we use LDAPS and dovecot tells you this is not possible together
+tls = no
+
+dn = {{ dovecot.ldap.bind_dn }}
+dnpass = {{ dovecot.ldap.bind_pw }}
+
+# TLS options, currently supported only with OpenLDAP:
+tls_ca_cert_file = {{ dovecot.ldap.tls.ca }}
+#tls_ca_cert_dir =
+#tls_cipher_suite =
+
+# TLS cert/key. This must be set only if LDAP server requires a client certificate.
+# If you set it in other cases, the LDAP connection will fail.
+# tls_cert_file =
+# tls_key_file =
+
+# Valid values: never, hard, demand, allow, try
+tls_require_cert = hard
+
+auth_bind = yes
+ldap_version = 3
+base = {{ dovecot.ldap.base }}
+deref = never
+scope = subtree
+
+user_attrs = \
+{% for attr in dovecot.ldap.user_attrs %}
+={{ attr.attr }}={{ attr.value }}{% if not loop.last %}, \
+{% endif %}
+{% endfor %}
+
+user_filter = {{ dovecot.ldap.filter }}
+pass_filter = {{ dovecot.ldap.filter }}
+
+default_pass_scheme = {{ dovecot.ldap.default_pass_scheme }}
+
+# iterate_attrs = mail=user # Wird vor allem von "doveadm" benötigt, um Benutzer zu finden
+# iterate_filter = (objectClass=person)
+{% else %}
+# LDAP is not configured for this instance.
+{% endif %}
+

templates/dovecot.conf.j2

@@ -73,6 +73,12 @@ dict {
   #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
 }
 
+
+# Specifies the user and group id. As we use virtual mailboxes, this is set to
+# the vmail user and group
+mail_uid = {{ vmail_user.uid }}
+mail_gid = {{ vmail_group.gid }}
+
 # Most of the actual configuration gets included below. The filenames are
 # first sorted by their ASCII value and parsed in that order. The 00-prefixes
 # in filenames are intended to make it easier to understand the ordering.

templates/passwd.j2

@@ -1,3 +1,7 @@
+{% if not dovecot.ldap.enable %}
 {% for i in dovecot.user %}
 {{ i.name }}:{PLAIN}{{ i.password }}
 {% endfor %}
+{% else %}
+# LDAP is enabled for this instance, no local users can be configured.
+{% endif %}