Enable LDAP

tasks/main.yml

@@ -5,14 +5,30 @@
     - dovecot-imapd
     - dovecot-managesieved
 
+- name: install dovecot-ldap
+  apt:
+    pkg:
+      - dovecot-ldap
+  when: dovecot.ldap.enable
+
 - name: add vmail group
   group:
     name: vmail
+  register: vmail_group
 
 - name: add vmail user
   user:
     name: vmail
     group: vmail
+  register: vmail_user
+
+- name: Create /var/vmail
+  file:
+    path: /var/vmail
+    state: directory
+    owner: vmail
+    group: vmail
+    mode: '0750'
 
 - name: copy dovecot config
   template:
@@ -27,6 +43,8 @@
     - { src: "15-lda.conf.j2", dest: "/etc/dovecot/conf.d/15-lda.conf" }
     - { src: "20-managesieve.conf.j2", dest: "/etc/dovecot/conf.d/20-managesieve.conf" }
     - { src: "auth-system.conf.j2", dest: "/etc/dovecot/conf.d/auth-system.conf" }
+    - { src: "auth-ldap.conf.j2", dest: "/etc/dovecot/conf.d/auth-ldap.conf" }
+    - { src: "dovecot-ldap.conf.ext.j2", dest: "/etc/dovecot/dovecot-ldap.conf.ext" }
   notify:
   - restart dovecot
 

templates/10-auth.conf.j2

@@ -119,9 +119,12 @@ auth_mechanisms = {{ dovecot.auth_mechanisms|join(' ') }}
 #!include auth-deny.conf.ext
 #!include auth-master.conf.ext
 
+{% if dovecot.ldap.enable %}
+!include auth-ldap.conf.ext
+{% else %}
 !include auth-system.conf.ext
+{% endif %}
 #!include auth-sql.conf.ext
-#!include auth-ldap.conf.ext
 #!include auth-passwdfile.conf.ext
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext

templates/10-mail.conf.j2

@@ -50,7 +50,7 @@ namespace inbox {
 
   # Prefix required to access this namespace. This needs to be different for
   # all namespaces. For example "Public/".
-  #prefix = 
+  #prefix =
 
   # Physical location of the mailbox. This is in same format as
   # mail_location, which is also the default for it.
@@ -132,7 +132,7 @@ namespace inbox {
 
 # A comment or note that is associated with the server. This value is
 # accessible for authenticated users through the IMAP METADATA server
-# entry "/shared/comment". 
+# entry "/shared/comment".
 #mail_server_comment = ""
 
 # Indicates a method for contacting the server administrator. According to
@@ -140,7 +140,7 @@ namespace inbox {
 # is currently not enforced. Use for example mailto:admin@example.com. This
 # value is accessible for authenticated users through the IMAP METADATA server
 # entry "/shared/admin".
-#mail_server_admin = 
+#mail_server_admin =
 
 ##
 ## Mail processes
@@ -172,15 +172,15 @@ namespace inbox {
 # to make sure that users can't log in as daemons or other system users.
 # Note that denying root logins is hardcoded to dovecot binary and can't
 # be done even if first_valid_uid is set to 0.
-#first_valid_uid = 500
-#last_valid_uid = 0
+first_valid_uid = {{ vmail_user.uid }}
+last_valid_uid = {{ vmail_user.uid }}
 
 # Valid GID range for users, defaults to non-root/wheel. Users having
 # non-valid GID as primary group ID aren't allowed to log in. If user
 # belongs to supplementary groups with non-valid GIDs, those groups are
 # not set.
-#first_valid_gid = 1
-#last_valid_gid = 0
+first_valid_gid = {{ vmail_group.gid }}
+last_valid_gid = {{ vmail_group.gid }}
 
 # Maximum allowed length for mail keyword name. It's only forced when trying
 # to create new keywords.
@@ -193,7 +193,7 @@ namespace inbox {
 # WARNING: Never add directories here which local users can modify, that
 # may lead to root exploit. Usually this should be done only if you don't
 # allow shell access for users. <doc/wiki/Chrooting.txt>
-#valid_chroot_dirs = 
+#valid_chroot_dirs =
 
 # Default chroot directory for mail processes. This can be overridden for
 # specific users in user database by giving /./ in user's home directory
@@ -201,7 +201,7 @@ namespace inbox {
 # need to do chrooting, Dovecot doesn't allow users to access files outside
 # their mail directory anyway. If your home directories are prefixed with
 # the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
-#mail_chroot = 
+#mail_chroot =
 
 # UNIX socket path to master authentication server to find users.
 # This is used by imap (for shared users) and lda.
@@ -212,7 +212,7 @@ namespace inbox {
 
 # Space separated list of plugins to load for all services. Plugins specific to
 # IMAP, LDA, etc. are added to this list in their own .conf files.
-#mail_plugins = 
+#mail_plugins =
 
 ##
 ## Mailbox handling optimizations
@@ -318,7 +318,7 @@ mailbox_list_index = yes
 # fallbacks to re-reading the whole mbox file whenever something in mbox isn't
 # how it's expected to be. The only real downside to this setting is that if
 # some other MUA changes message flags, Dovecot doesn't notice it immediately.
-# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
 # commands.
 #mbox_dirty_syncs = yes
 

templates/10-master.conf.j2

@@ -61,37 +61,6 @@ service imap-login {
 # login user, so that login processes can't disturb other processes.
 #default_internal_user = dovecot
 
-service imap-login {
-  inet_listener imap {
-    port = 0
-  }
-  inet_listener imaps {
-    port = 993
-    ssl = yes
-  }
-
-  # Number of connections to handle before starting a new process. Typically
-  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
-  # is faster. <doc/wiki/LoginProcess.txt>
-  #service_count = 1
-
-  # Number of processes to always keep waiting for more connections.
-  #process_min_avail = 0
-
-  # If you set service_count=0, you probably need to grow this.
-  #vsz_limit = $default_vsz_limit
-}
-
-#service pop3-login {
-  #inet_listener pop3 {
-    #port = 110
-  #}
-  #inet_listener pop3s {
-    #port = 995
-    #ssl = yes
-  #}
-#}
-
 service auth {
   # auth_socket_path points to this userdb socket by default. It's typically
   # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have

templates/10-ssl.conf.j2

@@ -16,7 +16,7 @@ ssl_dh = </etc/ssl/dh-4096.pem
 # PEM encoded trusted certificate authority. Set this only if you intend to use
 # ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
 # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
-#ssl_ca = 
+#ssl_ca =
 
 # Require that CRL check succeeds for client certificates.
 #ssl_require_crl = yes
@@ -39,7 +39,7 @@ ssl_dh = </etc/ssl/dh-4096.pem
 
 ssl_min_protocol = TLSv1.2
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-ssl_prefer_server_ciphers = no
+ssl_prefer_server_ciphers = yes
 
 
 # SSL crypto device to use, for valid values run "openssl engine"

templates/auth-ldap.conf.j2

@@ -0,0 +1,33 @@
+# Authentication for LDAP users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.LDAP.txt>
+
+passdb {
+  driver = ldap
+
+  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+#  driver = prefetch
+#}
+
+userdb {
+  driver = ldap
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+
+  # Default fields can be used to specify defaults that LDAP may override
+  #default_fields = home=/home/virtual/%u
+}
+
+# If you don't have any user-specific settings, you can avoid the userdb LDAP
+# lookup by using userdb static instead of userdb ldap, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}

templates/dovecot-ldap.conf.ext.j2

@@ -0,0 +1,49 @@
+{% if dovecot.ldap.enable %}
+## Debug everything
+# debug_level = -1
+
+uris = {{ dovecot.ldap.uris }}
+
+# Use TLS to connect to the LDAP server.
+# Set to no because we use LDAPS and dovecot tells you this is not possible together
+tls = no
+
+dn = {{ dovecot.ldap.bind_dn }}
+dnpass = {{ dovecot.ldap.bind_pw }}
+
+# TLS options, currently supported only with OpenLDAP:
+tls_ca_cert_file = {{ dovecot.ldap.tls.ca }}
+#tls_ca_cert_dir =
+#tls_cipher_suite =
+
+# TLS cert/key. This must be set only if LDAP server requires a client certificate.
+# If you set it in other cases, the LDAP connection will fail.
+# tls_cert_file =
+# tls_key_file =
+
+# Valid values: never, hard, demand, allow, try
+tls_require_cert = hard
+
+auth_bind = yes
+ldap_version = 3
+base = {{ dovecot.ldap.base }}
+deref = never
+scope = subtree
+
+user_attrs = \
+{% for attr in dovecot.ldap.user_attrs %}
+={{ attr.attr }}={{ attr.value }}{% if not loop.last %}, \
+{% endif %}
+{% endfor %}
+
+user_filter = {{ dovecot.ldap.filter }}
+pass_filter = {{ dovecot.ldap.filter }}
+
+default_pass_scheme = {{ dovecot.ldap.default_pass_scheme }}
+
+# iterate_attrs = mail=user # Wird vor allem von "doveadm" benötigt, um Benutzer zu finden
+# iterate_filter = (objectClass=person)
+{% else %}
+# LDAP is not configured for this instance.
+{% endif %}
+

templates/dovecot.conf.j2

@@ -73,6 +73,12 @@ dict {
   #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
 }
 
+
+# Specifies the user and group id. As we use virtual mailboxes, this is set to
+# the vmail user and group
+mail_uid = {{ vmail_user.uid }}
+mail_gid = {{ vmail_group.gid }}
+
 # Most of the actual configuration gets included below. The filenames are
 # first sorted by their ASCII value and parsed in that order. The 00-prefixes
 # in filenames are intended to make it easier to understand the ordering.

templates/passwd.j2

@@ -1,3 +1,7 @@
+{% if not dovecot.ldap.enable %}
 {% for i in dovecot.user %}
 {{ i.name }}:{PLAIN}{{ i.password }}
 {% endfor %}
+{% else %}
+# LDAP is enabled for this instance, no local users can be configured.
+{% endif %}