From d465dd2b6fba5a46296254874a2186a91d38dd01 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 29 Apr 2024 11:13:52 +0200
Subject: [PATCH 1/5] Update build-images.sh to add cluster:accountconsumer authorization label
---
 build-images.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build-images.sh b/build-images.sh
index 40aaa7d..6abdf40 100644
--- a/build-images.sh
+++ b/build-images.sh
@@ -32,7 +32,7 @@ buildah add "${container}" imageroot /imageroot
 buildah add "${container}" ui/dist /ui
 # Setup the entrypoint, ask to reserve one TCP port with the label and set a rootless container
 buildah config --entrypoint=/ \
- --label="org.nethserver.authorizations=traefik@node:routeadm mail@any:mailadm" \
+ --label="org.nethserver.authorizations=traefik@node:routeadm mail@any:mailadm cluster:accountconsumer" \
 --label="org.nethserver.tcp-ports-demand=1" \
 --label="org.nethserver.rootfull=0" \
 --label="org.nethserver.images=docker.io/mariadb:10.11.5 docker.io/roundcube/roundcubemail:1.6.6-apache" \

From 202b07127aed75275d2c334563fb118e38de451a Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 29 Apr 2024 11:13:56 +0200
Subject: [PATCH 2/5] Update LDAP configuration in discover-service script
---
 imageroot/bin/discover-service | 80 ++++++++++++++++++++++++++++++++++
 1 file changed, 80 insertions(+)

diff --git a/imageroot/bin/discover-service b/imageroot/bin/discover-service
index 8fd241a..4ba2d52 100755
--- a/imageroot/bin/discover-service
+++ b/imageroot/bin/discover-service
@@ -13,6 +13,7 @@ import os
 import sys
 import json
 import agent
+from agent.ldapproxy import Ldapproxy

 # This script must rely on local node resources to ensure service startup
 # even if the leader node is not reachable: connect to local Redis
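Review bot: The label now grants `cluster:accountconsumer` next to the two existing role grants, but the comment above it (`# Setup the entrypoint, ask to reserve one TCP port with the label and set a rootless container`) says nothing about why the module needs it; presumably it is what lets the module read user-domain (LDAP) settings through Ldapproxy in the next patch of this series, so extend that comment with one clause, e.g. `# ...; cluster:accountconsumer lets the module read account-provider (LDAP) settings for the addressbook`. Authorizations granted in a build script are hard to audit later, so recording the consumer in place is worth the line.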
@@ -76,3 +77,82 @@ with open("config/config.nethserver.php", "w") as f:
 f.write("$config['mail_domain'] = array('"+imap_server+"' => '"+ user_domain +"'); \n")
 # allow the browser to save login/credential and to fill them
 f.write("$config['login_autocomplete'] = 2; \n")
+
+# retrieve ldap user domain and following shcematype write the addressbook ldap configuration
+lp = Ldapproxy()
+domain = lp.get_domain(imap[0]['user_domain'])
+schema = domain['schema']
+base_dn = domain['base_dn']
+bind_dn = domain['bind_dn']
+bind_password = domain['bind_password']
+port = domain['port']
+
+openldap = f"""$config['ldap_public']['public'] = array(
+ 'name' => 'Public LDAP Addressbook',
+ 'hosts' => array('ldap://10.0.2.2:{port}'),
+ 'port' => {port},
+ 'use_tls' => false,
+ 'user_specific' => false,
+ 'base_dn' => '{base_dn}',
+ 'bind_dn' => '{bind_dn}',
+ 'bind_pass' => '{bind_password}',
+ 'scope' => 'sub',
+ 'referrals' => 0,
+ 'filter' => '(objectClass=inetOrgPerson)',
+ 'search_fields' => array('mail','cn'),
+ 'fuzzy_search' => true,
+ 'fieldmap' => array(
+ 'name' => 'cn',
+ 'surname' => 'sn',
+ 'firstname' => 'givenName',
+ 'jobtitle' => 'title',
+ 'email' => 'uid',
+ 'locality' => 'l',
+ 'organization' => 'o',
+ 'department' => 'ou',
+ 'phone' => 'telephoneNumber',
+ 'street' => 'street',
+ )
+);
+$config['autocomplete_addressbooks'] = array('sql','public');
+"""
+
+ad = f"""$config['ldap_public']['public'] = array(
+ 'name' => 'Public LDAP Addressbook',
+ 'hosts' => array('ldap://10.0.2.2:{port}'),
+ 'port' => {port},
+ 'use_tls' => false,
+ 'user_specific' => false,
+ 'base_dn' => '{base_dn}',
+ 'bind_dn' => '{bind_dn}',
+ 'bind_pass' => '{bind_password}',
+ 'scope' => 'sub',
+ 'referrals' => 0,
+ 'filter' => '(&(objectClass=user)(objectCategory=person)(!(isCriticalSystemObject=TRUE)))',
+ 'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName', 'userPrincipalName'),
+ 'fuzzy_search' => true,
+ 'sort' => 'cn',
+ 'fieldmap' => array(
+ 'name' => 'displayName',
+ 'title' => 'title',
+ 'email:account' => 'sAMAccountName',
+ 'email:extra' => 'mail:*',
+ 'phone:work' => 'telephoneNumber',
+ 'phone:mobile' => 'mobile',
+ 'phone:workfax' => 'facsimileTelephoneNumber',
+ 'street' => 'street',
+ 'zipcode' => 'postalCode',
+ 'locality' => 'l',
+ 'department' => 'departmentNumber',
+ 'notes' => 'description',
+ 'photo' => 'jpegPhoto',
+ ),
+);
+$config['autocomplete_addressbooks'] = array('sql','public');
+"""
+
+# Write the configuration to a PHP file
+with open('./config/config.addressbook.php', 'w') as file:
+ file.write("
Date: Mon, 29 Apr 2024 11:14:13 +0200
Subject: [PATCH 3/5] Update roundcubemail.service to add network and host configurations
---
 imageroot/systemd/user/roundcubemail.service | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/imageroot/systemd/user/roundcubemail.service b/imageroot/systemd/user/roundcubemail.service
index 74b8b40..a2b3c26 100644
--- a/imageroot/systemd/user/roundcubemail.service
+++ b/imageroot/systemd/user/roundcubemail.service
@@ -23,6 +23,8 @@ ExecStartPre=/usr/bin/podman pod create --infra-conmon-pidfile %t/roundcubemail.
 --pod-id-file %t/roundcubemail.pod-id \
 --name roundcubemail \
 --publish 127.0.0.1:${TCP_PORT}:80 \
+ --network=slirp4netns:allow_host_loopback=true \
+ --add-host=accountprovider:10.0.2.2 \
 --replace
 ExecStart=/usr/bin/podman pod start --pod-id-file %t/roundcubemail.pod-id
 ExecStop=/usr/bin/podman pod stop --ignore --pod-id-file %t/roundcubemail.pod-id -t 10

From ac2b49fbff7957771c7ecd1dd4011efdf24103f8 Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 29 Apr 2024 17:28:38 +0200
Subject: [PATCH 4/5] Add configure-module script to bind user domain in imageroot/actions
---
 .../configure-module/30Bind_user_domain | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100755 imageroot/actions/configure-module/30Bind_user_domain
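Review bot: `base_dn`, `bind_dn` and `bind_password` are interpolated into PHP single-quoted literals (`'bind_pass' => '{bind_password}'` and the matching lines of the `ad` template) with no escaping, so a value containing `'` or `\` produces a config that fails to parse or binds with a different credential; pass them through a small helper that escapes the two characters PHP single-quoted strings recognise (below). Because the generated file carries the bind password, create it with a restrictive mode instead of the umask default, e.g. `with open(os.open('./config/config.addressbook.php', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as file:` (`os` is already imported at the top of the script). `'hosts' => array('ldap://10.0.2.2:{port}')` hard-codes the slirp4netns gateway address that the service unit in patch 3 also aliases as `accountprovider`; `ldap://accountprovider:{port}` would keep one place to change and make it visible that the plaintext `'use_tls' => false` hop is host-local. `schema` is read but the branch choosing between `openldap` and `ad` falls in the last lines of this hunk, which are lost in this rendering, so I could not check it; the comment typo `shcematype` should read `schema type`.

```python
def php_str(value):
    """Return value as a PHP single-quoted literal; only \\ and ' need escaping."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"

# … unchanged: Ldapproxy lookup; in both the openldap and ad templates the
# three credential lines become …
    'base_dn' => {php_str(base_dn)},
    'bind_dn' => {php_str(bind_dn)},
    'bind_pass' => {php_str(bind_password)},
```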
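Review bot: `--network=slirp4netns:allow_host_loopback=true` makes every service listening on the host's loopback reachable from the pod at 10.0.2.2, not only the LDAP proxy this change is for, and the unit does not record that trade-off; above `ExecStartPre=` (which starts before this hunk) add `# allow_host_loopback exposes the host's loopback services to the pod; needed so Roundcube can reach the account provider (LDAP proxy) on the host via the accountprovider alias`. The `--add-host=accountprovider:10.0.2.2` alias also assumes the slirp4netns gateway address; if the rootless network backend is ever changed the hard-coded address may no longer be the host, which is worth a second line in that comment so the two options are changed together.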
diff --git a/imageroot/actions/configure-module/30Bind_user_domain b/imageroot/actions/configure-module/30Bind_user_domain
new file mode 100755
index 0000000..817a59b
--- /dev/null
+++ b/imageroot/actions/configure-module/30Bind_user_domain
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2024 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import agent
+import os
+
+rdb = agent.redis_connect()
+
+providers = agent.list_service_providers(rdb, 'imap', 'tcp', {
+ 'module_uuid': os.environ['MAIL_SERVER']
+})
+
+if providers:
+ user_domain = providers[0]['user_domain']
+ agent.bind_user_domains([user_domain])

From e81595c8dc26959220e9ead953fd12879d23413c Mon Sep 17 00:00:00 2001
From: Stephane de Labrusse
Date: Mon, 29 Apr 2024 17:42:18 +0200
Subject: [PATCH 5/5] Add mail-settings-changed event handler to bind user domain in imageroot/events
---
 .../mail-settings-changed/10bind_user_domain | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100755 imageroot/events/mail-settings-changed/10bind_user_domain

diff --git a/imageroot/events/mail-settings-changed/10bind_user_domain b/imageroot/events/mail-settings-changed/10bind_user_domain
new file mode 100755
index 0000000..f46c4e9
--- /dev/null
+++ b/imageroot/events/mail-settings-changed/10bind_user_domain
@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2022 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import json
+import sys
+import agent
+import os
+
+event = json.load(sys.stdin)
+
+if event['module_uuid'] == os.getenv('MAIL_SERVER', ''):
+ # Update user domain in redis because the mail server might have changed its user_domain
+ rdb = agent.redis_connect()
+
+ providers = agent.list_service_providers(rdb, 'imap', 'tcp', {
+ 'module_uuid': os.environ['MAIL_SERVER']
+ })
+
+ if providers:
+ user_domain = providers[0]['user_domain']
+ agent.bind_user_domains([user_domain])
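Review bot: `os.environ['MAIL_SERVER']` raises KeyError and fails the whole configure-module action when the variable is unset, while the sibling event handler in patch 5 tolerates an empty value through `os.getenv('MAIL_SERVER', '')`; if this action can run before a mail server is configured, read it once and skip quietly, e.g. `mail_server = os.environ.get('MAIL_SERVER')` / `if not mail_server: raise SystemExit(0)` and pass `mail_server` in the filter. A one-line header comment stating the script's purpose would help, e.g. `# Bind this module to the user domain of the configured mail server so its account-provider (LDAP) settings can be read.` Whether `providers[0]` is the right pick when several imap providers match is not decided here; if the `module_uuid` filter guarantees at most one result, a comment saying so would remove the doubt.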
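Review bot: `MAIL_SERVER` is read twice in two different ways — `os.getenv('MAIL_SERVER', '')` in the condition and `os.environ['MAIL_SERVER']` in the filter — so an event whose `module_uuid` is the empty string would pass the check and then raise KeyError; hoist one `mail_server = os.getenv('MAIL_SERVER', '')`, guard with `if mail_server and event['module_uuid'] == mail_server:`, and pass `mail_server` to the filter. The body is otherwise a copy of `30Bind_user_domain` from patch 4; a shared helper in the module would keep the two lookups in step when one of them changes.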