-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feature request: Extended OAuth2 + LDAP configuration options #3830
Comments
I assigned the maintainer that has the most experience with OAUTH2. I will unsubscribe from this issue, though (too many balls in the air); ping me if you need me again. |
This is possible once I get this PR merged (pending on docs, which requires me to not be spending time elsewhere in DMS), although it's not likely to make it for v14 and as it's a breaking change will be deferred to v15.
Are you sure that one is required? I don't recall it being required for LDAP which is what this context is really related to IIRC. Just looked up this setting and
The OAuth2 feature got merged early to avoid being stale, I wasn't a fan of the final config approach but stalling the merge may have been problematic. Plans are to adopt the same config templates feature instead. I am reluctant towards ENV configs as they're unnecessary, you can provide these configs via volume mount files or compose The config templates feature will simplify that by allowing more flexibility (while still supporting ENV override implicitly).
You should be handling this via You'll need to wait on the above concerns being addressed in a future release before you can drop the These are ENV requests that I'm personally against adding into DMS (an ENV that serves the single purpose of updating one setting in a config file, with no real logic beyond applying the value). |
O.k., nice!
Might be that we do not need this anymore since we changed the username attribute to cn using (I would need to verify this tho): But before we applied this change, the imap login failed without %n. |
Presently the LDAP tests have this configuration and notes: docker-mailserver/test/tests/serial/mail_with_ldap.bats Lines 85 to 90 in 47f8d50
Also this if using docker-mailserver/test/tests/serial/mail_with_ldap.bats Lines 74 to 83 in 47f8d50
docker-mailserver/test/tests/serial/mail_with_ldap.bats Lines 104 to 113 in 47f8d50
|
Offtopic but I think the comment is misleading:
In postfix the ldap query match is not the attribute passed to the backend. The query is just used to match an entry. The matched entries attribute to be passed is defined by a different setting ( When using dovecot directly this is not a problem, as we can work this around using %u ("just use the localpart") in the dovecot query. |
Yes, it is presently:
Also the default query filter for saslauthd:
My docs rewrite for LDAP does touch on that and it'll be easy to configure once the new approach is merged. If SASLAUTHD is enabled:
That caveat isn't an issue when using Dovecot as the default SASL provider, so better to not use the saslauthd feature when it's not serving you any value (it was contributed for when Dovecot was not used).
You should have a similar experience with Postfix if you disable SASLAUTHD, authentication then becomes Postfix => Dovecot => LDAP, instead of Postfix => SASLAUTHD => LDAP. |
so, what is the correct solution for making that working correctly ? |
Be more specific? What in the above discussion are you referring to? The OAuth feature was merged and released earlier than desired, the improved config support will depend upon the LDAP improvements PR to be merged first (will not arrive in v14, must wait until v15 release of DMS). You can manually manage your config changes with |
Context
We did set up a rather complex podman + DMS + openldap + OAuth2 (keycloak) + roundcube stack and found some configurations that would be benifitial to expose via environment variables. Namely:
Description
Allow setting the configs described above using following env variables:
OAUTH2_USERNAME_ATTRIBUTE
LDAP_TLS_REQUIRE_CERT
DOVECOT_AUTH_USERNAME_FORMAT
Alternatives
We now did hack some echo/sed magic into the docker-compose command attribute, thats applies the settings described above right before starting DMS.
Applicable Users
DMS-Administrator
Are you going to implement it?
Yes, because I know the probability of someone else doing it is low and I can learn from it.
What are you going to contribute?
Not sure how fast I can provide these changes, if somebody hints me to the files I need to touch I would be glad.
The text was updated successfully, but these errors were encountered: