Use dovecot's LDAP uris option instead of hosts (fixes #1510)#1901
Use dovecot's LDAP uris option instead of hosts (fixes #1510)#1901wernerfred merged 6 commits intodocker-mailserver:masterfrom
Conversation
moqmar
force-pushed
the
bugfix/dovecot-ldaps
branch
from
7228e98 to
6ac6c24
Compare
moqmar
force-pushed
the
bugfix/dovecot-ldaps
branch
from
6ac6c24 to
0a3ab87
Compare
georglauterbach
left a comment
georglauterbach
left a comment
There was a problem hiding this comment.
I can approve this PR style-wise. I cannot say anything about the functionality. I re-requested a review from @wernerfred
|
Whoops, seems like I have broken something with the style changes. Will evaluate. 🙃 Edit: seems like I just used a wrong variable somewhere: https://github.com/docker-mailserver/docker-mailserver/compare/f9f9fc4570a15c0268e30bcca0be4e229d8d432f..18b4f1a26e126a2dff281897d7b89ff3b59f039d |
|
Please also note that your commit signatures are invalid - you may want to fix this as well :D |
|
@reneploetz you commented on #1902. Can you please review here as well? |
moqmar
force-pushed
the
bugfix/dovecot-ldaps
branch
from
f9f9fc4 to
aa3f829
Compare
moqmar
force-pushed
the
bugfix/dovecot-ldaps
branch
from
aa3f829 to
18b4f1a
Compare
As I'm not using dovecot + LDAP I'm unable to test this on an actual test system (my system is using Kopano + LDAP). But the change appears to fine to be given that there is a test that is checking the correct replacement inside the config after the container start as well as a test that dovecot starts with that configuration. Afterwards there is a test on whether one can connect with a username that is present in ldap. |
That'd be awesome! |
|
I think the most interesting test would be LDAP with StartTLS, as I think that it hasn't been tested yet with the change. It seems like it should work with the |
If you could to this it would be great! If you do not find time then I would consider it safe to merge as we have the same opinion by just looking at the changes. But only a real test can show if we are right. Thanks in advance! |
I agree. |
|
@wernerfred If you're comfortable merging this, I am too. I will update the branch first :) |
|
I would wait for a reply of @reneploetz :) |
|
I can confirm that the following configurations are working: All of them lead to this content in dovecot-ldap.conf.ext which allows dovecot to successfully connect to LDAP via TLS: So as far as I'm concerned the configuration works with TLS. As a side note in case somebody asks later: we currently do not support custom certificates for LDAP due to the lack of "tls_require_cert" or "tls_ca_cert_*" settings in the configuration. |
georglauterbach
left a comment
georglauterbach
left a comment
There was a problem hiding this comment.
Then I will approve these changes. @wernerfred if you're fine with this too, go ahead and merge this.
We can afterwards merge the PR about Gh actions
| - => Specify a space separated list of LDAP hosts. | ||
| - => Specify a space separated list of LDAP uris. | ||
| - Note: If the protocol is missing, `ldap://` will be used. | ||
| - Note: This deprecates `DOVECOT_HOSTS` (as it didn't allow to use LDAPS), which is currently still supported for backwards compatibility. |
There was a problem hiding this comment.
This is actually a breaking change. @aendeavor another reason for v10.0.0 😄
The note should be removed at some time in the future.
There was a problem hiding this comment.
Yes - I said this earlier that this note will go with 10.0.0
|
Does this change require documentation updates? |
|
Ah @moqmar proposed to do this with a separate PR in #1902 (comment). |
5 participants
Description
According to https://doc.dovecot.org/configuration_manual/authentication/ldap/, the "uris" option has to be used when using LDAPS, while the "hosts" option seems to only work with STARTTLS. So, this PR fixes the problem that docker-mailserver can't be used with LDAPS.
The change is made in a way that allows backwards-compatibility with configurations that assume the "hosts" option to be set by LDAP_SERVER_HOST, in which case it's using "ldap://" as a default protocol if none is specified. The only change for the user is that LDAP_SERVER_HOST now supports specifying a protocol like "ldaps://...".
Fixes #1510
Type of change
Checklist: