Gnous/mailcow
2
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Merge pull request #5764 from mailcow/fix/nightly-issues

Browse Source 
Fix nightly issues with new ldap provider
This commit is contained in:
Patrick Schult 2024-02-26 13:33:44 +01:00 committed by GitHub
commit a3af2d8392
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 39 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
data/Dockerfiles/dovecot/docker-entrypoint.sh
View File

@ -200,13 +200,6 @@ EOF
# Create random master Password for SOGo SSO # Create random master Password for SOGo SSO
RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1) RAND_PASS=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1)
echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass echo -n ${RAND_PASS} > /etc/phpfpm/sogo-sso.pass
cat <<EOF > /etc/dovecot/sogo-sso.conf
# Autogenerated by mailcow
passdb {
driver = static
args = allow_real_nets=${IPV4_NETWORK}.248/32 password={plain}${RAND_PASS}
}
EOF
if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then if [[ "${MASTER}" =~ ^([nN][oO]|[nN])+$ ]]; then
# Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated # Toggling MASTER will result in a rebuild of containers, so the quota script will be recreated

20
data/conf/dovecot/auth/mailcowauth.php
View File

@ -45,20 +45,30 @@ require_once 'functions.auth.inc.php';
require_once 'sessions.inc.php'; require_once 'sessions.inc.php';
require_once 'functions.mailbox.inc.php'; require_once 'functions.mailbox.inc.php';
// Init provider
$iam_provider = identity_provider('init');
$isSOGoRequest = $post['real_rip'] == getenv('IPV4_NETWORK') . '.248';
$result = false;
$protocol = $post['protocol']; $protocol = $post['protocol'];
if ($post['real_rip'] == getenv('IPV4_NETWORK') . '.248') { if ($isSOGoRequest) {
$protocol = null; $protocol = null;
// This is a SOGo Auth request. First check for SSO password.
$sogo_sso_pass = file_get_contents("/etc/sogo-sso/sogo-sso.pass");
if ($sogo_sso_pass === $post['password']){
error_log('MAILCOWAUTH: SOGo SSO auth for user ' . $post['username']);
$result = true;
}
} }
$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
if ($result === false){ if ($result === false){
$result = apppass_login($post['username'], $post['password'], $protocol, array( $result = apppass_login($post['username'], $post['password'], $protocol, array(
'is_internal' => true, 'is_internal' => true,
'remote_addr' => $post['real_rip'] 'remote_addr' => $post['real_rip']
)); ));
if ($result) error_log('MAILCOWAUTH: App auth for user ' . $post['username']);
}
if ($result === false){
$result = user_login($post['username'], $post['password'], $protocol, array('is_internal' => true));
if ($result) error_log('MAILCOWAUTH: User auth for user ' . $post['username']);
} }
if ($result) { if ($result) {

1
data/conf/dovecot/dovecot.conf
View File

@ -303,7 +303,6 @@ replication_dsync_parameters = -d -l 30 -U -n INBOX
!include_try /etc/dovecot/sni.conf !include_try /etc/dovecot/sni.conf
!include_try /etc/dovecot/sogo_trusted_ip.conf !include_try /etc/dovecot/sogo_trusted_ip.conf
!include_try /etc/dovecot/extra.conf !include_try /etc/dovecot/extra.conf
!include_try /etc/dovecot/sogo-sso.conf
!include_try /etc/dovecot/shared_namespace.conf !include_try /etc/dovecot/shared_namespace.conf
# </Includes> # </Includes>
default_client_limit = 10400 default_client_limit = 10400

5
data/conf/phpfpm/crons/keycloak-sync.php
View File

@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1";
$_SESSION['acl']['mailbox_relayhost'] = "1"; $_SESSION['acl']['mailbox_relayhost'] = "1";
$_SESSION['acl']['unlimited_quota'] = "1"; $_SESSION['acl']['unlimited_quota'] = "1";
// Init Keycloak Provider
$iam_provider = identity_provider('init');
$iam_settings = identity_provider('get'); $iam_settings = identity_provider('get');
if ($iam_settings['authsource'] != "keycloak" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) { if ($iam_settings['authsource'] != "keycloak" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
session_destroy(); session_destroy();
@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w');
fwrite($lock_file_handle, getmypid()); fwrite($lock_file_handle, getmypid());
fclose($lock_file_handle); fclose($lock_file_handle);
// Init Keycloak Provider
$iam_provider = identity_provider('init');
// Loop until all users have been retrieved // Loop until all users have been retrieved
while (true) { while (true) {
// Get admin access token // Get admin access token

5
data/conf/phpfpm/crons/ldap-sync.php
View File

@ -70,8 +70,6 @@ $_SESSION['acl']['protocol_access'] = "1";
$_SESSION['acl']['mailbox_relayhost'] = "1"; $_SESSION['acl']['mailbox_relayhost'] = "1";
$_SESSION['acl']['unlimited_quota'] = "1"; $_SESSION['acl']['unlimited_quota'] = "1";
// Init Provider
$iam_provider = identity_provider('init');
$iam_settings = identity_provider('get'); $iam_settings = identity_provider('get');
if ($iam_settings['authsource'] != "ldap" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) { if ($iam_settings['authsource'] != "ldap" || (intval($iam_settings['periodic_sync']) != 1 && intval($iam_settings['import_users']) != 1)) {
session_destroy(); session_destroy();
@ -109,6 +107,9 @@ $lock_file_handle = fopen($lock_file, 'w');
fwrite($lock_file_handle, getmypid()); fwrite($lock_file_handle, getmypid());
fclose($lock_file_handle); fclose($lock_file_handle);
// Init Provider
$iam_provider = identity_provider('init');
// Get ldap users // Get ldap users
$ldap_query = $iam_provider->query(); $ldap_query = $iam_provider->query();
if (!empty($iam_settings['filter'])) { if (!empty($iam_settings['filter'])) {

8
data/conf/sogo/custom-sogo.js
View File

@ -32,18 +32,16 @@ document.addEventListener('DOMContentLoaded', function () {
return false; return false;
} }
function mcElementsExists() { function mcElementsExists() {
if (document.getElementById("mc_logout")) if (document.getElementById("mc_backlink"))
return true; return true;
else else
return false; return false;
} }
function addMCElements() { function addMCElements() {
const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row'); const toolbarElement = document.body.querySelector('.md-toolbar-tools.sg-toolbar-group-last.layout-align-end-center.layout-row');
var htmlCode = '<a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' + var htmlCode = '<a id="mc_backlink" class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="/user" aria-hidden="false" tabindex="-1">' +
'<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' + '<md-icon class="material-icons" role="img" aria-label="build">build</md-icon>' +
'</a><a class="md-icon-button md-button md-ink-ripple" aria-label="mailcow" href="#" onclick="mc_logout.submit()" aria-hidden="false" tabindex="-1">' + '</a>';
'<md-icon class="material-icons" role="img" aria-label="settings_power">settings_power</md-icon>' +
'</a><form action="/" method="post" id="mc_logout"><input type="hidden" name="logout"></form>';
toolbarElement.insertAdjacentHTML('beforeend', htmlCode); toolbarElement.insertAdjacentHTML('beforeend', htmlCode);
} }

8
data/conf/sogo/plist_ldap.sh
View File

@ -3,15 +3,15 @@
domain="$1" domain="$1"
gal_status="$2" gal_status="$2"
echo ' echo "
<!-- <!--
<example> <example>
<key>canAuthenticate</key> <key>canAuthenticate</key>
<string>YES</string> <string>YES</string>
<key>id</key> <key>id</key>
<string>'"${domain}_ldap"'</string> <string>"${domain}"_ldap</string>
<key>isAddressBook</key> <key>isAddressBook</key>
<string>'"${gal_status}"'</string> <string>"${gal_status}"</string>
<key>IDFieldName</key> <key>IDFieldName</key>
<string>mail</string> <string>mail</string>
<key>UIDFieldName</key> <key>UIDFieldName</key>
@ -31,4 +31,4 @@ echo '
<key>hostname</key> <key>hostname</key>
<string>ldap://1.2.3.4:389</string> <string>ldap://1.2.3.4:389</string>
</example> </example>
-->' -->"

2
data/web/inc/functions.auth.inc.php
View File

@ -476,8 +476,8 @@ function keycloak_mbox_login_rest($user, $pass, $iam_settings, $extra = null){
} }
function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){ function ldap_mbox_login($user, $pass, $iam_settings, $extra = null){
global $pdo; global $pdo;
global $iam_provider;
$iam_provider = identity_provider();
$is_internal = $extra['is_internal']; $is_internal = $extra['is_internal'];
$create = $extra['create']; $create = $extra['create'];

8
data/web/inc/functions.inc.php
View File

@ -2099,12 +2099,20 @@ function uuid4() {
} }
function identity_provider($_action, $_data = null, $_extra = null) { function identity_provider($_action, $_data = null, $_extra = null) {
global $pdo; global $pdo;
global $iam_provider;
$data_log = $_data; $data_log = $_data;
if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*'; if (isset($data_log['client_secret'])) $data_log['client_secret'] = '*';
if (isset($data_log['access_token'])) $data_log['access_token'] = '*'; if (isset($data_log['access_token'])) $data_log['access_token'] = '*';
switch ($_action) { switch ($_action) {
case NULL:
if ($iam_provider) {
return $iam_provider;
} else {
$iam_provider = identity_provider("init");
}
break;
case 'get': case 'get':
$settings = array(); $settings = array();
$stmt = $pdo->prepare("SELECT * FROM `identity_provider`;"); $stmt = $pdo->prepare("SELECT * FROM `identity_provider`;");

2
docker-compose.yml
View File

@ -237,7 +237,7 @@ services:
- sogo - sogo
dovecot-mailcow: dovecot-mailcow:
image: mailcow/dovecot:nightly-20240208 image: mailcow/dovecot:nightly-20240226
depends_on: depends_on:
- mysql-mailcow - mysql-mailcow
- netfilter-mailcow - netfilter-mailcow