-
Notifications
You must be signed in to change notification settings - Fork 216
/
openldap
172 lines (133 loc) · 5.69 KB
/
openldap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
#!/usr/bin/env bash
# Author: Zhang Huangbin (zhb _at_ iredmail.org)
#---------------------------------------------------------------------
# This file is part of iRedMail, which is an open source mail server
# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
#
# iRedMail is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# iRedMail is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with iRedMail. If not, see <http://www.gnu.org/licenses/>.
#---------------------------------------------------------------------
# Variables for OpenLDAP and related. Refer to 'dialog/ldap_config.sh'.
# OpenLDAP version number.
export OPENLDAP_VERSION='2.4'
# Support password verification with SSHA512. Require OpenLDAP-2.4.32 or later.
export OPENLDAP_HAS_SHA2='YES'
# Module name
export OPENLDAP_MOD_PW_SHA2='pw-sha2'
# LDAP service info.
# LDAP_SERVER_HOST, LDAP_SERVER_PORT are defined in conf/global
export LDAP_USE_TLS='NO'
export LDAP_BIND='yes'
export LDAP_BIND_VERSION='3'
# OpenLDAP daemon user and group name.
export SYS_USER_LDAP='ldap'
export SYS_GROUP_LDAP='ldap'
export OPENLDAP_RC_SCRIPT_NAME='slapd'
# Configuration files.
export OPENLDAP_CONF_ROOT='/etc/openldap'
# Database backend type.
export OPENLDAP_DEFAULT_DBTYPE='mdb'
# Default LDAP data directory.
export OPENLDAP_DATA_DIR='/var/lib/ldap' # Do *NOT* end with '/'.
export OPENLDAP_PID_FILE='/var/run/openldap/slapd.pid'
export OPENLDAP_ARGS_FILE='/var/run/openldap/slapd.args'
# Configure.
if [ X"${DISTRO}" == X'RHEL' ]; then
export OPENLDAP_SYSCONFIG_CONF="${ETC_SYSCONFIG_DIR}/slapd"
# Module related.
export OPENLDAP_MODULE_PATH='/usr/lib/openldap'
if [ X"${OS_ARCH}" == X'x86_64' ]; then
export OPENLDAP_MODULE_PATH='/usr/lib64/openldap'
fi
export OPENLDAP_HAS_SHA2='NO'
elif [ X"${DISTRO}" == X'DEBIAN' -o X"${DISTRO}" == X'UBUNTU' ]; then
# LDAP daemon user & group.
export SYS_USER_LDAP='openldap'
export SYS_GROUP_LDAP='openldap'
# Configuration files.
export OPENLDAP_CONF_ROOT="/etc/ldap"
export OPENLDAP_PID_FILE='/var/run/slapd/slapd.pid'
export OPENLDAP_ARGS_FILE='/var/run/slapd/slapd.args'
export OPENLDAP_SYSCONFIG_CONF="${ETC_SYSCONFIG_DIR}/slapd"
# Module related.
export OPENLDAP_MODULE_PATH='/usr/lib/ldap'
elif [ X"${DISTRO}" == X'FREEBSD' ]; then
# Configuration files.
export OPENLDAP_CONF_ROOT='/usr/local/etc/openldap'
# Module related.
export OPENLDAP_MODULE_PATH='/usr/local/libexec/openldap'
# Override default setting.
export OPENLDAP_DATA_DIR='/var/db/openldap-data' # Do *NOT* end with '/'.
elif [ X"${DISTRO}" == X'OPENBSD' ]; then
# LDAP daemon user & group.
export SYS_USER_LDAP='_openldap'
export SYS_GROUP_LDAP='_openldap'
export OPENLDAP_DB_CONFIG_SAMPLE='/usr/local/share/examples/openldap/DB_CONFIG'
# Module related.
export OPENLDAP_HAS_SHA2='NO'
export OPENLDAP_MODULE_PATH='/usr/local/libexec/openldap'
fi
# RC script.
export OPENLDAP_RC_SCRIPT="${DIR_RC_SCRIPTS}/${OPENLDAP_RC_SCRIPT_NAME}"
export OPENLDAP_SCHEMA_DIR="${OPENLDAP_CONF_ROOT}/schema"
export OPENLDAP_SLAPD_CONF="${OPENLDAP_CONF_ROOT}/slapd.conf"
export OPENLDAP_LDAP_CONF="${OPENLDAP_CONF_ROOT}/ldap.conf"
# Log
# OpenLDAP logs to local4 by default.
export OPENLDAP_SYSLOG_FACILITY='local4'
export OPENLDAP_LOG_DIR='/var/log/openldap'
export OPENLDAP_LOG_FILE="${OPENLDAP_LOG_DIR}/openldap.log"
export OPENLDAP_LOGROTATE_FILE="${LOGROTATE_DIR}/openldap"
# LDAP data directory.
export ldap_suffix_to_domain_name="$(echo ${LDAP_SUFFIX} | sed -e 's/dc=//g' -e 's/,/./g')"
export LDAP_DATA_DIR="${OPENLDAP_DATA_DIR}/${ldap_suffix_to_domain_name}"
# Setting for one instance. You can edit ${OPENLDAP_SLAPD_CONF} manually to hold
# multi instances.
export LDAP_INIT_LDIF="${RUNTIME_DIR}/ldap_init.ldif"
##################################################
# iRedMail LDAP schema related
#
export LDAP_IREDMAIL_SCHEMA="${SAMPLE_DIR}/iredmail/iredmail.schema"
# Domain admin related.
export LDAP_ATTR_DOMAINADMIN_DN_NAME='domainAdmins'
# Container which includes all mail accounts: o=domains,dc=xx,dc=xx
export LDAP_BASEDN_NAME='domains'
# Domain related attributes.
export LDAP_ATTR_DOMAIN_RDN='domainName'
# Group related.
export LDAP_ATTR_GROUP_RDN='ou'
export LDAP_ATTR_GROUP_USERS='Users'
export LDAP_ATTR_GROUP_GROUPS='Groups'
export LDAP_ATTR_GROUP_ALIASES='Aliases'
export LDAP_ATTR_GROUP_EXTERNALS='Externals'
# Attributes of user object.
export LDAP_ATTR_USER_RDN='mail'
##################################################
# Password scheme
#
# If no pw-sha2 support, use SSHA instead.
if [[ X"${BACKEND}" == X'OPENLDAP' ]]; then
if [[ X"${OPENLDAP_HAS_SHA2}" != X'YES' ]]; then
export DEFAULT_PASSWORD_SCHEME='SSHA'
else
# Although Dovecot 2.3 supports BCRYPT, but some web applications
# perform user auth against LDAP directly, and OpenLDAP doesn't support
# auth with BCRYPT hash yet, so have to fall back to SSHA512.
export DEFAULT_PASSWORD_SCHEME='SSHA512'
fi
fi
export LDAP_BINDDN="cn=${SYS_USER_VMAIL},${LDAP_SUFFIX}"
export LDAP_ADMIN_DN="cn=${VMAIL_DB_ADMIN_USER},${LDAP_SUFFIX}"
export LDAP_ROOTDN="cn=Manager,${LDAP_SUFFIX}"
export LDAP_BASEDN="o=${LDAP_BASEDN_NAME},${LDAP_SUFFIX}"
export LDAP_ADMIN_BASEDN="o=${LDAP_ATTR_DOMAINADMIN_DN_NAME},${LDAP_SUFFIX}"