diff --git a/docker/ds389/Dockerfile b/docker/ds389/Dockerfile
new file mode 100644
index 00000000..00686e5c
--- /dev/null
+++ b/docker/ds389/Dockerfile
@@ -0,0 +1,29 @@
+FROM centos/centos7:latest
+
+MAINTAINER Liutauras Adomaitis
+
+RUN yum install -y epel-release 389-ds-base 389-adminutil gettext \
+ && yum update -y \
+ && yum clean all
+
+ COPY *.tpl ./
+ COPY kolab-schema.ldif 99kolab-schema.ldif
+
+ RUN for F in $(ls *.tpl); do eval "echo \"$(cat $F)\"" | tee $(basename $F .tpl); done
+
+ RUN useradd ldapadmin \
+ && rm -fr /var/lock /usr/lib/systemd/system \
+ # No persistent storage
+ # && mkdir /srv/dirsrv/{cnf,lib,log} && ln -s /srv/cnf/ /etc/dirsrv/ && ln -s /srv/lib/ /var/lib/dirsrv/ && ln -s /srv/log/ /var/log/dirsrv/ \
+ && setup-ds.pl -ddd --silent --file /ds_setup.inf \
+ && chown nobody.nobody -R /var/lib/dirsrv/
+
+ EXPOSE 389
+
+ CMD for B in $(ls /tmp/ds389-load/*_backend.ldif); do \
+ ## eval "echo \"$(cat $B)\"" | tee $(basename $B .tpl); \
+ /usr/lib64/dirsrv/slapd-${DS_INSTANCE_NAME}/ldif2db -Z ${DS_INSTANCE_NAME} -n $(basename ${B} _backend.ldif) -i ${B}; \
+ done \
+ && /usr/lib64/dirsrv/slapd-hkccp/start-slapd \
+ && tail -F /var/log/dirsrv/slapd-$DS_INSTANCE_NAME/access /var/log/dirsrv/slapd-$DS_INSTANCE_NAME/errors
+
diff --git a/docker/ds389/ds_adjustments.ldif.tpl b/docker/ds389/ds_adjustments.ldif.tpl
new file mode 100644
index 00000000..525979d9
--- /dev/null
+++ b/docker/ds389/ds_adjustments.ldif.tpl
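Review bot: The CMD hard-codes `/usr/lib64/dirsrv/slapd-hkccp/start-slapd` while the `ldif2db` and `tail` lines of the same command derive their paths from `${DS_INSTANCE_NAME}`, so the container only starts when the instance happens to be called `hkccp`; use `/usr/lib64/dirsrv/slapd-${DS_INSTANCE_NAME}/start-slapd`. The `eval "echo ..."` template expansion and `setup-ds.pl --file /ds_setup.inf` run at image build time, yet no `ARG` or `ENV` in this file declares the variables the templates reference (`DS_INSTANCE_NAME`, `LDAP_ADMIN_BIND_PW`, the bind DNs), so they appear to expand to empty strings and the resulting instance, together with the rendered `/ds_setup.inf` that carries `RootDNPwd`, is committed to an image layer. At minimum delete the rendered `/ds_setup.inf` and `/*.ldif` files in the same `RUN` that consumes them; better, move the rendering and `setup-ds.pl` into container start so credentials are supplied at runtime and never enter the image. `useradd ldapadmin` creates an account nothing references, the data is instead chowned to the shared `nobody` user, and no `USER` is set, so the shell-form `CMD` (which also leaves `/bin/sh -c` rather than the server as PID 1, so `docker stop`'s SIGTERM is not delivered to it) runs as root. `FROM centos/centos7:latest` is unpinned and `MAINTAINER` is deprecated in favour of `LABEL`.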
@@ -0,0 +1,105 @@ +dn: cn=config +changetype: modify +replace: nsslapd-accesslog-logging-enabled +nsslapd-accesslog-logging-enabled: ${DS389_ACCESSLOG:-on} + +dn: cn=config +changetype: modify +replace: nsslapd-auditlog-logging-enabled +nsslapd-auditlog-logging-enabled: ${DS389_AUDITLOG:-on} + +dn: cn=config +changetype: modify +replace: nsslapd-sizelimit +nsslapd-sizelimit: -1 + +dn: cn=config +changetype: modify +replace: nsslapd-idletimeout +nsslapd-idletimeout: 0 + +dn: cn=config +changetype: modify +replace: nsslapd-timelimit +nsslapd-timelimit: -1 + +dn: cn=config +changetype: modify +replace: nsslapd-lookthroughlimit +nsslapd-lookthroughlimit: -1 + +dn: cn=config +changetype: modify +replace: nsslapd-allow-anonymous-access +nsslapd-allow-anonymous-access: rootdse + +dn: cn=alias,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config +changetype: add +objectClass: top +objectClass: nsIndex +cn: alias +nsSystemIndex: false +nsIndexType: pres +nsIndexType: eq +nsIndexType: sub + +dn: cn=mailAlternateAddress,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config +changetype: modify +add: nsIndexType +nsIndexType: pres +nsIndexType: sub + +dn: cn=associateddomain,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config +changetype: add +objectclass: top +objectclass: nsindex +cn: associateddomain +nsSystemIndex: false +nsindextype: pres +nsindextype: eq + +dn: cn=ACL Plugin,cn=plugins,cn=config +changetype: modify +replace: nsslapd-aclpb-max-selected-acls +nsslapd-aclpb-max-selected-acls: 8192 + +dn: cn=7-bit check,cn=plugins,cn=config +changetype: modify +replace: nsslapd-pluginEnabled +nsslapd-pluginEnabled: off + +dn: cn=attribute uniqueness,cn=plugins,cn=config +changetype: modify +replace: nsslapd-pluginEnabled +nsslapd-pluginEnabled: on + +dn: cn=referential integrity postoperation,cn=plugins,cn=config +changetype: modify +replace: nsslapd-pluginEnabled +nsslapd-pluginEnabled: on + +dn: cn=Account Policy 
Plugin,cn=plugins,cn=config +changetype: modify +replace: nsslapd-pluginEnabled +nsslapd-pluginEnabled: on + +dn: cn=Account Policy Plugin,cn=plugins,cn=config +changetype: modify +replace: nsslapd-pluginarg0 +nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config + +dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config +changetype: modify +replace: alwaysrecordlogin +alwaysrecordlogin: yes + +dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config +changetype: modify +replace: stateattrname +stateattrname: lastLoginTime + +dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config +changetype: modify +replace: altstateattrname +altstateattrname: createTimestamp + diff --git a/docker/ds389/ds_admin_backend.ldif.tpl b/docker/ds389/ds_admin_backend.ldif.tpl new file mode 100644 index 00000000..e269b7ab --- /dev/null +++ b/docker/ds389/ds_admin_backend.ldif.tpl @@ -0,0 +1,20 @@ +dn: cn=\"${LDAP_ADMIN_ROOT_DN}\",cn=mapping tree,cn=config +objectClass: top +objectClass: extensibleObject +objectClass: nsMappingTree +cn: ${LDAP_ADMIN_ROOT_DN} +nsslapd-state: backend +nsslapd-backend: ${DOMAIN_DB} + +dn: cn=${DOMAIN_DB},cn=ldbm database,cn=plugins,cn=config +objectClass: top +objectClass: extensibleObject +objectClass: nsBackendInstance +cn: ${DOMAIN_DB} +nsslapd-suffix: ${LDAP_ADMIN_ROOT_DN} +nsslapd-cachesize: -1 +nsslapd-cachememsize: 10485760 +nsslapd-readonly: off +nsslapd-require-index: off +nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/${DOMAIN_DB} +nsslapd-dncachememsize: 10485760 diff --git a/docker/ds389/ds_hosted_backend.ldif.tpl b/docker/ds389/ds_hosted_backend.ldif.tpl new file mode 100644 index 00000000..329a4978 --- /dev/null +++ b/docker/ds389/ds_hosted_backend.ldif.tpl 
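Review bot: On `cn=config` the hunk sets `nsslapd-sizelimit`, `nsslapd-timelimit` and `nsslapd-lookthroughlimit` to `-1` and `nsslapd-idletimeout` to `0`, which removes every server-wide search and connection limit for all bound identities, so a single misbehaving or compromised client can hold connections open indefinitely and run unbounded searches over the whole tree. The service accounts defined in `ds_install.ldif.tpl` already carry per-entry `nsSizeLimit: -1`, `nsTimeLimit: -1`, `nsLookThroughLimit: -1` and `nsIdleTimeout: -1`, which is the targeted way to exempt them, so these global overrides look redundant; keep finite server-wide values here, or if they must stay, record the reason above them with `# NOTE: global limits disabled on purpose; per-account limits in ds_install.ldif.tpl then have no effect`.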
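Review bot: `nsslapd-directory` falls back to `${DS_INSTANCE_NAME:-$(hostname -s)}`, but this template is expanded by `eval` during the image build (the `RUN for F in $(ls *.tpl)` line in `docker/ds389/Dockerfile`), so the fallback resolves to the short hostname of the build container, an arbitrary value that then gets baked into the image, while `ds_setup.inf.tpl` uses plain `${DS_INSTANCE_NAME}` for `ServerIdentifier`; whenever the variable is unset the backend directory and the instance name disagree. Drop the fallback so this line reads `nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME}/db/${DOMAIN_DB}`, and fail the build when the variable is empty. The same fallback appears in `ds_hosted_backend.ldif.tpl`.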
@@ -0,0 +1,21 @@ +dn: cn=\"${LDAP_HOSTED_ROOT_DN}\",cn=mapping tree,cn=config +objectClass: top +objectClass: extensibleObject +objectClass: nsMappingTree +nsslapd-state: backend +cn: ${LDAP_HOSTED_ROOT_DN} +nsslapd-backend: ${HOSTED_DOMAIN_DB} + +dn: cn=${HOSTED_DOMAIN_DB},cn=ldbm database,cn=plugins,cn=config +objectClass: top +objectClass: extensibleobject +objectClass: nsbackendinstance +cn: ${HOSTED_DOMAIN_DB} +nsslapd-suffix: ${LDAP_HOSTED_ROOT_DN} +nsslapd-cachesize: -1 +nsslapd-cachememsize: 10485760 +nsslapd-readonly: off +nsslapd-require-index: off +nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/${HOSTED_DOMAIN_DB} +nsslapd-dncachememsize: 10485760 + diff --git a/docker/ds389/ds_install.ldif.tpl b/docker/ds389/ds_install.ldif.tpl new file mode 100644 index 00000000..f0f5ef0f --- /dev/null +++ b/docker/ds389/ds_install.ldif.tpl 
@@ -0,0 +1,197 @@ +# ${LDAP_ADMIN_ROOT_DN} +dn: ${LDAP_ADMIN_ROOT_DN} +aci: (targetattr = \"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || l || labeledURI || mobile || o || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier || kolabDelegate || kolabInvitationPolicy || kolabAllowSMTPSender\") (version 3.0; acl \"Enable self write for common attributes\"; allow (read,compare,search,write)(userdn = \"ldap:///self\");) +aci: (targetattr = \"*\") (version 3.0;acl \"Directory Administrators Group\";allow (all)(groupdn = \"ldap:///cn=Directory Administrators,dc=klab,dc=cc\" or roledn = \"ldap:///cn=kolab-admin,dc=klab,dc=cc\");) +aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";) +aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";) +aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-ldap-k8s,cn=389 Directory Server,cn=Server Group,cn=ldap-k8s.klab.cc,ou=klab.cc,o=NetscapeRoot\";) +aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///all\");) +objectClass: top +objectClass: domain + +# Directory Administrators, ${DOMAIN} +dn: cn=Directory Administrators,${LDAP_ADMIN_ROOT_DN} +objectClass: top +objectClass: groupofuniquenames +cn: Directory Administrators +uniqueMember: cn=Directory Manager + +# Domains definition location ${DOMAIN} +dn: ${LDAP_DOMAIN_BASE_DN} 
+objectclass: top +objectclass: extensibleobject +ou: Domains +aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Services\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${LDAP_ADMIN_ROOT_DN}\");) + +# Groups, ${DOMAIN} +dn: ou=Groups,${LDAP_ADMIN_ROOT_DN} +objectClass: top +objectClass: organizationalunit +ou: Groups + +# People, ${DOMAIN} +dn: ou=People,${LDAP_ADMIN_ROOT_DN} +objectClass: top +objectClass: organizationalunit +ou: People + +# Resources, ${DOMAIN} +dn: ou=Resources,${LDAP_ADMIN_ROOT_DN} +objectClass: top +objectClass: organizationalunit +ou: Resources + +# Shared Folders, ${DOMAIN} +dn: ou=Shared Folders,${LDAP_ADMIN_ROOT_DN} +objectClass: top +objectClass: organizationalunit +ou: Shared Folders + +# Special User, ${DOMAIN} +dn: ou=Special Users,${LDAP_ADMIN_ROOT_DN} +objectClass: top +objectClass: organizationalUnit +ou: Special Users +description: Special Administrative Accounts + +# Add kolab-admin role +dn: cn=kolab-admin,${LDAP_ADMIN_ROOT_DN} +objectClass: top +objectClass: ldapsubentry +objectClass: nsroledefinition +objectClass: nssimpleroledefinition +objectClass: nsmanagedroledefinition +cn: kolab-admin +description: Kolab Administrator + +# cyrus-admin, Special Users, ${DOMAIN} +dn: uid=cyrus-admin,ou=Special Users,${LDAP_ADMIN_ROOT_DN} +sn: Administrator +uid: cyrus-admin +objectClass: top +objectClass: person +objectClass: inetorgperson +objectClass: organizationalperson +givenName: Cyrus +cn: Cyrus Administrator +userPassword: ${CM_CYRUS_ADMIN_PW} + +# kolab-service, Special Users, ${DOMAIN} +dn: ${LDAP_SERVICE_BIND_DN} +sn: Service +uid: kolab-service +objectClass: top +objectClass: person +objectClass: inetorgperson +objectClass: organizationalperson +givenName: Kolab +cn: Kolab Service +userPassword: ${LDAP_SERVICE_BIND_PW} +nsIdleTimeout: -1 +nsTimeLimit: -1 +nsSizeLimit: -1 +nsLookThroughLimit: -1 + +# hosted-kolab-service, Special Users, ${DOMAIN} +dn: ${LDAP_HOSTED_BIND_DN} +objectclass: top 
+objectclass: inetorgperson +objectclass: person +uid: hosted-kolab-service +cn: Hosted Kolab Service Account +sn: Service Account +givenname: Hosted Kolab +userpassword: ${LDAP_HOSTED_BIND_PW} +nsIdleTimeout: -1 +nsTimeLimit: -1 +nsSizeLimit: -1 +nsLookThroughLimit: -1 + +# ${DOMAIN}, ${LDAP_DOMAIN_BASE_DN} +dn: associateddomain=${DOMAIN},${LDAP_DOMAIN_BASE_DN} +objectclass: top +objectclass: domainrelatedobject +associateddomain: ${DOMAIN} +associateddomain: localhost.localdomain +associateddomain: localhost +aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///${LDAP_SERVICE_BIND_DN} || ldap:///${LDAP_ADMIN_ROOT_DN}??sub?\(objectclass=*\)\");) +aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///${LDAP_HOSTED_BIND_DN}\");) + +################################### +# ${HOSTED_DOMAIN}, ${LDAP_DOMAIN_BASE_DN} +dn: associateddomain=${HOSTED_DOMAIN},${LDAP_DOMAIN_BASE_DN} +objectclass: top +objectclass: domainrelatedobject +objectclass: inetdomain +inetdomainstatus: active +associateddomain: ${HOSTED_DOMAIN} +inetdomainbasedn: ${LDAP_HOSTED_ROOT_DN} + +# ${LDAP_HOSTED_ROOT_DN} +dn: ${LDAP_HOSTED_ROOT_DN} +aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";) +aci: (targetattr=\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${LDAP_HOSTED_ROOT_DN}\" or 
roledn=\"ldap:///cn=kolab-admin,${LDAP_HOSTED_ROOT_DN}\");) +aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";) +aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";) +aci: (targetattr=\"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-${DS_INSTANCE_NAME},cn=389 Directory Server,cn=Server Group,cn=${FULL_MACHINE_NAME},ou=${DOMAIN},o=NetscapeRoot\";) +aci: (targetattr=\"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${LDAP_HOSTED_ROOT_DN}??sub?(objectclass=*)\");) +aci: (targetattr=\"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///${LDAP_SERVICE_BIND_DN}\");) +objectClass: top +objectClass: domain +dc: ${HOSTED_DOMAIN%.com} + +# cn=2fa-user, ${LDAP_HOSTED_ROOT_DN} +dn: cn=2fa-user,${LDAP_HOSTED_ROOT_DN} +cn: 2fa-user +description: 2fa-user role +objectclass: top +objectclass: ldapsubentry +objectclass: nsmanagedroledefinition +objectclass: nsroledefinition +objectclass: nssimpleroledefinition + +# cn=activesync-user, ${LDAP_HOSTED_ROOT_DN} +dn: cn=activesync-user,${LDAP_HOSTED_ROOT_DN} +cn: activesync-user +description: activesync-user role +objectclass: top +objectclass: ldapsubentry +objectclass: nsmanagedroledefinition +objectclass: nsroledefinition +objectclass: nssimpleroledefinition + +# cn=imap-user, ${LDAP_HOSTED_ROOT_DN} +dn: cn=imap-user,${LDAP_HOSTED_ROOT_DN} +cn: imap-user +description: imap-user role +objectclass: top +objectclass: ldapsubentry +objectclass: nsmanagedroledefinition +objectclass: nsroledefinition +objectclass: nssimpleroledefinition + +# ou=Groups, ${LDAP_HOSTED_ROOT_DN} +dn: ou=Groups,${LDAP_HOSTED_ROOT_DN} +ou: Groups +objectClass: top +objectClass: 
organizationalunit + +# ou=People, ${LDAP_HOSTED_ROOT_DN} +dn: ou=People,${LDAP_HOSTED_ROOT_DN} +aci: (targetattr=\"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///${LDAP_HOSTED_BIND_DN}\");) +ou: People +objectClass: top +objectClass: organizationalunit + +# ou=Resources, ${LDAP_HOSTED_ROOT_DN} +dn: ou=Resources,${LDAP_HOSTED_ROOT_DN} +ou: Resources +objectClass: top +objectClass: organizationalunit + +# ou=Shared Folders, ${LDAP_HOSTED_ROOT_DN} +dn: ou=Shared Folders,${LDAP_HOSTED_ROOT_DN} +ou: Shared Folders +objectClass: top +objectClass: organizationalunit + diff --git a/docker/ds389/ds_setup.inf.tpl b/docker/ds389/ds_setup.inf.tpl new file mode 100644 index 00000000..e23db9f5 --- /dev/null +++ b/docker/ds389/ds_setup.inf.tpl @@ -0,0 +1,27 @@ +[General] +FullMachineName = ${FULL_MACHINE_NAME} +SuiteSpotUserID = nobody +SuiteSpotGroup = nobody +AdminDomain = ${DOMAIN} +StrictHostCheck = ${STRICT_HOST_CHECK} +ConfigDirectoryLdapURL = ldap://${DS_INSTANCE_NAME}:389/o=NetscapeRoot +ConfigDirectoryAdminID = admin +ConfigDirectoryAdminPwd = ${LDAP_ADMIN_BIND_PW} + +[slapd] +start_server = 0 +SlapdConfigForMC = Yes +UseExistingMC = 0 +ServerPort = 389 +ServerIdentifier = ${DS_INSTANCE_NAME} +RootDN = ${LDAP_ADMIN_BIND_DN} +RootDNPwd = ${LDAP_ADMIN_BIND_PW} +AddSampleEntries = No +SchemaFile = /99kolab-schema.ldif +## InstallLdifFile = /ds_install.ldif +ConfigFile = /ds_adjustments.ldif +ds_bename = ${DOMAIN_DB} +Suffix = ${LDAP_ADMIN_ROOT_DN} +ConfigFile = /ds_admin_backend.ldif +ConfigFile = /ds_hosted_backend.ldif + diff --git a/docker/ds389/kolab-schema.ldif b/docker/ds389/kolab-schema.ldif new file mode 100644 index 00000000..222891d0 --- /dev/null +++ b/docker/ds389/kolab-schema.ldif 
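Review bot: The ACIs on `${LDAP_ADMIN_ROOT_DN}` hard-code `cn=Directory Administrators,dc=klab,dc=cc`, `cn=kolab-admin,dc=klab,dc=cc` and the SIE group `cn=slapd-ldap-k8s,...,cn=ldap-k8s.klab.cc,ou=klab.cc,o=NetscapeRoot`, whereas the equivalent ACIs on `${LDAP_HOSTED_ROOT_DN}` are templated with `${LDAP_HOSTED_ROOT_DN}`, `${DS_INSTANCE_NAME}`, `${FULL_MACHINE_NAME}` and `${DOMAIN}`; unless the admin domain really is klab.cc the 'Directory Administrators Group' rule references a group that will not exist and grants nothing. Template them the same way, e.g. `groupdn = \"ldap:///cn=Directory Administrators,${LDAP_ADMIN_ROOT_DN}\" or roledn = \"ldap:///cn=kolab-admin,${LDAP_ADMIN_ROOT_DN}\"`. `dc: ${HOSTED_DOMAIN%.com}` only strips a trailing `.com`, so a hosted domain under any other TLD gets a `dc` value that is not its first label and will not match the RDN of `${LDAP_HOSTED_ROOT_DN}`; `${HOSTED_DOMAIN%%.*}` is the TLD-independent form. The 'Deny Rest' ACI writes its URL filter as `\(objectclass=*\)` while the hosted 'Search Access' ACI writes `(objectclass=*)`; because the template is rendered through `echo` inside double quotes the backslashes appear to survive into the LDIF, so the two rules end up with different filters and one of them is probably unintended. The entries for `cyrus-admin`, `kolab-service` and `hosted-kolab-service` carry `userPassword` in clear text and the Dockerfile renders this file into the image at build time, so whatever those variables expand to lands in an image layer.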
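Review bot: `SuiteSpotUserID = nobody` / `SuiteSpotGroup = nobody` runs the directory server under the shared `nobody` account, although `docker/ds389/Dockerfile` creates a dedicated `ldapadmin` user that is never referenced; a per-service user keeps the LDAP databases and logs from being readable or writable by anything else that happens to run as `nobody`. `RootDNPwd` and `ConfigDirectoryAdminPwd` are written into this file in clear text, and since the template is rendered and consumed during the build, the rendered `/ds_setup.inf` should be deleted in the same `RUN` that calls `setup-ds.pl`. `ConfigFile` is given three times (`/ds_adjustments.ldif`, `/ds_admin_backend.ldif`, `/ds_hosted_backend.ldif`); if `setup-ds.pl` applies them in listed order that is fine, but a comment such as `## applied in order: config tweaks first, then the two backend definitions` would make the dependency explicit. `InstallLdifFile` is commented out, so nothing in this diff appears to load the rendered `/ds_install.ldif`; confirm that is intended.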
@@ -0,0 +1,384 @@ +# $Id$ +# (c) 2003, 2004 Tassilo Erlewein +# (c) 2003-2009 Martin Konold +# (c) 2003 Achim Frank +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# +# Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# The name of the author may not be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# This schema highly depends on the core.schema, cosine.schema and the inetorgperson.schema +# as provided by 3rd parties like OpenLDAP. 
+# +# slapd.conf then looks like +# include /kolab/etc/openldap/schema/core.schema +# include /kolab/etc/openldap/schema/cosine.schema +# include /kolab/etc/openldap/schema/inetorgperson.schema +# include /kolab/etc/openldap/schema/rfc2739.schema +# include /kolab/etc/openldap/schema/kolab3.schema +# Prefix for OIDs: 1.3.6.1.4.1.19414 <- registered +# Prefix for OIDs: 1.3.6.1.4.1.19414.2000 <-- temporarily reserved for ob +# Prefix for attributes: 1.3.6.1.4.1.19414.1 +# Prefix for attributes: 1.3.6.1.4.1.19414.2 +# Prefix for objectclasses: 1.3.6.1.4.1.19414.3 +# nameprefix: kolab +# +dn: cn=schema +#################### +# kolab attributes # +#################### +# kolabDeleteflag used to be a boolean but describes with Kolab 2 +# the fqdn of the server which is requested to delete this objects +# in its local store +attributeTypes: ( 1.3.6.1.4.1.19414.2.1.2 + NAME 'kolabDeleteflag' + DESC 'Per host deletion status' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# alias used to provide alternative rfc822 email addresses for kolab users +attributeTypes: ( 1.3.6.1.4.1.19414.2.1.3 + NAME 'alias' + DESC 'RFC1274: RFC822 Mailbox' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# Specifies the email delegates. +# An email delegate can send email on behalf of the account +# which means using the "from" of the account. +# Delegates are specified by the syntax of rfc822 email addresses. 
+attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.3 + NAME 'kolabDelegate' + DESC 'Kolab user allowed to act as delegates - RFC822 Mailbox/Alias' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# For user, group and resource Kolab accounts +# Describes how to respond to invitations +# We keep the attribute as a string, but actually it can only have one +# of the following values: +# +# ACT_ALWAYS_ACCEPT +# ACT_ALWAYS_REJECT +# ACT_REJECT_IF_CONFLICTS +# ACT_MANUAL_IF_CONFLICTS +# ACT_MANUAL +# In addition one of these values may be prefixed with a primary email +# address followed by a colon like +# user@domain.tld: ACT_ALWAYS_ACCEPT +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.4 + NAME ( 'kolabInvitationPolicy' 'kolabResourceAction' ) + DESC 'defines how to respond to invitations' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# Begin date of Kolab vacation period. Sender will +# be notified every kolabVacationResendIntervall days +# that recipient is absent until kolabVacationEnd. +# Values in this syntax are encoded as printable strings, +# represented as specified in X.208. +# Note that the time zone must be specified. +# For Kolab we limit ourself to GMT +# YYYYMMDDHHMMZ e.g. 200512311458Z. +# see also: rfc 2252. +# Currently this attribute is not used in Kolab. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.8 + NAME 'kolabVacationBeginDateTime' + DESC 'Begin date of vacation' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +# End date of Kolab vacation period. Sender will +# be notified every kolabVacationResendIntervall days +# that recipient is absent starting from kolabVacationBeginDateTime. +# Values in this syntax are encoded as printable strings, +# represented as specified in X.208. +# Note that the time zone must be specified. +# For Kolab we limit ourself to GMT +# YYYYMMDDHHMMZ e.g. 
200601012258Z. +# see also: rfc 2252. +# Currently this attribute is not used in Kolab. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.9 + NAME 'kolabVacationEndDateTime' + DESC 'End date of vacation' + EQUALITY generalizedTimeMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +# Intervall in days after which senders get +# another vacation message. +# Currently this attribute is not used in Kolab. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.10 + NAME 'kolabVacationResendInterval' + DESC 'Vacation notice interval in days' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +# Email recipient addresses which are handled by the +# vacation script. There can be multiple kolabVacationAddress +# entries for each kolabInetOrgPerson. +# Default is the primary email address and all +# email aliases of the kolabInetOrgPerson. +# Currently this attribute is not used in Kolab. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.11 + NAME 'kolabVacationAddress' + DESC 'Email address for vacation to response upon' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# Enable sending vacation notices in reaction +# unsolicited commercial email. +# Default is no. +# Currently this attribute is not used in Kolab. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.12 + NAME 'kolabVacationReplyToUCE' + DESC 'Enable vacation notices to UCE' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) +# Email recipient domains which are handled by the +# vacation script. There can be multiple kolabVacationReactDomain +# entries for each kolabInetOrgPerson +# Default is to handle all domains. +# Currently this attribute is not used in Kolab. 
+attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.13 + NAME 'kolabVacationReactDomain' + DESC 'Multivalued -- Email domain for vacation to response upon' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# Keep local copy when forwarding emails to list of +# kolabForwardAddress. +# Default is no. +# Currently this attribute is not used in Kolab. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.15 + NAME 'kolabForwardKeepCopy' + DESC 'Keep copy when forwarding' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) +# Enable forwarding of UCE. +# Default is yes. +# Currently this attribute is not used in Kolab. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.16 + NAME 'kolabForwardUCE' + DESC 'Enable forwarding of mails known as UCE' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) +# Describes the allowed or disallowed smtp recipient addresses for mail sent +# by the user associated with the LDAP object this attribute is associated with. +# +# If this attribute is not set for a user or distribution group, +# no Kolab recipient policy does apply. 
+# +# Example entries: +# .tld - allow mail to every recipient for this tld +# domain.tld - allow mail to everyone in domain.tld +# .domain.tld - allow mail to everyone in domain.tld and its subdomains +# user@domain.tld - allow mail to explicit user@domain.tld +# user@ - allow mail to this user but any domain +# -.tld - disallow mail to every recipient for this tld +# -domain.tld - disallow mail to everyone in domain.tld +# -.domain.tld - disallow mail to everyone in domain.tld and its subdomains +# -user@domain.tld - disallow mail to explicit user@domain.tld +# -user@ - disallow mail to this user but any domain +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.18 + NAME 'kolabAllowSMTPRecipient' + DESC 'SMTP address allowed for destination (multi-valued)' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{512} ) +# Jeroen van Meeuwen (Kolab Systems): Unnecessary in this deployment, as users +# will be created on one server only, however we keep this in here to allow the +# mail server to use to be specified from the user provisioning batch operation. +# +# Create the user mailbox on the kolabHomeServer only. +# Default is no. +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.19 + NAME 'kolabHomeServerOnly' + DESC 'Create the user mailbox on the kolabHomeServer only' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 + SINGLE-VALUE ) +# Describes the allowed or disallowed smtp envelope sender addresses used for +# the recipient this attribute is associated with. +# +# If this attribute is not set for a user or distribution +# kolab sender policy does apply. 
+# +# Example entries: +# .tld - allow mail to every recipient for this tld +# domain.tld - allow mail to everyone in domain.tld +# .domain.tld - allow mail to everyone in domain.tld and its subdomains +# user@domain.tld - allow mail to explicit user@domain.tld +# user@ - allow mail to this user but any domain +# -.tld - disallow mail to every recipient for this tld +# -domain.tld - disallow mail to everyone in domain.tld +# -.domain.tld - disallow mail to everyone in domain.tld and its subdomains +# -user@domain.tld - disallow mail to explicit user@domain.tld +# -user@ - disallow mail to this user but any domain +attributeTypes: ( 1.3.6.1.4.1.19414.1.1.1.43 + NAME 'kolabAllowSMTPSender' + DESC 'SMTP envelope sender address accepted for delivery (multi-valued)' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{512} ) +# kolabFolderType describes the kind of Kolab folder +# as defined in the kolab format specification. +# We will annotate all folders with an entry +# /vendor/kolab/folder-type containing the attribute +# value.shared set to: [.]. +# The can be: mail, event, journal, task, note, +# or contact. The for a mail folder can be +# inbox, drafts, sentitems, or junkemail (this one holds +# spam mails). For the other s, it can only be +# default, or not set. For other types of folders +# supported by the clients, these should be prefixed with +# "k-" for KMail, "h-" for Horde and "o-" for Outlook, and +# look like for example "kolab.o-voicemail". Other third-party +# clients shall use the "x-" prefix. +# We then use the ANNOTATEMORE IMAP extension to +# associate the folder type with a folder. 
+attributeTypes: ( 1.3.6.1.4.1.19414.2.1.7 + NAME 'kolabFolderType' + DESC 'type of a kolab folder' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} + SINGLE-VALUE ) +attributeTypes: ( 1.3.6.1.4.1.19414.2.1.8 + NAME 'kolabTargetFolder' + DESC 'Target for a Kolab Shared Folder delivery' + EQUALITY caseExactMatch + SUBSTR caseExactSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{512} + SINGLE-VALUE ) +# cyrus imapd access control list +# acls work with users and groups +attributeTypes: ( 1.3.6.1.4.1.19414.2.1.651 + NAME 'acl' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +# Extended attributes for Resources +attributeTypes: ( 1.3.6.1.4.1.19414.3.1.1 + NAME 'kolabDescAttribute' + DESC 'Descriptive attribute or parameter for a Resource' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +########################## +# kolabfilter attributes # +########################## +# enable trustable 
From: +attributeTypes: ( 1.3.6.1.4.1.19414.2.1.750 + NAME 'kolabfilter-verify-from-header' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) +# should Sender header be allowed instead of From +# when present? +attributeTypes: ( 1.3.6.1.4.1.19414.2.1.751 + NAME 'kolabfilter-allow-sender-header' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) +# Should reject messages with From headers that dont match +# the envelope? Default is to rewrite the header +attributeTypes: ( 1.3.6.1.4.1.19414.2.1.752 + NAME 'kolabfilter-reject-forged-from-header' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 ) +######################## +# kolab object classes # +######################## +# public folders are typically visible to everyone subscribed to +# the server without the need for an extra login. Subfolders are +# defined using the hiarchy seperator '/' e.g. "sf/sub1". Please note +# that the term public folder is prefered to shared folder because +# normal user mailboxes can also share folders using acls. 
+objectClasses: ( 1.3.6.1.4.1.19414.2.2.9 + NAME 'kolabSharedFolder' + DESC 'Kolab public shared folder' + SUP top AUXILIARY + MUST cn + MAY ( acl $ + alias $ + mailHost $ + kolabFolderType $ + kolabDeleteflag $ + kolabDelegate $ + kolabTargetFolder $ + kolabAllowSMTPRecipient $ + kolabAllowSMTPSender $ + owner ) ) +# kolab account +# we use an auxiliary in order to ease integration +# with existing inetOrgPerson objects +# Please note that userPassword is a may +# attribute in the schema but is mandatory for +# Kolab +objectClasses: ( 1.3.6.1.4.1.19414.3.2.2 + NAME 'kolabInetOrgPerson' + DESC 'Kolab Internet Organizational Person' + SUP top AUXILIARY + MAY ( alias $ + mailHost $ + kolabHomeServerOnly $ + kolabDelegate $ + kolabInvitationPolicy $ + kolabVacationBeginDateTime $ + kolabVacationEndDateTime $ + kolabVacationResendInterval $ + kolabVacationAddress $ + kolabVacationReplyToUCE $ + kolabVacationReactDomain $ + kolabForwardKeepCopy $ + kolabForwardUCE $ + kolabAllowSMTPRecipient $ + kolabAllowSMTPSender $ + kolabDeleteflag ) ) +# kolab groupOfNames with extra kolabDeleteflag and the required +# attribute mail. +# The mail attribute for kolab objects of the type kolabGroupOfNames +# is not arbitrary but MUST be a single attribute of the form +# of an valid SMTP address with the CN as the local part. +# E.g cn@kolabdomain (e.g. employees@mydomain.com). The +# mail attribute MUST be globally unique. +objectClasses: ( 1.3.6.1.4.1.19414.3.2.8 + NAME 'kolabGroupOfUniqueNames' + DESC 'Kolab group of names (DNs) derived from RFC2256' + SUP top AUXILIARY + MAY ( mail $ + alias $ + kolabDelegate $ + kolabDeleteflag $ + kolabAllowSMTPRecipient $ + kolabAllowSMTPSender ) ) +# kolab resources +objectClasses: ( 1.3.6.1.4.1.19414.3.2.9 + NAME 'kolabResource' + DESC 'Kolab Resource' + SUP top AUXILIARY + MAY ( kolabInvitationPolicy $ + kolabDescAttribute $ + description $ + owner ) ) 
diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile index 9b0a6aa7..b41b3f08 100644 --- a/docker/kolab/Dockerfile +++ b/docker/kolab/Dockerfile @@ -1,25 +1,26 @@ FROM kolab/centos7:latest RUN yum -y install rsyslog && \ yum --enablerepo=kolab-16-updates-testing -y update pykolab && \ yum clean all COPY kolab-init.service /etc/systemd/system/kolab-init.service COPY kolab-vlv.service /etc/systemd/system/kolab-vlv.service +COPY utils /root/utils RUN rm -rf /etc/systemd/system/multi-user.target.wants/{avahi-daemon,sshd}.* && \ ln -s /etc/systemd/system/kolab-init.service \ /etc/systemd/system/multi-user.target.wants/kolab-init.service && \ ln -s /etc/systemd/system/kolab-vlv.service \ /etc/systemd/system/multi-user.target.wants/kolab-vlv.service RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || : COPY kolab-init.sh /usr/local/sbin/ RUN chmod 750 /usr/local/sbin/kolab-init.sh COPY kolab-vlv.sh /usr/local/sbin/ RUN chmod 750 /usr/local/sbin/kolab-vlv.sh CMD ["/lib/systemd/systemd"] EXPOSE 21/tcp 22/tcp 25/tcp 53/tcp 53/udp 80/tcp 110/tcp 143/tcp 389/tcp 443/tcp 465/tcp 587/tcp 993/tcp 995/tcp 5353/udp 8880/tcp 8443/tcp 8447/tcp diff --git a/docker/kolab/kolab-init.service b/docker/kolab/kolab-init.service index fdbd3db8..b293055d 100644 --- a/docker/kolab/kolab-init.service +++ b/docker/kolab/kolab-init.service @@ -1,9 +1,12 @@ [Unit] Description=Kolab Setup Service +Requires=kolab-setenv.service +After=kolab-setenv.service [Service] Type=oneshot +EnvironmentFile=/etc/openshift-environment ExecStart=/usr/local/sbin/kolab-init.sh [Install] WantedBy=multi-user.target diff --git a/docker/kolab/kolab-init.sh b/docker/kolab/kolab-init.sh index f93ceceb..01915c1c 100755 --- a/docker/kolab/kolab-init.sh +++ b/docker/kolab/kolab-init.sh 
@@ -1,31 +1,31 @@ #!/bin/bash if [ -d "/etc/dirsrv/slapd-kolab/" ]; then exit 0 fi pushd /root/utils/ -./01-reverse-etc-hosts.sh -./02-write-my.cnf.sh -./03-setup-kolab.sh -./04-reset-mysql-kolab-password.sh -./05-replace-localhost.sh -./06-mysql-for-kolabdev.sh -./07-adjust-base-dns.sh -./08-disable-amavisd.sh -./09-enable-debugging.sh -./10-reset-kolab-service-password.sh -./11-reset-cyrus-admin-password.sh -./12-create-hosted-kolab-service.sh -./13-create-ou-domains.sh -./14-create-management-domain.sh -./15-create-hosted-domain.sh -./16-remove-cn-kolab-cn-config.sh -./17-remove-hosted-service-access-from-mgmt-domain.sh -./18-adjust-kolab-conf.sh -./19-turn-on-vlv-in-roundcube.sh -./20-add-alias-attribute-index.sh -./21-adjust-postfix-config.sh +./01-reverse-etc-hosts.sh && echo "01 done" +./02-write-my.cnf.sh && echo "02 done" +./03-setup-kolab.sh && echo "03 done" +./04-reset-mysql-kolab-password.sh && echo "04 done" +./05-replace-localhost.sh && echo "05 done" +./06-mysql-for-kolabdev.sh && echo "06 done" +./07-adjust-base-dns.sh && echo "07 done" +./08-disable-amavisd.sh && echo "08 done" +./09-enable-debugging.sh && echo "09 done" +./10-reset-kolab-service-password.sh && echo "10 done" +./11-reset-cyrus-admin-password.sh && echo "11 done" +./12-create-hosted-kolab-service.sh && echo "12 done" +./13-create-ou-domains.sh && echo "13 done" +./14-create-management-domain.sh && echo "14 done" +./15-create-hosted-domain.sh && echo "15 done" +./16-remove-cn-kolab-cn-config.sh && echo "16 done" +./17-remove-hosted-service-access-from-mgmt-domain.sh && echo "17 done" +./18-adjust-kolab-conf.sh && echo "18 done" +./19-turn-on-vlv-in-roundcube.sh && echo "19 done" +./20-add-alias-attribute-index.sh && echo "20 done" +./21-adjust-postfix-config.sh && echo "21 done" touch /tmp/kolab-init.done diff --git a/docker/kolab/kolab-setenv.service b/docker/kolab/kolab-setenv.service new file mode 100644 index 00000000..d460888c --- /dev/null 
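Review bot: The `&& echo "NN done"` suffixes only report success; because the script has no `set -e` and each step is an independent statement, a failing step (for example `./10-reset-kolab-service-password.sh` or `./11-reset-cyrus-admin-password.sh`) is skipped over, the remaining steps run against a half-configured system, and `touch /tmp/kolab-init.done` still marks the init as complete — with the default credentials left in place. Add `set -euo pipefail` after the shebang, or make each line fail-stop: `./10-reset-kolab-service-password.sh && echo "10 done" || { echo "10 failed"; exit 1; }`. The early-exit guard on `/etc/dirsrv/slapd-kolab/` is unchanged; when `LDAP_HOST` points at an external directory that path presumably never exists on this container, so the whole sequence would re-run on every boot — worth confirming.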
+++ b/docker/kolab/kolab-setenv.service @@ -0,0 +1,9 @@ +[Unit] +Description=Kolab Set Environment + +[Service] +Type=oneshot +ExecStart=/bin/bash -c "cat /proc/1/environ | tr '\0' '\n' > /etc/openshift-environment" + +[Install] +WantedBy=multi-user.target diff --git a/docker/kolab/utils/02-write-my.cnf.sh b/docker/kolab/utils/02-write-my.cnf.sh index df221775..d838c62e 100755 --- a/docker/kolab/utils/02-write-my.cnf.sh +++ b/docker/kolab/utils/02-write-my.cnf.sh @@ -1,9 +1,8 @@ #!/bin/bash cat > /root/.my.cnf << EOF [client] -host=127.0.0.1 +host=${DB_HOST:-127.0.0.1} user=root -password=Welcome2KolabSystems +password=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} EOF - diff --git a/docker/kolab/utils/03-setup-kolab.sh b/docker/kolab/utils/03-setup-kolab.sh index 5637cb0f..53efe656 100755 --- a/docker/kolab/utils/03-setup-kolab.sh +++ b/docker/kolab/utils/03-setup-kolab.sh @@ -1,11 +1,17 @@ #!/bin/bash +if [ -f /root/kolab.conf.template ]; then + eval "echo \"$(cat /root/kolab.conf.template)\"" > /root/kolab.conf.ref + KOLAB_CONFIG_REF="--config=/root/kolab.conf.ref" + cp -f ${KOLAB_CONFIG_REF#--config=} /etc/kolab/kolab.conf +fi + setup-kolab \ - --default \ - --fqdn=kolab.mgmt.com \ + --default ${LDAP_HOST+--without-ldap} ${KOLAB_CONFIG_REF} \ + --fqdn=kolab.mgmt.com \ --timezone=Europe/Zurich \ - --mysqlhost=127.0.0.1 \ + --mysqlhost=${DB_HOST:-127.0.0.1} \ --mysqlserver=existing \ - --mysqlrootpw=Welcome2KolabSystems \ - --directory-manager-pwd=Welcome2KolabSystems 2>&1 | tee /root/setup-kolab.log + --mysqlrootpw=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ + --directory-manager-pwd=${LDAP_ADMIN_BIND_PW:-Welcome2KolabSystems} 2>&1 | tee /root/setup-kolab.log diff --git a/docker/kolab/utils/04-reset-mysql-kolab-password.sh b/docker/kolab/utils/04-reset-mysql-kolab-password.sh index 07a18ad1..e0014f4d 100755 --- a/docker/kolab/utils/04-reset-mysql-kolab-password.sh +++ b/docker/kolab/utils/04-reset-mysql-kolab-password.sh 
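Review bot: `ExecStart` dumps the entire PID 1 environment — which, given the variables read by `settings.sh` and the `utils/` scripts, includes `DB_ROOT_PASSWORD`, `LDAP_ADMIN_BIND_PW` and the other secrets — into `/etc/openshift-environment` through a plain shell redirect, so the file is created under the default umask and is readable by every local user and service account in the container. Restrict it before writing, e.g. `ExecStart=/bin/bash -c "umask 077; cat /proc/1/environ | tr '\0' '\n' > /etc/openshift-environment"`. Note also that systemd's `EnvironmentFile` parser interprets quotes and backslashes, so a value containing `"`, `\` or a newline will be read back differently from the original environment; a comment above `ExecStart` documenting that limitation would help the next maintainer.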
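Review bot: `eval "echo \"$(cat /root/kolab.conf.template)\""` runs the template through the shell, so any `$(...)`, backtick or unbalanced `"` in the template — including inside a password value substituted into it — is executed or breaks the expansion, and the rendered file carries whatever backslash handling `echo` applies. A renderer that only substitutes variables, such as `envsubst < /root/kolab.conf.template > /root/kolab.conf.ref` (if gettext is available in this image), avoids that. Separately, `--mysqlrootpw=` and `--directory-manager-pwd=` now carry `DB_ROOT_PASSWORD` / `LDAP_ADMIN_BIND_PW` on the `setup-kolab` command line, where they are visible to any process via `ps`; if `setup-kolab` can read them from its config file this `${KOLAB_CONFIG_REF}` path would be the better channel, and the `tee`'d `/root/setup-kolab.log` should be checked for echoed arguments.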
@@ -1,7 +1,12 @@ #!/bin/bash sqlpw=$(grep ^sql_uri /etc/kolab/kolab.conf | awk -F':' '{print $3}' | awk -F'@' '{print $1}') -mysql -h 127.0.0.1 -u root --password=Welcome2KolabSystems \ - -e "SET PASSWORD FOR 'kolab'@'localhost' = PASSWORD('${sqlpw}');" +mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD} \ + -e "SET PASSWORD FOR '${DB_HKCCP_USERNAME:-kolabdev}'@'%' = PASSWORD('${DB_HKCCP_PASSWORD:-Welcome2KolabSystems}');" +mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD} \ + -e "SET PASSWORD FOR '${DB_KOLAB_USERNAME:-kolab}'@'%' = PASSWORD('${DB_KOLAB_PASSWORD:=$sqlpw}');" + +mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD} \ + -e "SET PASSWORD FOR '${DB_RC_USERNAME:-roundcube}'@'%' = PASSWORD('${DB_RC_PASSWORD:-Welcome2KolabSystems}');" diff --git a/docker/kolab/utils/05-replace-localhost.sh b/docker/kolab/utils/05-replace-localhost.sh index d7b783f0..c8f4be47 100755 --- a/docker/kolab/utils/05-replace-localhost.sh +++ b/docker/kolab/utils/05-replace-localhost.sh 
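Review bot: This script drops the `:-` defaults the sibling scripts use — `mysql -h ${DB_HOST} -u root --password=${DB_ROOT_PASSWORD}` with both variables unset expands to `-h -u root --password=`, so it breaks in exactly the local-default case where `02-write-my.cnf.sh` and `06-mysql-for-kolabdev.sh` still work. Since `02-write-my.cnf.sh` already wrote the same host, user and password to `/root/.my.cnf`, the three invocations can simply be `mysql -e "..."`, which also keeps the root password out of the process list. The accounts are now addressed as `'user'@'%'` instead of `localhost`, which is needed for a remote `DB_HOST` but lets any host that can reach the database use these passwords; also, `SET PASSWORD` fails when the `@'%'` account does not yet exist, and the `kolabdev` account is only created in step 06, which `kolab-init.sh` runs after this one.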
@@ -1,23 +1,31 @@ #!/bin/bash -mysql -h 127.0.0.1 -u root --password=Welcome2KolabSystems \ - -e "UPDATE mysql.db SET Host = '127.0.0.1' WHERE Host = 'localhost';" +if [[ ${DB_HOST} == "localhost" || ${DB_HOST} == "127.0.0.1" ]]; then + mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ + -e "UPDATE mysql.db SET Host = '127.0.0.1' WHERE Host = 'localhost';" + + mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ + -e "UPDATE mysql.user SET Host = '127.0.0.1' WHERE Host = 'localhost';" + + mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ + -e "FLUSH PRIVILEGES;" +fi -mysql -h 127.0.0.1 -u root --password=Welcome2KolabSystems \ - -e "UPDATE mysql.user SET Host = '127.0.0.1' WHERE Host = 'localhost';" - -mysql -h 127.0.0.1 -u root --password=Welcome2KolabSystems \ - -e "FLUSH PRIVILEGES;" - -sed -i -e 's/localhost/127.0.0.1/g' \ - /etc/imapd.conf \ - /etc/iRony/dav.inc.php \ - /etc/kolab/kolab.conf \ - /etc/kolab-freebusy/config.ini \ - /etc/postfix/ldap/*.cf \ - /etc/roundcubemail/password.inc.php \ - /etc/roundcubemail/kolab_auth.inc.php \ - /etc/roundcubemail/config.inc.php \ - /etc/roundcubemail/calendar.inc.php +sed -i -e "s#^ldap_servers:.*#ldap_servers: ldap://${LDAP_HOST:-127.0.0.1}:389#" /etc/imapd.conf +sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/iRony/dav.inc.php +sed -i -e "s#^ldap_uri.*#ldap_uri = ldap://${LDAP_HOST:-127.0.0.1}:389#" \ + -e "s#^cache_uri.*mysql://\(.*\):\(.*\)@\(.*\)\/\(.*\)#cache_uri = mysql://${DB_KOLAB_USERNAME:-\1}:${DB_KOLAB_PASSWORD:-\2}@${DB_HOST:-127.0.0.1}/${DB_KOLAB_DATABASE:-\4}#" \ + -e "s#^sql_uri.*mysql://\(.*\):\(.*\)@\(.*\)\/\(.*\)#sql_uri = mysql://${DB_KOLAB_USERNAME:-\1}:${DB_KOLAB_PASSWORD:-\2}@${DB_HOST:-127.0.0.1}/${DB_KOLAB_DATABASE:-\4}#" \ + -e "s#^uri.*#uri = imaps://${IMAP_HOST:-127.0.0.1}:993#" /etc/kolab/kolab.conf +sed -i -e 
"/host/s/localhost/${LDAP_HOST:-127.0.0.1}/g" \ + -e "/fbsource/s/localhost/${IMAP_HOST:-127.0.0.1}/g" /etc/kolab-freebusy/config.ini +sed -i -e "s/server_host.*/server_host = ${LDAP_HOST:-127.0.0.1}/g" /etc/postfix/ldap/* +sed -i -e "/password_ldap_host/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/password.inc.php +sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/kolab_auth.inc.php +sed -i -e "#db_dsnw#s#=.*$#= mysqli//${DB_RC_USERNAME:-roundcube}:${DB_RC_PASSWORD:-Welcome2KolabSystems}@${DB_HOST:-127.0.0.1}/${DB_RC_DATABASE:-roundcube}#" \ + -e "/default_host/s/localhost/${IMAP_HOST:-127.0.0.1}/" \ + -e "/smtp_server/s/localhost/${MAIL_HOST:-127.0.0.1}/" \ + -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/config.inc.php +sed -i -e "/hosts/s/localhost/${LDAP_HOST:-127.0.0.1}/" /etc/roundcubemail/calendar.inc.php systemctl restart cyrus-imapd postfix diff --git a/docker/kolab/utils/06-mysql-for-kolabdev.sh b/docker/kolab/utils/06-mysql-for-kolabdev.sh index 7e9bb269..6d3df98f 100755 --- a/docker/kolab/utils/06-mysql-for-kolabdev.sh +++ b/docker/kolab/utils/06-mysql-for-kolabdev.sh 
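Review bot: The Roundcube `db_dsnw` rewrite cannot work as written: inside double quotes `$#` expands to the shell's positional-parameter count, so the sed script becomes `#db_dsnw#s#=.*0= mysqli//...`, and even with that escaped a leading `#` starts a comment in GNU sed (a custom address delimiter needs `\#db_dsnw#`); the replacement also spells the scheme `mysqli//` without the colon. The net effect is that Roundcube keeps its previous DSN — host and credentials — while the rest of the stack moves to `DB_HOST`. Use `-e "/db_dsnw/s#=.*#= 'mysqli://${DB_RC_USERNAME:-roundcube}:${DB_RC_PASSWORD:-Welcome2KolabSystems}@${DB_HOST:-127.0.0.1}/${DB_RC_DATABASE:-roundcube}';#"`, confirming the quoting and terminator against the actual line in `config.inc.php`. Because passwords are interpolated into sed expressions delimited by `#` (and `/` elsewhere), a secret containing `#`, `/`, `&` or `\` will also corrupt the edit; rendering these files with `envsubst` or validating the secret charset would be safer. Finally, `ldap_uri = ldap://${LDAP_HOST}:389` and `ldap_servers: ldap://...` send the bind password in clear text once `LDAP_HOST` is a remote container, whereas IMAP is switched to `imaps://`; `ldaps://` or STARTTLS should be considered for consistency.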
@@ -1,11 +1,11 @@ #!/bin/bash -mysql -h 127.0.0.1 -u root --password=Welcome2KolabSystems \ - -e "CREATE DATABASE kolabdev;" +mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ + -e "CREATE DATABASE IF NOT EXISTS ${DB_HKCCP_DATABASE:-kolabdev};" -mysql -h 127.0.0.1 -u root --password=Welcome2KolabSystems \ - -e "GRANT ALL PRIVILEGES ON kolabdev.* TO 'kolabdev'@'127.0.0.1' IDENTIFIED BY 'kolab';" +mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ + -e "GRANT ALL PRIVILEGES ON ${DB_HKCCP_DATABASE:-kolabdev}.* TO '${DB_HKCCP_USERNAME:-kolabdev}'@'%' IDENTIFIED BY '${DB_HKCCP_PASSWORD:-kolab}';" -mysql -h 127.0.0.1 -u root --password=Welcome2KolabSystems \ +mysql -h ${DB_HOST:-127.0.0.1} -u root --password=${DB_ROOT_PASSWORD:-Welcome2KolabSystems} \ -e "FLUSH PRIVILEGES;" diff --git a/docker/kolab/utils/07-adjust-base-dns.sh b/docker/kolab/utils/07-adjust-base-dns.sh index 398d7435..b8894906 100755 --- a/docker/kolab/utils/07-adjust-base-dns.sh +++ b/docker/kolab/utils/07-adjust-base-dns.sh 
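Review bot: The default password for the `kolabdev` account disagrees between scripts: here `GRANT ... IDENTIFIED BY '${DB_HKCCP_PASSWORD:-kolab}'` falls back to `kolab`, while `04-reset-mysql-kolab-password.sh` falls back to `Welcome2KolabSystems`, so with `DB_HKCCP_PASSWORD` unset the effective credential depends on execution order rather than on configuration. Pick one default — or better, fail when the variable is unset — and use it in both places, e.g. `IDENTIFIED BY '${DB_HKCCP_PASSWORD:?DB_HKCCP_PASSWORD must be set}'`. The grant is now `ALL PRIVILEGES` to `'kolabdev'@'%'`, which lets any host that can reach the database use this account; if only the Kolab and web containers need it, restrict the host pattern or the privilege set.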
@@ -1,24 +1,26 @@ #!/bin/bash . ./settings.sh echo "ldap_domain_base_dn: ${domain_base_dn}" >> /etc/imapd.conf sed -i -r \ -e "s/(\s+)base => '.*',$/\1base => '${hosted_domain_rootdn}',/g" \ + -e "/\\\$mydomain = / a\ +\$myhostname = '${HOSTNAME:-kolab}.${DOMAIN:-mgmt.com}';" \ -e "s/^base_dn = .*$/base_dn = ${hosted_domain_rootdn}/g" \ -e "s/^search_base = .*$/search_base = ${hosted_domain_rootdn}/g" \ -e "s/(\s+)'base_dn'(\s+)=> '.*',/\1'base_dn'\2=> '${hosted_domain_rootdn}',/g" \ -e "s/(\s+)'search_base_dn'(\s+)=> '.*',/\1'search_base_dn'\2=> '${hosted_domain_rootdn}',/g" \ -e "s/(\s+)'user_specific'(\s+)=> false,/\1'user_specific'\2=> true,/g" \ /etc/amavisd/amavisd.conf \ /etc/kolab-freebusy/config.ini \ /etc/postfix/ldap/*.cf \ /etc/roundcubemail/config.inc.php \ /etc/roundcubemail/kolab_auth.inc.php sed -i -r \ -e "s/^search_base = .*$/search_base = ${domain_base_dn}/g" \ /etc/postfix/ldap/mydestination.cf systemctl restart cyrus-imapd postfix diff --git a/docker/kolab/utils/12-create-hosted-kolab-service.sh b/docker/kolab/utils/12-create-hosted-kolab-service.sh index 6af577ff..9e42381a 100755 --- a/docker/kolab/utils/12-create-hosted-kolab-service.sh +++ b/docker/kolab/utils/12-create-hosted-kolab-service.sh @@ -1,16 +1,17 @@ #!/bin/bash - . ./settings.sh +. ./settings.sh + ( echo "dn: uid=hosted-kolab-service,ou=Special Users,${rootdn}" echo "objectclass: top" echo "objectclass: inetorgperson" echo "objectclass: person" echo "uid: hosted-kolab-service" echo "cn: Hosted Kolab Service Account" echo "sn: Service Account" echo "givenname: Hosted Kolab" echo "userpassword: ${hosted_kolab_service_pw}" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/docker/kolab/utils/13-create-ou-domains.sh b/docker/kolab/utils/13-create-ou-domains.sh index 400002d7..7ec8d6da 100755 --- a/docker/kolab/utils/13-create-ou-domains.sh +++ b/docker/kolab/utils/13-create-ou-domains.sh 
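Review bot: The service account is created with `ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"`: `-x` is a simple bind with no TLS, and since `settings.sh` now lets `ldap_host` be a remote container via `LDAP_HOST`, the Directory Manager password and the cleartext `userpassword` of `hosted-kolab-service` cross the container network unencrypted; `-w` additionally exposes the bind password to `ps` inside the container. Prefer `ldapadd -x -ZZ -H "ldap://${ldap_host}" -D "${ldap_binddn}" -y /path/to/bindpw-file` (or an `ldaps://` URI), and apply the same to the other `ldapadd`/`ldapmodify` calls in `utils/`. Whether the `userpassword:` value is hashed at rest depends on the directory's password-storage scheme, which is not visible here.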
@@ -1,10 +1,11 @@ #!/bin/bash . ./settings.sh + ( echo "dn: ou=Domains,${rootdn}" echo "ou: Domains" echo "objectClass: top" echo "objectClass: organizationalunit" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/docker/kolab/utils/14-create-management-domain.sh b/docker/kolab/utils/14-create-management-domain.sh index 98184bb2..973a47af 100755 --- a/docker/kolab/utils/14-create-management-domain.sh +++ b/docker/kolab/utils/14-create-management-domain.sh @@ -1,14 +1,15 @@ #!/bin/bash - . ./settings.sh +. ./settings.sh + ( echo "dn: associateddomain=${domain},${domain_base_dn}" echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)" echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" echo "inetDomainStatus: active" echo "objectClass: top" echo "objectClass: domainrelatedobject" echo "objectClass: inetdomain" echo "associatedDomain: ${domain}" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/docker/kolab/utils/15-create-hosted-domain.sh b/docker/kolab/utils/15-create-hosted-domain.sh index 9e15ae0f..96647adb 100755 --- a/docker/kolab/utils/15-create-hosted-domain.sh +++ b/docker/kolab/utils/15-create-hosted-domain.sh 
@@ -1,99 +1,99 @@ #!/bin/bash . ./settings.sh ( - echo "dn: associateddomain=${hosted_domain},ou=Domains,${rootdn}" + echo "dn: associateddomain=${hosted_domain},${domain_base_dn}" echo "objectclass: top" echo "objectclass: domainrelatedobject" echo "objectclass: inetdomain" echo "inetdomainstatus: active" echo "associateddomain: ${hosted_domain}" echo "inetdomainbasedn: ${hosted_domain_rootdn}" echo "" echo "dn: cn=$(echo ${hosted_domain_rootdn} | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g'),cn=mapping tree,cn=config" echo "objectClass: top" echo "objectClass: extensibleObject" echo "objectClass: nsMappingTree" echo "nsslapd-state: backend" echo "cn: ${hosted_domain_rootdn}" echo "nsslapd-backend: $(echo ${hosted_domain} | sed -e 's/\./_/g')" echo "" echo "dn: cn=$(echo ${hosted_domain} | sed -e 's/\./_/g'),cn=ldbm database,cn=plugins,cn=config" echo "objectClass: top" echo "objectClass: extensibleobject" echo "objectClass: nsbackendinstance" echo "cn: $(echo ${hosted_domain} | sed -e 's/\./_/g')" echo "nsslapd-suffix: ${hosted_domain_rootdn}" echo "nsslapd-cachesize: -1" echo "nsslapd-cachememsize: 10485760" echo "nsslapd-readonly: off" echo "nsslapd-require-index: off" - echo "nsslapd-directory: /var/lib/dirsrv/slapd-$(hostname -s)/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')" + echo "nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')" echo "nsslapd-dncachememsize: 10485760" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" ( echo "dn: ${hosted_domain_rootdn}" echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || 
userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)" echo "aci: (targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${hosted_domain_rootdn}\" or roledn=\"ldap:///cn=kolab-admin,${hosted_domain_rootdn}\");)" echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)" echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)" echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)" echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)" echo "aci: (targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)" echo "objectClass: top" echo "objectClass: domain" echo "dc: $(echo ${hosted_domain} | cut -d'.' 
-f 1)" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" ( for role in "2fa-user" "activesync-user" "imap-user"; do echo "dn: cn=${role},${hosted_domain_rootdn}" echo "cn: ${role}" echo "description: ${role} role" echo "objectclass: top" echo "objectclass: ldapsubentry" echo "objectclass: nsmanagedroledefinition" echo "objectclass: nsroledefinition" echo "objectclass: nssimpleroledefinition" echo "" done echo "dn: ou=Groups,${hosted_domain_rootdn}" echo "ou: Groups" echo "objectClass: top" echo "objectClass: organizationalunit" echo "" echo "dn: ou=People,${hosted_domain_rootdn}" echo "aci: (targetattr = \"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" echo "ou: People" echo "objectClass: top" echo "objectClass: organizationalunit" echo "" echo "dn: ou=Special Users,${hosted_domain_rootdn}" echo "ou: Special Users" echo "objectClass: top" echo "objectClass: organizationalunit" echo "" echo "dn: ou=Resources,${hosted_domain_rootdn}" echo "ou: Resources" echo "objectClass: top" echo "objectClass: organizationalunit" echo "" echo "dn: ou=Shared Folders,${hosted_domain_rootdn}" echo "ou: Shared Folders" echo "objectClass: top" echo "objectClass: organizationalunit" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh b/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh index 5460d8e1..3f930c81 100755 --- a/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh +++ b/docker/kolab/utils/17-remove-hosted-service-access-from-mgmt-domain.sh 
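Review bot: `nsslapd-directory` now derives the instance name from `${DS_INSTANCE_NAME:-$(hostname -s)}`, but the `SIE Group` aci further down still hardcodes `cn=slapd-$(hostname -s),...,cn=$(hostname -f),ou=${domain},o=NetscapeRoot`, so with a separate directory-server container that `allow (all)` grant names a group derived from the Kolab container's hostname rather than the actual 389-ds instance — a dangling, misleading reference at best. Use the same expression in both places, e.g. `cn=slapd-${DS_INSTANCE_NAME:-$(hostname -s)},cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot` with a matching variable for the FQDN, or drop the SIE/`o=NetscapeRoot` acis if the console-era tree is not deployed. The `Search Access` aci granting every authenticated entry under the hosted domain `read,compare,search` on `(targetattr = "*")` is pre-existing but worth re-checking now that this suffix is provisioned on a shared server.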
@@ -1,11 +1,12 @@ #!/bin/bash - . ./settings.sh +. ./settings.sh + ( echo "dn: associateddomain=${domain},ou=Domains,${rootdn}" echo "changetype: modify" echo "replace: aci" echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)" echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" echo "" ) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/docker/kolab/utils/20-add-alias-attribute-index.sh b/docker/kolab/utils/20-add-alias-attribute-index.sh index 6f0e1d50..a43c582c 100755 --- a/docker/kolab/utils/20-add-alias-attribute-index.sh +++ b/docker/kolab/utils/20-add-alias-attribute-index.sh 
@@ -1,55 +1,55 @@ #!/bin/bash - . ./settings.sh +. ./settings.sh export index_attr=alias ( echo "dn: cn=${index_attr},cn=index,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config" echo "objectclass: top" echo "objectclass: nsindex" echo "cn: ${index_attr}" echo "nsSystemIndex: false" echo "nsindextype: pres" echo "nsindextype: eq" echo "nsindextype: sub" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c ( echo "dn: cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" echo "objectclass: top" echo "objectclass: extensibleObject" echo "cn: ${hosted_domain_db} ${index_attr} index" echo "nsinstance: ${hosted_domain_db}" echo "nsIndexAttribute: ${index_attr}:pres" echo "nsIndexAttribute: ${index_attr}:eq" echo "nsIndexAttribute: ${index_attr}:sub" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c ldap_complete=0 while [ ${ldap_complete} -ne 1 ]; do result=$( ldapsearch \ -x \ -h ${ldap_host} \ -D "${ldap_binddn}" \ -w "${ldap_bindpw}" \ -c \ -LLL \ -b "cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" \ '(!(nstaskexitcode=0))' \ -s base 2>/dev/null ) if [ -z "$result" ]; then ldap_complete=1 echo "" else echo -n "." sleep 1 fi done diff --git a/docker/kolab/utils/settings.sh b/docker/kolab/utils/settings.sh index b164c4f4..503f39e8 100755 --- a/docker/kolab/utils/settings.sh +++ b/docker/kolab/utils/settings.sh 
@@ -1,23 +1,23 @@ #!/bin/bash -export rootdn="dc=mgmt,dc=com" -export domain="mgmt.com" -export domain_db="mgmt_com" -export ldap_host="127.0.0.1" -export ldap_binddn="cn=Directory Manager" -export ldap_bindpw="Welcome2KolabSystems" +export rootdn=${LDAP_ADMIN_ROOT_DN:-"dc=mgmt,dc=com"} +export domain=${DOMAIN:-"mgmt.com"} +export domain_db=${DOMAIN_DB:-"mgmt_com"} +export ldap_host=${LDAP_HOST:-"127.0.0.1"} +export ldap_binddn=${LDAP_ADMIN_BIND_DN:-"cn=Directory Manager"} +export ldap_bindpw=${LDAP_ADMIN_BIND_PW:-"Welcome2KolabSystems"} -export cyrus_admin="cyrus-admin" +export cyrus_admin=${IMAP_ADMIN_LOGIN:-"cyrus-admin"} -export imap_host="127.0.0.1" -export cyrus_admin_pw="Welcome2KolabSystems" +export imap_host=${IMAP_HOST:-"127.0.0.1"} +export cyrus_admin_pw=${IMAP_ADMIN_PASSWORD:-"Welcome2KolabSystems"} -export hosted_kolab_service_pw="Welcome2KolabSystems" +export hosted_kolab_service_pw=${LDAP_HOSTED_BIND_PW:-"Welcome2KolabSystems"} -export hosted_domain="hosted.com" -export hosted_domain_db="hosted_com" -export hosted_domain_rootdn="dc=hosted,dc=com" +export hosted_domain=${HOSTED_DOMAIN:-"hosted.com"} +export hosted_domain_db=${HOSTED_DOMAIN_DB:-"hosted_com"} +export hosted_domain_rootdn=${LDAP_HOSTED_ROOT_DN:-"dc=hosted,dc=com"} -export domain_base_dn="ou=Domains,dc=mgmt,dc=com" +export domain_base_dn=${LDAP_DOMAIN_BASE_DN:-"ou=Domains,dc=mgmt,dc=com"} -export default_user_password="Welcome2KolabSystems" +export default_user_password=${DEFAULT_USER_PASSWORD:-"Welcome2KolabSystems"} diff --git a/src/.s2i/bin/assemble b/src/.s2i/bin/assemble new file mode 100755 index 00000000..824ac58f --- /dev/null +++ b/src/.s2i/bin/assemble 
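Review bot: Every credential here (`ldap_bindpw`, `cyrus_admin_pw`, `hosted_kolab_service_pw`, `default_user_password`) still falls back to the published value `Welcome2KolabSystems` when its environment variable is absent, so a deployment that forgets one variable silently runs with a known password instead of failing. For the secrets use the `:?` form so the init aborts loudly, e.g. `export ldap_bindpw=${LDAP_ADMIN_BIND_PW:?LDAP_ADMIN_BIND_PW is not set}`, keeping `:-` defaults only for non-secret values such as hosts and DNs; if the defaults must stay for local development, gate them on an explicit opt-in variable. A comment at the top listing which variables are required in production would make the contract explicit.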
@@ -0,0 +1,24 @@ +#!/bin/bash + +set -e + +shopt -s dotglob +echo "--->> $(rm -vrf vendor/ composer.lock)" + +cp -v /tmp/src/.env.example .env + +if [ -f ".env.local" ]; then + # Ensure there's a line ending + echo "----> Apend .env.local" + echo "" >> .env + cat .env.local >> .env +fi + +/usr/libexec/s2i/assemble + +pushd /opt/app-root/src + +echo "----> Run npm run dev" +npm install cross-env +npm run dev + diff --git a/src/.s2i/bin/run b/src/.s2i/bin/run new file mode 100755 index 00000000..b1ce2ecf --- /dev/null +++ b/src/.s2i/bin/run @@ -0,0 +1,55 @@ +#!/bin/bash + +shopt -s dotglob + +pushd /opt/app-root/src + +echo "----> Remove bootstrap cache" +find bootstrap/cache/ -type f ! -name ".gitignore" -delete + +if [ -z ${APP_KEY} ]; then + echo "----> Run artisan key:generate" + ./artisan key:generate +fi + +if [ -z ${JWT_SECRET} ]; then + echo "----> Run artisan jwt:secret" + ./artisan jwt:secret --always-no +fi + +echo "----> Run artisan clear-compiled" +./artisan clear-compiled + +echo "----> Run artisan cache:clear" +./artisan ${ARTISAN_VERBOSITY} cache:clear || true + +# rpm -qv chromium +# if [ ! -z "$(rpm -qv chromium 2>/dev/null)" ]; then +# echo "---- Run artisan dusk:chrome-driver" +# chver=$(rpmquery --queryformat="%{VERSION}" chromium | awk -F'.' '{print $1}') +# ./artisan dusk:chrome-driver ${chver} +# fi + +if [ ! -f 'resources/countries.php' ]; then + echo "----> Run artisan data:countries" + ./artisan data:countries +fi + +rm -rvf bootstrap/cache/ +mkdir -vp bootstrap/cache/ +chown default bootstrap/cache + +case ${HKCCP_APP} in + worker|WORKER ) + echo "----> Running worker " + ./artisan queue:work;; + server|SERVER ) + echo "----> Running server " + ./artisan serve;; + apache|APACHE|httpd|HTTPD ) + echo "----> Starting httpd " + /usr/libexec/s2i/run;; + * ) + echo "----> Sleeping" + sleep 10000;; +esac
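Review bot: `rm -vrf vendor/ composer.lock` throws away the dependency lockfile before `/usr/libexec/s2i/assemble` runs, so the subsequent composer install resolves to whatever versions are current at build time — the build is no longer reproducible and silently picks up new upstream releases; the same applies to the unpinned `npm install cross-env`. Keep the lockfile and pin the package: `rm -vrf vendor/` and `npm install cross-env@<pinned version>`, or declare `cross-env` in `package.json` so the existing lockfile covers it. Appending `.env.local` to `.env` also bakes that file's contents — typically local secrets — into the image layer; ensure `.env.local` is excluded from production build contexts or read it at run time instead.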
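Review bot: `[ -z ${APP_KEY} ]` and `[ -z ${JWT_SECRET} ]` are unquoted, so a value containing whitespace turns into a test syntax error, and when the variables are genuinely unset each container generates its own `APP_KEY`/`JWT_SECRET`: with the `worker`/`server` split in the `case` below, two replicas end up with different keys, so encrypted values and JWTs issued by one instance are rejected by another, and the generated key presumably lives only in that container's `.env`. Quote the tests (`if [ -z "${APP_KEY}" ]; then`) and, outside local development, fail instead of generating: `echo "APP_KEY must be provided"; exit 1`. `chown default bootstrap/cache` after `rm -rvf bootstrap/cache/` runs at start-up as whichever user the image uses — a no-op if that is already `default`, a failure without root otherwise — so confirm which is intended. The fallback `sleep 10000` exits after roughly 2.8 hours and restarts the container; `sleep infinity` is the usual idle pattern, and `exec ./artisan ...` in the other branches would let the process receive signals as PID 1.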