Я исхожу из правила:

if количество пользователей в организации или группы сервисов > 5

then использовать единую систему авторизации

fi

Зачем нам иметь несколько сервисов и в каждом свой пароль (или везде одинаковый), если придётся вручную создавать в каждом из них пользователя с атрибутами, а при удалении/блокировке пользователя — тоже везде бегать руками.

FreeIPA меня устраивает интерфейсом и тем, что это open source: не нужно покупать лицензии. Конечно, можно использовать и OpenLDAP.

В данной статье я покажу пример, как собрать в одно целое почту, календарь, адресную книгу и отдать это через Microsoft ActiveSync / CalDAV / CardDAV.

Установка FreeIPA не входит в данную статью — тут только конфиги: как искать пользователей для postfix, dovecot и SOGo.

Для работы postfix и dovecot с LDAP нужно установить пакеты postfix-ldap и dovecot-ldap:

# Debian/Ubuntu: LDAP lookup backends for Postfix and Dovecot.
sudo apt install postfix-ldap dovecot-ldap

В LDAP-каталоге создаём пользователя, который имеет права на чтение каталога (по факту — обычного пользователя); от его имени будут выполняться поиски в конфигах ниже.

Примеры конфигов postfix:

 


ldap:/etc/postfix/ldap/mailgroups.cf

 

# Postfix LDAP table: /etc/postfix/ldap/mailgroups.cf
# Expands a group name (the local part of the looked-up address) into the
# Kerberos principals of the group's members: the group entry is found by cn,
# every DN in its "member" attribute is fetched (special_result_attribute),
# and each member's krbprincipalname is returned.
debuglevel = 0

# Two IPA servers (comma/whitespace separated list).
server_host     = ipa1, ipa2

server_port     = 389

version         = 3

# Simple bind with the service account below (no anonymous lookups).
bind            = yes

# SECURITY: start_tls = no on port 389 sends bind_pw in cleartext on every
# lookup. Once the IPA CA certificate is available on this host, switch to
#   start_tls        = yes
#   tls_require_cert = yes
#   tls_ca_cert_file = <path-to-IPA-CA-certificate>
start_tls       = no

bind_dn         = uid=system_mail_user,cn=users,cn=accounts,dc=example,dc=net

# Cleartext service-account password: keep this file readable only by root
# and the postfix group (e.g. owner root:postfix, mode 0640).
bind_pw         = parol_ot_polzovatelya_vishe

search_base     = cn=accounts,dc=example,dc=net

scope           = sub

# Seconds to wait for an LDAP answer before the lookup is treated as a
# temporary failure.
timeout = 3

# %u = local part of the looked-up address, RFC 2254-quoted by Postfix, so
# the lookup key cannot alter the filter. Only groups that are themselves
# members of mail_groups are expanded.
query_filter = (&(cn=%u)(memberof=cn=mail_groups,cn=groups,cn=accounts,dc=example,dc=net))

# result_filter is the pre-2.2 spelling of result_format; %u is expected to
# keep only the local part of each user@REALM principal — confirm with
# "postmap -q <group> ldap:/etc/postfix/ldap/mailgroups.cf".
result_filter = %u

result_attribute = krbprincipalname

# Follow the group's member DNs and read result_attribute from each of them.
special_result_attribute = member

# main.cf: valid virtual mailbox addresses are resolved through the LDAP
# table defined below.
virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
 

# Postfix LDAP table: /etc/postfix/ldap/virtual_mailbox_maps.cf
# Answers "does this recipient exist?" for virtual_mailbox_maps by matching
# the full address against krbprincipalname or mail and returning the
# mailbox path domain/user/.
debuglevel = 0

# Two IPA servers (comma/whitespace separated list).
server_host     = ipa1, ipa2

server_port     = 389

version         = 3

# Simple bind with the service account below.
bind            = yes

# SECURITY: same as mailgroups.cf — cleartext bind on port 389. Enable
# start_tls = yes with tls_require_cert = yes and
# tls_ca_cert_file = <path-to-IPA-CA-certificate> once the CA is deployed.
start_tls       = no

bind_dn         = uid=system_mail_user,cn=users,cn=accounts,dc=example,dc=net

# Cleartext service-account password: restrict this file (root:postfix, 0640).
bind_pw         = parol_ot_polzovatelya_vishe

search_base     = cn=accounts,dc=example,dc=net

scope           = sub

timeout = 3

# %s = the whole looked-up address, RFC 2254-quoted by Postfix. Matches
# either the Kerberos principal or the mail attribute of person entries.
query_filter = (&(objectClass=person)(|(krbprincipalname=%s)(mail=%s)))

result_attribute = mail

# Turn the returned user@domain into the maildir path domain/user/
# (relative to virtual_mailbox_base, which is not shown in this article).
result_format   = %d/%u/

С postfix закончили, переходим к dovecot.

Предпочитаю, чтобы все конфиги в dovecot разделялись по файлам — по модулям, так сказать.

В основном конфиге раскомментируем подключение файла dovecot-ldap.conf.ext:


# Dovecot LDAP backend: dovecot-ldap.conf.ext
# Serves both passdb (password verification) and userdb (uid/gid/user name)
# lookups against FreeIPA.

# Two IPA servers. There is no "tls = yes" in this file, so all traffic is
# plain ldap:// (see the auth_bind note below).
hosts            = ipa1, ipa2

ldap_version     = 3

# auth_bind = yes: Dovecot verifies the password by binding to LDAP as the
# user's own DN, i.e. the user's password itself is sent to the IPA server.
# SECURITY: without TLS every login password crosses the network in
# cleartext. Add "tls = yes" (STARTTLS) and
# "tls_ca_cert_file = <path-to-IPA-CA-certificate>" before using this
# outside a lab.
auth_bind        = yes

# Service account used to find the user's DN before the auth bind.
dn               = uid=system_mail_user,cn=users,cn=accounts,dc=example,dc=net

# Cleartext password: keep this file root-owned, mode 0600.
dnpass           = parol_ot_polzovatelya_vishe

base             = cn=accounts,dc=example,dc=net

scope            = subtree

deref            = searching

# %Lu = lower-cased full login name, %Ln = lower-cased part before "@".
# Dovecot escapes LDAP filter metacharacters in these variables.
user_filter = (&(objectClass=person)(|(mail=%Lu)(uid=%Ln)))

# Left side = LDAP attribute, right side = Dovecot userdb field.
# The author says 901 is the uid Dovecot delivers as. NOTE(review): Dovecot's
# documented form for a constant is "=uid=901,=gid=901" (leading "="); as
# written, "uid=901" reads as LDAP attribute "uid" -> field "901". Confirm
# the effective values with "doveadm user <login>".
user_attrs  = uid=901,gid=901,mail=user

pass_filter = (&(objectClass=person)(|(mail=%Lu)(uid=%Ln)))

# Return the mail attribute as the canonical login user name.
pass_attrs = mail=user

uid=901 — это UID пользователя, от которого работает dovecot; у меня это отдельный пользователь. Небольшое уточнение: у меня ящики пользователей лежат в /path/domen/username (часть адреса до «@»). SOGo — это наши календари, контакты и ActiveSync; у меня стоит ночная сборка 5-й версии с базой данных в MySQL.

В нём главное — только конфиг sogo.conf:

 

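    // sogo.conf body. The opening brace of the top-level dictionary precedes
    // this excerpt. The file holds LDAP and database passwords in cleartext:
    // keep it readable only by root and the sogo user (e.g. root:sogo, 0640).
    //
    //  - Official SOGo document: http://sogo.nu/support/index.html#/documentation
    //  - Mailing list: http://sogo.nu/support/index.html#/community
    //
    SOGoMailDomain = example.net;
    SOGoHideSystemEmail = NO;

    // Daemon address and port (loopback only; fronted by a web server).
    WOPort = 127.0.0.1:20000;

    // PID file
    //WOPidFile = /var/run/sogo/sogo.pid;

    // Log file
    WOLogFile = /var/log/sogo/sogo.log;

    SOGoCacheCleanupInterval = 36000;

    // Enable verbose logging. Reference:
    // http://www.sogo.nu/nc/support/faq/article/how-to-enable-more-verbose-logging-in-sogo.html
    // Leave these off in production: request/LDAP debug output logs
    // credentials and user data.
    //SOGoDebugRequests = YES;
    //SOGoEASDebugEnabled = YES;
    //ImapDebugEnabled = YES;
    // LDAPDebugEnabled = YES;
    //MySQL4DebugEnabled = YES;
    //PGDebugEnabled = YES;

    // Define the URL to online help for SOGo. When set, an additional icon
    // will appear near the logout button in SOGo's web interface. The URL
    // will always be open in a blank target.
    // SOGoHelpURL = 'https://wiki.example.net/blablablabla';

    // set the maximum allowed size for content being sent to SOGo, this can
    // also limit the file attachment size being uploaded to SOGo when
    // composing a mail.
    // The value is in kilobyte. Default is 0 or disabled (unlimit).
    WOMaxUploadSize = 150360;

    // Parameter used to set the maximum allowed email message size when
    // composing a mail.
    // The value is in kilobytes. By default, the value is 0, or disabled so
    // no limit will be set.
    SOGoMaximumMessageSizeLimit = 150360;

    // Performance Tuning
    //
    // The amount of instances of SOGo that will be spawned to handle multiple
    // requests simultaneously. When started from the init script, that amount
    // is overriden by the `PREFORK=` setting in /etc/sysconfig/sogo or
    // /etc/default/sogo. A value of 3 is a reasonable default for low usage.
    // The maximum value depends on the CPU and IO power provided by your
    // machine: a value set too high will actually decrease performances under
    // high load.
    //
    // You should have at least one child per EAS device configured to use
    // "push". You must also have more children than you have EAS devices
    // configured to use "push" - in order to handle normal SOGo requests to
    // its Web or DAV interfaces.
    //
    // Defaults to 1 when unset, increase it if you see below error message in
    // sogo log file: 'No child available to handle incoming request'
    //
    // WARNING:
    //      - on RHEL/CentOS, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/sysconfig/sogo.
    //      - on Debian/Ubuntu, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/default/sogo.
    // NOTE(review): 200 children x SxVMemLimit below is a large upper bound;
    // size it to the number of push (EAS) devices and available RAM.
    WOWorkersCount = 200;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Ping command.
    // If not set, it defaults to 10 seconds.
    SOGoMaximumPingInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Sync command.
    // If not set, it defaults to 30 seconds.
    SOGoMaximumSyncInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before doing an internal check for data changes (add, delete, and
    // update). This parameter must be lower than SOGoMaximumSyncInterval and
    // SOGoMaximumPingInterval.
    // If not set, it defaults to 10 seconds.
    SOGoInternalSyncInterval = 30;

    // Specifies the number of minutes after which a busy child process will be
    // killed by the parent process.
    // Defaults to 10 (minutes).
    WOWatchDogRequestTimeout = 10;

    // Overwrite the maximum number of items returned during a Sync operation.
    // Defaults to 0, which means no overwrite is performed.
    // Setting this parameter to a value greater than 512 will have unexpected
    // behaviour with various ActiveSync clients.
    //SOGoMaximumSyncWindowSize = 100;

    // Overwrite the maximum response size during a Sync operation.
    // The value is in kilobytes. Setting this to 512 means the response size
    // will be of 524288 bytes or less (or a bit greater if needed for syncing
    // one item). Note that if you set the value too low and a mail message
    // (or any other object like calendar events, tasks and contacts) surpasses
    // it, it will still be synced but only this item will be.
    // Defaults to 0, which means no overwrite is performed.
    //
    // Say you have these five mails and you set the limit to 512KB:
    //  1.  250 KB
    //  2.  250 KB
    //  3.   25 KB
    //  4.  750 KB
    //  5.   10 KB
    // Sync iteration no. 1 will pick message 1, 2 and 3.
    // Sync iteration no. 2 will pick message 4.
    // Sync iteration no. 3 will pick message 5.
    SOGoMaximumSyncResponseSize = 2048;

    // The maximum amount of memory (in megabytes) that a child can use.
    // Reaching that value will force children processes to restart, in order
    // to preserve system memory.
    //
    // Error message when it reaches the value:
    // "terminating app, vMem size limit (xxx MB) has been reached (currently xxx MB)"
    //
    // Defaults to 384.
    SxVMemLimit = 2048;

    // Enable XSRF (also known as CSRF) protection. Keep this on.
    SOGoXSRFValidationEnabled = YES;

    // IMAP connection pool.
    // Your performance will slightly increase, as you won't open a new
    // connection for every access to your IMAP server.
    // But you will get a lot of simultaneous open connections to your IMAP
    // server, so make sure he can handle them.
    // For debugging it is reasonable to turn pooling off.
    NGImap4DisableIMAP4Pooling = NO;

    // Database URLs. The MySQL password is embedded in every URL (see the
    // file-permission note at the top).
    // NOTE(review): the first two table names look swapped relative to
    // SOGo's usual layout (SOGoProfileURL -> sogo_user_profile,
    // OCSFolderInfoURL -> sogo_folder_info). SOGo creates whatever tables
    // these URLs name, so a fresh install works, but the naming is misleading
    // and will not match an existing iRedMail-style database. Verify before
    // reusing these URLs elsewhere.
    SOGoProfileURL = "mysql://sogo:parol_sql_dlya_user_sogo@localhost:3306/sogo/sogo_folder_info";
    OCSFolderInfoURL = "mysql://sogo:parol_sql_dlya_user_sogo@localhost:3306/sogo/sogo_user_profile";
    OCSStoreURL = "mysql://sogo:parol_sql_dlya_user_sogo@localhost:3306/sogo/sogo_store";
    OCSAclURL = "mysql://sogo:parol_sql_dlya_user_sogo@localhost:3306/sogo/sogo_acl";
    OCSCacheFolderURL = "mysql://sogo:parol_sql_dlya_user_sogo@localhost:3306/sogo/sogo_cache_folder";
    OCSSessionsFolderURL = "mysql://sogo:parol_sql_dlya_user_sogo@localhost:3306/sogo/sogo_sessions_folder";
    OCSEMailAlarmsFolderURL = "mysql://sogo:parol_sql_dlya_user_sogo@localhost:3306/sogo/sogo_alarms_folder";

    // Default language in the web interface
    SOGoLanguage = English;

    // Specify which module to show after login: Calendar, Mail, Contacts.
    SOGoLoginModule = Mail;

    // Must login with full email address
    SOGoForceExternalLoginWithEmail = NO;

    // Allow user to change full name and email address.
    // NO prevents users from sending as an arbitrary From: address.
    SOGoMailCustomFromEnabled = NO;

    // IMAP server
    // Local connection is considered as secure by Dovecot, so 'imap://' is fine.
    // With remote IMAP server, use 'imaps://127.0.0.1:143/?tls=YES' instead;
    // tlsVerifyMode=allowInsecureLocalhost skips certificate verification and
    // is only acceptable because the IMAP server is on the loopback address.
    SOGoIMAPServer = "imap://127.0.0.1:143/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";

    // Allow user to add other IMAP accounts that will be visible from the SOGo
    // Webmail interface.
    // Default is NO.
    SOGoMailAuxiliaryUserAccountsEnabled = NO;

    // SMTP server
    // SOGoSMTPServer = "smtp://127.0.0.1:587/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    // NOTE(review): port 25 without TLS plus PLAIN authentication means the
    // user's credentials go to Postfix in cleartext (loopback only, so the
    // exposure is local). Postfix normally advertises AUTH on port 25 only
    // when it is configured to do so without TLS; if logins fail, use the
    // commented submission-port line above instead.
    SOGoSMTPServer = "smtp://127.0.0.1:25";
    //?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    SOGoMailingMechanism = smtp;
    SOGoSMTPAuthenticationType = PLAIN;

    // Enable managesieve service
    //
    // WARNING: Sieve scripts generated by SOGo is not compatible with Roundcube
    //          webmail, don't use sieve service in both webmails, otherwise
    //          it will be messy.
    //          FYI: https://docs.iredmail.org/why.no.sieve.support.in.sogo.html
    //
    SOGoSieveServer = "sieve://127.0.0.1:4190/?tls=YES&tlsVerifyMode=allowInsecureLocalhost";
    SOGoSieveScriptsEnabled = YES;
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveFolderEncoding = UTF-8;

    // Memcached (loopback; memcached has no authentication, so it must not
    // listen on any other address).
    SOGoMemcachedHost = 127.0.0.1;

    // Parameter used to set which usernames require administrative privileges
    // over all the users tables. For example, this could be used to post
    // events in the users calendar without requiring the user to configure
    // his/her ACLs. In this case you will need to specify those superuser's
    // usernames like this :
    // SOGoSuperUsernames = (<username1>[,<username2>, ...]);
    // This account can read and modify every user's calendars and address
    // books; treat its LDAP password accordingly.
    SOGoSuperUsernames = (system_mail@example.net);

    SOGoTimeZone = "Europe/Moscow";

    SOGoFirstDayOfWeek = 1;

    SOGoRefreshViewCheck = every_5_minutes;
    SOGoMailReplyPlacement = below;

    // Disable gravatar
    SOGoExternalAvatarsEnabled = NO;
    SOGoGravatarEnabled = NO;

    // Control WebDAV access to the Calendar / Contacts collections.
    // This can be used to deny access to these resources from Thunderbird
    // Lightning for example.
    // Defaults to YES when unset.
    //SOGoCalendarDAVAccessEnabled = NO;
    //SOGoAddressBookDAVAccessEnabled = NO;

    // Allow users to share publicly (ie., requiring not authentication) their
    // calendars and address books.
    // Defaults to NO when unset.
    // NOTE(review): together with the default role below, date and time of
    // (public-classified) events on every newly created calendar appear to be
    // readable without authentication through SOGo's public URLs. Confirm this
    // is intended; otherwise drop PublicDAndTViewer from the default roles.
    SOGoEnablePublicAccess = YES;
    //SOGoFreeBusyDefaultInterval = (7, 365);
    SOGoCalendarDefaultRoles = ("PublicDAndTViewer");

    //
    // Notifications
    //
    // Enable email-based alarms on events and tasks.
    SOGoEnableEMailAlarms = YES;

    // Notify meeting participants
    SOGoAppointmentSendEMailNotifications = YES;

    // Notify if a calendar or an address book has been created.
    SOGoFoldersSendEMailNotifications = YES;

    // Notify involved users of a calendar or address book's ACLs.
    SOGoACLsSendEMailNotifications = YES;

    // Notify when a modification is being done to his/her own calendar by someone else.
    SOGoNotifyOnExternalModifications = YES;

    // Password changes stay in FreeIPA (where the password policy is
    // enforced) rather than going through SOGo.
    SOGoPasswordChangeEnabled = NO;

    // Authentication using LDAP

    SOGoUserSources = (
        {
            // Used for user authentication
            type = ldap;
            id = users;
            canAuthenticate = YES;
            isAddressBook = NO;
            displayName = "LDAP Authentication";

            // SECURITY: plain ldap:// — with bindAsCurrentUser = YES below,
            // every user's password is sent to the IPA server in cleartext on
            // each login. Use "ldaps://ipa:636" or add "encryption = STARTTLS;"
            // so the session is protected.
            // NOTE(review): a single host "ipa" here versus "ipa1, ipa2" in the
            // Postfix/Dovecot configs means SOGo logins have no failover
            // unless "ipa" resolves to both servers.
            hostname = "ldap://ipa:389";
            baseDN = "cn=users,cn=accounts,dc=example,dc=net";
            bindDN = "uid=system_mail_user,cn=users,cn=accounts,dc=example,dc=net";
            bindPassword = parol_kak_v_postfixe;
            filter = "objectClass=person";
            scope = SUB;

            // After locating the user's entry with bindDN/bindPassword, SOGo
            // re-binds to LDAP as that user's own DN to verify the password
            // (bindDN/bindPassword are still required for the initial search).
            bindAsCurrentUser = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            // userPasswordAlgorithm = plain;

            CNFieldName = cn;
            IDFieldName = cn;
            // value of UIDFieldName must be unique on entire server
            //  UIDFieldName = krbCanonicalName;
            // Users log in with their uid (bindFields), are identified inside
            // SOGo by their mail address (UIDFieldName), and SOGo logs in to
            // Dovecot with the uid (IMAPLoginFieldName).
            UIDFieldName = mail;
            IMAPLoginFieldName = uid;
            // MailFieldNames = (krbCanonicalName);
            MailFieldNames = (mail);
            bindFields = (uid);

            //ModulesConstraints = {
            //    Mail = { enabledService = sogowebmail; };
            //    Calendar = { enabledService = sogocalendar; };
            //    ActiveSync = { enabledService = sogoactivesync; };
            //};

            GroupObjectClasses = (
                "mailList",
                "group",
                "groupOfNames",
                "groupOfUniqueNames",
                "posixgroup"
            );
        },
        {
            // Used for global address book
            type = ldap;
            id = global_addressbook;
            canAuthenticate = NO;
            isAddressBook = YES;
            displayName = "Global Address Book";
            bindAsCurrentUser = YES;

            // Listing of this LDAP source is only possible when performing a
            // search (respecting the SOGoSearchMinimumWordLength parameter)
            // or when explicitely typing a single dot.
            // Defaults to YES when unset.
            //
            // WARNING: if you have many accounts in this address book, it may
            //          reach server-side query size limit, or cause
            //          performance issue.
            listRequiresDot = NO;
            // SECURITY: same cleartext ldap:// as the authentication source
            // above; use ldaps:// or "encryption = STARTTLS;" here as well.
            hostname = "ldap://ipa:389";
            baseDN = "cn=users,cn=accounts,dc=example,dc=net";
            bindDN = "uid=system_mail_user,cn=users,cn=accounts,dc=example,dc=net";
            bindPassword = parol_kak_v_postfixe;
            // SOGo qualifier syntax (not an RFC 4515 filter): only members of
            // the staff or external IPA groups are listed in the address book.
            filter = "((memberOf='cn=staff,cn=groups,cn=accounts,dc=example,dc=net') OR (memberOf='cn=external,cn=groups,cn=accounts,dc=example,dc=net'))";
            scope = SUB;

            IDFieldName = uid;
            bindFields = (uid);
            // value of UID field must be unique on whole server.
            UIDFieldName = uid;
            IMAPLoginFieldName = uid;

            CNFieldName = cn;
            //SearchFieldNames = (cn, sn, displayName, telephoneNumber, mail, shadowAddress, departmentNumber);
            // Attributes matched by address-book searches. This key was
            // misspelled "SsarchFieldNames", which SOGo does not recognise, so
            // the restriction to cn and mail was never applied.
            SearchFieldNames = (cn, mail);

            // Resources management (Free/Busy)
            // Reference: https://docs.iredmail.org/sogo.manage.resources.html
            // NOTE(review): these attribute names come from iRedMail's LDAP
            // schema; FreeIPA's default schema does not define them, so
            // resource booking needs a schema extension for these to have
            // any effect — verify against the IPA schema.
            KindFieldName = "Kind";
            MultipleBookingsFieldName = "MultipleBookings";
        }
    );
}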