[helper] App users ldap #977

Open
wants to merge 7 commits into
base: dev

Contributor

@Josue-T Josue-T commented May 5, 2020

The problem

  • Apps can't authenticate in LDAP for extended search requests. Some apps need this, for example Mastodon and Synapse.
  • App can't cleanly send and receive email.

Solution

  • Create a user and group in LDAP in a specific place. Note that we will put the app user in ou=users,ou=apps,dc=yunohost,dc=org and the app group in ou=groups,ou=apps,dc=yunohost,dc=org

PR Status

Linked to YunoHost/test_apps#9
Tested locally and it works. The unit tests fail because YunoHost/test_apps#9 needs to be merged.

How to test

Run:

yunohost tools migrations migrate
yunohost tools regen-conf dovecot
yunohost tools regen-conf postfix

Install the ldap user app

Afterwards you can test the LDAP authentication with a simple LDAP search:

ldapsearch -b dc=yunohost,dc=org -x -D uid=ldap_user_app,ou=users,ou=apps,dc=yunohost,dc=org -w RAND0MP4sSw0RO

You can also try the authentication in Postfix:

# Calculate the base64 for authentication
$ echo -ne '\0ldap_user_app@domain.tld\0RAND0MP4sSw0RO' | base64
AGxkYXBfdXNlcl9hcHBAeW5oLWRldjEubGFuAFJBTkQwTVA0c1N3MFJP
$ openssl s_client -connect localhost:25 -starttls smtp
> helo localhost
> auth plain AGxkYXBfdXNlcl9hcHBAeW5oLWRldjEubGFuAFJBTkQwTVA0c1N3MFJP

You can also try the authentication in Dovecot:

openssl s_client -connect localhost:993 -crlf
> a login  ldap_user_app RAND0MP4sSw0RO

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :
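
The `auth plain` argument used in the Postfix test above is an RFC 4616 SASL PLAIN message (`[authzid] NUL authcid NUL passwd`) in base64, which anyone who sees the token can reverse. The following is an added example, not code from this PR; the function names are hypothetical and GNU `base64`, `tr` and `sed` are assumed. It builds and decodes such a token, using the one quoted above as input:

```shell
#!/bin/sh
# Added example, not code from the PR. Function names are hypothetical.
# SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd, base64-encoded.

# sasl_plain_encode AUTHCID PASSWORD [AUTHZID] -> prints the base64 token
sasl_plain_encode() {
    # printf's \0 escape is defined by POSIX; `echo -ne` differs between shells.
    printf '%s\0%s\0%s' "${3:-}" "$1" "$2" | base64 | tr -d '\n'
}

# sasl_plain_field TOKEN N -> prints field N (1=authzid, 2=authcid, 3=passwd)
# NULs become newlines before capture, because shell variables cannot hold
# NUL bytes. Assumes no field contains a newline.
sasl_plain_field() {
    printf '%s' "$1" | base64 -d 2>/dev/null | tr '\0' '\n' | sed -n "${2}p"
}

# sasl_plain_check TOKEN -> exit 0 only for exactly two NUL separators
# plus a non-empty authcid and password
sasl_plain_check() {
    nuls=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '\0' | wc -c)
    [ "$nuls" -eq 2 ] || return 1
    [ -n "$(sasl_plain_field "$1" 2)" ] && [ -n "$(sasl_plain_field "$1" 3)" ]
}

# Token quoted in the PR description
PR_TOKEN='AGxkYXBfdXNlcl9hcHBAeW5oLWRldjEubGFuAFJBTkQwTVA0c1N3MFJP'
if sasl_plain_check "$PR_TOKEN"; then
    printf 'authzid=[%s] authcid=[%s]\n' \
        "$(sasl_plain_field "$PR_TOKEN" 1)" "$(sasl_plain_field "$PR_TOKEN" 2)"
fi
```

Decoding the token quoted in the PR description gives the login `ldap_user_app@ynh-dev1.lan`, not the `domain.tld` placeholder in the `echo` line. Any such token copied into a log or ticket carries the password in recoverable form.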

@Josue-T Josue-T marked this pull request as ready for review May 6, 2020
@Josue-T Josue-T requested review from alexAubin, kay0u, zamentur and May 6, 2020
@zamentur
Member

@zamentur zamentur commented May 6, 2020

Aleks told me yesterday that it may be possible to change the dovecot config to allow system users to send mail and maybe to have some inbox.

Are we sure we want to create LDAP users for this?

@alexAubin
Member

@alexAubin alexAubin commented May 6, 2020

(cf. #815)

Josue explains in this comment why an LDAP user might be better

@yalh76 yalh76 mentioned this pull request May 6, 2020
4 tasks
@Josue-T Josue-T changed the base branch from stretch-unstable to dev Aug 18, 2020
@zamentur zamentur added this to the Horizon milestone Jan 3, 2021
@zamentur zamentur added this to Technical / political choice needed in Pending Jan 4, 2021
@zamentur zamentur removed this from the Horizon milestone Jan 4, 2021