From 359f76e9d2886583b3a5ec4cfa3e51cea47ec8eb Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Mon, 26 Nov 2018 10:08:22 +0100
Subject: [PATCH] SSO + LDAP (global addressbook)
---
 plugins/kolab_sso/README | 8 +++++---
 plugins/kolab_sso/config.inc.php.dist | 10 ++++++++--
 plugins/kolab_sso/kolab_sso.php | 22 ++++++++++++++++++++--
 3 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/plugins/kolab_sso/README b/plugins/kolab_sso/README
index 3f0ad560..0c130f3d 100644
--- a/plugins/kolab_sso/README
+++ b/plugins/kolab_sso/README
@@ -44,20 +44,22 @@ master user credentials in plugin's config.
 [SMTP] For the same reason and also because the same master user does not work in Postfix, you have to specify SMTP connection parameters/user+password. +[LDAP] Global addressbook (read-only) requires LDAP user/password. 'user_specific' option does +not work as well as proxy authentication. + [Freebusy] Authentication into kolab-freebusy service is not yet implemented. A solution for now is to add Roundcube host(s) into trustednetworks.allow option in kolab-freebusy service config. [Chwala] Authentication to Chwala will work if it uses the same (session) database as Roundcube. Additionally set $config['fileapi_plugins'] = array('kolab_sso', 'kolab_auth', 'kolab_folders'); Authenticating to Seafile/WebDAV storage is not supported (until it's custom user-defined -storage with saved password). +storage). TODO ---- -- LDAP addressbook -- kolab_delegation (LDAP auth) +- kolab_delegation (LDAP auth for write operation) - Chwala+Seafile - Chwala+WebDAV - Freebusy auth
diff --git a/plugins/kolab_sso/config.inc.php.dist b/plugins/kolab_sso/config.inc.php.dist
index 750919ec..fa5d59d9 100644
--- a/plugins/kolab_sso/config.inc.php.dist
+++ b/plugins/kolab_sso/config.inc.php.dist
@@ -4,10 +4,10 @@
 $config['kolab_sso_debug'] = true;
 
 // IMAP (master) user
-$config['kolab_sso_username'] = 'cyrus-admin';
+$config['kolab_sso_imap_user'] = 'cyrus-admin';
 
 // IMAP (master) password
-$config['kolab_sso_password'] = 'password';
+$config['kolab_sso_imap_pass'] = 'password';
 
 // SMTP server host
 // To override the SMTP port or connection method, provide a full URL like 'tls://somehost:587'
@@ -19,6 +19,12 @@ $config['kolab_sso_smtp_user'] = '';
 // SMTP password
 $config['kolab_sso_smtp_pass'] = '';
 
+// LDAP user DN
+$config['kolab_sso_ldap_user'] = 'uid=kolab-service,ou=Special Users,dc=example,dc=org';
+
+// LDAP password
+$config['kolab_sso_ldap_pass'] = 'password';
+
 // Require SSO logon by removing possibility to logon with user/password
 $config['kolab_sso_disable_login'] = false;
diff --git a/plugins/kolab_sso/kolab_sso.php b/plugins/kolab_sso/kolab_sso.php
index 22ed5ac8..8542f59c 100644
--- a/plugins/kolab_sso/kolab_sso.php
+++ b/plugins/kolab_sso/kolab_sso.php
@@ -162,6 +162,7 @@ class kolab_sso extends rcube_plugin
         $this->add_hook('storage_connect', array($this, 'storage_connect'));
         $this->add_hook('managesieve_connect', array($this, 'storage_connect'));
         $this->add_hook('smtp_connect', array($this, 'smtp_connect'));
+        $this->add_hook('ldap_connected', array($this, 'ldap_connected'));
         $this->add_hook('chwala_authenticate', array($this, 'chwala_authenticate'));
     }
 
@@ -185,8 +186,8 @@ class kolab_sso extends rcube_plugin
      */
     public function storage_connect($args)
     {
-        $user = $this->rc->config->get('kolab_sso_username');
-        $pass = $this->rc->config->get('kolab_sso_password');
+        $user = $this->rc->config->get('kolab_sso_imap_user');
+        $pass = $this->rc->config->get('kolab_sso_imap_pass');
 
         if ($user && $pass) {
             $args['auth_cid'] = $user;
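Review bot: The rename from `kolab_sso_username`/`kolab_sso_password` to `kolab_sso_imap_user`/`kolab_sso_imap_pass` in storage_connect has no fallback, so a deployment whose config.inc.php still uses the old names ends up with empty `$user`/`$pass` and the `if ($user && $pass)` guard silently skips the master-user login instead of reporting a misconfiguration. Reading the old key as a fallback keeps upgrades working, e.g. `$user = $this->rc->config->get('kolab_sso_imap_user') ?: $this->rc->config->get('kolab_sso_username');` and the same for the password, or at least log a warning when neither pair is set. The config.inc.php.dist hunk on this line documents only the new names, and the README hunk does not mention the rename, so an upgrade note is needed somewhere. storage_connect's body continues outside the hunk.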
@@ -209,6 +210,23 @@ class kolab_sso extends rcube_plugin
         return $args;
     }
 
+    /**
+     * ldap_connected hook handler
+     */
+    public function ldap_connected($args)
+    {
+        $user = $this->rc->config->get('kolab_sso_ldap_user');
+        $pass = $this->rc->config->get('kolab_sso_ldap_pass');
+
+        if ($user && $pass && $args['user_specific']) {
+            $args['bind_dn'] = $user;
+            $args['bind_pass'] = $pass;
+            $args['search_filter'] = null;
+        }
+
+        return $args;
+    }
+
     /**
      * Chwala_authenticate hook handler
      */
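Review bot: ldap_connected swaps the user's own bind for the shared service DN whenever `user_specific` is set, but nothing in the handler keeps the addressbook read-only as the README promises; if the LDAP entry in config is marked writable, edits would now run under the service account's directory rights rather than the user's. Setting `$args['writable'] = false;` next to `bind_dn`/`bind_pass` enforces the least-privilege intent, and the guard should read `!empty($args['user_specific'])` so an entry without that key does not raise a notice. The handler also lacks parameter documentation; a docblock with `@param array $args LDAP addressbook properties (user_specific, bind_dn, bind_pass, search_filter, ...)` and `@return array Modified properties` would help. Nulling `search_filter` presumably disables the per-user DN lookup that user_specific would otherwise perform — a one-line comment stating why it is cleared would make the intent clear to the next maintainer.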