Victor LABORIE
2 years ago
3 changed files with 265 additions and 141 deletions
-
6README.md
-
140docs/INSTALL.md
-
260docs/install.md
@ -1,140 +0,0 @@ |
|||
# Pré-requis |
|||
|
|||
* Apache |
|||
* PHP5 ou supérieur avec certains modules (MHASH, etc.) |
|||
* Si utilisé avec Samba, besoin du module PEAR Crypt/CHAP |
|||
* sudo |
|||
* LDAP |
|||
|
|||
php5-mhash |
|||
|
|||
# Instructions d'installation |
|||
|
|||
* Récupérer les sources Git et les rendre accessible via Apache |
|||
|
|||
* Copier config/connect.php et config/conf.php à partir de leur version "-dist" |
|||
et ajuster les paramètres |
|||
|
|||
* Ajouter le schéma suivant à LDAP : |
|||
http://www.gcolpart.com/hacks/evolix.schema |
|||
|
|||
* Si utilisation de "Samba", c'est plus compliqué... le schéma doit être découpé : |
|||
|
|||
evolix-inetorgperson.schema : |
|||
|
|||
--8<-- |
|||
attributetype ( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' |
|||
DESC 'an account is active or not' |
|||
EQUALITY booleanMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
|
|||
attributetype ( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' |
|||
DESC 'boolean to verify if entry is admin for entry' |
|||
EQUALITY booleanMatch |
|||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
--8<-- |
|||
|
|||
Puis ajouter au schéma "standard" inetorgperson.schema les attributs isActive |
|||
et isAdmin à la classe d'object inetOrgPerson, ce qui doit donner : |
|||
|
|||
--8<-- |
|||
# inetOrgPerson |
|||
# The inetOrgPerson represents people who are associated with an |
|||
# organization in some way. It is a structural class and is derived |
|||
# from the organizationalPerson which is defined in X.521 [X521]. |
|||
objectclass ( 2.16.840.1.113730.3.2.2 |
|||
NAME 'inetOrgPerson' |
|||
DESC 'RFC2798: Internet Organizational Person' |
|||
SUP organizationalPerson |
|||
STRUCTURAL |
|||
MAY ( |
|||
audio $ businessCategory $ carLicense $ departmentNumber $ |
|||
displayName $ employeeNumber $ employeeType $ givenName $ |
|||
homePhone $ homePostalAddress $ initials $ jpegPhoto $ |
|||
labeledURI $ mail $ manager $ mobile $ o $ pager $ |
|||
photo $ roomNumber $ secretary $ uid $ userCertificate $ |
|||
x500uniqueIdentifier $ preferredLanguage $ |
|||
userSMIMECertificate $ userPKCS12 $ isActive $ |
|||
isAdmin ) |
|||
) |
|||
--8<-- |
|||
|
|||
Il faut aussi ajouter smbActive au schéma samba.schema : |
|||
|
|||
--8<-- |
|||
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY |
|||
DESC 'Samba 3.0 Auxilary SAM Account' |
|||
MUST ( uid $ sambaSID ) |
|||
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ |
|||
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ |
|||
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ |
|||
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ |
|||
sambaProfilePath $ description $ sambaUserWorkstations $ |
|||
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ |
|||
sambaBadPasswordCount $ sambaBadPasswordTime $ |
|||
sambaPasswordHistory $ sambaLogonHours $ smbActive)) |
|||
--8<-- |
|||
|
|||
Et, enfin, les attributs isActive et isAdmin peuvent être commentés dans le schéma evolix.schema |
|||
et retirer de la classe d'objet mailAccount, ce qui doit donner : |
|||
|
|||
--8<-- |
|||
# now in evolix-inetorgperson |
|||
#attributetype ( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' |
|||
# DESC 'an account is active or not' |
|||
# EQUALITY booleanMatch |
|||
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
|
|||
# now in evolix-inetorgperson |
|||
#attributetype ( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' |
|||
# DESC 'boolean to verify if entry is admin for entry' |
|||
# EQUALITY booleanMatch |
|||
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
|
|||
# doit egalement etre posixAccount + { person ou organizationalRole } |
|||
objectclass ( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' SUP top AUXILIARY |
|||
DESC 'LDAP/Unix mail account or virtual account' |
|||
MUST ( uid $ mailacceptinggeneralid ) |
|||
MAY ( accountActive $ authsmtpActive $ quota |
|||
$ courierActive $ webmailActive |
|||
$ vacationActive $ vacationInfo $ vacationStart $ vacationEnd |
|||
$ vacationForward $ maildrop ) ) |
|||
--8<-- |
|||
|
|||
Reste à réordonner l'inclusion des schémas dans le "slapd.conf" : |
|||
|
|||
--8<-- |
|||
# Schema and objectClass definitions |
|||
include /etc/ldap/schema/core.schema |
|||
include /etc/ldap/schema/cosine.schema |
|||
include /etc/ldap/schema/nis.schema |
|||
|
|||
include /etc/ldap/schema/evolix-inetorgperson.schema |
|||
include /etc/ldap/schema/inetorgperson.schema |
|||
|
|||
include /etc/ldap/schema/evolix.schema |
|||
include /etc/ldap/schema/samba.schema |
|||
--8<-- |
|||
|
|||
* À l'exception du cas "mail virtuel", il est nécessaire de mettre en place un script |
|||
de création : |
|||
|
|||
--8<-- |
|||
mkdir -p /usr/share/scripts |
|||
cp scripts/evoadmin.sh /usr/share/scripts/ |
|||
chmod +x /usr/share/scripts/evoadmin.sh |
|||
--8<-- |
|||
|
|||
Il faut ensuite générer un mot de passe aléatoire à placer |
|||
dans /usr/share/scripts/evoadmin.sh et config/connect.php |
|||
|
|||
Et, enfin, permettre son lancement via sudo en ajustant le sudoers : |
|||
|
|||
--8<-- |
|||
User_Alias WWW = www-data |
|||
Cmnd_Alias EVOADMIN = /usr/share/scripts/evoadmin.sh |
|||
WWW ALL= NOPASSWD: EVOADMIN |
|||
--8<-- |
|||
|
|||
* Configurer les applications (Postfix, Courier, Samba, etc.) pour utiliser les |
|||
paramètres en place (principalement LDAP). |
|||
@ -0,0 +1,260 @@ |
|||
# Install |
|||
|
|||
Evoadmin-mail need an LDAP server, a Web server and PHP. This documentation explain how to configure OpenLDAP and Apache with mod_php. |
|||
|
|||
Following files extract are [Jinja2](http://jinja.pocoo.org) templates, **{{ varname }}** must be replaced by custom value, eg. |
|||
|
|||
~~~ |
|||
ldap_hostname: "mailserver" |
|||
ldap_domain: "example.com" |
|||
ldap_suffix: "dc=mailserver,dc=example,dc=com" |
|||
ldap_admin_password: "password_for_ldap_admin_account" |
|||
evoadminmail_admin_password: "password_for_web_interface" |
|||
evoadminmail_host: "evoadmin-mail.mailserver.example.com" |
|||
~~~ |
|||
|
|||
## LDAP |
|||
|
|||
~~~ |
|||
apt install slapd ldap-utils ldapvi shelldap |
|||
~~~ |
|||
|
|||
~~~ |
|||
# /root/evolinux_ldap_config.ldapvi |
|||
modify: olcDatabase={1}mdb,cn=config |
|||
olcSuffix: {{ ldap_suffix }} |
|||
olcRootDN: cn=admin,{{ ldap_suffix }} |
|||
olcRootPW: {{ ldap_admin_password }} |
|||
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break |
|||
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none |
|||
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read |
|||
olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read |
|||
~~~ |
|||
|
|||
~~~ |
|||
ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi |
|||
~~~ |
|||
|
|||
~~~ |
|||
# /root/evolinux_ldap_first-entries.ldif |
|||
dn: {{ ldap_suffix }} |
|||
objectClass: top |
|||
objectClass: dcObject |
|||
objectClass: organization |
|||
o: {{ ldap_domain }} |
|||
dc: {{ ldap_hostname }} |
|||
|
|||
dn: cn=admin,{{ ldap_suffix }} |
|||
objectClass: simpleSecurityObject |
|||
objectClass: organizationalRole |
|||
cn: admin |
|||
description: LDAP administrator |
|||
userPassword: {{ ldap_admin_password }} |
|||
|
|||
dn: ou=ldapusers,{{ ldap_suffix }} |
|||
objectClass: top |
|||
objectClass: organizationalUnit |
|||
ou: ldapusers |
|||
|
|||
dn: cn=perl,ou=ldapusers,{{ ldap_suffix }} |
|||
objectClass: simpleSecurityObject |
|||
objectClass: organizationalRole |
|||
cn: perl |
|||
userPassword: {{ ldap_admin_password }} |
|||
|
|||
dn: uid=evoadmin,{{ ldap_suffix }} |
|||
uid: evoadmin |
|||
cn: Evoadmin ADM |
|||
uidNumber: 4242 |
|||
gidNumber: 4242 |
|||
homeDirectory: /dev/null |
|||
isAdmin: TRUE |
|||
mailacceptinggeneralid: evoadmin@{{ ldap_domain }} |
|||
objectClass: mailAccount |
|||
objectClass: organizationalRole |
|||
objectClass: posixAccount |
|||
userPassword: {{ evoadminmail_admin_password }} |
|||
~~~ |
|||
|
|||
~~~ |
|||
slapadd -l /root/evolinux_ldap_first-entries.ldif |
|||
~~~ |
|||
|
|||
~~~ |
|||
# /root/ldap_schema.ldif |
|||
dn: cn={4}evolix,cn=schema,cn=config |
|||
objectClass: olcSchemaConfig |
|||
cn: {4}evolix |
|||
olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo |
|||
rward' SUP mail ) |
|||
olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid' |
|||
DESC 'mail alias' SUP mail ) |
|||
olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean |
|||
to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1 |
|||
.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo |
|||
olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1. |
|||
3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b |
|||
oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN |
|||
TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo |
|||
olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat |
|||
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo |
|||
olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX |
|||
1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean |
|||
to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4 |
|||
.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC |
|||
'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11 |
|||
5.121.1.26{20} SINGLE-VALUE ) |
|||
olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix |
|||
domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA |
|||
X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) |
|||
olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 'quota' DESC 'Courier |
|||
maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. |
|||
26 SINGLE-VALUE ) |
|||
olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC |
|||
'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3 |
|||
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A |
|||
bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY |
|||
NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) |
|||
olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC ' |
|||
Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115. |
|||
121.1.40 SINGLE-VALUE ) |
|||
olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En |
|||
d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 |
|||
SINGLE-VALUE ) |
|||
olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC |
|||
'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S |
|||
UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} |
|||
) |
|||
olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool |
|||
ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3 |
|||
.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) |
|||
olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/ |
|||
Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce |
|||
ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co |
|||
urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat |
|||
ionStart $ vacationEnd $ vacationForward $ maildrop ) ) |
|||
olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al |
|||
iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m |
|||
aildrop ) MAY ( cn $ isActive ) ) |
|||
olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos |
|||
tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) ) |
|||
~~~ |
|||
|
|||
~~~ |
|||
ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap_schema.ldif |
|||
~~~ |
|||
|
|||
## Apache / PHP |
|||
|
|||
~~~ |
|||
apt install apache2 libapache2-mod-php php php-cli php-ldap php-log php-twig |
|||
~~~ |
|||
|
|||
~~~ |
|||
# /etc/apache2/sites-available/evoadmin-mail.conf |
|||
<VirtualHost *:80> |
|||
ServerName {{ evoadminmail_host }} |
|||
Redirect permanent / https://{{ evoadminmail_host }}/ |
|||
</VirtualHost> |
|||
|
|||
<VirtualHost *:443> |
|||
|
|||
# FQDN principal |
|||
ServerName {{ evoadminmail_host }} |
|||
#ServerAlias {{ evoadminmail_host }} |
|||
|
|||
# Repertoire principal |
|||
DocumentRoot /home/evoadmin-mail/www/htdocs/ |
|||
|
|||
# SSL |
|||
SSLEngine on |
|||
SSLCertificateFile /etc/ssl/certs/{{ evoadminmail_host }}.crt |
|||
SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key |
|||
SSLProtocol all -SSLv2 -SSLv3 |
|||
|
|||
# Propriete du repertoire |
|||
<Directory /home/evoadmin-mail/www/htdocs/> |
|||
#Options Indexes SymLinksIfOwnerMatch |
|||
Options SymLinksIfOwnerMatch |
|||
AllowOverride AuthConfig Limit FileInfo Indexes |
|||
Require all granted |
|||
</Directory> |
|||
|
|||
# user - group (thanks to sesse@debian.org) |
|||
AssignUserID www-evoadmin-mail evoadmin-mail |
|||
|
|||
# LOG |
|||
CustomLog /var/log/apache2/access.log combined |
|||
CustomLog /home/evoadmin-mail/log/access.log combined |
|||
ErrorLog /home/evoadmin-mail/log/error.log |
|||
|
|||
# AWSTATS |
|||
SetEnv AWSTATS_FORCE_CONFIG evoadmin-mail |
|||
|
|||
# REWRITE |
|||
UseCanonicalName On |
|||
RewriteEngine On |
|||
RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$ |
|||
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R] |
|||
|
|||
# PHP |
|||
#php_admin_flag engine off |
|||
#AddType text/html .html |
|||
#php_admin_flag display_errors On |
|||
#php_flag short_open_tag On |
|||
#php_flag register_globals On |
|||
#php_admin_value memory_limit 256M |
|||
#php_admin_value max_execution_time 60 |
|||
#php_admin_value upload_max_filesize 8M |
|||
#php_admin_flag allow_url_fopen Off |
|||
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin-mail" |
|||
php_admin_value open_basedir "none" |
|||
</VirtualHost> |
|||
~~~ |
|||
|
|||
~~~ |
|||
a2ensite evoadmin-mail |
|||
service apache2 reload |
|||
~~~ |
|||
|
|||
## Evoadmin-mail |
|||
|
|||
~~~ |
|||
useradd --create-home evoadmin-mail |
|||
git clone https://forge.evolix.org/evoadmin-mail.git /home/evoadmin-mail/www |
|||
~~~ |
|||
|
|||
~~~ |
|||
# /home/evoadmin-mail/www/config/config.ini |
|||
; The configuration for evoadmin-mail |
|||
; |
|||
; You need to copy and edit config-sample.ini to config.ini. |
|||
; This INI file is loaded by evoadmin-mail and contains the |
|||
; following configurations : |
|||
; |
|||
; * Global settings |
|||
; * LDAP settings |
|||
; |
|||
|
|||
[global] |
|||
name = "Evoadmin Mail"; |
|||
mail = "evoadmin-mail@example.com" |
|||
log_level = error |
|||
|
|||
[ldap] |
|||
host = "127.0.0.1" |
|||
port = 389 |
|||
base = "{{ ldap_suffix }}" |
|||
admin_dn = "cn=admin,{{ ldap_suffix }}" |
|||
admin_pass = "{{ ldap_admin_password }}" |
|||
superadmin[] = "evoadmin" |
|||
~~~ |
|||
|
|||
You can now connect to your Evoadmin-mail with **evoadmin** user and your precedently defined password ! |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue