3 changed files with 265 additions and 127 deletions
Split View
Diff Options
-
+5 -1README.md
-
+0 -126docs/INSTALL.md
-
+260 -0docs/install.md
+ 5
- 1
README.md
View File
| @@ -4,7 +4,11 @@ Evoadmin mail is a Web Interface for manage an LDAP directory designed for mail | |||
| ## Install | |||
| See [INSTALL](docs/INSTALL.md). | |||
| Evoadmin-mail requirements are an LDAP server, a Web server and PHP. See [INSTALL](docs/install.md) for configure them. | |||
| Multiples services can be configured to use the LDAP directory managed by Evoadmin-mail : | |||
| - TODO | |||
| ## Test | |||
+ 0
- 126
docs/INSTALL.md
View File
| @@ -1,140 +0,0 @@ | |||
| # Pré-requis | |||
| * Apache | |||
| * PHP5 ou supérieur avec certains modules (MHASH, etc.) | |||
| * Si utilisé avec Samba, besoin du module PEAR Crypt/CHAP | |||
| * sudo | |||
| * LDAP | |||
| php5-mhash | |||
| # Instructions d'installation | |||
| * Récupérer les sources Git et les rendre accessible via Apache | |||
| * Copier config/connect.php et config/conf.php à partir de leur version "-dist" | |||
| et ajuster les paramètres | |||
| * Ajouter le schéma suivant à LDAP : | |||
| http://www.gcolpart.com/hacks/evolix.schema | |||
| * Si utilisation de "Samba", c'est plus compliqué... le schéma doit être découpé : | |||
| evolix-inetorgperson.schema : | |||
| attributetype ( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' | |||
| DESC 'an account is active or not' | |||
| EQUALITY booleanMatch | |||
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| attributetype ( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' | |||
| DESC 'boolean to verify if entry is admin for entry' | |||
| EQUALITY booleanMatch | |||
| SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| Puis ajouter au schéma "standard" inetorgperson.schema les attributs isActive | |||
| et isAdmin à la classe d'object inetOrgPerson, ce qui doit donner : | |||
| # inetOrgPerson | |||
| # The inetOrgPerson represents people who are associated with an | |||
| # organization in some way. It is a structural class and is derived | |||
| # from the organizationalPerson which is defined in X.521 [X521]. | |||
| objectclass ( 2.16.840.1.113730.3.2.2 | |||
| NAME 'inetOrgPerson' | |||
| DESC 'RFC2798: Internet Organizational Person' | |||
| SUP organizationalPerson | |||
| STRUCTURAL | |||
| MAY ( | |||
| audio $ businessCategory $ carLicense $ departmentNumber $ | |||
| displayName $ employeeNumber $ employeeType $ givenName $ | |||
| homePhone $ homePostalAddress $ initials $ jpegPhoto $ | |||
| labeledURI $ mail $ manager $ mobile $ o $ pager $ | |||
| photo $ roomNumber $ secretary $ uid $ userCertificate $ | |||
| x500uniqueIdentifier $ preferredLanguage $ | |||
| userSMIMECertificate $ userPKCS12 $ isActive $ | |||
| isAdmin ) | |||
| ) | |||
| Il faut aussi ajouter smbActive au schéma samba.schema : | |||
| objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY | |||
| DESC 'Samba 3.0 Auxilary SAM Account' | |||
| MUST ( uid $ sambaSID ) | |||
| MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ | |||
| sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $ | |||
| sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $ | |||
| displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $ | |||
| sambaProfilePath $ description $ sambaUserWorkstations $ | |||
| sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ | |||
| sambaBadPasswordCount $ sambaBadPasswordTime $ | |||
| sambaPasswordHistory $ sambaLogonHours $ smbActive)) | |||
| Et, enfin, les attributs isActive et isAdmin peuvent être commentés dans le schéma evolix.schema | |||
| et retirer de la classe d'objet mailAccount, ce qui doit donner : | |||
| # now in evolix-inetorgperson | |||
| #attributetype ( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' | |||
| # DESC 'an account is active or not' | |||
| # EQUALITY booleanMatch | |||
| # SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| # now in evolix-inetorgperson | |||
| #attributetype ( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' | |||
| # DESC 'boolean to verify if entry is admin for entry' | |||
| # EQUALITY booleanMatch | |||
| # SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| # doit egalement etre posixAccount + { person ou organizationalRole } | |||
| objectclass ( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' SUP top AUXILIARY | |||
| DESC 'LDAP/Unix mail account or virtual account' | |||
| MUST ( uid $ mailacceptinggeneralid ) | |||
| MAY ( accountActive $ authsmtpActive $ quota | |||
| $ courierActive $ webmailActive | |||
| $ vacationActive $ vacationInfo $ vacationStart $ vacationEnd | |||
| $ vacationForward $ maildrop ) ) | |||
| Reste à réordonner l'inclusion des schémas dans le "slapd.conf" : | |||
| # Schema and objectClass definitions | |||
| include /etc/ldap/schema/core.schema | |||
| include /etc/ldap/schema/cosine.schema | |||
| include /etc/ldap/schema/nis.schema | |||
| include /etc/ldap/schema/evolix-inetorgperson.schema | |||
| include /etc/ldap/schema/inetorgperson.schema | |||
| include /etc/ldap/schema/evolix.schema | |||
| include /etc/ldap/schema/samba.schema | |||
| * À l'exception du cas "mail virtuel", il est nécessaire de mettre en place un script | |||
| de création : | |||
| mkdir -p /usr/share/scripts | |||
| cp scripts/evoadmin.sh /usr/share/scripts/ | |||
| chmod +x /usr/share/scripts/evoadmin.sh | |||
| Il faut ensuite générer un mot de passe aléatoire à placer | |||
| dans /usr/share/scripts/evoadmin.sh et config/connect.php | |||
| Et, enfin, permettre son lancement via sudo en ajustant le sudoers : | |||
| User_Alias WWW = www-data | |||
| Cmnd_Alias EVOADMIN = /usr/share/scripts/evoadmin.sh | |||
| WWW ALL= NOPASSWD: EVOADMIN | |||
| * Configurer les applications (Postfix, Courier, Samba, etc.) pour utiliser les | |||
| paramètres en place (principalement LDAP). | |||
+ 260
- 0
docs/install.md
View File
| @@ -0,0 +1,260 @@ | |||
| # Install | |||
| Evoadmin-mail need an LDAP server, a Web server and PHP. This documentation explain how to configure OpenLDAP and Apache with mod_php. | |||
| Following files extract are [Jinja2](http://jinja.pocoo.org) templates, **{{ varname }}** must be replaced by custom value, eg. | |||
| ~~~ | |||
| ldap_hostname: "mailserver" | |||
| ldap_domain: "example.com" | |||
| ldap_suffix: "dc=mailserver,dc=example,dc=com" | |||
| ldap_admin_password: "password_for_ldap_admin_account" | |||
| evoadminmail_admin_password: "password_for_web_interface" | |||
| evoadminmail_host: "evoadmin-mail.mailserver.example.com" | |||
| ~~~ | |||
| ## LDAP | |||
| ~~~ | |||
| apt install slapd ldap-utils ldapvi shelldap | |||
| ~~~ | |||
| ~~~ | |||
| # /root/evolinux_ldap_config.ldapvi | |||
| modify: olcDatabase={1}mdb,cn=config | |||
| olcSuffix: {{ ldap_suffix }} | |||
| olcRootDN: cn=admin,{{ ldap_suffix }} | |||
| olcRootPW: {{ ldap_admin_password }} | |||
| olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break | |||
| olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none | |||
| olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read | |||
| olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read | |||
| ~~~ | |||
| ~~~ | |||
| ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi | |||
| ~~~ | |||
| ~~~ | |||
| # /root/evolinux_ldap_first-entries.ldif | |||
| dn: {{ ldap_suffix }} | |||
| objectClass: top | |||
| objectClass: dcObject | |||
| objectClass: organization | |||
| o: {{ ldap_domain }} | |||
| dc: {{ ldap_hostname }} | |||
| dn: cn=admin,{{ ldap_suffix }} | |||
| objectClass: simpleSecurityObject | |||
| objectClass: organizationalRole | |||
| cn: admin | |||
| description: LDAP administrator | |||
| userPassword: {{ ldap_admin_password }} | |||
| dn: ou=ldapusers,{{ ldap_suffix }} | |||
| objectClass: top | |||
| objectClass: organizationalUnit | |||
| ou: ldapusers | |||
| dn: cn=perl,ou=ldapusers,{{ ldap_suffix }} | |||
| objectClass: simpleSecurityObject | |||
| objectClass: organizationalRole | |||
| cn: perl | |||
| userPassword: {{ ldap_admin_password }} | |||
| dn: uid=evoadmin,{{ ldap_suffix }} | |||
| uid: evoadmin | |||
| cn: Evoadmin ADM | |||
| uidNumber: 4242 | |||
| gidNumber: 4242 | |||
| homeDirectory: /dev/null | |||
| isAdmin: TRUE | |||
| mailacceptinggeneralid: evoadmin@{{ ldap_domain }} | |||
| objectClass: mailAccount | |||
| objectClass: organizationalRole | |||
| objectClass: posixAccount | |||
| userPassword: {{ evoadminmail_admin_password }} | |||
| ~~~ | |||
| ~~~ | |||
| slapadd -l /root/evolinux_ldap_first-entries.ldif | |||
| ~~~ | |||
| ~~~ | |||
| # /root/ldap_schema.ldif | |||
| dn: cn={4}evolix,cn=schema,cn=config | |||
| objectClass: olcSchemaConfig | |||
| cn: {4}evolix | |||
| olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo | |||
| rward' SUP mail ) | |||
| olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid' | |||
| DESC 'mail alias' SUP mail ) | |||
| olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean | |||
| to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1 | |||
| .3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo | |||
| olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1. | |||
| 3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b | |||
| oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN | |||
| TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo | |||
| olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat | |||
| ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo | |||
| olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX | |||
| 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean | |||
| to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4 | |||
| .1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC | |||
| 'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11 | |||
| 5.121.1.26{20} SINGLE-VALUE ) | |||
| olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix | |||
| domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA | |||
| X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
| olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 'quota' DESC 'Courier | |||
| maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1. | |||
| 26 SINGLE-VALUE ) | |||
| olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC | |||
| 'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3 | |||
| .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A | |||
| bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY | |||
| NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
| olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC ' | |||
| Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115. | |||
| 121.1.40 SINGLE-VALUE ) | |||
| olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En | |||
| d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 | |||
| SINGLE-VALUE ) | |||
| olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC | |||
| 'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S | |||
| UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} | |||
| ) | |||
| olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool | |||
| ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3 | |||
| .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
| olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/ | |||
| Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce | |||
| ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co | |||
| urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat | |||
| ionStart $ vacationEnd $ vacationForward $ maildrop ) ) | |||
| olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al | |||
| iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m | |||
| aildrop ) MAY ( cn $ isActive ) ) | |||
| olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos | |||
| tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) ) | |||
| ~~~ | |||
| ~~~ | |||
| ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap_schema.ldif | |||
| ~~~ | |||
| ## Apache / PHP | |||
| ~~~ | |||
| apt install apache2 libapache2-mod-php php php-cli php-ldap php-log php-twig | |||
| ~~~ | |||
| ~~~ | |||
| # /etc/apache2/sites-available/evoadmin-mail.conf | |||
| <VirtualHost *:80> | |||
| ServerName {{ evoadminmail_host }} | |||
| Redirect permanent / https://{{ evoadminmail_host }}/ | |||
| </VirtualHost> | |||
| <VirtualHost *:443> | |||
| # FQDN principal | |||
| ServerName {{ evoadminmail_host }} | |||
| #ServerAlias {{ evoadminmail_host }} | |||
| # Repertoire principal | |||
| DocumentRoot /home/evoadmin-mail/www/htdocs/ | |||
| # SSL | |||
| SSLEngine on | |||
| SSLCertificateFile /etc/ssl/certs/{{ evoadminmail_host }}.crt | |||
| SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key | |||
| SSLProtocol all -SSLv2 -SSLv3 | |||
| # Propriete du repertoire | |||
| <Directory /home/evoadmin-mail/www/htdocs/> | |||
| #Options Indexes SymLinksIfOwnerMatch | |||
| Options SymLinksIfOwnerMatch | |||
| AllowOverride AuthConfig Limit FileInfo Indexes | |||
| Require all granted | |||
| </Directory> | |||
| # user - group (thanks to sesse@debian.org) | |||
| AssignUserID www-evoadmin-mail evoadmin-mail | |||
| # LOG | |||
| CustomLog /var/log/apache2/access.log combined | |||
| CustomLog /home/evoadmin-mail/log/access.log combined | |||
| ErrorLog /home/evoadmin-mail/log/error.log | |||
| # AWSTATS | |||
| SetEnv AWSTATS_FORCE_CONFIG evoadmin-mail | |||
| # REWRITE | |||
| UseCanonicalName On | |||
| RewriteEngine On | |||
| RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$ | |||
| RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R] | |||
| # PHP | |||
| #php_admin_flag engine off | |||
| #AddType text/html .html | |||
| #php_admin_flag display_errors On | |||
| #php_flag short_open_tag On | |||
| #php_flag register_globals On | |||
| #php_admin_value memory_limit 256M | |||
| #php_admin_value max_execution_time 60 | |||
| #php_admin_value upload_max_filesize 8M | |||
| #php_admin_flag allow_url_fopen Off | |||
| php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin-mail" | |||
| php_admin_value open_basedir "none" | |||
| </VirtualHost> | |||
| ~~~ | |||
| ~~~ | |||
| a2ensite evoadmin-mail | |||
| service apache2 reload | |||
| ~~~ | |||
| ## Evoadmin-mail | |||
| ~~~ | |||
| useradd --create-home evoadmin-mail | |||
| git clone https://forge.evolix.org/evoadmin-mail.git /home/evoadmin-mail/www | |||
| ~~~ | |||
| ~~~ | |||
| # /home/evoadmin-mail/www/config/config.ini | |||
| ; The configuration for evoadmin-mail | |||
| ; | |||
| ; You need to copy and edit config-sample.ini to config.ini. | |||
| ; This INI file is loaded by evoadmin-mail and contains the | |||
| ; following configurations : | |||
| ; | |||
| ; * Global settings | |||
| ; * LDAP settings | |||
| ; | |||
| [global] | |||
| name = "Evoadmin Mail"; | |||
| mail = "evoadmin-mail@example.com" | |||
| log_level = error | |||
| [ldap] | |||
| host = "127.0.0.1" | |||
| port = 389 | |||
| base = "{{ ldap_suffix }}" | |||
| admin_dn = "cn=admin,{{ ldap_suffix }}" | |||
| admin_pass = "{{ ldap_admin_password }}" | |||
| superadmin[] = "evoadmin" | |||
| ~~~ | |||
| You can now connect to your Evoadmin-mail with **evoadmin** user and your precedently defined password ! | |||