
Rewrite install documentation

tags/1.0.0
Victor Laborie 5 months ago
parent
commit
0aeb74d63d
3 changed files with 265 additions and 141 deletions
  1. 5
    1
      README.md
  2. 0
    140
      docs/INSTALL.md
  3. 260
    0
      docs/install.md

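--- a/README.md
+++ b/README.md
@@ -4,7 +4,11 @@ Evoadmin mail is a Web Interface for manage an LDAP directory designed for mail
 
 ## Install
 
-See [INSTALL](docs/INSTALL.md).
+Evoadmin-mail requirements are an LDAP server, a Web server and PHP. See [INSTALL](docs/install.md) for configure them.
+
+Multiples services can be configured to use the LDAP directory managed by Evoadmin-mail :
+
+- TODO
 
 ## Test
 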

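--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -1,140 +0,0 @@
-# Pré-requis
-
-* Apache
-* PHP5 ou supérieur avec certains modules (MHASH, etc.)
-* Si utilisé avec Samba, besoin du module PEAR Crypt/CHAP
-* sudo
-* LDAP
-
-php5-mhash
-
-# Instructions d'installation
-
-* Récupérer les sources Git et les rendre accessible via Apache
-
-* Copier config/connect.php et config/conf.php à partir de leur version "-dist"
-  et ajuster les paramètres
-
-* Ajouter le schéma suivant à LDAP :
-  http://www.gcolpart.com/hacks/evolix.schema
-
-* Si utilisation de "Samba", c'est plus compliqué... le schéma doit être découpé :
-
-  evolix-inetorgperson.schema :
-
---8<--
-attributetype ( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive'
-        DESC 'an account is active or not'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-
-attributetype ( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin'
-        DESC 'boolean to verify if entry is admin for entry'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
---8<--
-
-  Puis ajouter au schéma "standard" inetorgperson.schema les attributs isActive
-  et isAdmin à la classe d'object inetOrgPerson, ce qui doit donner :
-
---8<--
-# inetOrgPerson
-# The inetOrgPerson represents people who are associated with an
-# organization in some way.  It is a structural class and is derived
-# from the organizationalPerson which is defined in X.521 [X521].
-objectclass ( 2.16.840.1.113730.3.2.2
-    NAME 'inetOrgPerson'
-    DESC 'RFC2798: Internet Organizational Person'
-    SUP organizationalPerson
-    STRUCTURAL
-    MAY (
-        audio $ businessCategory $ carLicense $ departmentNumber $
-        displayName $ employeeNumber $ employeeType $ givenName $
-        homePhone $ homePostalAddress $ initials $ jpegPhoto $
-        labeledURI $ mail $ manager $ mobile $ o $ pager $
-        photo $ roomNumber $ secretary $ uid $ userCertificate $
-        x500uniqueIdentifier $ preferredLanguage $
-        userSMIMECertificate $ userPKCS12 $ isActive $
-        isAdmin )
-    )
---8<--
-
-  Il faut aussi ajouter smbActive au schéma samba.schema :
-
---8<--
-objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
-    DESC 'Samba 3.0 Auxilary SAM Account'
-    MUST ( uid $ sambaSID )
-    MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
-           sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
-           sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
-               displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
-           sambaProfilePath $ description $ sambaUserWorkstations $
-           sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
-           sambaBadPasswordCount $ sambaBadPasswordTime $
-           sambaPasswordHistory $ sambaLogonHours $ smbActive))
---8<--
-
-  Et, enfin, les attributs isActive et isAdmin peuvent être commentés dans le schéma evolix.schema
-  et retirer de la classe d'objet mailAccount, ce qui doit donner :
-
---8<--
-# now in evolix-inetorgperson
-#attributetype ( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive'
-#        DESC 'an account is active or not'
-#        EQUALITY booleanMatch
-#        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-
-# now in evolix-inetorgperson
-#attributetype ( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin'
-#        DESC 'boolean to verify if entry is admin for entry'
-#        EQUALITY booleanMatch
-#        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-
-# doit egalement etre posixAccount + { person ou organizationalRole }
-objectclass ( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' SUP top AUXILIARY
-        DESC 'LDAP/Unix mail account or virtual account'
-        MUST ( uid $ mailacceptinggeneralid )
-        MAY ( accountActive $ authsmtpActive $ quota 
-            $ courierActive $ webmailActive 
-            $ vacationActive $ vacationInfo $ vacationStart $ vacationEnd
-            $ vacationForward $ maildrop ) )
---8<--
- 
-Reste à réordonner l'inclusion des schémas dans le "slapd.conf" :
-
---8<--
-# Schema and objectClass definitions
-include         /etc/ldap/schema/core.schema
-include         /etc/ldap/schema/cosine.schema
-include         /etc/ldap/schema/nis.schema
-
-include         /etc/ldap/schema/evolix-inetorgperson.schema
-include         /etc/ldap/schema/inetorgperson.schema
-
-include         /etc/ldap/schema/evolix.schema
-include         /etc/ldap/schema/samba.schema
---8<--
-
-* À l'exception du cas "mail virtuel", il est nécessaire de mettre en place un script
-  de création :
-
---8<--
-mkdir -p /usr/share/scripts
-cp scripts/evoadmin.sh /usr/share/scripts/
-chmod +x /usr/share/scripts/evoadmin.sh
---8<--
-
-  Il faut ensuite générer un mot de passe aléatoire à placer
-  dans /usr/share/scripts/evoadmin.sh et config/connect.php
-
-  Et, enfin, permettre son lancement via sudo en ajustant le sudoers :
-
---8<--
-User_Alias WWW = www-data
-Cmnd_Alias EVOADMIN = /usr/share/scripts/evoadmin.sh
-WWW ALL= NOPASSWD: EVOADMIN
---8<--
-
-* Configurer les applications (Postfix, Courier, Samba, etc.) pour utiliser les
-  paramètres en place (principalement LDAP).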

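--- a/docs/install.md
+++ b/docs/install.md
@@ -0,0 +1,260 @@
+# Install
+
+Evoadmin-mail need an LDAP server, a Web server and PHP. This documentation explain how to configure OpenLDAP and Apache with mod_php.
+
+Following files extract are [Jinja2](http://jinja.pocoo.org) templates, **{{ varname }}** must be replaced by custom value, eg.
+
+~~~
+ldap_hostname: "mailserver"
+ldap_domain: "example.com"
+ldap_suffix: "dc=mailserver,dc=example,dc=com"
+ldap_admin_password: "password_for_ldap_admin_account"
+evoadminmail_admin_password: "password_for_web_interface"
+evoadminmail_host: "evoadmin-mail.mailserver.example.com"
+~~~
+
+## LDAP
+
+~~~
+apt install slapd ldap-utils ldapvi shelldap
+~~~
+
+~~~
+# /root/evolinux_ldap_config.ldapvi
+modify: olcDatabase={1}mdb,cn=config
+olcSuffix: {{ ldap_suffix }}
+olcRootDN: cn=admin,{{ ldap_suffix }}
+olcRootPW: {{ ldap_admin_password }}
+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
+olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
+olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
+~~~
+
+~~~
+ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
+~~~
+
+~~~
+# /root/evolinux_ldap_first-entries.ldif
+dn: {{ ldap_suffix }}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: {{ ldap_domain }}
+dc: {{ ldap_hostname }}
+
+dn: cn=admin,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+userPassword: {{ ldap_admin_password }}
+
+dn: ou=ldapusers,{{ ldap_suffix }}
+objectClass: top
+objectClass: organizationalUnit
+ou: ldapusers
+
+dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: perl
+userPassword: {{ ldap_admin_password }}
+
+dn: uid=evoadmin,{{ ldap_suffix }}
+uid: evoadmin
+cn: Evoadmin ADM
+uidNumber: 4242
+gidNumber: 4242
+homeDirectory: /dev/null
+isAdmin: TRUE
+mailacceptinggeneralid: evoadmin@{{ ldap_domain }}
+objectClass: mailAccount
+objectClass: organizationalRole
+objectClass: posixAccount
+userPassword: {{ evoadminmail_admin_password }}
+~~~
+
+~~~
+slapadd -l /root/evolinux_ldap_first-entries.ldif
+~~~
+
+~~~
+# /root/ldap_schema.ldif
+dn: cn={4}evolix,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: {4}evolix
+olcAttributeTypes: {0}( 1.3.6.1.4.1.24331.22.1.1 NAME 'maildrop' DESC 'mail fo
+ rward' SUP mail )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.24331.22.1.2 NAME 'mailacceptinggeneralid'
+  DESC 'mail alias' SUP mail )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.24331.22.1.3 NAME 'isActive' DESC 'boolean
+  to verify an global account is active or not' EQUALITY booleanMatch SYNTAX 1
+ .3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.24331.22.1.4 NAME 'accountActive' DESC 'bo
+ olean to verify if an mail account is active' EQUALITY booleanMatch SYNTAX 1.
+ 3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.24331.22.1.5 NAME 'authsmtpActive' DESC 'b
+ oolean to verify if SMTP-AUTH is enabled for entry' EQUALITY booleanMatch SYN
+ TAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.24331.22.1.6 NAME 'courierActive' DESC 'bo
+ olean to verify if Courier POP/IMAP is enabled for entry' EQUALITY booleanMat
+ ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.24331.22.1.7 NAME 'webmailActive' DESC 'bo
+ olean to verify if webmail is enabled for entry' EQUALITY booleanMatch SYNTAX
+  1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.24331.22.1.8 NAME 'isAdmin' DESC 'boolean
+ to verify if entry is admin for entry' EQUALITY booleanMatch SYNTAX 1.3.6.1.4
+ .1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.24331.22.1.9 NAME 'postfixTransport' DESC
+ 'transport for Postfix' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.11
+ 5.121.1.26{20} SINGLE-VALUE )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.24331.22.1.10 NAME 'domain' DESC 'Postfix
+ domain' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTA
+ X 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {10}( 1.3.6.1.4.1.24331.22.1.11 NAME 'quota' DESC 'Courier
+ maildir quota' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+ 26 SINGLE-VALUE )
+olcAttributeTypes: {11}( 1.3.6.1.4.1.24331.22.1.16 NAME 'vacationActive' DESC
+ 'A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.3
+ .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {12}( 1.3.6.1.4.1.24331.22.1.17 NAME 'vacationInfo' DESC 'A
+ bsentee note to leave behind, while on vacation' EQUALITY octetStringMatch SY
+ NTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {13}( 1.3.6.1.4.1.24331.22.1.18 NAME 'vacationStart' DESC '
+ Beginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.
+ 121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {14}( 1.3.6.1.4.1.24331.22.1.19 NAME 'vacationEnd' DESC 'En
+ d of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
+  SINGLE-VALUE )
+olcAttributeTypes: {15}( 1.3.6.1.4.1.24331.22.1.20 NAME 'vacationForward' DESC
+  'Where to forward mails to, while on vacation' EQUALITY caseIgnoreIA5Match S
+ UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}
+ )
+olcAttributeTypes: {16}( 1.3.6.1.4.1.24331.22.1.21 NAME 'smbActive' DESC 'bool
+ ean to verify if an Samba account is active' EQUALITY booleanMatch SYNTAX 1.3
+ .6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcObjectClasses: {0}( 1.3.6.1.4.1.24331.22.2.1 NAME 'mailAccount' DESC 'LDAP/
+ Unix mail account or virtual account' SUP top AUXILIARY MUST ( uid $ mailacce
+ ptinggeneralid ) MAY ( accountActive $ authsmtpActive $ quota $ isActive $ co
+ urierActive $ webmailActive $ isAdmin $ vacationActive $ vacationInfo $ vacat
+ ionStart $ vacationEnd $ vacationForward $ maildrop ) )
+olcObjectClasses: {1}( 1.3.6.1.4.1.24331.22.2.2 NAME 'mailAlias' DESC 'Mail al
+ iasing/forwarding entry' SUP top STRUCTURAL MUST ( mailacceptinggeneralid $ m
+ aildrop ) MAY ( cn $ isActive ) )
+olcObjectClasses: {2}( 1.3.6.1.4.1.24331.22.2.4 NAME 'postfixDomain' DESC 'Pos
+ tfix domain' SUP posixGroup STRUCTURAL MAY ( postfixTransport $ isActive ) )
+~~~
+
+~~~
+ldapadd -Y EXTERNAL -H ldapi:/// -f /root/ldap_schema.ldif
+~~~
+
+## Apache / PHP
+
+~~~
+apt install apache2 libapache2-mod-php php php-cli php-ldap php-log php-twig
+~~~
+
+~~~
+# /etc/apache2/sites-available/evoadmin-mail.conf
+<VirtualHost *:80>
+    ServerName {{ evoadminmail_host }}
+    Redirect permanent / https://{{ evoadminmail_host }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+
+    # FQDN principal
+    ServerName {{ evoadminmail_host }}
+    #ServerAlias {{ evoadminmail_host }}
+
+    # Repertoire principal
+    DocumentRoot /home/evoadmin-mail/www/htdocs/
+
+    # SSL
+    SSLEngine on
+    SSLCertificateFile    /etc/ssl/certs/{{ evoadminmail_host }}.crt
+    SSLCertificateKeyFile /etc/ssl/private/{{ evoadminmail_host }}.key
+    SSLProtocol all -SSLv2 -SSLv3
+
+    # Propriete du repertoire
+    <Directory /home/evoadmin-mail/www/htdocs/>
+        #Options Indexes SymLinksIfOwnerMatch
+        Options SymLinksIfOwnerMatch
+        AllowOverride AuthConfig Limit FileInfo Indexes
+        Require all granted
+    </Directory>
+
+    # user - group (thanks to sesse@debian.org)
+    AssignUserID www-evoadmin-mail evoadmin-mail
+
+    # LOG
+    CustomLog /var/log/apache2/access.log combined
+    CustomLog /home/evoadmin-mail/log/access.log combined
+    ErrorLog  /home/evoadmin-mail/log/error.log
+
+    # AWSTATS
+    SetEnv AWSTATS_FORCE_CONFIG evoadmin-mail
+
+    # REWRITE
+    UseCanonicalName On
+    RewriteEngine On
+    RewriteCond %{HTTP_HOST} !^{{ evoadminmail_host }}$
+    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]
+
+    # PHP
+    #php_admin_flag engine off
+    #AddType text/html .html
+    #php_admin_flag display_errors On
+    #php_flag short_open_tag On
+    #php_flag register_globals On
+    #php_admin_value memory_limit 256M
+    #php_admin_value max_execution_time 60
+    #php_admin_value upload_max_filesize 8M
+    #php_admin_flag allow_url_fopen Off
+    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f www-evoadmin-mail"
+    php_admin_value open_basedir "none"
+</VirtualHost>
+~~~
+
+~~~
+a2ensite evoadmin-mail
+service apache2 reload
+~~~
+
+## Evoadmin-mail
+
+~~~
+useradd --create-home evoadmin-mail
+git clone https://forge.evolix.org/evoadmin-mail.git /home/evoadmin-mail/www
+~~~
+
+~~~
+# /home/evoadmin-mail/www/config/config.ini
+; The configuration for evoadmin-mail
+;
+; You need to copy and edit config-sample.ini to config.ini.
+; This INI file is loaded by evoadmin-mail and contains the
+; following configurations :
+;
+; * Global settings
+; * LDAP settings
+;
+
+[global]
+name = "Evoadmin Mail";
+mail = "evoadmin-mail@example.com"
+log_level = error
+
+[ldap]
+host = "127.0.0.1"
+port = 389
+base = "{{ ldap_suffix }}"
+admin_dn = "cn=admin,{{ ldap_suffix }}"
+admin_pass = "{{ ldap_admin_password }}"
+superadmin[] = "evoadmin"
+~~~
+
+You can now connect to your Evoadmin-mail with **evoadmin** user and your precedently defined password !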
