From 807a226d62ec5aeb4f645198997d539a53535283 Mon Sep 17 00:00:00 2001
From: frank
Date: Mon, 16 Jan 2012 14:17:28 +0100
Subject: [PATCH] committing changes in /etc after emerge run

Package changes:
+net-libs/courier-authlib-0.63.0-r1
---
 .etckeeper | 27 ++
 .../authlib/.keep_net-libs_courier-authlib-0 | 0
 courier/authlib/authdaemonrc | 103 +++++++
 courier/authlib/authdaemonrc.dist | 103 +++++++
 courier/authlib/authldaprc | 273 +++++++++++++++++
 courier/authlib/authldaprc.dist | 273 +++++++++++++++++
 courier/authlib/authmysqlrc | 288 ++++++++++++++++++
 courier/authlib/authmysqlrc.dist | 288 ++++++++++++++++++
 init.d/courier-authlib | 41 +++
 openldap/schema/authldap.schema | 103 +++++++
 10 files changed, 1499 insertions(+)
 create mode 100644 courier/authlib/.keep_net-libs_courier-authlib-0
 create mode 100644 courier/authlib/authdaemonrc
 create mode 100644 courier/authlib/authdaemonrc.dist
 create mode 100644 courier/authlib/authldaprc
 create mode 100644 courier/authlib/authldaprc.dist
 create mode 100644 courier/authlib/authmysqlrc
 create mode 100644 courier/authlib/authmysqlrc.dist
 create mode 100755 init.d/courier-authlib
 create mode 100644 openldap/schema/authldap.schema

diff --git a/.etckeeper b/.etckeeper
index c79ad578..1400d2b7 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -134,6 +134,31 @@ maybe chmod 0644 './config-archive/etc/syslog-ng/syslog-ng.conf'
 maybe chmod 0644 './config-archive/etc/syslog-ng/syslog-ng.conf.dist.new'
 maybe chmod 0600 './config-archive/etc/ulogd.conf'
 maybe chmod 0600 './config-archive/etc/ulogd.conf.dist.new'
+maybe chown mail './courier'
+maybe chgrp mail './courier'
+maybe chmod 0755 './courier'
+maybe chown mail './courier/authlib'
+maybe chgrp mail './courier/authlib'
+maybe chmod 0755 './courier/authlib'
+maybe chmod 0644 './courier/authlib/.keep_net-libs_courier-authlib-0'
+maybe chown mail './courier/authlib/authdaemonrc'
+maybe chgrp mail './courier/authlib/authdaemonrc'
+maybe chmod 0660 './courier/authlib/authdaemonrc'
+maybe chown mail './courier/authlib/authdaemonrc.dist'
+maybe chgrp mail './courier/authlib/authdaemonrc.dist'
+maybe chmod 0660 './courier/authlib/authdaemonrc.dist'
+maybe chown mail './courier/authlib/authldaprc'
+maybe chgrp mail './courier/authlib/authldaprc'
+maybe chmod 0660 './courier/authlib/authldaprc'
+maybe chown mail './courier/authlib/authldaprc.dist'
+maybe chgrp mail './courier/authlib/authldaprc.dist'
+maybe chmod 0660 './courier/authlib/authldaprc.dist'
+maybe chown mail './courier/authlib/authmysqlrc'
+maybe chgrp mail './courier/authlib/authmysqlrc'
+maybe chmod 0660 './courier/authlib/authmysqlrc'
+maybe chown mail './courier/authlib/authmysqlrc.dist'
+maybe chgrp mail './courier/authlib/authmysqlrc.dist'
+maybe chmod 0660 './courier/authlib/authmysqlrc.dist'
 maybe chmod 0755 './cron.d'
 maybe chmod 0644 './cron.d/.keep_sys-process_vixie-cron-0'
 maybe chmod 0750 './cron.daily'
@@ -395,6 +420,7 @@ maybe chmod 0755 './init.d/bluetooth'
 maybe chmod 0755 './init.d/bootmisc'
 maybe chmod 0755 './init.d/consolefont'
 maybe chmod 0755 './init.d/consolekit'
+maybe chmod 0755 './init.d/courier-authlib'
 maybe chmod 0755 './init.d/crypto-loop'
 maybe chmod 0755 './init.d/cupsd'
 maybe chmod 0755 './init.d/dbus'
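Review bot: The recorded modes make every file under courier/authlib group-writable by `mail`, including the two that carry backend credentials (`maybe chmod 0660 './courier/authlib/authmysqlrc'`, `maybe chmod 0660 './courier/authlib/authldaprc'`, with the matching chown/chgrp lines). Read access for the mail group is presumably what Courier's processes need; write access lets anything running in that group change the database credentials or set `DEBUG_LOGIN=2`, which authdaemonrc itself warns logs passwords to syslog. If these modes come straight from the ebuild rather than a local choice, it is still worth tightening them to 0640 after the emerge (`maybe chmod 0640 './courier/authlib/authmysqlrc'` and likewise for authdaemonrc and authldaprc) and letting etckeeper record that; the `.dist` templates do not need group write either.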
@@ -556,6 +582,7 @@ maybe chmod 0644 './openldap/ldap.conf'
 maybe chmod 0644 './openldap/ldap.conf.default'
 maybe chmod 0755 './openldap/schema'
 maybe chmod 0444 './openldap/schema/README'
+maybe chmod 0644 './openldap/schema/authldap.schema'
 maybe chmod 0444 './openldap/schema/collective.schema'
 maybe chmod 0444 './openldap/schema/corba.schema'
 maybe chmod 0444 './openldap/schema/core.ldif'
diff --git a/courier/authlib/.keep_net-libs_courier-authlib-0 b/courier/authlib/.keep_net-libs_courier-authlib-0
new file mode 100644
index 00000000..e69de29b
diff --git a/courier/authlib/authdaemonrc b/courier/authlib/authdaemonrc
new file mode 100644
index 00000000..9dba818d
--- /dev/null
+++ b/courier/authlib/authdaemonrc
@@ -0,0 +1,103 @@
+##VERSION: $Id: authdaemonrc.in,v 1.13 2005/10/05 00:07:32 mrsam Exp $
+#
+# Copyright 2000-2005 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# authdaemonrc created from authdaemonrc.dist by sysconftool
+#
+# Do not alter lines that begin with ##, they are used when upgrading
+# this configuration.
+#
+# This file configures authdaemond, the resident authentication daemon.
+#
+# Comments in this file are ignored. Although this file is intended to
+# be sourced as a shell script, authdaemond parses it manually, so
+# the acceptable syntax is a bit limited. Multiline variable contents,
+# with the \ continuation character, are not allowed. Everything must
+# fit on one line. Do not use any additional whitespace for indentation,
+# or anything else.
+
+##NAME: authmodulelist:2
+#
+# The authentication modules that are linked into authdaemond. The
+# default list is installed. You may selectively disable modules simply
+# by removing them from the following list. The available modules you
+# can use are: authuserdb authpam authshadow authldap authmysql authcustom authpipe
+
+authmodulelist="authmysql "
+
+##NAME: authmodulelistorig:3
+#
+# This setting is used by Courier's webadmin module, and should be left
+# alone
+
+authmodulelistorig="authuserdb authpam authshadow authldap authmysql authcustom authpipe"
+
+##NAME: daemons:0
+#
+# The number of daemon processes that are started. authdaemon is typically
+# installed where authentication modules are relatively expensive: such
+# as authldap, or authmysql, so it's better to have a number of them running.
+# PLEASE NOTE: Some platforms may experience a problem if there's more than
+# one daemon. Specifically, SystemV derived platforms that use TLI with
+# socket emulation. I'm suspicious of TLI's ability to handle multiple
+# processes accepting connections on the same filesystem domain socket.
+#
+# You may need to increase daemons if as your system load increases. Symptoms
+# include sporadic authentication failures. If you start getting
+# authentication failures, increase daemons. However, the default of 5
+# SHOULD be sufficient. Bumping up daemon count is only a short-term
+# solution. The permanent solution is to add more resources: RAM, faster
+# disks, faster CPUs...
+
+daemons=5
+
+##NAME: authdaemonvar:2
+#
+# authdaemonvar is here, but is not used directly by authdaemond. It's
+# used by various configuration and build scripts, so don't touch it!
+
+authdaemonvar=/var/lib/courier/authdaemon
+
+##NAME: DEBUG_LOGIN:0
+#
+# Dump additional diagnostics to syslog
+#
+# DEBUG_LOGIN=0 - turn off debugging
+# DEBUG_LOGIN=1 - turn on debugging
+# DEBUG_LOGIN=2 - turn on debugging + log passwords too
+#
+# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
+#
+# Note that most information is sent to syslog at level 'debug', so
+# you may need to modify your /etc/syslog.conf to be able to see it.
+
+DEBUG_LOGIN=0
+
+##NAME: DEFAULTOPTIONS:0
+#
+# A comma-separated list of option=value pairs. Each option is applied
+# to an account if the account does not have its own specific value for
+# that option. So for example, you can set
+# DEFAULTOPTIONS="disablewebmail=1,disableimap=1"
+# and then enable webmail and/or imap on individual accounts by setting
+# disablewebmail=0 and/or disableimap=0 on the account.
+
+DEFAULTOPTIONS=""
+
+##NAME: LOGGEROPTS:0
+#
+# courierlogger(1) options, e.g. to set syslog facility
+#
+
+LOGGEROPTS=""
+
+##NAME: LDAP_TLS_OPTIONS:0
+#
+# Options documented in ldap.conf(5) can be set here, prefixed with 'LDAP'.
+# Examples:
+#
+#LDAPTLS_CACERT=/path/to/cacert.pem
+#LDAPTLS_REQCERT=demand
+#LDAPTLS_CERT=/path/to/clientcert.pem
+#LDAPTLS_KEY=/path/to/clientkey.pem
diff --git a/courier/authlib/authdaemonrc.dist b/courier/authlib/authdaemonrc.dist
new file mode 100644
index 00000000..63cc6b1d
--- /dev/null
+++ b/courier/authlib/authdaemonrc.dist
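Review bot: `authmodulelist="authmysql "` makes authmysql the only backend, yet the authmysqlrc added in this same commit is still the stock template (`MYSQL_SERVER mysql.example.com`, `MYSQL_USERNAME admin`, `MYSQL_PASSWORD admin`, no MYSQL_SSL_* settings), so as committed the daemon is unlikely to authenticate anyone against a real database, and the first edit that makes it work will put live database credentials into this etckeeper repository's history. Before that happens, decide whether authmysqlrc should be excluded from version control or the repository itself treated as secret, and prefer a dedicated low-privilege MySQL account with a TLS-protected connection over `admin`. The trailing space inside the quoted module list looks accidental; `authmodulelist="authmysql"` reads more clearly even if authdaemond's hand parser tolerates it. `DEBUG_LOGIN=0` is the right value to keep for a file that is now under version control, given the warning above it that level 2 writes passwords to syslog.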
@@ -0,0 +1,103 @@
+##VERSION: $Id: authdaemonrc.in,v 1.13 2005/10/05 00:07:32 mrsam Exp $
+#
+# Copyright 2000-2005 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# authdaemonrc created from authdaemonrc.dist by sysconftool
+#
+# Do not alter lines that begin with ##, they are used when upgrading
+# this configuration.
+#
+# This file configures authdaemond, the resident authentication daemon.
+#
+# Comments in this file are ignored. Although this file is intended to
+# be sourced as a shell script, authdaemond parses it manually, so
+# the acceptable syntax is a bit limited. Multiline variable contents,
+# with the \ continuation character, are not allowed. Everything must
+# fit on one line. Do not use any additional whitespace for indentation,
+# or anything else.
+
+##NAME: authmodulelist:2
+#
+# The authentication modules that are linked into authdaemond. The
+# default list is installed. You may selectively disable modules simply
+# by removing them from the following list. The available modules you
+# can use are: authuserdb authpam authshadow authldap authmysql authcustom authpipe
+
+authmodulelist="authuserdb authpam authshadow authldap authmysql authcustom authpipe"
+
+##NAME: authmodulelistorig:3
+#
+# This setting is used by Courier's webadmin module, and should be left
+# alone
+
+authmodulelistorig="authuserdb authpam authshadow authldap authmysql authcustom authpipe"
+
+##NAME: daemons:0
+#
+# The number of daemon processes that are started. authdaemon is typically
+# installed where authentication modules are relatively expensive: such
+# as authldap, or authmysql, so it's better to have a number of them running.
+# PLEASE NOTE: Some platforms may experience a problem if there's more than
+# one daemon. Specifically, SystemV derived platforms that use TLI with
+# socket emulation. I'm suspicious of TLI's ability to handle multiple
+# processes accepting connections on the same filesystem domain socket.
+#
+# You may need to increase daemons if as your system load increases. Symptoms
+# include sporadic authentication failures. If you start getting
+# authentication failures, increase daemons. However, the default of 5
+# SHOULD be sufficient. Bumping up daemon count is only a short-term
+# solution. The permanent solution is to add more resources: RAM, faster
+# disks, faster CPUs...
+
+daemons=5
+
+##NAME: authdaemonvar:2
+#
+# authdaemonvar is here, but is not used directly by authdaemond. It's
+# used by various configuration and build scripts, so don't touch it!
+
+authdaemonvar=/var/lib/courier/authdaemon
+
+##NAME: DEBUG_LOGIN:0
+#
+# Dump additional diagnostics to syslog
+#
+# DEBUG_LOGIN=0 - turn off debugging
+# DEBUG_LOGIN=1 - turn on debugging
+# DEBUG_LOGIN=2 - turn on debugging + log passwords too
+#
+# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
+#
+# Note that most information is sent to syslog at level 'debug', so
+# you may need to modify your /etc/syslog.conf to be able to see it.
+
+DEBUG_LOGIN=0
+
+##NAME: DEFAULTOPTIONS:0
+#
+# A comma-separated list of option=value pairs. Each option is applied
+# to an account if the account does not have its own specific value for
+# that option. So for example, you can set
+# DEFAULTOPTIONS="disablewebmail=1,disableimap=1"
+# and then enable webmail and/or imap on individual accounts by setting
+# disablewebmail=0 and/or disableimap=0 on the account.
+
+DEFAULTOPTIONS=""
+
+##NAME: LOGGEROPTS:0
+#
+# courierlogger(1) options, e.g. to set syslog facility
+#
+
+LOGGEROPTS=""
+
+##NAME: LDAP_TLS_OPTIONS:0
+#
+# Options documented in ldap.conf(5) can be set here, prefixed with 'LDAP'.
+# Examples:
+#
+#LDAPTLS_CACERT=/path/to/cacert.pem
+#LDAPTLS_REQCERT=demand
+#LDAPTLS_CERT=/path/to/clientcert.pem
+#LDAPTLS_KEY=/path/to/clientkey.pem
diff --git a/courier/authlib/authldaprc b/courier/authlib/authldaprc
new file mode 100644
index 00000000..79bfa94b
--- /dev/null
+++ b/courier/authlib/authldaprc
@@ -0,0 +1,273 @@
+##VERSION: $Id: authldaprc,v 1.25 2005/10/05 00:07:32 mrsam Exp $
+#
+# Copyright 2000-2004 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# Do not alter lines that begin with ##, they are used when upgrading
+# this configuration.
+#
+# authldaprc created from authldaprc.dist by sysconftool
+#
+# DO NOT INSTALL THIS FILE with world read permissions. This file
+# might contain the LDAP admin password!
+#
+# This configuration file specifies LDAP authentication parameters
+#
+# The format of this file must be as follows:
+#
+# field[spaces|tabs]value
+#
+# That is, the name of the field, followed by spaces or tabs, followed by
+# field value. No trailing spaces.
+#
+# Here are the fields:
+
+##NAME: LOCATION:1
+#
+# Location of your LDAP server(s). If you have multiple LDAP servers,
+# you can list them separated by commas and spaces, and they will be tried in
+# turn.
+
+LDAP_URI ldaps://ldap.example.com, ldaps://backup.example.com
+
+##NAME: LDAP_PROTOCOL_VERSION:0
+#
+# Which version of LDAP protocol to use
+
+LDAP_PROTOCOL_VERSION 3
+
+##NAME: LDAP_BASEDN:0
+#
+# Look for authentication here:
+
+LDAP_BASEDN o=example, c=com
+
+##NAME: LDAP_BINDDN:0
+#
+# You may or may not need to specify the following. Because you've got
+# a password here, authldaprc should not be world-readable!!!
+
+LDAP_BINDDN cn=administrator, o=example, c=com
+LDAP_BINDPW toto
+
+##NAME: LDAP_TIMEOUT:0
+#
+# Timeout for LDAP search and connection
+
+LDAP_TIMEOUT 5
+
+##NAME: LDAP_AUTHBIND:0
+#
+# Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND
+# the password is validated by rebinding with the supplied userid and password.
+# If rebind succeeds, this is considered to be an authenticated request. This
+# does not support CRAM-MD5 authentication, which requires clearPassword.
+# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
+# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
+#
+# LDAP_AUTHBIND 1
+
+##NAME: LDAP_MAIL:0
+#
+# Here's the field on which we query
+
+LDAP_MAIL mail
+
+##NAME: LDAP_FILTER:0
+#
+# This LDAP filter will be ANDed with the query for the field defined above
+# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
+# defined to be "(objectClass=CourierMailAccount)" the query that is performed
+# will be "(&(objectClass=CourierMailAccount)(mail=))"
+#
+# LDAP_FILTER (objectClass=CourierMailAccount)
+
+##NAME: LDAP_DOMAIN:0
+#
+# The following default domain will be appended, if not explicitly specified.
+#
+# LDAP_DOMAIN example.com
+
+##NAME: LDAP_GLOB_IDS:0
+#
+# The following two variables can be used to set everybody's uid and gid.
+# This is convenient if your LDAP specifies a bunch of virtual mail accounts
+# The values can be usernames or userids:
+#
+# LDAP_GLOB_UID vmail
+# LDAP_GLOB_GID vmail
+
+##NAME: LDAP_HOMEDIR:0
+#
+# We will retrieve the following attributes
+#
+# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
+
+LDAP_HOMEDIR homeDirectory
+
+##NAME: LDAP_MAILROOT:0
+#
+# If homeDirectory is not an absolute path, define the root of the
+# relative paths in LDAP_MAILROOT
+#
+# LDAP_MAILROOT /var/mail
+
+
+##NAME: LDAP_MAILDIR:0
+#
+# The MAILDIR attribute is OPTIONAL, and specifies the location of the
+# mail directory. If not specified, ./Maildir will be used
+
+LDAP_MAILDIR mailbox
+
+##NAME: LDAP_DEFAULTDELIVERY:0
+#
+# Courier mail server only: optional attribute specifies custom mail delivery
+# instructions for this account (if defined) -- essentially overrides
+# DEFAULTDELIVERY from ${sysconfdir}/courierd
+
+LDAP_DEFAULTDELIVERY defaultDelivery
+
+##NAME: LDAP_MAILDIRQUOTA:0
+#
+# The following variable, if defined, specifies the field containing the
+# maildir quota, see README.maildirquota for more information
+#
+# LDAP_MAILDIRQUOTA quota
+
+
+##NAME: LDAP_FULLNAME:0
+#
+# FULLNAME is optional, specifies the user's full name
+
+LDAP_FULLNAME cn
+
+##NAME: LDAP_PW:0
+#
+# CLEARPW is the clear text password. CRYPT is the crypted password.
+# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
+# libhmac.a is available, CRAM authentication will be possible!
+
+LDAP_CLEARPW clearPassword
+LDAP_CRYPTPW userPassword
+
+##NAME: LDAP_IDS:0
+#
+# Uncomment the following, and modify as appropriate, if your LDAP database
+# stores individual userids and groupids. Otherwise, you must uncomment
+# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
+# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
+# be defined as attributes for everyone.
+#
+# LDAP_UID uidNumber
+# LDAP_GID gidNumber
+
+
+##NAME: LDAP_AUXOPTIONS:0
+#
+# Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
+# comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
+# attributes that define various per-account "options", as given in
+# INSTALL's description of the OPTIONS setting.
+#
+# Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
+# the attribute value gets placed in the OPTIONS variable, with the name
+# NAME. For example:
+#
+# LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap
+#
+# Then, if an LDAP record contains the following attributes:
+#
+# shared: domain1
+# disableimap: 0
+#
+# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
+#
+# NOTE: ** no spaces in this setting **, the above example has exactly
+# one tab character after LDAP_AUXOPTIONS
+
+
+##NAME: LDAP_ENUMERATE_FILTER:0
+#
+# {EXPERIMENTAL}
+# Optional custom filter used when enumerating accounts for authenumerate,
+# in order to compile a list of accounts for shared folders. If present,
+# this filter will be used instead of LDAP_FILTER.
+#
+# LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
+
+
+##NAME: LDAP_DEREF:0
+#
+# Determines how aliases are handled during a search. This option is available
+# only with OpenLDAP 2.0
+#
+# LDAP_DEREF can be one of the following values:
+# never, searching, finding, always. If not specified, aliases are
+# never dereferenced.
+
+LDAP_DEREF never
+
+##NAME: LDAP_TLS:0
+#
+# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
+# when the server accepts a normal LDAP connection on port 389 which
+# the client then requests 'upgrading' to TLS, and is equivalent to the
+# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
+# set this option.
+#
+# For additional LDAP-related options, see the authdaemonrc config file.
+
+LDAP_TLS 0
+
+##NAME: LDAP_EMAILMAP:0
+#
+# The following optional settings, if enabled, result in an extra LDAP
+# lookup to first locate a handle for an E-mail address, then a second lookup
+# on that handle to get the actual authentication record. You'll need
+# to uncomment these settings to enable an email handle lookup.
+#
+# The E-mail address must be of the form user@realm, and this is plugged
+# into the following search string. "@user@" and "@realm@" are placeholders
+# for the user and the realm portions of the login ID.
+#
+# LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@))
+
+##NAME: LDAP_EMAILMAP_BASEDN:0
+#
+# Specify the basedn for the email lookup. The default is LDAP_BASEDN.
+#
+# LDAP_EMAILMAP_BASEDN o=emailmap, c=com
+
+
+##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
+#
+# The attribute which holds the handle. The contents of this attribute
+# are then plugged into the regular authentication lookup, and you must set
+# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
+# records (which may be the same as LDAP_MAIL).
+# You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
+# by handles only.
+#
+# Here's an example:
+#
+# dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
+# userid: john # LDAP_EMAILMAP search
+# realm: example.com # LDAP_EMAILMAP search
+# handle: cc223344 # LDAP_EMAILMAP_ATTRIBUTE
+#
+#
+# dn: controlHandle=cc223344, o=example, c=com # LDAP_BASEDN
+# controlHandle: cc223344 # LDAP_EMAILMAP_MAIL set to "controlHandle"
+# uid: ...
+# gid: ...
+# [ etc... ]
+#
+# LDAP_EMAILMAP_ATTRIBUTE handle
+
+##NAME: LDAP_EMAILMAP_MAIL:0
+#
+# After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
+# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
+#
+# LDAP_EMAILMAP_MAIL mail
diff --git a/courier/authlib/authldaprc.dist b/courier/authlib/authldaprc.dist
new file mode 100644
index 00000000..79bfa94b
--- /dev/null
+++ b/courier/authlib/authldaprc.dist
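Review bot: authldaprc is committed with the template bind credential still in place, `LDAP_BINDDN cn=administrator, o=example, c=com` followed by `LDAP_BINDPW toto`, and the blob id 79bfa94b is the same as authldaprc.dist's, so this is the untouched default rather than a local configuration. It is inert today because authdaemonrc's module list names only authmysql, but anyone who later adds authldap to that list will inherit an administrator bind DN with a placeholder password and `LDAP_CLEARPW clearPassword`, which the file's own comments say makes clear-text password storage part of the setup. If LDAP is not planned, consider leaving only the .dist copy under version control; if it is, replace the bind identity with a read-only service account and set the bind password outside the etckeeper repository before enabling the module.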
@@ -0,0 +1,273 @@
+##VERSION: $Id: authldaprc,v 1.25 2005/10/05 00:07:32 mrsam Exp $
+#
+# Copyright 2000-2004 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# Do not alter lines that begin with ##, they are used when upgrading
+# this configuration.
+#
+# authldaprc created from authldaprc.dist by sysconftool
+#
+# DO NOT INSTALL THIS FILE with world read permissions. This file
+# might contain the LDAP admin password!
+#
+# This configuration file specifies LDAP authentication parameters
+#
+# The format of this file must be as follows:
+#
+# field[spaces|tabs]value
+#
+# That is, the name of the field, followed by spaces or tabs, followed by
+# field value. No trailing spaces.
+#
+# Here are the fields:
+
+##NAME: LOCATION:1
+#
+# Location of your LDAP server(s). If you have multiple LDAP servers,
+# you can list them separated by commas and spaces, and they will be tried in
+# turn.
+
+LDAP_URI ldaps://ldap.example.com, ldaps://backup.example.com
+
+##NAME: LDAP_PROTOCOL_VERSION:0
+#
+# Which version of LDAP protocol to use
+
+LDAP_PROTOCOL_VERSION 3
+
+##NAME: LDAP_BASEDN:0
+#
+# Look for authentication here:
+
+LDAP_BASEDN o=example, c=com
+
+##NAME: LDAP_BINDDN:0
+#
+# You may or may not need to specify the following. Because you've got
+# a password here, authldaprc should not be world-readable!!!
+
+LDAP_BINDDN cn=administrator, o=example, c=com
+LDAP_BINDPW toto
+
+##NAME: LDAP_TIMEOUT:0
+#
+# Timeout for LDAP search and connection
+
+LDAP_TIMEOUT 5
+
+##NAME: LDAP_AUTHBIND:0
+#
+# Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND
+# the password is validated by rebinding with the supplied userid and password.
+# If rebind succeeds, this is considered to be an authenticated request. This
+# does not support CRAM-MD5 authentication, which requires clearPassword.
+# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
+# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
+#
+# LDAP_AUTHBIND 1
+
+##NAME: LDAP_MAIL:0
+#
+# Here's the field on which we query
+
+LDAP_MAIL mail
+
+##NAME: LDAP_FILTER:0
+#
+# This LDAP filter will be ANDed with the query for the field defined above
+# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
+# defined to be "(objectClass=CourierMailAccount)" the query that is performed
+# will be "(&(objectClass=CourierMailAccount)(mail=))"
+#
+# LDAP_FILTER (objectClass=CourierMailAccount)
+
+##NAME: LDAP_DOMAIN:0
+#
+# The following default domain will be appended, if not explicitly specified.
+#
+# LDAP_DOMAIN example.com
+
+##NAME: LDAP_GLOB_IDS:0
+#
+# The following two variables can be used to set everybody's uid and gid.
+# This is convenient if your LDAP specifies a bunch of virtual mail accounts
+# The values can be usernames or userids:
+#
+# LDAP_GLOB_UID vmail
+# LDAP_GLOB_GID vmail
+
+##NAME: LDAP_HOMEDIR:0
+#
+# We will retrieve the following attributes
+#
+# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
+
+LDAP_HOMEDIR homeDirectory
+
+##NAME: LDAP_MAILROOT:0
+#
+# If homeDirectory is not an absolute path, define the root of the
+# relative paths in LDAP_MAILROOT
+#
+# LDAP_MAILROOT /var/mail
+
+
+##NAME: LDAP_MAILDIR:0
+#
+# The MAILDIR attribute is OPTIONAL, and specifies the location of the
+# mail directory. If not specified, ./Maildir will be used
+
+LDAP_MAILDIR mailbox
+
+##NAME: LDAP_DEFAULTDELIVERY:0
+#
+# Courier mail server only: optional attribute specifies custom mail delivery
+# instructions for this account (if defined) -- essentially overrides
+# DEFAULTDELIVERY from ${sysconfdir}/courierd
+
+LDAP_DEFAULTDELIVERY defaultDelivery
+
+##NAME: LDAP_MAILDIRQUOTA:0
+#
+# The following variable, if defined, specifies the field containing the
+# maildir quota, see README.maildirquota for more information
+#
+# LDAP_MAILDIRQUOTA quota
+
+
+##NAME: LDAP_FULLNAME:0
+#
+# FULLNAME is optional, specifies the user's full name
+
+LDAP_FULLNAME cn
+
+##NAME: LDAP_PW:0
+#
+# CLEARPW is the clear text password. CRYPT is the crypted password.
+# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
+# libhmac.a is available, CRAM authentication will be possible!
+
+LDAP_CLEARPW clearPassword
+LDAP_CRYPTPW userPassword
+
+##NAME: LDAP_IDS:0
+#
+# Uncomment the following, and modify as appropriate, if your LDAP database
+# stores individual userids and groupids. Otherwise, you must uncomment
+# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
+# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
+# be defined as attributes for everyone.
+#
+# LDAP_UID uidNumber
+# LDAP_GID gidNumber
+
+
+##NAME: LDAP_AUXOPTIONS:0
+#
+# Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
+# comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
+# attributes that define various per-account "options", as given in
+# INSTALL's description of the OPTIONS setting.
+#
+# Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
+# the attribute value gets placed in the OPTIONS variable, with the name
+# NAME. For example:
+#
+# LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap
+#
+# Then, if an LDAP record contains the following attributes:
+#
+# shared: domain1
+# disableimap: 0
+#
+# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
+#
+# NOTE: ** no spaces in this setting **, the above example has exactly
+# one tab character after LDAP_AUXOPTIONS
+
+
+##NAME: LDAP_ENUMERATE_FILTER:0
+#
+# {EXPERIMENTAL}
+# Optional custom filter used when enumerating accounts for authenumerate,
+# in order to compile a list of accounts for shared folders. If present,
+# this filter will be used instead of LDAP_FILTER.
+#
+# LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
+
+
+##NAME: LDAP_DEREF:0
+#
+# Determines how aliases are handled during a search. This option is available
+# only with OpenLDAP 2.0
+#
+# LDAP_DEREF can be one of the following values:
+# never, searching, finding, always. If not specified, aliases are
+# never dereferenced.
+
+LDAP_DEREF never
+
+##NAME: LDAP_TLS:0
+#
+# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
+# when the server accepts a normal LDAP connection on port 389 which
+# the client then requests 'upgrading' to TLS, and is equivalent to the
+# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
+# set this option.
+#
+# For additional LDAP-related options, see the authdaemonrc config file.
+
+LDAP_TLS 0
+
+##NAME: LDAP_EMAILMAP:0
+#
+# The following optional settings, if enabled, result in an extra LDAP
+# lookup to first locate a handle for an E-mail address, then a second lookup
+# on that handle to get the actual authentication record. You'll need
+# to uncomment these settings to enable an email handle lookup.
+#
+# The E-mail address must be of the form user@realm, and this is plugged
+# into the following search string. "@user@" and "@realm@" are placeholders
+# for the user and the realm portions of the login ID.
+#
+# LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@))
+
+##NAME: LDAP_EMAILMAP_BASEDN:0
+#
+# Specify the basedn for the email lookup. The default is LDAP_BASEDN.
+#
+# LDAP_EMAILMAP_BASEDN o=emailmap, c=com
+
+
+##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
+#
+# The attribute which holds the handle. The contents of this attribute
+# are then plugged into the regular authentication lookup, and you must set
+# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
+# records (which may be the same as LDAP_MAIL).
+# You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
+# by handles only.
+#
+# Here's an example:
+#
+# dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
+# userid: john # LDAP_EMAILMAP search
+# realm: example.com # LDAP_EMAILMAP search
+# handle: cc223344 # LDAP_EMAILMAP_ATTRIBUTE
+#
+#
+# dn: controlHandle=cc223344, o=example, c=com # LDAP_BASEDN
+# controlHandle: cc223344 # LDAP_EMAILMAP_MAIL set to "controlHandle"
+# uid: ...
+# gid: ...
+# [ etc... ]
+#
+# LDAP_EMAILMAP_ATTRIBUTE handle
+
+##NAME: LDAP_EMAILMAP_MAIL:0
+#
+# After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
+# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
+#
+# LDAP_EMAILMAP_MAIL mail
diff --git a/courier/authlib/authmysqlrc b/courier/authlib/authmysqlrc
new file mode 100644
index 00000000..dd645e11
--- /dev/null
+++ b/courier/authlib/authmysqlrc
@@ -0,0 +1,288 @@
+##VERSION: $Id: authmysqlrc,v 1.20 2007/10/07 02:50:45 mrsam Exp $
+#
+# Copyright 2000-2007 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# Do not alter lines that begin with ##, they are used when upgrading
+# this configuration.
+#
+# authmysqlrc created from authmysqlrc.dist by sysconftool
+#
+# DO NOT INSTALL THIS FILE with world read permissions. This file
+# might contain the MySQL admin password!
+#
+# Each line in this file must follow the following format:
+#
+# field[spaces|tabs]value
+#
+# That is, the name of the field, followed by spaces or tabs, followed by
+# field value. Trailing spaces are prohibited.
+
+
+##NAME: LOCATION:0
+#
+# The server name, userid, and password used to log in.
+
+MYSQL_SERVER mysql.example.com
+MYSQL_USERNAME admin
+MYSQL_PASSWORD admin
+
+##NAME: SSLINFO:0
+#
+# The SSL information.
+#
+# To use SSL-encrypted connections, define the following variables (available
+# in MySQL 4.0, or higher):
+#
+#
+# MYSQL_SSL_KEY /path/to/file
+# MYSQL_SSL_CERT /path/to/file
+# MYSQL_SSL_CACERT /path/to/file
+# MYSQL_SSL_CAPATH /path/to/file
+# MYSQL_SSL_CIPHERS ALL:!DES
+
+##NAME: MYSQL_SOCKET:0
+#
+# MYSQL_SOCKET can be used with MySQL version 3.22 or later, it specifies the
+# filesystem pipe used for the connection
+#
+# MYSQL_SOCKET /var/mysql/mysql.sock
+
+##NAME: MYSQL_PORT:0
+#
+# MYSQL_PORT can be used with MySQL version 3.22 or later to specify a port to
+# connect to.
+
+MYSQL_PORT 0
+
+##NAME: MYSQL_OPT:0
+#
+# Leave MYSQL_OPT as 0, unless you know what you're doing.
+
+MYSQL_OPT 0
+
+##NAME: MYSQL_DATABASE:0
+#
+# The name of the MySQL database we will open:
+
+MYSQL_DATABASE mysql
+
+#NAME: MYSQL_CHARACTER_SET:0
+#
+# This is optional. MYSQL_CHARACTER_SET installs a character set. This option
+# can be used with MySQL version 4.1 or later. MySQL supports 70+ collations
+# for 30+ character sets. See MySQL documentations for more detalis.
+#
+# MYSQL_CHARACTER_SET latin1
+
+##NAME: MYSQL_USER_TABLE:0
+#
+# The name of the table containing your user data. See README.authmysqlrc
+# for the required fields in this table.
+
+MYSQL_USER_TABLE passwd
+
+##NAME: MYSQL_CRYPT_PWFIELD:0
+#
+# Either MYSQL_CRYPT_PWFIELD or MYSQL_CLEAR_PWFIELD must be defined. Both
+# are OK too. crypted passwords go into MYSQL_CRYPT_PWFIELD, cleartext
+# passwords go into MYSQL_CLEAR_PWFIELD. Cleartext passwords allow
+# CRAM-MD5 authentication to be implemented.
+
+MYSQL_CRYPT_PWFIELD crypt
+
+##NAME: MYSQL_CLEAR_PWFIELD:0
+#
+#
+# MYSQL_CLEAR_PWFIELD clear
+
+##NAME: MYSQL_DEFAULT_DOMAIN:0
+#
+# If DEFAULT_DOMAIN is defined, and someone tries to log in as 'user',
+# we will look up 'user@DEFAULT_DOMAIN' instead.
+#
+#
+# DEFAULT_DOMAIN example.com
+
+##NAME: MYSQL_UID_FIELD:0
+#
+# Other fields in the mysql table:
+#
+# MYSQL_UID_FIELD - contains the numerical userid of the account
+#
+MYSQL_UID_FIELD uid
+
+##NAME: MYSQL_GID_FIELD:0
+#
+# Numerical groupid of the account
+
+MYSQL_GID_FIELD gid
+
+##NAME: MYSQL_LOGIN_FIELD:0
+#
+# The login id, default is id. Basically the query is:
+#
+# SELECT MYSQL_UID_FIELD, MYSQL_GID_FIELD, ... WHERE id='loginid'
+#
+
+MYSQL_LOGIN_FIELD id
+
+##NAME: MYSQL_HOME_FIELD:0
+#
+
+MYSQL_HOME_FIELD home
+
+##NAME: MYSQL_NAME_FIELD:0
+#
+# The user's name (optional)
+
+MYSQL_NAME_FIELD name
+
+##NAME: MYSQL_MAILDIR_FIELD:0
+#
+# This is an optional field, and can be used to specify an arbitrary
+# location of the maildir for the account, which normally defaults to
+# $HOME/Maildir (where $HOME is read from MYSQL_HOME_FIELD).
+#
+# You still need to provide a MYSQL_HOME_FIELD, even if you uncomment this
+# out.
+#
+# MYSQL_MAILDIR_FIELD maildir
+
+##NAME: MYSQL_DEFAULTDELIVERY:0
+#
+# Courier mail server only: optional field specifies custom mail delivery
+# instructions for this account (if defined) -- essentially overrides
+# DEFAULTDELIVERY from ${sysconfdir}/courierd
+#
+# MYSQL_DEFAULTDELIVERY defaultdelivery
+
+##NAME: MYSQL_QUOTA_FIELD:0
+#
+# Define MYSQL_QUOTA_FIELD to be the name of the field that can optionally
+# specify a maildir quota. See README.maildirquota for more information
+#
+# MYSQL_QUOTA_FIELD quota
+
+##NAME: MYSQL_AUXOPTIONS:0
+#
+# Auxiliary options. The MYSQL_AUXOPTIONS field should be a char field that
+# contains a single string consisting of comma-separated "ATTRIBUTE=NAME"
+# pairs. These names are additional attributes that define various per-account
+# "options", as given in INSTALL's description of the "Account OPTIONS"
+# setting.
+#
+# MYSQL_AUXOPTIONS_FIELD auxoptions
+#
+# You might want to try something like this, if you'd like to use a bunch
+# of individual fields, instead of a single text blob:
+#
+# MYSQL_AUXOPTIONS_FIELD CONCAT("disableimap=",disableimap,",disablepop3=",disablepop3,",disablewebmail=",disablewebmail,",sharedgroup=",sharedgroup)
+#
+# This will let you define fields called "disableimap", etc, with the end result
+# being something that the OPTIONS parser understands.
+
+
+##NAME: MYSQL_WHERE_CLAUSE:0
+#
+# This is optional, MYSQL_WHERE_CLAUSE can be basically set to an arbitrary
+# fixed string that is appended to the WHERE clause of our query
+#
+# MYSQL_WHERE_CLAUSE server='mailhost.example.com'
+
+##NAME: MYSQL_SELECT_CLAUSE:0
+#
+# (EXPERIMENTAL)
+# This is optional, MYSQL_SELECT_CLAUSE can be set when you have a database,
+# which is structuraly different from proposed. The fixed string will
+# be used to do a SELECT operation on database, which should return fields
+# in order specified bellow:
+#
+# username, cryptpw, clearpw, uid, gid, home, maildir, quota, fullname, options
+#
+# The username field should include the domain (see example below).
+#
+# Enabling this option causes ignorance of any other field-related
+# options, excluding default domain.
+#
+# There are two variables, which you can use. Substitution will be made
+# for them, so you can put entered username (local part) and domain name
+# in the right place of your query. These variables are:
+# $(local_part), $(domain), $(service)
+#
+# If a $(domain) is empty (not given by the remote user) the default domain
+# name is used in its place.
+#
+# $(service) will expand out to the service being authenticated: imap, imaps,
+# pop3 or pop3s. Courier mail server only: service will also expand out to
+# "courier", when searching for local mail account's location. In this case,
+# if the "maildir" field is not empty it will be used in place of
+# DEFAULTDELIVERY. Courier mail server will also use esmtp when doing
+# authenticated ESMTP.
+#
+# This example is a little bit modified adaptation of vmail-sql
+# database scheme:
+#
+# MYSQL_SELECT_CLAUSE SELECT CONCAT(popbox.local_part, '@', popbox.domain_name), \
+# CONCAT('{MD5}', popbox.password_hash), \
+# popbox.clearpw, \
+# domain.uid, \
+# domain.gid, \
+# CONCAT(domain.path, '/', popbox.mbox_name), \
+# '', \
+# domain.quota, \
+# '', \
+# CONCAT("disableimap=",disableimap,",disablepop3=", \
+# disablepop3,",disablewebmail=",disablewebmail, \
+# ",sharedgroup=",sharedgroup) \
+# FROM popbox, domain \
+# WHERE popbox.local_part = '$(local_part)' \
+# AND popbox.domain_name = '$(domain)' \
+# AND popbox.domain_name = domain.domain_name
+
+
+##NAME: MYSQL_ENUMERATE_CLAUSE:1
+#
+# {EXPERIMENTAL}
+# Optional custom SQL query used to enumerate accounts for authenumerate,
+# in order to compile a list of accounts for shared folders. The query
+# should return the following fields: name, uid, gid, homedir, maildir, options
+#
+# Example:
+# MYSQL_ENUMERATE_CLAUSE SELECT CONCAT(popbox.local_part, '@', popbox.domain_name), \
+# domain.uid, \
+# domain.gid, \
+# CONCAT(domain.path, '/', popbox.mbox_name), \
+# '', \
+# CONCAT('sharedgroup=', sharedgroup) \
+# FROM popbox, domain \
+# WHERE popbox.local_part = '$(local_part)' \
+# AND popbox.domain_name = '$(domain)' \
+# AND popbox.domain_name = domain.domain_name
+
+
+
+##NAME: MYSQL_CHPASS_CLAUSE:0
+#
+# (EXPERIMENTAL)
+# This is optional, MYSQL_CHPASS_CLAUSE can be set when you have a database,
+# which is structuraly different from proposed. The fixed string will
+# be used to do an UPDATE operation on database. In other words, it is
+# used, when changing password.
+#
+# There are four variables, which you can use. Substitution will be made
+# for them, so you can put entered username (local part) and domain name
+# in the right place of your query. There variables are:
+# $(local_part) , $(domain) , $(newpass) , $(newpass_crypt)
+#
+# If a $(domain) is empty (not given by the remote user) the default domain
+# name is used in its place.
+# $(newpass) contains plain password
+# $(newpass_crypt) contains its crypted form
+#
+# MYSQL_CHPASS_CLAUSE UPDATE popbox \
+# SET clearpw='$(newpass)', \
+# password_hash='$(newpass_crypt)' \
+# WHERE local_part='$(local_part)' \
+# AND domain_name='$(domain)'
+#
diff --git a/courier/authlib/authmysqlrc.dist b/courier/authlib/authmysqlrc.dist
new file mode 100644
index 00000000..dd645e11
--- /dev/null
+++ b/courier/authlib/authmysqlrc.dist
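Review bot: The LOCATION block leaves the shipped placeholders `MYSQL_SERVER mysql.example.com`, `MYSQL_USERNAME admin` and `MYSQL_PASSWORD admin` in place, and since etckeeper now tracks this file, whatever real password replaces them later will be committed to git history together with the rest of /etc. If the MySQL module is actually in use, keep authmysqlrc out of the repository (a .gitignore entry in /etc does that) or store only a reference here, and rotate the database account if a real secret has ever been committed; if the module is not enabled, say so in the file so the defaults are not mistaken for live settings. Every MYSQL_SSL_* line in the SSLINFO block is also still commented, so against a non-local server the query results, including MYSQL_CLEAR_PWFIELD contents if that is enabled, would cross the network unencrypted. The authmysqlrc.dist hunk that follows is the unmodified vendor copy and needs no separate change.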
@@ -0,0 +1,288 @@
+##VERSION: $Id: authmysqlrc,v 1.20 2007/10/07 02:50:45 mrsam Exp $
+#
+# Copyright 2000-2007 Double Precision, Inc. See COPYING for
+# distribution information.
+#
+# Do not alter lines that begin with ##, they are used when upgrading
+# this configuration.
+#
+# authmysqlrc created from authmysqlrc.dist by sysconftool
+#
+# DO NOT INSTALL THIS FILE with world read permissions. This file
+# might contain the MySQL admin password!
+#
+# Each line in this file must follow the following format:
+#
+# field[spaces|tabs]value
+#
+# That is, the name of the field, followed by spaces or tabs, followed by
+# field value. Trailing spaces are prohibited.
+
+
+##NAME: LOCATION:0
+#
+# The server name, userid, and password used to log in.
+
+MYSQL_SERVER mysql.example.com
+MYSQL_USERNAME admin
+MYSQL_PASSWORD admin
+
+##NAME: SSLINFO:0
+#
+# The SSL information.
+#
+# To use SSL-encrypted connections, define the following variables (available
+# in MySQL 4.0, or higher):
+#
+#
+# MYSQL_SSL_KEY /path/to/file
+# MYSQL_SSL_CERT /path/to/file
+# MYSQL_SSL_CACERT /path/to/file
+# MYSQL_SSL_CAPATH /path/to/file
+# MYSQL_SSL_CIPHERS ALL:!DES
+
+##NAME: MYSQL_SOCKET:0
+#
+# MYSQL_SOCKET can be used with MySQL version 3.22 or later, it specifies the
+# filesystem pipe used for the connection
+#
+# MYSQL_SOCKET /var/mysql/mysql.sock
+
+##NAME: MYSQL_PORT:0
+#
+# MYSQL_PORT can be used with MySQL version 3.22 or later to specify a port to
+# connect to.
+
+MYSQL_PORT 0
+
+##NAME: MYSQL_OPT:0
+#
+# Leave MYSQL_OPT as 0, unless you know what you're doing.
+
+MYSQL_OPT 0
+
+##NAME: MYSQL_DATABASE:0
+#
+# The name of the MySQL database we will open:
+
+MYSQL_DATABASE mysql
+
+#NAME: MYSQL_CHARACTER_SET:0
+#
+# This is optional. MYSQL_CHARACTER_SET installs a character set. This option
+# can be used with MySQL version 4.1 or later. MySQL supports 70+ collations
+# for 30+ character sets. See MySQL documentations for more detalis.
+#
+# MYSQL_CHARACTER_SET latin1
+
+##NAME: MYSQL_USER_TABLE:0
+#
+# The name of the table containing your user data. See README.authmysqlrc
+# for the required fields in this table.
+
+MYSQL_USER_TABLE passwd
+
+##NAME: MYSQL_CRYPT_PWFIELD:0
+#
+# Either MYSQL_CRYPT_PWFIELD or MYSQL_CLEAR_PWFIELD must be defined. Both
+# are OK too. crypted passwords go into MYSQL_CRYPT_PWFIELD, cleartext
+# passwords go into MYSQL_CLEAR_PWFIELD. Cleartext passwords allow
+# CRAM-MD5 authentication to be implemented.
+
+MYSQL_CRYPT_PWFIELD crypt
+
+##NAME: MYSQL_CLEAR_PWFIELD:0
+#
+#
+# MYSQL_CLEAR_PWFIELD clear
+
+##NAME: MYSQL_DEFAULT_DOMAIN:0
+#
+# If DEFAULT_DOMAIN is defined, and someone tries to log in as 'user',
+# we will look up 'user@DEFAULT_DOMAIN' instead.
+#
+#
+# DEFAULT_DOMAIN example.com
+
+##NAME: MYSQL_UID_FIELD:0
+#
+# Other fields in the mysql table:
+#
+# MYSQL_UID_FIELD - contains the numerical userid of the account
+#
+MYSQL_UID_FIELD uid
+
+##NAME: MYSQL_GID_FIELD:0
+#
+# Numerical groupid of the account
+
+MYSQL_GID_FIELD gid
+
+##NAME: MYSQL_LOGIN_FIELD:0
+#
+# The login id, default is id. Basically the query is:
+#
+# SELECT MYSQL_UID_FIELD, MYSQL_GID_FIELD, ... WHERE id='loginid'
+#
+
+MYSQL_LOGIN_FIELD id
+
+##NAME: MYSQL_HOME_FIELD:0
+#
+
+MYSQL_HOME_FIELD home
+
+##NAME: MYSQL_NAME_FIELD:0
+#
+# The user's name (optional)
+
+MYSQL_NAME_FIELD name
+
+##NAME: MYSQL_MAILDIR_FIELD:0
+#
+# This is an optional field, and can be used to specify an arbitrary
+# location of the maildir for the account, which normally defaults to
+# $HOME/Maildir (where $HOME is read from MYSQL_HOME_FIELD).
+#
+# You still need to provide a MYSQL_HOME_FIELD, even if you uncomment this
+# out.
+#
+# MYSQL_MAILDIR_FIELD maildir
+
+##NAME: MYSQL_DEFAULTDELIVERY:0
+#
+# Courier mail server only: optional field specifies custom mail delivery
+# instructions for this account (if defined) -- essentially overrides
+# DEFAULTDELIVERY from ${sysconfdir}/courierd
+#
+# MYSQL_DEFAULTDELIVERY defaultdelivery
+
+##NAME: MYSQL_QUOTA_FIELD:0
+#
+# Define MYSQL_QUOTA_FIELD to be the name of the field that can optionally
+# specify a maildir quota. See README.maildirquota for more information
+#
+# MYSQL_QUOTA_FIELD quota
+
+##NAME: MYSQL_AUXOPTIONS:0
+#
+# Auxiliary options. The MYSQL_AUXOPTIONS field should be a char field that
+# contains a single string consisting of comma-separated "ATTRIBUTE=NAME"
+# pairs. These names are additional attributes that define various per-account
+# "options", as given in INSTALL's description of the "Account OPTIONS"
+# setting.
+#
+# MYSQL_AUXOPTIONS_FIELD auxoptions
+#
+# You might want to try something like this, if you'd like to use a bunch
+# of individual fields, instead of a single text blob:
+#
+# MYSQL_AUXOPTIONS_FIELD CONCAT("disableimap=",disableimap,",disablepop3=",disablepop3,",disablewebmail=",disablewebmail,",sharedgroup=",sharedgroup)
+#
+# This will let you define fields called "disableimap", etc, with the end result
+# being something that the OPTIONS parser understands.
+
+
+##NAME: MYSQL_WHERE_CLAUSE:0
+#
+# This is optional, MYSQL_WHERE_CLAUSE can be basically set to an arbitrary
+# fixed string that is appended to the WHERE clause of our query
+#
+# MYSQL_WHERE_CLAUSE server='mailhost.example.com'
+
+##NAME: MYSQL_SELECT_CLAUSE:0
+#
+# (EXPERIMENTAL)
+# This is optional, MYSQL_SELECT_CLAUSE can be set when you have a database,
+# which is structuraly different from proposed. The fixed string will
+# be used to do a SELECT operation on database, which should return fields
+# in order specified bellow:
+#
+# username, cryptpw, clearpw, uid, gid, home, maildir, quota, fullname, options
+#
+# The username field should include the domain (see example below).
+#
+# Enabling this option causes ignorance of any other field-related
+# options, excluding default domain.
+#
+# There are two variables, which you can use. Substitution will be made
+# for them, so you can put entered username (local part) and domain name
+# in the right place of your query. These variables are:
+# $(local_part), $(domain), $(service)
+#
+# If a $(domain) is empty (not given by the remote user) the default domain
+# name is used in its place.
+#
+# $(service) will expand out to the service being authenticated: imap, imaps,
+# pop3 or pop3s. Courier mail server only: service will also expand out to
+# "courier", when searching for local mail account's location. In this case,
+# if the "maildir" field is not empty it will be used in place of
+# DEFAULTDELIVERY. Courier mail server will also use esmtp when doing
+# authenticated ESMTP.
+#
+# This example is a little bit modified adaptation of vmail-sql
+# database scheme:
+#
+# MYSQL_SELECT_CLAUSE SELECT CONCAT(popbox.local_part, '@', popbox.domain_name), \
+# CONCAT('{MD5}', popbox.password_hash), \
+# popbox.clearpw, \
+# domain.uid, \
+# domain.gid, \
+# CONCAT(domain.path, '/', popbox.mbox_name), \
+# '', \
+# domain.quota, \
+# '', \
+# CONCAT("disableimap=",disableimap,",disablepop3=", \
+# disablepop3,",disablewebmail=",disablewebmail, \
+# ",sharedgroup=",sharedgroup) \
+# FROM popbox, domain \
+# WHERE popbox.local_part = '$(local_part)' \
+# AND popbox.domain_name = '$(domain)' \
+# AND popbox.domain_name = domain.domain_name
+
+
+##NAME: MYSQL_ENUMERATE_CLAUSE:1
+#
+# {EXPERIMENTAL}
+# Optional custom SQL query used to enumerate accounts for authenumerate,
+# in order to compile a list of accounts for shared folders. The query
+# should return the following fields: name, uid, gid, homedir, maildir, options
+#
+# Example:
+# MYSQL_ENUMERATE_CLAUSE SELECT CONCAT(popbox.local_part, '@', popbox.domain_name), \
+# domain.uid, \
+# domain.gid, \
+# CONCAT(domain.path, '/', popbox.mbox_name), \
+# '', \
+# CONCAT('sharedgroup=', sharedgroup) \
+# FROM popbox, domain \
+# WHERE popbox.local_part = '$(local_part)' \
+# AND popbox.domain_name = '$(domain)' \
+# AND popbox.domain_name = domain.domain_name
+
+
+
+##NAME: MYSQL_CHPASS_CLAUSE:0
+#
+# (EXPERIMENTAL)
+# This is optional, MYSQL_CHPASS_CLAUSE can be set when you have a database,
+# which is structuraly different from proposed. The fixed string will
+# be used to do an UPDATE operation on database. In other words, it is
+# used, when changing password.
+#
+# There are four variables, which you can use. Substitution will be made
+# for them, so you can put entered username (local part) and domain name
+# in the right place of your query. There variables are:
+# $(local_part) , $(domain) , $(newpass) , $(newpass_crypt)
+#
+# If a $(domain) is empty (not given by the remote user) the default domain
+# name is used in its place.
+# $(newpass) contains plain password
+# $(newpass_crypt) contains its crypted form
+#
+# MYSQL_CHPASS_CLAUSE UPDATE popbox \
+# SET clearpw='$(newpass)', \
+# password_hash='$(newpass_crypt)' \
+# WHERE local_part='$(local_part)' \
+# AND domain_name='$(domain)'
+#
diff --git a/init.d/courier-authlib b/init.d/courier-authlib
new file mode 100755
index 00000000..10bb8b62
--- /dev/null
+++ b/init.d/courier-authlib
@@ -0,0 +1,41 @@
+#!/sbin/runscript
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-libs/courier-authlib/files/courier-authlib-r1,v 1.1 2010/10/10 18:35:37 hanno Exp $
+
+depend() {
+ need net
+ provide authdaemond
+}
+
+checkconfig() {
+ if [ ! -e /etc/courier/authlib/authdaemonrc ] ; then
+ eerror "You need an /etc/courier/authlib/authdaemonrc file to run authdaemon"
+ return 1
+ fi
+}
+
+setauth() {
+ . /etc/courier/authlib/authdaemonrc
+ AUTHLIB="/usr/lib/courier/courier-authlib"
+ AUTHDAEMOND="authdaemond"
+ pidfile="/var/run/authdaemon.pid"
+ logger="/usr/sbin/courierlogger"
+ export DEBUG_LOGIN DEFAULTOPTIONS LOGGEROPTS
+}
+
+start() {
+ checkconfig || return 1
+ setauth
+ ebegin "Starting courier-authlib: ${AUTHDAEMOND}"
+ start-stop-daemon --quiet --start --pidfile "${pidfile}" --exec \
+ /usr/bin/env ${logger} -- ${LOGGEROPTS} -pid="${pidfile}" -start "${AUTHLIB}/${AUTHDAEMOND}"
+ eend $?
+}
+
+stop() {
+ setauth
+ ebegin "Stopping courier-authlib: ${AUTHDAEMOND}"
+ start-stop-daemon --quiet --stop --pidfile "${pidfile}"
+ eend $?
+}
diff --git a/openldap/schema/authldap.schema b/openldap/schema/authldap.schema
new file mode 100644
index 00000000..802b18c8
--- /dev/null
+++ b/openldap/schema/authldap.schema
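Review bot: setauth runs the configuration file as root shell code with `. /etc/courier/authlib/authdaemonrc`, on every start and again on every stop, so whoever can write that file can execute arbitrary commands as root through this init script; checkconfig only tests `-e`, not who may modify the file, and Courier packaging commonly installs authdaemonrc writable by the mail group, which, if that holds here, widens the set of principals that can reach root. Since the dot-source is how the rc format works, make the trust boundary explicit with a comment above that line, `# sourced as root: authdaemonrc is executed, not parsed -- keep it writable by trusted users only`, and reject at least the worst case in checkconfig with `if [ -n "$(find /etc/courier/authlib/authdaemonrc -perm /o+w)" ]; then eerror "authdaemonrc must not be world-writable"; return 1; fi`. stop() should also call checkconfig before setauth, so a missing or unsafe file fails the same way on both paths instead of relying on how the shell handles a failed dot-source.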
@@ -0,0 +1,103 @@
+#$Id: authldap.schema,v 1.9 2009/12/18 04:24:20 mrsam Exp $
+#
+# OID prefix: 1.3.6.1.4.1.10018
+#
+# Attributes: 1.3.6.1.4.1.10018.1.1
+#
+# Depends on: nis.schema, which depends on cosine.schema
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.1 NAME 'mailbox'
+ DESC 'The absolute path to the mailbox for a mail account in a non-default location'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.2 NAME 'quota'
+ DESC 'A string that represents the quota on a mailbox'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.3 NAME 'clearPassword'
+ DESC 'A separate text that stores the mail account password in clear text'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.4 NAME 'maildrop'
+ DESC 'RFC822 Mailbox - mail alias'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.5 NAME 'mailsource'
+ DESC 'Message source'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.6 NAME 'virtualdomain'
+ DESC 'A mail domain that is mapped to a single mail account'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.7 NAME 'virtualdomainuser'
+ DESC 'Mailbox that receives mail for a mail domain'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.8 NAME 'defaultdelivery'
+ DESC 'Default mail delivery instructions'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.9 NAME 'disableimap'
+ DESC 'Set this attribute to 1 to disable IMAP access'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.10 NAME 'disablepop3'
+ DESC 'Set this attribute to 1 to disable POP3 access'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.11 NAME 'disablewebmail'
+ DESC 'Set this attribute to 1 to disable IMAP access'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.12 NAME 'sharedgroup'
+ DESC 'Virtual shared group'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.10018.1.1.13 NAME 'disableshared'
+ DESC 'Set this attribute to 1 to disable shared mailbox usage'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+#attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
+# DESC 'Host to which incoming POP/IMAP connections should be proxied'
+# EQUALITY caseIgnoreIA5Match
+# SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+#
+# Objects: 1.3.6.1.4.1.10018.1.2
+#
+
+objectclass ( 1.3.6.1.4.1.10018.1.2.1 NAME 'CourierMailAccount'
+ DESC 'Mail account object as used by the Courier mail server'
+ SUP top AUXILIARY
+ MUST ( mail $ homeDirectory )
+ MAY ( uidNumber $ gidNumber $ mailbox $ uid $ cn $ gecos $ description $ loginShell $ quota $ userPassword $ clearPassword $ defaultdelivery $ disableimap $ disablepop3 $ disablewebmail $ sharedgroup $ disableshared $ mailhost ) )
+
+objectclass ( 1.3.6.1.4.1.10018.1.2.2 NAME 'CourierMailAlias'
+ DESC 'Mail aliasing/forwarding entry'
+ SUP top AUXILIARY
+ MUST ( mail $ maildrop )
+ MAY ( mailsource $ description ) )
+
+objectclass ( 1.3.6.1.4.1.10018.1.2.3 NAME 'CourierDomainAlias'
+ DESC 'Domain mail aliasing/forwarding entry'
+ SUP top AUXILIARY
+ MUST ( virtualdomain $ virtualdomainuser )
+ MAY ( mailsource $ description ) )
-- 2.39.5
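Review bot: clearPassword (1.3.6.1.4.1.10018.1.1.3) stores the account password in clear text, and distribution slapd.conf files that protect userPassword with an explicit access rule know nothing of this attribute, so once this schema is loaded any `access to attrs=userPassword` rule must be extended to `access to attrs=userPassword,clearPassword` and the attribute kept out of anonymous or general read, otherwise every reader the remaining ACLs admit can fetch mail passwords; a comment on the attributetype stating that requirement would help the next administrator. The DESC of disablewebmail (.11) reads 'Set this attribute to 1 to disable IMAP access', copied from disableimap, and should say 'disable webmail access'. CourierMailAccount also lists mailhost in its MAY while the mailhost attributetype at .14 is commented out, so slapd will only load this objectclass if mailhost is defined by another schema, which the 'Depends on' header does not mention.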