Issue #1340 - LDAP backend for accounts

This commit will:

1. Change the user account database from sqlite to OpenLDAP
2. Add policyd-spf to postfix for SPF validation
3. Add a test runner with some automated test suites

Notes:

User account password hashes are preserved.

There is a new Roundcube contact list called "Directory" that lists the users in LDAP (MiaB users), similar to what Google Suite does.

Users can still change their password in Roundcube.

OpenLDAP is configured with TLS, but all remote access is blocked by firewall rules. Manual changes are required to open it for remote access (eg. "ufw allow proto tcp from <HOST> to any port ldaps").

The test runner is started by executing tests/runner.sh. Be aware that it will make changes to your system, including adding new users, domains, mailboxes, start/stop services, etc. It is highly unadvised to run it on a production system!

The LDAP schema that supports mail delivery with postfix and dovecot is located in conf/postfix.schema. This file is copied verbatim from the LdapAdmin project (GPL, ldapadmin.org). Instead of including the file in git, it could be referenced by URL and downloaded by the setup script if GPL is an issue or apply for a PEN from IANA.

Mangement console and other services should not appear or behave any differently than before.

setup/webmail.sh

@@ -4,6 +4,7 @@
 
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
+source ${STORAGE_ROOT}/ldap/miab_ldap.conf
 
 # ### Installing Roundcube
 
@@ -131,6 +132,33 @@ cat > $RCM_CONFIG <<EOF;
 \$config['login_autocomplete'] = 2;
 \$config['password_charset'] = 'UTF-8';
 \$config['junk_mbox'] = 'Spam';
+\$config['ldap_public']['public'] = array(
+    'name'              => 'Directory',
+    'hosts'             => array('${LDAP_SERVER}'),
+    'port'              => ${LDAP_SERVER_PORT},
+    'user_specific'     => false,
+    'scope'             => 'sub',
+    'base_dn'           => '${LDAP_USERS_BASE}',
+    'bind_dn'           => '${LDAP_WEBMAIL_DN}',
+    'bind_pass'         => '${LDAP_WEBMAIL_PASSWORD}',
+    'writable'          => false,
+    'ldap_version'      => 3,
+    'search_fields'     => array( 'mail' ),
+    'name_field'        => 'mail',
+    'email_field'       => 'mail',
+    'sort'              => 'mail',
+    'filter'            => '(objectClass=mailUser)',
+    'fuzzy_search'      => false,
+    'global_search'     => true,
+    # 'groups'            => array(
+    #     'base_dn'         => '${LDAP_ALIASES_BASE}',
+    #     'filter'          => '(objectClass=mailGroup)',
+    # 	'member_attr'     => 'member',
+    # 	'scope'           => 'sub',
+    # 	'name_attr'       => 'mail',
+    # 	'member_filter'   => '(|(objectClass=mailGroup)(objectClass=mailUser))',
+    # )
+);
 ?>
 EOF
 
@@ -169,22 +197,21 @@ cp ${RCM_PLUGIN_DIR}/password/config.inc.php.dist \
 	${RCM_PLUGIN_DIR}/password/config.inc.php
 
 tools/editconf.py ${RCM_PLUGIN_DIR}/password/config.inc.php \
-	"\$config['password_minimum_length']=8;" \
-	"\$config['password_db_dsn']='sqlite:///$STORAGE_ROOT/mail/users.sqlite';" \
-	"\$config['password_query']='UPDATE users SET password=%D WHERE email=%u';" \
-	"\$config['password_dovecotpw']='/usr/bin/doveadm pw';" \
-	"\$config['password_dovecotpw_method']='SHA512-CRYPT';" \
-	"\$config['password_dovecotpw_with_method']=true;"
-
-# so PHP can use doveadm, for the password changing plugin
-usermod -a -G dovecot www-data
-
-# set permissions so that PHP can use users.sqlite
-# could use dovecot instead of www-data, but not sure it matters
-chown root.www-data $STORAGE_ROOT/mail
-chmod 775 $STORAGE_ROOT/mail
-chown root.www-data $STORAGE_ROOT/mail/users.sqlite
-chmod 664 $STORAGE_ROOT/mail/users.sqlite
+	"\$config['password_driver']='ldap';" \
+	"\$config['password_ldap_host']='${LDAP_SERVER}';" \
+	"\$config['password_ldap_port']=${LDAP_SERVER_PORT};" \
+	"\$config['password_ldap_starttls']=$([ ${LDAP_SERVER_STARTTLS} == yes ] && echo true || echo false);" \
+	"\$config['password_ldap_basedn']='${LDAP_BASE}';" \
+	"\$config['password_ldap_userDN_mask']=null;" \
+	"\$config['password_ldap_searchDN']='${LDAP_WEBMAIL_DN}';" \
+	"\$config['password_ldap_searchPW']='${LDAP_WEBMAIL_PASSWORD}';" \
+	"\$config['password_ldap_search_base']='${LDAP_USERS_BASE}';" \
+	"\$config['password_ldap_search_filter']='(&(objectClass=mailUser)(mail=%login))';" \
+	"\$config['password_ldap_encodage']='default';" \
+	"\$config['password_ldap_lchattr']='shadowLastChange';" \
+	"\$config['password_algorithm']='sha512-crypt';" \
+	"\$config['password_algorithm_prefix']='{CRYPT}';" \
+	"\$config['password_minimum_length']=8;"
 
 # Fix Carddav permissions:
 chown -f -R root.www-data ${RCM_PLUGIN_DIR}/carddav
@@ -197,5 +224,5 @@ chown www-data:www-data $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 chmod 664 $STORAGE_ROOT/mail/roundcube/roundcube.sqlite
 
 # Enable PHP modules.
-phpenmod -v php mcrypt imap
+phpenmod -v php mcrypt imap ldap
 restart_service php7.2-fpm