diff --git a/bin/quickstart.sh b/bin/quickstart.sh
index 499d1d11..5008cadb 100755
--- a/bin/quickstart.sh
+++ b/bin/quickstart.sh
@@ -1,131 +1,131 @@
#!/bin/bash
set -e
function die() {
echo "$1"
exit 1
}
rpm -qv docker-compose >/dev/null 2>&1 || \
test ! -z "$(which docker-compose 2>/dev/null)" || \
die "Is docker-compose installed?"
test ! -z "$(grep 'systemd.unified_cgroup_hierarchy=0' /proc/cmdline)" || \
die "systemd containers only work with cgroupv1 (use 'grubby --update-kernel=ALL --args=\"systemd.unified_cgroup_hierarchy=0\"' and a reboot to fix)"
base_dir=$(dirname $(dirname $0))
export DOCKER_BUILDKIT=0
docker-compose down -t 1 --remove-orphans
docker volume rm kolab_mariadb || :
docker volume rm kolab_imap || :
docker volume rm kolab_ldap || :
# We can't use the following artisan commands because it will just block if redis is unavailable:
# src/artisan octane:stop >/dev/null 2>&1 || :
# src/artisan horizon:terminate >/dev/null 2>&1 || :
# we therefore just kill all artisan processes running.
pkill -9 -f artisan || :
pkill -9 -f swoole || :
bin/regen-certs
-docker-compose build coturn kolab mariadb meet pdns proxy redis haproxy roundcube
-docker-compose up -d coturn kolab mariadb meet pdns redis roundcube
+docker-compose build coturn ldap kolab mariadb meet pdns proxy redis haproxy roundcube
+docker-compose up -d coturn ldap kolab mariadb meet pdns redis roundcube
# Workaround until we have docker-compose --wait (https://github.com/docker/compose/pull/8777)
function wait_for_container {
container_id="$1"
container_name="$(docker inspect "${container_id}" --format '{{ .Name }}')"
echo "Waiting for container: ${container_name} [${container_id}]"
waiting_done="false"
while [[ "${waiting_done}" != "true" ]]; do
container_state="$(docker inspect "${container_id}" --format '{{ .State.Status }}')"
if [[ "${container_state}" == "running" ]]; then
health_status="$(docker inspect "${container_id}" --format '{{ .State.Health.Status }}')"
echo "${container_name}: container_state=${container_state}, health_status=${health_status}"
if [[ ${health_status} == "healthy" ]]; then
waiting_done="true"
fi
else
echo "${container_name}: container_state=${container_state}"
waiting_done="true"
fi
sleep 1;
done;
}
if [ "$1" == "--nodev" ]; then
echo "starting everything in containers"
docker-compose -f docker-compose.build.yml build swoole
docker-compose build webapp
docker-compose up -d webapp proxy haproxy
wait_for_container 'kolab-webapp'
exit 0
fi
echo "Starting the development environment"
rpm -qv composer >/dev/null 2>&1 || \
test ! -z "$(which composer 2>/dev/null)" || \
die "Is composer installed?"
rpm -qv npm >/dev/null 2>&1 || \
test ! -z "$(which npm 2>/dev/null)" || \
die "Is npm installed?"
rpm -qv php >/dev/null 2>&1 || \
test ! -z "$(which php 2>/dev/null)" || \
die "Is php installed?"
rpm -qv php-ldap >/dev/null 2>&1 || \
test ! -z "$(php --ini | grep ldap)" || \
die "Is php-ldap installed?"
rpm -qv php-mysqlnd >/dev/null 2>&1 || \
test ! -z "$(php --ini | grep mysql)" || \
die "Is php-mysqlnd installed?"
test ! -z "$(php --modules | grep swoole)" || \
die "Is swoole installed?"
# Ensure the containers we depend on are fully started
wait_for_container 'kolab'
wait_for_container 'kolab-redis'
pushd ${base_dir}/src/
rm -rf vendor/ composer.lock
php -dmemory_limit=-1 $(which composer) install
npm install
find bootstrap/cache/ -type f ! -name ".gitignore" -delete
./artisan key:generate
./artisan clear-compiled
./artisan cache:clear
./artisan horizon:install
if rpm -qv chromium 2>/dev/null; then
chver=$(rpmquery --queryformat="%{VERSION}" chromium | awk -F'.' '{print $1}')
./artisan dusk:chrome-driver ${chver}
fi
if [ ! -f 'resources/countries.php' ]; then
./artisan data:countries
fi
npm run dev
popd
pushd ${base_dir}/src/
rm -rf database/database.sqlite
./artisan db:ping --wait
php -dmemory_limit=512M ./artisan migrate:refresh --seed
./artisan data:import || :
nohup ./artisan octane:start --host=$(grep OCTANE_HTTP_HOST .env | tail -n1 | sed "s/OCTANE_HTTP_HOST=//") > octane.out &
nohup ./artisan horizon > horizon.out &
popd
docker-compose up --no-deps -d proxy haproxy
diff --git a/config.demo/src/.env b/config.demo/src/.env
index 11181e48..9db561cb 100644
--- a/config.demo/src/.env
+++ b/config.demo/src/.env
@@ -1,196 +1,196 @@
APP_NAME=Kolab
APP_ENV=local
APP_KEY=
APP_DEBUG=true
APP_URL=https://{{ host }}
APP_PASSPHRASE=simple123
APP_PUBLIC_URL=https://{{ host }}
APP_DOMAIN={{ host }}
APP_WEBSITE_DOMAIN={{ host }}
APP_THEME=default
APP_TENANT_ID=5
APP_LOCALE=en
APP_LOCALES=
APP_WITH_ADMIN=1
APP_WITH_RESELLER=1
APP_WITH_SERVICES=1
APP_WITH_FILES=1
APP_LDAP=1
APP_IMAP=0
APP_HEADER_CSP="connect-src 'self'; child-src 'self'; font-src 'self'; form-action 'self' data:; frame-ancestors 'self'; img-src blob: data: 'self' *; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; default-src 'self';"
APP_HEADER_XFO=sameorigin
SIGNUP_LIMIT_EMAIL=0
SIGNUP_LIMIT_IP=0
ASSET_URL=https://{{ host }}
WEBMAIL_URL=/roundcubemail/
SUPPORT_URL=/support
SUPPORT_EMAIL=
LOG_CHANNEL=stdout
LOG_SLOW_REQUESTS=5
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_DATABASE=kolabdev
DB_HOST=mariadb
DB_PASSWORD=kolab
DB_ROOT_PASSWORD=Welcome2KolabSystems
DB_PORT=3306
DB_USERNAME=kolabdev
BROADCAST_DRIVER=redis
CACHE_DRIVER=redis
QUEUE_CONNECTION=redis
SESSION_DRIVER=file
SESSION_LIFETIME=120
OPENEXCHANGERATES_API_KEY="from openexchangerates.org"
MFA_DSN=mysql://roundcube:kolab@mariadb/roundcube
MFA_TOTP_DIGITS=6
MFA_TOTP_INTERVAL=30
MFA_TOTP_DIGEST=sha1
IMAP_URI=ssl://kolab:11993
IMAP_HOST=172.18.0.5
IMAP_ADMIN_LOGIN=cyrus-admin
IMAP_ADMIN_PASSWORD=Welcome2KolabSystems
IMAP_VERIFY_HOST=false
IMAP_VERIFY_PEER=false
LDAP_BASE_DN="dc=mgmt,dc=com"
LDAP_DOMAIN_BASE_DN="ou=Domains,dc=mgmt,dc=com"
-LDAP_HOSTS=kolab
+LDAP_HOSTS=ldap
LDAP_PORT=389
LDAP_SERVICE_BIND_DN="uid=kolab-service,ou=Special Users,dc=mgmt,dc=com"
LDAP_SERVICE_BIND_PW="Welcome2KolabSystems"
LDAP_USE_SSL=false
LDAP_USE_TLS=false
# Administrative
LDAP_ADMIN_BIND_DN="cn=Directory Manager"
LDAP_ADMIN_BIND_PW="Welcome2KolabSystems"
LDAP_ADMIN_ROOT_DN="dc=mgmt,dc=com"
# Hosted (public registration)
LDAP_HOSTED_BIND_DN="uid=hosted-kolab-service,ou=Special Users,dc=mgmt,dc=com"
LDAP_HOSTED_BIND_PW="Welcome2KolabSystems"
LDAP_HOSTED_ROOT_DN="dc=hosted,dc=com"
COTURN_PUBLIC_IP='{{ public_ip }}'
COTURN_STATIC_SECRET="Welcome2KolabSystems"
MEET_WEBHOOK_TOKEN=Welcome2KolabSystems
MEET_SERVER_TOKEN=Welcome2KolabSystems
MEET_SERVER_URLS=https://{{ host }}/meetmedia/api/
MEET_SERVER_VERIFY_TLS=false
MEET_WEBRTC_LISTEN_IP='172.18.0.1'
MEET_PUBLIC_DOMAIN={{ host }}
MEET_TURN_SERVER='turn:172.18.0.1:3478'
MEET_LISTENING_HOST=172.18.0.1
PGP_ENABLE=true
PGP_BINARY=/usr/bin/gpg
PGP_AGENT=/usr/bin/gpg-agent
PGP_GPGCONF=/usr/bin/gpgconf
PGP_LENGTH=
# Set these to IP addresses you serve WOAT with.
# Have the domain owner point _woat.<hosted-domain> NS RRs refer to ns0{1,2}.<provider-domain>
WOAT_NS1=ns01.domain.tld
WOAT_NS2=ns02.domain.tld
REDIS_HOST=redis
REDIS_PASSWORD=null
REDIS_PORT=6379
OCTANE_HTTP_HOST=0.0.0.0
SWOOLE_PACKAGE_MAX_LENGTH=10485760
PAYMENT_PROVIDER=
MOLLIE_KEY=
STRIPE_KEY=
STRIPE_PUBLIC_KEY=
STRIPE_WEBHOOK_SECRET=
MAIL_DRIVER=log
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="noreply@example.com"
MAIL_FROM_NAME="Example.com"
MAIL_REPLYTO_ADDRESS="replyto@example.com"
MAIL_REPLYTO_NAME=null
DNS_TTL=3600
DNS_SPF="v=spf1 mx -all"
DNS_STATIC="%s. MX 10 ext-mx01.mykolab.com."
DNS_COPY_FROM=null
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=us-east-1
AWS_BUCKET=
AWS_USE_PATH_STYLE_ENDPOINT=false
PUSHER_APP_ID=
PUSHER_APP_KEY=
PUSHER_APP_SECRET=
PUSHER_APP_CLUSTER=mt1
MIX_ASSET_PATH='/'
MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
PASSWORD_POLICY=
COMPANY_NAME=
COMPANY_ADDRESS=
COMPANY_DETAILS=
COMPANY_EMAIL=
COMPANY_LOGO=
COMPANY_FOOTER=
VAT_COUNTRIES=CH,LI
VAT_RATE=7.7
KB_ACCOUNT_DELETE=
KB_ACCOUNT_SUSPENDED=
KB_PAYMENT_SYSTEM=
KOLAB_SSL_CERTIFICATE=/etc/pki/tls/certs/kolab.hosted.com.cert
KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/pki/tls/certs/kolab.hosted.com.chain.pem
KOLAB_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/kolab.hosted.com.key
PROXY_SSL_CERTIFICATE=/etc/certs/imap.hosted.com.cert
PROXY_SSL_CERTIFICATE_KEY=/etc/certs/imap.hosted.com.key
APP_KEY=base64:FG6ECzyAMSmyX+eYwO/FW3bwnarbKkBhqtO65vlMb1E=
COTURN_STATIC_SECRET=uzYguvIl9tpZFMuQOE78DpOi6Jc7VFSD0UAnvgMsg5n4e74MgIf6vQvbc6LWzZjz
MOLLIE_KEY="from mollie"
STRIPE_KEY="from stripe"
STRIPE_PUBLIC_KEY="from stripe"
STRIPE_WEBHOOK_SECRET="from stripe"
OX_API_KEY="from openexchange"
FIREBASE_API_KEY="from firebase"
#Generated by php artisan passport:client --password, but can be left hardcoded (the seeder will pick it up)
PASSPORT_PROXY_OAUTH_CLIENT_ID=942edef5-3dbd-4a14-8e3e-d5d59b727bee
PASSPORT_PROXY_OAUTH_CLIENT_SECRET=L6L0n56ecvjjK0cJMjeeV1pPAeffUBO0YSSH63wf
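Review bot: Changing LDAP_HOSTS to `ldap` moves every bind, including the `cn=Directory Manager` bind configured a few lines below, off the kolab container onto the docker bridge, yet LDAP_PORT=389 with LDAP_USE_SSL=false and LDAP_USE_TLS=false keep that traffic in cleartext. Previously the directory was loopback inside the kolab container, so the lack of TLS cost nothing; now any process able to capture the bridge sees the directory credentials. If the new ldap image serves STARTTLS, set `LDAP_USE_TLS=true`; otherwise add a comment above the changed line, e.g. `# cleartext LDAP: the ldap container must only be reachable on the private kolab network`. The hardcoded APP_KEY and passport client secret further down are pre-existing but deserve a `# demo-only, regenerate before any real deployment` note.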
diff --git a/config.dev/docker-compose.override.yml b/config.dev/docker-compose.override.yml
index ec0cd57d..2298a45b 100644
--- a/config.dev/docker-compose.override.yml
+++ b/config.dev/docker-compose.override.yml
@@ -1,56 +1,58 @@
version: '3'
services:
kolab:
ports:
- - "389:389"
- "8880:8880"
- "8443:8443"
- "10143:10143"
- "10587:10587"
- "11143:11143"
- "11993:11993"
- "12143:12143"
mariadb:
ports:
- "3306:3306"
+ ldap:
+ ports:
+ - "389:389"
redis:
ports:
- "6379:6379"
haproxy:
depends_on:
proxy:
condition: service_healthy
proxy:
depends_on:
kolab:
condition: service_healthy
webapp:
condition: service_healthy
build:
context: ./docker/proxy/
args:
APP_WEBSITE_DOMAIN: ${APP_WEBSITE_DOMAIN:?err}
SSL_CERTIFICATE: ${PROXY_SSL_CERTIFICATE:?err}
SSL_CERTIFICATE_KEY: ${PROXY_SSL_CERTIFICATE_KEY:?err}
healthcheck:
interval: 10s
test: "kill -0 $$(cat /run/nginx.pid)"
timeout: 5s
retries: 30
container_name: kolab-proxy
restart: on-failure
hostname: proxy
image: kolab-proxy
extra_hosts:
- "meet:${MEET_LISTENING_HOST}"
- "webapp:127.0.0.1"
network_mode: host
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
tty: true
volumes:
- ./docker/certs/:/etc/certs/:ro
- /etc/letsencrypt/:/etc/letsencrypt/:ro
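Review bot: The new `ldap` port mapping `"389:389"` publishes the cleartext directory port on every host interface, so on a shared dev machine the well-known demo Directory Manager credentials (the .env files in this commit set LDAP_USE_TLS=false) become reachable from the LAN. Unless an external LDAP client is needed, bind it to loopback: `- "127.0.0.1:389:389"`. Moving the mapping from `kolab` to `ldap` is otherwise consistent with dirsrv no longer running in the kolab container.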
diff --git a/config.prod/src/.env b/config.prod/src/.env
index f52e0bda..d9bb71f2 100644
--- a/config.prod/src/.env
+++ b/config.prod/src/.env
@@ -1,155 +1,155 @@
APP_NAME=Kolab
APP_ENV=local
APP_KEY=
APP_DEBUG=true
APP_URL=https://{{ host }}
APP_PUBLIC_URL=https://{{ host }}
APP_DOMAIN={{ host }}
APP_WEBSITE_DOMAIN={{ host }}
APP_THEME=default
APP_TENANT_ID=5
APP_LOCALE=en
APP_LOCALES=
APP_WITH_ADMIN=1
APP_WITH_RESELLER=1
APP_WITH_SERVICES=1
APP_WITH_FILES=1
APP_LDAP=1
APP_IMAP=1
APP_HEADER_CSP="connect-src 'self'; child-src 'self'; font-src 'self'; form-action 'self' data:; frame-ancestors 'self'; img-src blob: data: 'self' *; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; default-src 'self';"
APP_HEADER_XFO=sameorigin
SIGNUP_LIMIT_EMAIL=0
SIGNUP_LIMIT_IP=0
ASSET_URL=https://{{ host }}
WEBMAIL_URL=/roundcubemail/
SUPPORT_URL=/support
SUPPORT_EMAIL=
LOG_CHANNEL=stdout
LOG_SLOW_REQUESTS=5
LOG_DEPRECATIONS_CHANNEL=null
LOG_LEVEL=debug
DB_CONNECTION=mysql
DB_DATABASE=kolabdev
DB_HOST=mariadb
DB_PASSWORD={{ admin_password }}
DB_ROOT_PASSWORD={{ admin_password }}
DB_PORT=3306
DB_USERNAME=kolabdev
BROADCAST_DRIVER=redis
CACHE_DRIVER=redis
QUEUE_CONNECTION=redis
SESSION_DRIVER=file
SESSION_LIFETIME=120
OPENEXCHANGERATES_API_KEY="from openexchangerates.org"
MFA_DSN=mysql://roundcube:{{ admin_password }}@mariadb/roundcube
MFA_TOTP_DIGITS=6
MFA_TOTP_INTERVAL=30
MFA_TOTP_DIGEST=sha1
IMAP_URI=ssl://kolab:11993
IMAP_HOST=172.18.0.5
IMAP_ADMIN_LOGIN=cyrus-admin
IMAP_ADMIN_PASSWORD={{ admin_password }}
IMAP_VERIFY_HOST=false
IMAP_VERIFY_PEER=false
LDAP_BASE_DN="dc=mgmt,dc=com"
LDAP_DOMAIN_BASE_DN="ou=Domains,dc=mgmt,dc=com"
-LDAP_HOSTS=kolab
+LDAP_HOSTS=ldap
LDAP_PORT=389
LDAP_SERVICE_BIND_DN="uid=kolab-service,ou=Special Users,dc=mgmt,dc=com"
LDAP_SERVICE_BIND_PW="{{ admin_password }}"
LDAP_USE_SSL=false
LDAP_USE_TLS=false
# Administrative
LDAP_ADMIN_BIND_DN="cn=Directory Manager"
LDAP_ADMIN_BIND_PW="{{ admin_password }}"
LDAP_ADMIN_ROOT_DN="dc=mgmt,dc=com"
# Hosted (public registration)
LDAP_HOSTED_BIND_DN="uid=hosted-kolab-service,ou=Special Users,dc=mgmt,dc=com"
LDAP_HOSTED_BIND_PW="{{ admin_password }}"
LDAP_HOSTED_ROOT_DN="dc=hosted,dc=com"
COTURN_PUBLIC_IP='{{ public_ip }}'
MEET_SERVER_URLS=https://{{ host }}/meetmedia/api/
MEET_SERVER_VERIFY_TLS=false
MEET_WEBRTC_LISTEN_IP='172.18.0.1'
MEET_PUBLIC_DOMAIN={{ host }}
MEET_TURN_SERVER='turn:172.18.0.1:3478'
MEET_LISTENING_HOST=172.18.0.1
PGP_ENABLE=true
PGP_BINARY=/usr/bin/gpg
PGP_AGENT=/usr/bin/gpg-agent
PGP_GPGCONF=/usr/bin/gpgconf
PGP_LENGTH=
REDIS_HOST=redis
REDIS_PASSWORD=null
REDIS_PORT=6379
OCTANE_HTTP_HOST={{ host }}
SWOOLE_PACKAGE_MAX_LENGTH=10485760
MAIL_DRIVER=log
MAIL_MAILER=smtp
MAIL_HOST=smtp.mailtrap.io
MAIL_PORT=2525
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null
MAIL_FROM_ADDRESS="noreply@example.com"
MAIL_FROM_NAME="Example.com"
MAIL_REPLYTO_ADDRESS="replyto@example.com"
MAIL_REPLYTO_NAME=null
DNS_TTL=3600
DNS_SPF="v=spf1 mx -all"
DNS_STATIC="%s. MX 10 ext-mx01.mykolab.com."
DNS_COPY_FROM=null
MIX_ASSET_PATH='/'
PASSWORD_POLICY=
COMPANY_NAME=
COMPANY_ADDRESS=
COMPANY_DETAILS=
COMPANY_EMAIL=
COMPANY_LOGO=
COMPANY_FOOTER=
VAT_COUNTRIES=CH,LI
VAT_RATE=7.7
KB_ACCOUNT_DELETE=
KB_ACCOUNT_SUSPENDED=
KB_PAYMENT_SYSTEM=
KOLAB_SSL_CERTIFICATE=/etc/pki/tls/certs/kolab.hosted.com.cert
KOLAB_SSL_CERTIFICATE_FULLCHAIN=/etc/pki/tls/certs/kolab.hosted.com.chain.pem
KOLAB_SSL_CERTIFICATE_KEY=/etc/pki/tls/certs/kolab.hosted.com.key
PROXY_SSL_CERTIFICATE=/etc/certs/imap.hosted.com.cert
PROXY_SSL_CERTIFICATE_KEY=/etc/certs/imap.hosted.com.key
OPENEXCHANGERATES_API_KEY={{ openexchangerates_api_key }}
FIREBASE_API_KEY={{ firebase_api_key }}
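Review bot: With LDAP_HOSTS now pointing at a separate `ldap` container, this production template still sets LDAP_USE_SSL=false and LDAP_USE_TLS=false on port 389, so the Directory Manager, kolab-service and hosted-kolab-service binds cross the container network in cleartext. All three accounts also share the single `{{ admin_password }}` value, so the distinct bind DNs provide no privilege separation once the directory is a network service reachable from every container on the bridge. Consider separate template variables, e.g. `LDAP_SERVICE_BIND_PW="{{ ldap_service_password }}"` and `LDAP_HOSTED_BIND_PW="{{ ldap_hosted_password }}"`, and `LDAP_USE_TLS=true` if the ldap image supports STARTTLS. The pre-existing APP_DEBUG=true and LOG_LEVEL=debug in a file named config.prod are out of scope for this change but worth a follow-up.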
diff --git a/docker-compose.yml b/docker-compose.yml
index 6d0c3782..e5d1f81a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,308 +1,347 @@
version: '3'
services:
coturn:
build:
context: ./docker/coturn/
container_name: kolab-coturn
healthcheck:
interval: 10s
test: "kill -0 $$(cat /tmp/turnserver.pid)"
timeout: 5s
retries: 30
environment:
- TURN_PUBLIC_IP=${COTURN_PUBLIC_IP}
- TURN_LISTEN_PORT=3478
- TURN_STATIC_SECRET=${COTURN_STATIC_SECRET}
hostname: sturn.mgmt.com
image: kolab-coturn
network_mode: host
restart: on-failure
kolab:
build:
context: ./docker/kolab/
args:
DB_KOLAB_DATABASE: kolab
DB_KOLAB_USERNAME: kolab
DB_KOLAB_PASSWORD: ${DB_PASSWORD:?"DB_PASSWORD is missing"}
+ LDAP_HOST: ldap
+ LDAP_ADMIN_BIND_DN: ${LDAP_ADMIN_BIND_DN}
+ LDAP_ADMIN_BIND_PW: ${LDAP_ADMIN_BIND_PW}
+ LDAP_SERVICE_BIND_PW: ${LDAP_SERVICE_BIND_PW}
container_name: kolab
privileged: true
restart: on-failure
tty: true
depends_on:
mariadb:
condition: service_healthy
pdns:
condition: service_healthy
+ ldap:
+ condition: service_healthy
extra_hosts:
- "kolab.mgmt.com:127.0.0.1"
- "services.${APP_DOMAIN}:172.18.0.4"
environment:
- APP_DOMAIN=${APP_DOMAIN}
- - LDAP_HOST=127.0.0.1
+ - LDAP_HOST=ldap
- LDAP_ADMIN_BIND_DN=${LDAP_ADMIN_BIND_DN}
- LDAP_ADMIN_BIND_PW=${LDAP_ADMIN_BIND_PW}
- LDAP_SERVICE_BIND_PW=${LDAP_SERVICE_BIND_PW}
- - LDAP_HOSTED_BIND_PW=${LDAP_HOSTED_BIND_PW}
- DB_HOST=mariadb
- DB_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
- DB_HKCCP_DATABASE=${DB_DATABASE}
- DB_HKCCP_USERNAME=${DB_USERNAME}
- DB_HKCCP_PASSWORD=${DB_PASSWORD:?"DB_PASSWORD is missing"}
- DB_KOLAB_DATABASE=kolab
- DB_KOLAB_USERNAME=kolab
- DB_KOLAB_PASSWORD=${DB_PASSWORD:?"DB_PASSWORD is missing"}
- SSL_CERTIFICATE=${KOLAB_SSL_CERTIFICATE:?"KOLAB_SSL_CERTIFICATE is missing"}
- SSL_CERTIFICATE_FULLCHAIN=${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?"KOLAB_SSL_CERTIFICATE_FULLCHAIN is missing"}
- SSL_CERTIFICATE_KEY=${KOLAB_SSL_CERTIFICATE_KEY:?"KOLAB_SSL_CERTIFICATE_KEY is missing"}
- IMAP_HOST=127.0.0.1
- IMAP_PORT=11993
- IMAP_ADMIN_LOGIN=${IMAP_ADMIN_LOGIN}
- IMAP_ADMIN_PASSWORD=${IMAP_ADMIN_PASSWORD}
- MAIL_HOST=127.0.0.1
- MAIL_PORT=10587
healthcheck:
interval: 10s
test: "systemctl is-active kolab-init || exit 1"
timeout: 5s
retries: 30
start_period: 5m
# This makes docker's dns, resolve via pdns for this container.
# Please note it does not affect /etc/resolv.conf
dns: 172.18.0.11
hostname: kolab.mgmt.com
image: kolab
networks:
kolab:
ipv4_address: 172.18.0.5
ports:
- "12143:12143"
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
volumes:
- ./ext/:/src/:ro
- /etc/letsencrypt/:/etc/letsencrypt/:ro
- ./docker/certs/ca.cert:/etc/pki/tls/certs/ca.cert:ro
- ./docker/certs/ca.cert:/etc/pki/ca-trust/source/anchors/ca.cert:ro
- ./docker/certs/kolab.hosted.com.cert:${KOLAB_SSL_CERTIFICATE:?err}
- ./docker/certs/kolab.hosted.com.chain.pem:${KOLAB_SSL_CERTIFICATE_FULLCHAIN:?err}
- ./docker/certs/kolab.hosted.com.key:${KOLAB_SSL_CERTIFICATE_KEY:?err}
- ./docker/kolab/utils:/root/utils:ro
- /sys/fs/cgroup:/sys/fs/cgroup:ro
- imap:/imapdata
+
+ ldap:
+ build:
+ context: ./docker/ldap/
+ container_name: kolab-ldap
+ restart: on-failure
+ tty: true
+ hostname: ldap
+ privileged: true
+ environment:
+ - APP_DOMAIN=${APP_DOMAIN}
+ - LDAP_ADMIN_ROOT_DN=${LDAP_ADMIN_ROOT_DN}
+ - LDAP_ADMIN_BIND_DN=${LDAP_ADMIN_BIND_DN}
+ - LDAP_ADMIN_BIND_PW=${LDAP_ADMIN_BIND_PW}
+ - LDAP_SERVICE_BIND_PW=${LDAP_SERVICE_BIND_PW}
+ - LDAP_HOSTED_BIND_PW=${LDAP_HOSTED_BIND_PW}
+ - IMAP_ADMIN_PASSWORD=${IMAP_ADMIN_PASSWORD}
+ healthcheck:
+ interval: 10s
+ test: "systemctl status dirsrv@kolab || exit 1"
+ timeout: 5s
+ retries: 30
+ start_period: 5m
+ image: kolab-ldap
+ networks:
+ kolab:
+ ipv4_address: 172.18.0.12
+ tmpfs:
+ - /run
+ - /tmp
+ - /var/run
+ - /var/tmp
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
- ldap:/ldapdata
roundcube:
build:
context: ./docker/roundcube/
container_name: kolab-roundcube
hostname: roundcube.hosted.com
restart: on-failure
depends_on:
mariadb:
condition: service_healthy
pdns:
condition: service_healthy
kolab:
condition: service_healthy
environment:
- APP_DOMAIN=${APP_DOMAIN}
- - LDAP_HOST=kolab
+ - LDAP_HOST=ldap
- LDAP_ADMIN_BIND_DN=${LDAP_ADMIN_BIND_DN}
- LDAP_ADMIN_BIND_PW=${LDAP_ADMIN_BIND_PW}
- LDAP_SERVICE_BIND_PW=${LDAP_SERVICE_BIND_PW}
- LDAP_HOSTED_BIND_PW=${LDAP_HOSTED_BIND_PW}
- DB_HOST=mariadb
- DB_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
- DB_RC_DATABASE=roundcube
- DB_RC_USERNAME=roundcube
- DB_RC_PASSWORD=${DB_PASSWORD:?"DB_PASSWORD is missing"}
- IMAP_HOST=tls://haproxy
- IMAP_PORT=145
- IMAP_ADMIN_LOGIN=${IMAP_ADMIN_LOGIN}
- IMAP_ADMIN_PASSWORD=${IMAP_ADMIN_PASSWORD}
- MAIL_HOST=tls://kolab
- MAIL_PORT=10587
healthcheck:
interval: 10s
test: "kill -0 $$(cat /run/httpd/httpd.pid)"
timeout: 5s
retries: 30
# This makes docker's dns, resolve via pdns for this container.
# Please note it does not affect /etc/resolv.conf
dns: 172.18.0.11
image: roundcube
networks:
kolab:
ipv4_address: 172.18.0.9
ports:
- "8001:80"
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
volumes:
- ./ext/:/src.orig/:ro
mariadb:
container_name: kolab-mariadb
restart: on-failure
environment:
- MARIADB_ROOT_PASSWORD=${DB_ROOT_PASSWORD}
- TZ="+02:00"
- DB_HKCCP_DATABASE=${DB_DATABASE}
- DB_HKCCP_USERNAME=${DB_USERNAME}
- DB_HKCCP_PASSWORD=${DB_PASSWORD}
healthcheck:
interval: 10s
test: test -e /var/run/mysqld/mysqld.sock
timeout: 5s
retries: 30
image: mariadb:latest
networks:
kolab:
ipv4_address: 172.18.0.3
volumes:
- ./docker/mariadb/mysql-init/:/docker-entrypoint-initdb.d/
- mariadb:/var/lib/mysql
haproxy:
build:
context: ./docker/haproxy/
healthcheck:
interval: 10s
test: "kill -0 $$(cat /var/run/haproxy.pid)"
timeout: 5s
retries: 30
container_name: kolab-haproxy
restart: on-failure
hostname: haproxy.hosted.com
image: kolab-haproxy
networks:
kolab:
ipv4_address: 172.18.0.6
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
volumes:
- ./docker/certs/:/etc/certs/:ro
- /etc/letsencrypt/:/etc/letsencrypt/:ro
pdns:
build:
context: ./docker/pdns/
args:
DB_HOST: mariadb
DB_DATABASE: ${DB_DATABASE:?DB_DATABASE}
DB_USERNAME: ${DB_USERNAME:?DB_USERNAME}
DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD}
container_name: kolab-pdns
restart: on-failure
tty: true
hostname: pdns
depends_on:
mariadb:
condition: service_healthy
healthcheck:
interval: 10s
test: "systemctl status pdns || exit 1"
timeout: 5s
retries: 30
image: kolab-pdns
networks:
kolab:
ipv4_address: 172.18.0.11
tmpfs:
- /run
- /tmp
- /var/run
- /var/tmp
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
redis:
build:
context: ./docker/redis/
healthcheck:
interval: 10s
test: "redis-cli ping || exit 1"
timeout: 5s
retries: 30
container_name: kolab-redis
restart: on-failure
hostname: redis
image: redis
networks:
- kolab
volumes:
- ./docker/redis/redis.conf:/usr/local/etc/redis/redis.conf:ro
webapp:
build:
context: ./docker/webapp/
args:
GIT_REF: ${KOLAB_GIT_REF:-master}
container_name: kolab-webapp
restart: on-failure
image: kolab-webapp
healthcheck:
interval: 10s
test: "/src/kolabsrc/artisan octane:status || exit 1"
timeout: 5s
retries: 30
start_period: 5m
depends_on:
kolab:
condition: service_healthy
redis:
condition: service_healthy
roundcube:
condition: service_healthy
networks:
kolab:
ipv4_address: 172.18.0.4
volumes:
- ./src:/src/kolabsrc.orig:ro
ports:
- "8000:8000"
meet:
build:
context: ./docker/meet/
args:
GIT_REF: ${KOLAB_GIT_REF:-master}
container_name: kolab-meet
restart: on-failure
healthcheck:
interval: 10s
test: "curl --insecure -H 'X-AUTH-TOKEN: ${MEET_SERVER_TOKEN}' --fail https://${MEET_LISTENING_HOST}:12443/meetmedia/api/health || exit 1"
timeout: 5s
retries: 30
start_period: 5m
environment:
- WEBRTC_LISTEN_IP=${MEET_WEBRTC_LISTEN_IP:?err}
- PUBLIC_DOMAIN=${MEET_PUBLIC_DOMAIN:?err}
- LISTENING_HOST=${MEET_LISTENING_HOST:?err}
- LISTENING_PORT=12443
- TURN_SERVER=${MEET_TURN_SERVER}
- TURN_STATIC_SECRET=${COTURN_STATIC_SECRET}
- AUTH_TOKEN=${MEET_SERVER_TOKEN:?err}
- WEBHOOK_TOKEN=${MEET_WEBHOOK_TOKEN:?err}
- WEBHOOK_URL=${APP_PUBLIC_URL:?err}/api/webhooks/meet
- SSL_CERT=/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN:?err}.cert
- SSL_KEY=/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN:?err}.key
network_mode: host
container_name: kolab-meet
image: kolab-meet
volumes:
- ./meet/server:/src/meet/:ro
- ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.cert:/etc/pki/tls/certs/meet.${APP_WEBSITE_DOMAIN}.cert
- ./docker/certs/meet.${APP_WEBSITE_DOMAIN}.key:/etc/pki/tls/private/meet.${APP_WEBSITE_DOMAIN}.key
networks:
kolab:
driver: bridge
ipam:
config:
- subnet: "172.18.0.0/24"
volumes:
mariadb:
imap:
ldap:
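Review bot: The new kolab build args `LDAP_ADMIN_BIND_PW` and `LDAP_SERVICE_BIND_PW` lack the `:?` guard that `DB_KOLAB_PASSWORD` has on the line above them, so an unset variable silently bakes an empty `bind_pw =` into the image's kolab.conf and kolab then attempts credential-less binds at runtime. Guard them the same way: `LDAP_ADMIN_BIND_PW: ${LDAP_ADMIN_BIND_PW:?"LDAP_ADMIN_BIND_PW is missing"}` and `LDAP_SERVICE_BIND_PW: ${LDAP_SERVICE_BIND_PW:?"LDAP_SERVICE_BIND_PW is missing"}`. Separately, the new `ldap` service is `privileged: true` with `/sys/fs/cgroup` mounted, which appears to be only for running systemd; a directory server holding every account's password hash is the last container that should carry full host capabilities, so if systemd is unavoidable prefer the narrowest capability set that works and add a comment stating why privileged is required. Passing the same passwords as both build args and runtime environment also duplicates them; the runtime copy is the one worth keeping.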
diff --git a/docker/kolab/Dockerfile b/docker/kolab/Dockerfile
index c37e4d58..7dd2f502 100644
--- a/docker/kolab/Dockerfile
+++ b/docker/kolab/Dockerfile
@@ -1,83 +1,84 @@
FROM quay.io/centos/centos:stream8
LABEL maintainer="contact@apheleia-it.ch"
LABEL dist=centos8
LABEL tier=${TIER}
ENV SYSTEMD_PAGER=''
ENV DISTRO=centos8
ENV LANG=en_US.utf8
ENV LC_ALL=en_US.utf8
# Add EPEL.
RUN dnf config-manager --set-enabled powertools && \
dnf -y install \
epel-release epel-next-release && \
dnf -y module enable 389-directory-server:stable/default && \
dnf -y module enable mariadb:10.3 && \
dnf -y install iputils vim-enhanced bind-utils && \
dnf clean all
RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
# Install kolab
RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \
rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el8stream.rpm
RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \
dnf config-manager --enable kolab-16-testing &&\
dnf -y --setopt tsflags= install kolab patch &&\
dnf clean all
COPY kolab-init.service /etc/systemd/system/kolab-init.service
COPY kolab-setenv.service /etc/systemd/system/kolab-setenv.service
COPY utils /root/utils
RUN rm -rf /etc/systemd/system/multi-user.target.wants/{avahi-daemon,sshd}.* && \
ln -s /etc/systemd/system/kolab-init.service \
/etc/systemd/system/multi-user.target.wants/kolab-init.service && \
ln -s /etc/systemd/system/kolab-setenv.service \
/etc/systemd/system/multi-user.target.wants/kolab-setenv.service
RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || :
COPY /rootfs /
COPY kolab-init.sh /usr/local/sbin/
RUN chmod 750 /usr/local/sbin/kolab-init.sh
COPY kolab.conf /etc/kolab/kolab.conf
COPY cyrus.conf /etc/cyrus.conf
COPY imapd.conf /etc/imapd.conf
COPY imapd.annotations.conf /etc/imapd.annotations.conf
COPY guam.conf /etc/guam/sys.config
ARG DB_KOLAB_DATABASE
ARG DB_KOLAB_USERNAME
ARG DB_KOLAB_PASSWORD
+ARG LDAP_HOST
+ARG LDAP_ADMIN_BIND_DN
+ARG LDAP_ADMIN_BIND_PW
+ARG LDAP_SERVICE_BIND_PW
RUN sed -i -r \
-e "s|DB_KOLAB_DATABASE|$DB_KOLAB_DATABASE|g" \
-e "s|DB_KOLAB_USERNAME|$DB_KOLAB_USERNAME|g" \
-e "s|DB_KOLAB_PASSWORD|$DB_KOLAB_PASSWORD|g" \
+ -e "s|LDAP_HOST|$LDAP_HOST|g" \
+ -e "s|LDAP_ADMIN_BIND_DN|$LDAP_ADMIN_BIND_DN|g" \
+ -e "s|LDAP_ADMIN_BIND_PW|$LDAP_ADMIN_BIND_PW|g" \
+ -e "s|LDAP_SERVICE_BIND_PW|$LDAP_SERVICE_BIND_PW|g" \
/etc/kolab/kolab.conf
RUN mkdir -p /imapdata/{spool,lib} && \
rm -rf /var/spool/imap && ln -s /imapdata/spool /var/spool/imap && \
mv /var/lib/imap /var/lib/imap-bak && ln -s /imapdata/lib /var/lib/imap && \
chmod -R 777 /imapdata && \
chown cyrus:mail /var/spool/imap /var/lib/imap
-RUN mkdir -p /ldapdata/{config,ssca,run} /var/run/dirsrv && \
- ln -s /ldapdata/config /etc/dirsrv/slapd-kolab && \
- ln -s /ldapdata/ssca /etc/dirsrv/ssca && \
- ln -s /ldapdata/run /var/run/dirsrv && \
- chmod -R 777 /ldapdata /etc/dirsrv
-
VOLUME [ "/sys/fs/cgroup" ]
VOLUME [ "/imapdata" ]
-VOLUME [ "/ldapdata" ]
WORKDIR /root/
CMD ["/lib/systemd/systemd"]
EXPOSE 10143/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp
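Review bot: The new ARGs carry the Directory Manager and service-account passwords into the build and the `sed -i` writes them into `/etc/kolab/kolab.conf` inside an image layer, so both the ARG values (via `docker history kolab`) and the file itself are recoverable by anyone who can pull or inspect the image. docker-compose.yml already hands the same values to the container as runtime environment, so the substitution should move out of the Dockerfile into kolab-init.sh or 05-adjust-configs.sh, leaving only the non-secret `LDAP_HOST` and bind DN at build time. The sed expressions also use `|` as delimiter with unescaped values, so a password containing `|`, `&` or `\` corrupts the substitution; wherever the substitution ends up, escape first, e.g. `esc_pw=$(printf '%s' "$LDAP_ADMIN_BIND_PW" | sed -e 's/[|&\\]/\\&/g')`.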
diff --git a/docker/kolab/kolab-init.sh b/docker/kolab/kolab-init.sh
index 8587e294..eef32663 100755
--- a/docker/kolab/kolab-init.sh
+++ b/docker/kolab/kolab-init.sh
@@ -1,15 +1,14 @@
#!/bin/bash
pushd /root/utils/
./01-reverse-etc-hosts.sh && echo "01 done"
./02-write-my.cnf.sh && echo "02 done"
-./03-setup-ldap.sh && echo "03 ldap done"
./03-setup-kolab.sh && echo "03 kolab done"
./04-reset-mysql-kolab-password.sh && echo "04 done"
./05-adjust-configs.sh && echo "05 done"
./10-reset-kolab-service-password.sh && echo "10 done"
./11-reset-cyrus-admin-password.sh && echo "11 done"
./23-patch-system.sh && echo "23 done"
touch /tmp/kolab-init.done
diff --git a/docker/kolab/kolab.conf b/docker/kolab/kolab.conf
index fd72fb3c..24782436 100644
--- a/docker/kolab/kolab.conf
+++ b/docker/kolab/kolab.conf
@@ -1,90 +1,90 @@
[kolab]
primary_domain = mgmt.com
auth_mechanism = ldap
imap_backend = cyrus-imap
default_locale = en_US
sync_interval = 300
domain_sync_interval = 600
policy_uid = %(surname)s.lower()
daemon_rcpt_policy = False
[imap]
virtual_domains = userid
[ldap]
-ldap_uri = ldap://127.0.0.1:389
+ldap_uri = ldap://LDAP_HOST:389
timeout = 10
supported_controls = 0,2,3
base_dn = dc=mgmt,dc=com
-bind_dn = cn=Directory Manager
-bind_pw =
+bind_dn = LDAP_ADMIN_BIND_DN
+bind_pw = LDAP_ADMIN_BIND_PW
service_bind_dn = uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
-service_bind_pw =
+service_bind_pw = LDAP_SERVICE_BIND_PW
user_base_dn = dc=hosted,dc=com
user_scope = sub
user_filter = (objectclass=inetorgperson)
kolab_user_base_dn = dc=hosted,dc=com
kolab_user_filter = (objectclass=kolabinetorgperson)
group_base_dn = dc=hosted,dc=com
group_filter = (|(objectclass=groupofuniquenames)(objectclass=groupofurls))
group_scope = sub
kolab_group_filter = (|(objectclass=kolabgroupofuniquenames)(objectclass=kolabgroupofurls))
sharedfolder_base_dn = dc=hosted,dc=com
sharedfolder_filter = (objectclass=kolabsharedfolder)
sharedfolder_acl_entry_attribute = acl
resource_base_dn = dc=hosted,dc=com
resource_filter = (|%(group_filter)s(objectclass=kolabsharedfolder))
domain_base_dn = ou=Domains,dc=mgmt,dc=com
domain_filter = (&(associatedDomain=*))
domain_name_attribute = associateddomain
domain_rootdn_attribute = inetdomainbasedn
quota_attribute = mailquota
modifytimestamp_format = %Y%m%d%H%M%SZ
unique_attribute = nsuniqueid
mail_attributes = mail, alias
mailserver_attribute = mailhost
auth_attributes = mail, uid
[kolab_smtp_access_policy]
cache_uri = mysql://DB_KOLAB_USERNAME:DB_KOLAB_PASSWORD@mariadb/DB_KOLAB_DATABASE
cache_retention = 86400
address_search_attrs = mail, alias
delegate_sender_header = True
alias_sender_header = True
sender_header = True
xsender_header = True
empty_sender_hosts = 3.2.1.0/24, 6.6.6.0/24
[kolab_wap]
mgmt_root_dn = dc=mgmt,dc=com
hosted_root_dn = dc=hosted,dc=com
api_url = http://127.0.0.1:9080/kolab-webadmin/api
skin = default
sql_uri = mysql://DB_KOLAB_USERNAME:DB_KOLAB_PASSWORD@mariadb/DB_KOLAB_DATABASE
ssl_verify_peer = false
ssl_verify_host = false
[cyrus-imap]
uri = imaps://127.0.0.1:11993
admin_login = cyrus-admin
admin_password =
[cyrus-sasl]
result_attribute = mail
[wallace]
webmail_url = https://%(domain)s/roundcubemail
modules = resources, invitationpolicy
kolab_invitation_policy = ACT_ACCEPT_IF_NO_CONFLICT:example.org, ACT_MANUAL
invitationpolicy_autoupdate_other_attendees_on_reply = false
resource_calendar_expire_days = 100
[mgmt.com]
default_quota = 1048576
daemon_rcpt_policy = False
[autodiscover]
;debug_mode = trace
activesync = %d
imap = ssl://%d:993
smtp = ssl://%d:465
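Review bot: `ldap_uri = ldap://LDAP_HOST:389` now names a remote host while the bind below is `cn=Directory Manager` with its password filled in, so the most privileged directory credential is sent over unencrypted LDAP across the container network on every pykolab operation; the old loopback value made this harmless. If the new ldap image can serve ldaps or STARTTLS, prefer `ldap_uri = ldaps://LDAP_HOST:636`; otherwise add a comment above the line noting that the link is cleartext and depends on the private bridge network staying private. Also, `[cyrus-imap] admin_password =` stays empty while the LDAP passwords are now filled at build time — presumably 11-reset-cyrus-admin-password.sh sets it at runtime, which is worth a one-line comment now that the two mechanisms differ.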
diff --git a/docker/kolab/utils/03-setup-ldap.sh b/docker/kolab/utils/03-setup-ldap.sh
deleted file mode 100755
index 8d7293fb..00000000
--- a/docker/kolab/utils/03-setup-ldap.sh
+++ /dev/null
@@ -1,260 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-cp -av /bin/true /usr/sbin/ds_systemd_ask_password_acl
-
-if [ -f "/etc/dirsrv/slapd-kolab/dse.ldif" ]; then
- echo "LDAP directory exists, nothing to do"
-
- mkdir -p /var/log/dirsrv/slapd-kolab/
- chmod 777 /var/log/dirsrv/slapd-kolab/
- systemctl start dirsrv@kolab
- mkdir /run/dirsrv
- chmod 777 /run/dirsrv
- mkdir -p /run/lock/dirsrv/slapd-kolab/
- chown dirsrv:dirsrv /run/lock/dirsrv/slapd-kolab/
- chmod 777 /run/lock/dirsrv/slapd-kolab/
- mkdir -p /var/lib/dirsrv/slapd-kolab
- chown dirsrv:dirsrv /var/lib/dirsrv/slapd-kolab
-
- systemctl start dirsrv@kolab
-else
- sed -i -e 's/sys.exit/print("exit") #sys.exit/' /usr/lib/python3.6/site-packages/pykolab/setup/setup_ldap.py
-
- echo "LDAP directory does not exist, setting it up."
- CMD="$(which setup-kolab) ldap \
- --default ${LDAP_HOST} \
- --fqdn=kolab.${domain} \
- --directory-manager-pwd=${LDAP_ADMIN_BIND_PW}"
- ${CMD} 2>&1 | tee -a /root/setup-kolab.log
-
-
- # Create hosted kolab service
- (
- echo "dn: uid=hosted-kolab-service,ou=Special Users,${rootdn}"
- echo "objectclass: top"
- echo "objectclass: inetorgperson"
- echo "objectclass: person"
- echo "uid: hosted-kolab-service"
- echo "cn: Hosted Kolab Service Account"
- echo "sn: Service Account"
- echo "givenname: Hosted Kolab"
- echo "userpassword: ${hosted_kolab_service_pw}"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- # Create ou domain
- (
- echo "dn: ou=Domains,${rootdn}"
- echo "ou: Domains"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- # Create management domain
- (
- echo "dn: associateddomain=${domain},${domain_base_dn}"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo "inetDomainStatus: active"
- echo "objectClass: top"
- echo "objectClass: domainrelatedobject"
- echo "objectClass: inetdomain"
- echo "associatedDomain: ${domain}"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-
- # Create hosted domains
- (
- echo "dn: associateddomain=${hosted_domain},${domain_base_dn}"
- echo "objectclass: top"
- echo "objectclass: domainrelatedobject"
- echo "objectclass: inetdomain"
- echo "inetdomainstatus: active"
- echo "associateddomain: ${hosted_domain}"
- echo "inetdomainbasedn: ${hosted_domain_rootdn}"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- (
- echo "dn: cn=$(echo ${hosted_domain} | sed -e 's/\./_/g'),cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: extensibleobject"
- echo "objectClass: nsbackendinstance"
- echo "cn: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo "nsslapd-suffix: ${hosted_domain_rootdn}"
- echo "nsslapd-cachesize: -1"
- echo "nsslapd-cachememsize: 10485760"
- echo "nsslapd-readonly: off"
- echo "nsslapd-require-index: off"
- echo "nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME:-$(hostname -s)}/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo "nsslapd-dncachememsize: 10485760"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- (
- #On centos7
- #echo "dn: cn=$(echo ${hosted_domain_rootdn} | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g'),cn=mapping tree,cn=config"
- #On centos8
- echo "dn: cn=\"${hosted_domain_rootdn}\",cn=mapping tree,cn=config"
- echo "objectClass: top"
- echo "objectClass: extensibleObject"
- echo "objectClass: nsMappingTree"
- echo "nsslapd-state: backend"
- echo "cn: ${hosted_domain_rootdn}"
- echo "nsslapd-backend: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- (
- echo "dn: ${hosted_domain_rootdn}"
- echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
- echo "aci: (targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${hosted_domain_rootdn}\" or roledn=\"ldap:///cn=kolab-admin,${hosted_domain_rootdn}\");)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
- echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
- echo "objectClass: top"
- echo "objectClass: domain"
- echo "dc: $(echo ${hosted_domain} | cut -d'.' -f 1)"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
- (
- for role in "2fa-user" "activesync-user" "imap-user"; do
- echo "dn: cn=${role},${hosted_domain_rootdn}"
- echo "cn: ${role}"
- echo "description: ${role} role"
- echo "objectclass: top"
- echo "objectclass: ldapsubentry"
- echo "objectclass: nsmanagedroledefinition"
- echo "objectclass: nsroledefinition"
- echo "objectclass: nssimpleroledefinition"
- echo ""
- done
-
- echo "dn: ou=Groups,${hosted_domain_rootdn}"
- echo "ou: Groups"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=People,${hosted_domain_rootdn}"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo "ou: People"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Special Users,${hosted_domain_rootdn}"
- echo "ou: Special Users"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Resources,${hosted_domain_rootdn}"
- echo "ou: Resources"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: ou=Shared Folders,${hosted_domain_rootdn}"
- echo "ou: Shared Folders"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-
- echo "dn: uid=cyrus-admin,ou=Special Users,${hosted_domain_rootdn}"
- echo "sn: Administrator"
- echo "uid: cyrus-admin"
- echo "objectClass: top"
- echo "objectClass: person"
- echo "objectClass: inetorgperson"
- echo "objectClass: organizationalperson"
- echo "givenName: Cyrus"
- echo "cn: Cyrus Administrator"
- echo ""
-
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-
- # Remove cn kolab cn config
- (
- echo "associateddomain=${domain},cn=kolab,cn=config"
- echo "cn=kolab,cn=config"
- ) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-
- # Remove hosted service access from mgmt domain
- (
- echo "dn: associateddomain=${domain},ou=Domains,${rootdn}"
- echo "changetype: modify"
- echo "replace: aci"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
- echo ""
- ) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
-
-
- # Add alias attribute index
- #
- export index_attr=alias
-
- (
- echo "dn: cn=${index_attr},cn=index,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectclass: top"
- echo "objectclass: nsindex"
- echo "cn: ${index_attr}"
- echo "nsSystemIndex: false"
- echo "nsindextype: pres"
- echo "nsindextype: eq"
- echo "nsindextype: sub"
-
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-
- (
- echo "dn: cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config"
- echo "objectclass: top"
- echo "objectclass: extensibleObject"
- echo "cn: ${hosted_domain_db} ${index_attr} index"
- echo "nsinstance: ${hosted_domain_db}"
- echo "nsIndexAttribute: ${index_attr}:pres"
- echo "nsIndexAttribute: ${index_attr}:eq"
- echo "nsIndexAttribute: ${index_attr}:sub"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
- ldap_complete=0
-
- while [ ${ldap_complete} -ne 1 ]; do
- result=$(
- ldapsearch \
- -x \
- -h "${ldap_host}" \
- -D "${ldap_binddn}" \
- -w "${ldap_bindpw}" \
- -c \
- -LLL \
- -b "cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" \
- '(!(nstaskexitcode=0))' \
- -s base 2>/dev/null
- )
- if [ -z "$result" ]; then
- ldap_complete=1
- echo ""
- else
- echo -n "."
- sleep 1
- fi
- done
-
- ./50-add-vlv-searches.sh
- ./51-add-vlv-indexes.sh
- ./52-run-vlv-index-tasks.sh
-fi
-
diff --git a/docker/kolab/utils/50-add-vlv-searches.sh b/docker/kolab/utils/50-add-vlv-searches.sh
deleted file mode 100755
index c6e24bcb..00000000
--- a/docker/kolab/utils/50-add-vlv-searches.sh
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-
-(
- echo "dn: cn=PVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvSearch"
- echo "cn: PVS"
- echo "vlvBase: ${hosted_domain_rootdn}"
- echo "vlvScope: 2"
- echo "vlvFilter: (objectclass=inetorgperson)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-(
- echo "dn: cn=RVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvSearch"
- echo "cn: RVS"
- echo "vlvBase: ${hosted_domain_rootdn}"
- echo "vlvScope: 2"
- echo "vlvFilter: (|(&(objectclass=kolabsharedfolder)(kolabfoldertype=event)(mail=*))(objectclass=groupofuniquenames)(objectclass=groupofurls))"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-(
- echo "dn: cn=GVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvSearch"
- echo "cn: GVS"
- echo "vlvBase: ${hosted_domain_rootdn}"
- echo "vlvScope: 2"
- echo "vlvFilter: (|(objectclass=groupofuniquenames)(objectclass=groupofurls))"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-if [ "${domain_base_dn}" != "cn=kolab,cn=config" ]; then
- (
- echo "dn: cn=DVS,cn=${domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvSearch"
- echo "cn: DVS"
- echo "vlvBase: ${domain_base_dn}"
- echo "vlvScope: 2"
- echo "vlvFilter: (objectclass=domainrelatedobject)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-fi
diff --git a/docker/kolab/utils/51-add-vlv-indexes.sh b/docker/kolab/utils/51-add-vlv-indexes.sh
deleted file mode 100755
index 1f2afc6d..00000000
--- a/docker/kolab/utils/51-add-vlv-indexes.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-
-(
- echo "dn: cn=PVI,cn=PVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvIndex"
- echo "cn: PVI"
- echo "vlvSort: displayname sn givenname cn"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-(
- echo "dn: cn=RVI,cn=RVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvIndex"
- echo "cn: RVI"
- echo "vlvSort: cn"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-(
- echo "dn: cn=GVI,cn=GVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvIndex"
- echo "cn: GVI"
- echo "vlvSort: cn"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-if [ "${domain_base_dn}" != "cn=kolab,cn=config" ]; then
- (
- echo "dn: cn=DVI,cn=DVS,cn=${domain_db},cn=ldbm database,cn=plugins,cn=config"
- echo "objectClass: top"
- echo "objectClass: vlvIndex"
- echo "cn: DVI"
- echo "vlvSort: associatedDomain"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
- echo ""
- ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-fi
diff --git a/docker/kolab/utils/52-run-vlv-index-tasks.sh b/docker/kolab/utils/52-run-vlv-index-tasks.sh
deleted file mode 100755
index b449e04c..00000000
--- a/docker/kolab/utils/52-run-vlv-index-tasks.sh
+++ /dev/null
@@ -1,143 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-
-(
- echo "dn: cn=PVI,cn=index,cn=tasks,cn=config"
- echo "objectclass: top"
- echo "objectclass: extensibleObject"
- echo "cn: PVI"
- echo "nsinstance: ${hosted_domain_db}"
- echo "nsIndexVLVAttribute: PVI"
- echo ""
-) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-ldap_complete=0
-
-while [ ${ldap_complete} -ne 1 ]; do
- result=$(
- ldapsearch \
- -x \
- -h ${ldap_host} \
- -D "${ldap_binddn}" \
- -w "${ldap_bindpw}" \
- -c \
- -LLL \
- -b "cn=PVI,cn=index,cn=tasks,cn=config" \
- '(!(nstaskexitcode=0))' \
- -s base 2>/dev/null
- )
- if [ -z "$result" ]; then
- ldap_complete=1
- echo ""
- else
- echo -n "."
- sleep 1
- fi
-done
-
-(
- echo "dn: cn=RVI,cn=index,cn=tasks,cn=config"
- echo "objectclass: top"
- echo "objectclass: extensibleObject"
- echo "cn: RVI"
- echo "nsinstance: ${hosted_domain_db}"
- echo "nsIndexVLVAttribute: RVI"
- echo ""
-) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-ldap_complete=0
-
-while [ ${ldap_complete} -ne 1 ]; do
- result=$(
- ldapsearch \
- -x \
- -h ${ldap_host} \
- -D "${ldap_binddn}" \
- -w "${ldap_bindpw}" \
- -c \
- -LLL \
- -b "cn=RVI,cn=index,cn=tasks,cn=config" \
- '(!(nstaskexitcode=0))' \
- -s base 2>/dev/null
- )
- if [ -z "$result" ]; then
- ldap_complete=1
- echo ""
- else
- echo -n "."
- sleep 1
- fi
-done
-
-
-
-(
- echo "dn: cn=GVI,cn=index,cn=tasks,cn=config"
- echo "objectclass: top"
- echo "objectclass: extensibleObject"
- echo "cn: GVI"
- echo "nsinstance: ${hosted_domain_db}"
- echo "nsIndexVLVAttribute: GVI"
- echo ""
-) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
-ldap_complete=0
-
-while [ ${ldap_complete} -ne 1 ]; do
- result=$(
- ldapsearch \
- -x \
- -h ${ldap_host} \
- -D "${ldap_binddn}" \
- -w "${ldap_bindpw}" \
- -c \
- -LLL \
- -b "cn=GVI,cn=index,cn=tasks,cn=config" \
- '(!(nstaskexitcode=0))' \
- -s base 2>/dev/null
- )
- if [ -z "$result" ]; then
- ldap_complete=1
- echo ""
- else
- echo -n "."
- sleep 1
- fi
-done
-
-if [ "${domain_base_dn}" != "cn=kolab,cn=config" ]; then
- (
- echo "dn: cn=DVI,cn=index,cn=tasks,cn=config"
- echo "objectclass: top"
- echo "objectclass: extensibleObject"
- echo "cn: DVI"
- echo "nsinstance: ${domain_db}"
- echo "nsIndexVLVAttribute: DVI"
- echo ""
- ) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
-
- ldap_complete=0
-
- while [ ${ldap_complete} -ne 1 ]; do
- result=$(
- ldapsearch \
- -x \
- -h ${ldap_host} \
- -D "${ldap_binddn}" \
- -w "${ldap_bindpw}" \
- -c \
- -LLL \
- -b "cn=DVI,cn=index,cn=tasks,cn=config" \
- '(!(nstaskexitcode=0))' \
- -s base 2>/dev/null
- )
- if [ -z "$result" ]; then
- ldap_complete=1
- echo ""
- else
- echo -n "."
- sleep 1
- fi
- done
-fi
diff --git a/docker/kolab/utils/settings.sh b/docker/kolab/utils/settings.sh
index 1b7e5e0d..f0008c2a 100755
--- a/docker/kolab/utils/settings.sh
+++ b/docker/kolab/utils/settings.sh
@@ -1,20 +1,19 @@
#!/bin/bash
export rootdn=${LDAP_ADMIN_ROOT_DN:-"dc=mgmt,dc=com"}
export domain=${DOMAIN:-"mgmt.com"}
export domain_db=${DOMAIN_DB:-"mgmt_com"}
export ldap_host=${LDAP_HOST}
export ldap_binddn=${LDAP_ADMIN_BIND_DN}
export ldap_bindpw=${LDAP_ADMIN_BIND_PW}
export cyrus_admin=${IMAP_ADMIN_LOGIN}
export cyrus_admin_pw=${IMAP_ADMIN_PASSWORD}
export kolab_service_pw=${LDAP_SERVICE_BIND_PW}
-export hosted_kolab_service_pw=${LDAP_HOSTED_BIND_PW}
export hosted_domain=${HOSTED_DOMAIN:-"hosted.com"}
export hosted_domain_db=${HOSTED_DOMAIN_DB:-"hosted_com"}
export hosted_domain_rootdn=${LDAP_HOSTED_ROOT_DN:-"dc=hosted,dc=com"}
export domain_base_dn=${LDAP_DOMAIN_BASE_DN:-"ou=Domains,dc=mgmt,dc=com"}
diff --git a/docker/kolab/Dockerfile b/docker/ldap/Dockerfile
similarity index 52%
copy from docker/kolab/Dockerfile
copy to docker/ldap/Dockerfile
index c37e4d58..043323c4 100644
--- a/docker/kolab/Dockerfile
+++ b/docker/ldap/Dockerfile
@@ -1,83 +1,51 @@
FROM quay.io/centos/centos:stream8
LABEL maintainer="contact@apheleia-it.ch"
LABEL dist=centos8
LABEL tier=${TIER}
ENV SYSTEMD_PAGER=''
ENV DISTRO=centos8
ENV LANG=en_US.utf8
ENV LC_ALL=en_US.utf8
# Add EPEL.
RUN dnf config-manager --set-enabled powertools && \
dnf -y install \
epel-release epel-next-release && \
dnf -y module enable 389-directory-server:stable/default && \
dnf -y module enable mariadb:10.3 && \
dnf -y install iputils vim-enhanced bind-utils && \
dnf clean all
RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
# Install kolab
RUN rpm --import https://mirror.apheleia-it.ch/repos/Kolab:/16/key.asc && \
rpm -Uvh https://mirror.apheleia-it.ch/repos/Kolab:/16/kolab-16-for-el8stream.rpm
RUN sed -i -e '/^ssl/d' /etc/yum.repos.d/kolab*.repo && \
dnf config-manager --enable kolab-16-testing &&\
- dnf -y --setopt tsflags= install kolab patch &&\
+ dnf -y --setopt tsflags= install kolab-schema 389-ds-base &&\
dnf clean all
+COPY init.sh /init.sh
COPY kolab-init.service /etc/systemd/system/kolab-init.service
COPY kolab-setenv.service /etc/systemd/system/kolab-setenv.service
-COPY utils /root/utils
-
-RUN rm -rf /etc/systemd/system/multi-user.target.wants/{avahi-daemon,sshd}.* && \
- ln -s /etc/systemd/system/kolab-init.service \
- /etc/systemd/system/multi-user.target.wants/kolab-init.service && \
- ln -s /etc/systemd/system/kolab-setenv.service \
- /etc/systemd/system/multi-user.target.wants/kolab-setenv.service
+RUN systemctl disable avahi-daemon sshd; systemctl enable kolab-setenv kolab-init
RUN sed -i -r -e 's/^SELINUX=.*$/SELINUX=permissive/g' /etc/selinux/config 2>/dev/null || :
-COPY /rootfs /
-
-COPY kolab-init.sh /usr/local/sbin/
-RUN chmod 750 /usr/local/sbin/kolab-init.sh
-
-COPY kolab.conf /etc/kolab/kolab.conf
-COPY cyrus.conf /etc/cyrus.conf
-COPY imapd.conf /etc/imapd.conf
-COPY imapd.annotations.conf /etc/imapd.annotations.conf
-COPY guam.conf /etc/guam/sys.config
-
-ARG DB_KOLAB_DATABASE
-ARG DB_KOLAB_USERNAME
-ARG DB_KOLAB_PASSWORD
-RUN sed -i -r \
- -e "s|DB_KOLAB_DATABASE|$DB_KOLAB_DATABASE|g" \
- -e "s|DB_KOLAB_USERNAME|$DB_KOLAB_USERNAME|g" \
- -e "s|DB_KOLAB_PASSWORD|$DB_KOLAB_PASSWORD|g" \
- /etc/kolab/kolab.conf
-
-RUN mkdir -p /imapdata/{spool,lib} && \
- rm -rf /var/spool/imap && ln -s /imapdata/spool /var/spool/imap && \
- mv /var/lib/imap /var/lib/imap-bak && ln -s /imapdata/lib /var/lib/imap && \
- chmod -R 777 /imapdata && \
- chown cyrus:mail /var/spool/imap /var/lib/imap
-
RUN mkdir -p /ldapdata/{config,ssca,run} /var/run/dirsrv && \
ln -s /ldapdata/config /etc/dirsrv/slapd-kolab && \
ln -s /ldapdata/ssca /etc/dirsrv/ssca && \
ln -s /ldapdata/run /var/run/dirsrv && \
chmod -R 777 /ldapdata /etc/dirsrv
VOLUME [ "/sys/fs/cgroup" ]
-VOLUME [ "/imapdata" ]
VOLUME [ "/ldapdata" ]
WORKDIR /root/
CMD ["/lib/systemd/systemd"]
-EXPOSE 10143/tcp 10465/tcp 10587/tcp 11143/tcp 11993/tcp
+EXPOSE 389/tcp
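Review bot: `EXPOSE 389/tcp` makes plaintext LDAP the only port the new image serves, so the simple binds other containers presumably now make against it with the Directory Manager and service bind passwords (previously loopback traffic inside the single kolab container) cross the compose network unencrypted. The image already links `/ldapdata/ssca` into `/etc/dirsrv/ssca`, so either also publish LDAPS, `EXPOSE 389/tcp 636/tcp`, and point clients at ldaps, or add a comment stating that the compose network is treated as trusted and 389 must never be mapped to a host interface. Separately, `COPY init.sh /init.sh` drops the `chmod 750` that the removed `kolab-init.sh` lines applied, leaving a script that (per the init.sh hunk) embeds a console admin password world-readable in the image; `RUN chmod 750 /init.sh` would restore the previous posture.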
diff --git a/docker/ldap/init.sh b/docker/ldap/init.sh
new file mode 100755
index 00000000..d9ff2bc6
--- /dev/null
+++ b/docker/ldap/init.sh
@@ -0,0 +1,809 @@
+#!/bin/bash
+
+# Disable password checking
+cp -av /bin/true /usr/sbin/ds_systemd_ask_password_acl
+
+# Make sure all the relvant folders exist in /ldapdata
+mkdir -p /ldapdata/{config,ssca,run}
+chmod -R 777 /ldapdata
+
+mkdir -p /var/log/dirsrv/slapd-kolab/
+chmod 777 /var/log/dirsrv/slapd-kolab/
+
+mkdir -p /run/dirsrv
+chmod 777 /run/dirsrv
+
+mkdir -p /run/lock/dirsrv/slapd-kolab/
+chown dirsrv:dirsrv /run/lock/dirsrv/slapd-kolab/
+chmod 777 /run/lock/dirsrv/slapd-kolab/
+
+mkdir -p /var/lib/dirsrv/slapd-kolab
+chown dirsrv:dirsrv /var/lib/dirsrv/slapd-kolab
+
+
+if [ -f "/etc/dirsrv/slapd-kolab/dse.ldif" ]; then
+ echo "LDAP directory exists, nothing to do"
+
+ # mkdir -p /var/log/dirsrv/slapd-kolab/
+ # chmod 777 /var/log/dirsrv/slapd-kolab/
+ # systemctl start dirsrv@kolab
+ # mkdir /run/dirsrv
+ # chmod 777 /run/dirsrv
+ # mkdir -p /run/lock/dirsrv/slapd-kolab/
+ # chown dirsrv:dirsrv /run/lock/dirsrv/slapd-kolab/
+ # chmod 777 /run/lock/dirsrv/slapd-kolab/
+ # mkdir -p /var/lib/dirsrv/slapd-kolab
+ # chown dirsrv:dirsrv /var/lib/dirsrv/slapd-kolab
+
+ systemctl start dirsrv@kolab
+ exit 0
+fi
+
+# Used for the graphical console only.
+GRAPHICAL_ADMIN_PASSWORD="-22F_EjHut5JCcd"
+DS_INSTANCE_NAME="kolab"
+DOMAIN="mgmt.com"
+FQDN="ldap.mgmt.com"
+
+cat << EOF > /tmp/dscreateinput
+[general]
+FullMachineName = ldap.mgmt.com
+SuiteSpotUserID = dirsrv
+SuiteSpotGroup = dirsrv
+AdminDomain = mgmt.com
+ConfigDirectoryLdapURL = ldap://ldap.mgmt.com:389/o=NetscapeRoot
+ConfigDirectoryAdminID = admin
+ConfigDirectoryAdminPwd = $GRAPHICAL_ADMIN_PASSWORD
+full_machine_name = ldap.mgmt.com
+
+[slapd]
+SlapdConfigForMC = Yes
+UseExistingMC = 0
+ServerPort = 389
+ServerIdentifier = kolab
+Suffix = $LDAP_ADMIN_ROOT_DN
+RootDN = cn=Directory Manager
+RootDNPwd = $LDAP_ADMIN_BIND_PW
+ds_bename = mgmt_com
+AddSampleEntries = No
+instance_name = $DS_INSTANCE_NAME
+root_password = $LDAP_ADMIN_BIND_PW
+create_suffix_entry = True
+
+[backend-userroot]
+suffix = $LDAP_ADMIN_ROOT_DN
+create_suffix_entry = True
+
+[admin]
+Port = 9830
+ServerAdminID = admin
+ServerAdminPwd = $GRAPHICAL_ADMIN_PASSWORD
+
+EOF
+dscreate -v from-file /tmp/dscreateinput
+
+cp /usr/share/dirsrv/data/template.ldif /tmp/templatedata.ldif
+sed -i "s/%ds_suffix%/$LDAP_BASE_DN/" /tmp/templatedata.ldif
+sed -i "s/%rootdn%/cn=Directory Manager/" /tmp/templatedata.ldif
+ldapadd -x -H 'ldap://127.0.0.1:389/' -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/templatedata.ldif
+
+
+#FIXME in kolab container setup kolab.conf entries
+
+
+cp /usr/share/doc/kolab-schema/kolab3.ldif /etc/dirsrv/slapd-kolab/schema/99kolab3.ldif
+
+systemctl restart dirsrv.target
+systemctl restart dirsrv@kolab
+systemctl enable dirsrv.target
+systemctl enable dirsrv@kolab
+
+
+
+# I'm not sure why we need to create those manually
+cat << EOF > /tmp/ldapadd
+
+# Directory Administrators, mgmt.com
+dn: cn=Directory Administrators,dc=mgmt,dc=com
+objectClass: top
+objectClass: groupofuniquenames
+cn: Directory Administrators
+uniqueMember: cn=Directory Manager
+
+# Groups, mgmt.com
+dn: ou=Groups,dc=mgmt,dc=com
+objectClass: top
+objectClass: organizationalunit
+ou: Groups
+
+# People, mgmt.com
+dn: ou=People,dc=mgmt,dc=com
+objectClass: top
+objectClass: organizationalunit
+ou: People
+
+# Special Users, mgmt.com
+dn: ou=Special Users,dc=mgmt,dc=com
+objectClass: top
+objectClass: organizationalUnit
+ou: Special Users
+description: Special Administrative Accounts
+
+# Accounting Managers, Groups, mgmt.com
+dn: cn=Accounting Managers,ou=Groups,dc=mgmt,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: Accounting Managers
+ou: groups
+description: People who can manage accounting entries
+uniqueMember: cn=Directory Manager
+
+# HR Managers, Groups, mgmt.com
+dn: cn=HR Managers,ou=Groups,dc=mgmt,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: HR Managers
+ou: groups
+description: People who can manage HR entries
+uniqueMember: cn=Directory Manager
+
+# QA Managers, Groups, mgmt.com
+dn: cn=QA Managers,ou=Groups,dc=mgmt,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: QA Managers
+ou: groups
+description: People who can manage QA entries
+uniqueMember: cn=Directory Manager
+
+# PD Managers, Groups, mgmt.com
+dn: cn=PD Managers,ou=Groups,dc=mgmt,dc=com
+objectClass: top
+objectClass: groupOfUniqueNames
+cn: PD Managers
+ou: groups
+description: People who can manage engineer entries
+uniqueMember: cn=Directory Manager
+
+EOF
+ldapadd -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+
+## =========== Start of pykolab changes
+# Work that pykolab used to do
+#
+cat << EOF > /tmp/ldapadd
+# cyrus-admin, Special Users, mgmt.com
+dn: uid=cyrus-admin,ou=Special Users,dc=mgmt,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetorgperson
+objectClass: organizationalperson
+uid: cyrus-admin
+givenName: Cyrus
+sn: Administrator
+cn: Cyrus Administrator
+userPassword: ${IMAP_ADMIN_PW}
+
+# kolab-service, Special Users, mgmt.com
+dn: uid=kolab-service,ou=Special Users,dc=mgmt,dc=com
+objectClass: top
+objectClass: person
+objectClass: inetorgperson
+objectClass: organizationalperson
+uid: kolab-service
+givenName: Kolab
+sn: Service
+cn: Kolab Service
+userPassword: ${LDAP_SERVICE_BIND_PW}
+
+# Resources, mgmt.com
+dn: ou=Resources,dc=mgmt,dc=com
+objectClass: top
+objectClass: organizationalunit
+ou: Resources
+
+# Shared Folders, mgmt.com
+dn: ou=Shared Folders,dc=mgmt,dc=com
+objectClass: top
+objectClass: organizationalunit
+ou: Shared Folders
+
+EOF
+ldapadd -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+
+cat << EOF > /tmp/ldapadd
+dn: cn=kolab,cn=config
+cn: kolab
+aci: (targetattr = "*") (version 3.0;acl "Kolab Services";allow (read,compare,search)(userdn = "ldap:///uid=kolab-service,ou=Special Users,$LDAP_ADMIN_ROOT_DN");)
+objectClass: top
+objectClass: extensibleobject
+EOF
+ldapadd -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+echo "Adding domain $DOMAIN to list of domains for this deployment"
+cat << EOF > /tmp/ldapadd
+dn: associateddomain=$DOMAIN,cn=kolab,cn=config
+objectClass: top
+objectClass: domainrelatedobject
+associatedDomain: $DOMAIN, $FQDN, localhost.localdomain, localhost
+aci: (targetattr = "*") (version 3.0;acl "Read Access for $DOMAIN Users";allow (read,compare,search)(userdn = "ldap:///$LDAP_ADMIN_ROOT_DN??sub?(objectclass=*)");)
+EOF
+ldapadd -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+##TODO
+ ## Add inetdomainbasedn in case the configured root dn is not the same as the
+ ## standard root dn for the domain name configured
+ #if not _input['rootdn'] == utils.standard_root_dn(_input['domain']):
+ # attrs['objectclass'].append('inetdomain')
+ # attrs['inetdomainbasedn'] = _input['rootdn']
+
+echo "Disabling anonymous binds"
+cat << EOF > /tmp/ldapadd
+dn: cn=config
+changetype: modify
+replace: nsslapd-allow-anonymous-access
+nsslapd-allow-anonymous-access: off
+EOF
+ldapmodify -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+
+## TODO: Ensure the uid attribute is unique
+## TODO^2: Consider renaming the general "attribute uniqueness to "uid attribute uniqueness"
+echo "Enabling attribute uniqueness plugin"
+cat << EOF > /tmp/ldapadd
+dn: cn=attribute uniqueness,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-pluginEnabled
+nsslapd-pluginEnabled: on
+EOF
+ldapmodify -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+echo "Enabling referential integrity plugin"
+cat << EOF > /tmp/ldapadd
+dn: cn=referential integrity postoperation,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-pluginEnabled
+nsslapd-pluginEnabled: on
+EOF
+ldapmodify -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+echo "Enabling referential integrity plugin"
+cat << EOF > /tmp/ldapadd
+dn: cn=referential integrity postoperation,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-pluginEnabled
+nsslapd-pluginEnabled: on
+EOF
+ldapmodify -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+echo "Enabling and configuring account policy plugin"
+cat << EOF > /tmp/ldapadd
+dn: cn=Account Policy Plugin,cn=plugins,cn=config
+changetype: modify
+replace: nsslapd-pluginEnabled
+nsslapd-pluginEnabled: on
+
+dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
+changetype: modify
+replace: alwaysrecordlogin
+alwaysrecordlogin: yes
+-
+add: stateattrname
+stateattrname: lastLoginTime
+-
+add: altstateattrname
+altstateattrname: createTimestamp
+EOF
+ldapmodify -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+echo "Adding the kolab-admin role"
+cat << EOF > /tmp/ldapadd
+dn: cn=kolab-admin,$LDAP_ADMIN_ROOT_DN
+description: Kolab Administrator
+objectClass: top
+objectClass: ldapsubentry
+objectClass: nsroledefinition
+objectClass: nssimpleroledefinition
+objectClass: nsmanagedroledefinition
+cn = kolab-admin
+EOF
+ldapadd -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+echo "Setting access control to $LDAP_ADMIN_ROOT_DN"
+cat << EOF > /tmp/ldapadd
+dn: $LDAP_ADMIN_ROOT_DN
+changetype: modify
+replace: aci
+aci: (targetattr = "carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || l || labeledURI || mobile || o || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier || kolabDelegate || kolabInvitationPolicy || kolabAllowSMTPSender")(version 3.0; acl "Enable self write for common attributes"; allow (read,compare,search,write)(userdn = "ldap:///self");)
+aci: (targetattr = "*")(version 3.0;acl "Directory Administrators Group";allow (all)(groupdn = "ldap:///cn=Directory Administrators,$LDAP_ADMIN_ROOT_DN" or roledn = "ldap:///cn=kolab-admin,$LDAP_ADMIN_ROOT_DN");)
+aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
+aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
+aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-$DS_INSTANCE_NAME,cn=389 Directory Server,cn=Server Group,cn=$FQDN,ou=$DOMAIN,o=NetscapeRoot";)
+aci: (targetattr != "userPassword") (version 3.0;acl "Search Access";allow (read,compare,search)(userdn = "ldap:///all");)')
+EOF
+ldapadd -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+## =========== End of pykolab code
+
+# Create hosted kolab service
+cat << EOF > /tmp/ldapadd
+dn: uid=hosted-kolab-service,ou=Special Users,${LDAP_ADMIN_ROOT_DN}
+objectclass: top
+objectclass: inetorgperson
+objectclass: person
+uid: hosted-kolab-service
+cn: Hosted Kolab Service Account
+sn: Service Account
+givenname: Hosted Kolab
+userpassword: ${LDAP_HOSTED_BIND_PW}
+
+EOF
+ldapadd -x -h 127.0.0.1 -D "cn=Directory Manager" -w "$LDAP_ADMIN_BIND_PW" -f /tmp/ldapadd
+
+export rootdn=$LDAP_ADMIN_ROOT_DN
+export domain=$DOMAIN
+export domain_db="mgmt_com"
+export ldap_host=127.0.0.1
+export ldap_binddn=${LDAP_ADMIN_BIND_DN}
+export ldap_bindpw=${LDAP_ADMIN_BIND_PW}
+
+export cyrus_admin=${IMAP_ADMIN_LOGIN}
+export cyrus_admin_pw=${IMAP_ADMIN_PASSWORD}
+
+export kolab_service_pw=${LDAP_SERVICE_BIND_PW}
+export hosted_kolab_service_pw=${LDAP_HOSTED_BIND_PW}
+
+export hosted_domain=${HOSTED_DOMAIN:-"hosted.com"}
+export hosted_domain_db=${HOSTED_DOMAIN_DB:-"hosted_com"}
+export hosted_domain_rootdn=${LDAP_HOSTED_ROOT_DN:-"dc=hosted,dc=com"}
+
+export domain_base_dn=${LDAP_DOMAIN_BASE_DN:-"ou=Domains,dc=mgmt,dc=com"}
+
+
+# Create ou domain
+(
+ echo "dn: ou=Domains,${rootdn}"
+ echo "ou: Domains"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+# Create management domain
+(
+ echo "dn: associateddomain=${domain},${domain_base_dn}"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "inetDomainStatus: active"
+ echo "objectClass: top"
+ echo "objectClass: domainrelatedobject"
+ echo "objectClass: inetdomain"
+ echo "associatedDomain: ${domain}"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+
+# Create hosted domains
+(
+ echo "dn: associateddomain=${hosted_domain},${domain_base_dn}"
+ echo "objectclass: top"
+ echo "objectclass: domainrelatedobject"
+ echo "objectclass: inetdomain"
+ echo "inetdomainstatus: active"
+ echo "associateddomain: ${hosted_domain}"
+ echo "inetdomainbasedn: ${hosted_domain_rootdn}"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+(
+ echo "dn: cn=$(echo ${hosted_domain} | sed -e 's/\./_/g'),cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: extensibleobject"
+ echo "objectClass: nsbackendinstance"
+ echo "cn: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
+ echo "nsslapd-suffix: ${hosted_domain_rootdn}"
+ echo "nsslapd-cachesize: -1"
+ echo "nsslapd-cachememsize: 10485760"
+ echo "nsslapd-readonly: off"
+ echo "nsslapd-require-index: off"
+ echo "nsslapd-directory: /var/lib/dirsrv/slapd-${DS_INSTANCE_NAME}/db/$(echo ${hosted_domain} | sed -e 's/\./_/g')"
+ echo "nsslapd-dncachememsize: 10485760"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+(
+ #On centos7
+ #echo "dn: cn=$(echo ${hosted_domain_rootdn} | sed -e 's/=/\\3D/g' -e 's/,/\\2D/g'),cn=mapping tree,cn=config"
+ #On centos8
+ echo "dn: cn=\"${hosted_domain_rootdn}\",cn=mapping tree,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: extensibleObject"
+ echo "objectClass: nsMappingTree"
+ echo "nsslapd-state: backend"
+ echo "cn: ${hosted_domain_rootdn}"
+ echo "nsslapd-backend: $(echo ${hosted_domain} | sed -e 's/\./_/g')"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+(
+ echo "dn: ${hosted_domain_rootdn}"
+ echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
+ echo "aci: (targetattr =\"*\")(version 3.0;acl \"Directory Administrators Group\";allow (all) (groupdn=\"ldap:///cn=Directory Administrators,${hosted_domain_rootdn}\" or roledn=\"ldap:///cn=kolab-admin,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-${DS_INSTANCE_NAME},cn=389 Directory Server,cn=Server Group,cn=$FQDN,ou=${domain},o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "objectClass: top"
+ echo "objectClass: domain"
+ echo "dc: $(echo ${hosted_domain} | cut -d'.' -f 1)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+(
+ for role in "2fa-user" "activesync-user" "imap-user"; do
+ echo "dn: cn=${role},${hosted_domain_rootdn}"
+ echo "cn: ${role}"
+ echo "description: ${role} role"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo ""
+ done
+
+ echo "dn: ou=Groups,${hosted_domain_rootdn}"
+ echo "ou: Groups"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=People,${hosted_domain_rootdn}"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Hosted Kolab Services\";allow (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "ou: People"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Special Users,${hosted_domain_rootdn}"
+ echo "ou: Special Users"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Resources,${hosted_domain_rootdn}"
+ echo "ou: Resources"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Shared Folders,${hosted_domain_rootdn}"
+ echo "ou: Shared Folders"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: uid=cyrus-admin,ou=Special Users,${hosted_domain_rootdn}"
+ echo "sn: Administrator"
+ echo "uid: cyrus-admin"
+ echo "objectClass: top"
+ echo "objectClass: person"
+ echo "objectClass: inetorgperson"
+ echo "objectClass: organizationalperson"
+ echo "givenName: Cyrus"
+ echo "cn: Cyrus Administrator"
+ echo ""
+
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+
+# Remove cn kolab cn config
+(
+ echo "associateddomain=${domain},cn=kolab,cn=config"
+ echo "cn=kolab,cn=config"
+) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+
+# Remove hosted service access from mgmt domain
+(
+ echo "dn: associateddomain=${domain},ou=Domains,${rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+
+# Add alias attribute index
+#
+export index_attr=alias
+
+(
+ echo "dn: cn=${index_attr},cn=index,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: nsindex"
+ echo "cn: ${index_attr}"
+ echo "nsSystemIndex: false"
+ echo "nsindextype: pres"
+ echo "nsindextype: eq"
+ echo "nsindextype: sub"
+
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+
+(
+ echo "dn: cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: extensibleObject"
+ echo "cn: ${hosted_domain_db} ${index_attr} index"
+ echo "nsinstance: ${hosted_domain_db}"
+ echo "nsIndexAttribute: ${index_attr}:pres"
+ echo "nsIndexAttribute: ${index_attr}:eq"
+ echo "nsIndexAttribute: ${index_attr}:sub"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+ldap_complete=0
+
+while [ ${ldap_complete} -ne 1 ]; do
+ result=$(
+ ldapsearch \
+ -x \
+ -h "${ldap_host}" \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -c \
+ -LLL \
+ -b "cn=${hosted_domain_db} ${index_attr} index,cn=index,cn=tasks,cn=config" \
+ '(!(nstaskexitcode=0))' \
+ -s base 2>/dev/null
+ )
+ if [ -z "$result" ]; then
+ ldap_complete=1
+ echo ""
+ else
+ echo -n "."
+ sleep 1
+ fi
+done
+
+
+# Add VLV searches
+(
+ echo "dn: cn=PVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvSearch"
+ echo "cn: PVS"
+ echo "vlvBase: ${hosted_domain_rootdn}"
+ echo "vlvScope: 2"
+ echo "vlvFilter: (objectclass=inetorgperson)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: cn=RVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvSearch"
+ echo "cn: RVS"
+ echo "vlvBase: ${hosted_domain_rootdn}"
+ echo "vlvScope: 2"
+ echo "vlvFilter: (|(&(objectclass=kolabsharedfolder)(kolabfoldertype=event)(mail=*))(objectclass=groupofuniquenames)(objectclass=groupofurls))"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: cn=GVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvSearch"
+ echo "cn: GVS"
+ echo "vlvBase: ${hosted_domain_rootdn}"
+ echo "vlvScope: 2"
+ echo "vlvFilter: (|(objectclass=groupofuniquenames)(objectclass=groupofurls))"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+if [ "${domain_base_dn}" != "cn=kolab,cn=config" ]; then
+ (
+ echo "dn: cn=DVS,cn=${domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvSearch"
+ echo "cn: DVS"
+ echo "vlvBase: ${domain_base_dn}"
+ echo "vlvScope: 2"
+ echo "vlvFilter: (objectclass=domainrelatedobject)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+fi
+
+
+
+# Add vlv indexes
+(
+ echo "dn: cn=PVI,cn=PVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvIndex"
+ echo "cn: PVI"
+ echo "vlvSort: displayname sn givenname cn"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: cn=RVI,cn=RVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvIndex"
+ echo "cn: RVI"
+ echo "vlvSort: cn"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: cn=GVI,cn=GVS,cn=${hosted_domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvIndex"
+ echo "cn: GVI"
+ echo "vlvSort: cn"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+if [ "${domain_base_dn}" != "cn=kolab,cn=config" ]; then
+ (
+ echo "dn: cn=DVI,cn=DVS,cn=${domain_db},cn=ldbm database,cn=plugins,cn=config"
+ echo "objectClass: top"
+ echo "objectClass: vlvIndex"
+ echo "cn: DVI"
+ echo "vlvSort: associatedDomain"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Read Access\";allow (read,compare,search)(userdn = \"ldap:///anyone\");)"
+ echo ""
+ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+fi
+
+# Run vlv index tasks
+(
+ echo "dn: cn=PVI,cn=index,cn=tasks,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: extensibleObject"
+ echo "cn: PVI"
+ echo "nsinstance: ${hosted_domain_db}"
+ echo "nsIndexVLVAttribute: PVI"
+ echo ""
+) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+ldap_complete=0
+
+while [ ${ldap_complete} -ne 1 ]; do
+ result=$(
+ ldapsearch \
+ -x \
+ -h ${ldap_host} \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -c \
+ -LLL \
+ -b "cn=PVI,cn=index,cn=tasks,cn=config" \
+ '(!(nstaskexitcode=0))' \
+ -s base 2>/dev/null
+ )
+ if [ -z "$result" ]; then
+ ldap_complete=1
+ echo ""
+ else
+ echo -n "."
+ sleep 1
+ fi
+done
+
+(
+ echo "dn: cn=RVI,cn=index,cn=tasks,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: extensibleObject"
+ echo "cn: RVI"
+ echo "nsinstance: ${hosted_domain_db}"
+ echo "nsIndexVLVAttribute: RVI"
+ echo ""
+) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+ldap_complete=0
+
+while [ ${ldap_complete} -ne 1 ]; do
+ result=$(
+ ldapsearch \
+ -x \
+ -h ${ldap_host} \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -c \
+ -LLL \
+ -b "cn=RVI,cn=index,cn=tasks,cn=config" \
+ '(!(nstaskexitcode=0))' \
+ -s base 2>/dev/null
+ )
+ if [ -z "$result" ]; then
+ ldap_complete=1
+ echo ""
+ else
+ echo -n "."
+ sleep 1
+ fi
+done
+
+
+
+(
+ echo "dn: cn=GVI,cn=index,cn=tasks,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: extensibleObject"
+ echo "cn: GVI"
+ echo "nsinstance: ${hosted_domain_db}"
+ echo "nsIndexVLVAttribute: GVI"
+ echo ""
+) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+ldap_complete=0
+
+while [ ${ldap_complete} -ne 1 ]; do
+ result=$(
+ ldapsearch \
+ -x \
+ -h ${ldap_host} \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -c \
+ -LLL \
+ -b "cn=GVI,cn=index,cn=tasks,cn=config" \
+ '(!(nstaskexitcode=0))' \
+ -s base 2>/dev/null
+ )
+ if [ -z "$result" ]; then
+ ldap_complete=1
+ echo ""
+ else
+ echo -n "."
+ sleep 1
+ fi
+done
+
+if [ "${domain_base_dn}" != "cn=kolab,cn=config" ]; then
+ (
+ echo "dn: cn=DVI,cn=index,cn=tasks,cn=config"
+ echo "objectclass: top"
+ echo "objectclass: extensibleObject"
+ echo "cn: DVI"
+ echo "nsinstance: ${domain_db}"
+ echo "nsIndexVLVAttribute: DVI"
+ echo ""
+ ) | ldapmodify -a -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+ ldap_complete=0
+
+ while [ ${ldap_complete} -ne 1 ]; do
+ result=$(
+ ldapsearch \
+ -x \
+ -h ${ldap_host} \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -c \
+ -LLL \
+ -b "cn=DVI,cn=index,cn=tasks,cn=config" \
+ '(!(nstaskexitcode=0))' \
+ -s base 2>/dev/null
+ )
+ if [ -z "$result" ]; then
+ ldap_complete=1
+ echo ""
+ else
+ echo -n "."
+ sleep 1
+ fi
+ done
+fi
diff --git a/docker/ldap/kolab-init.service b/docker/ldap/kolab-init.service
new file mode 100644
index 00000000..dac3ac35
--- /dev/null
+++ b/docker/ldap/kolab-init.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Kolab Setup Service
+Requires=kolab-setenv.service
+After=kolab-setenv.service ldapdata.mount
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/openshift-environment
+ExecStart=/init.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
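Review bot: `After=ldapdata.mount` only orders kolab-init after the mount unit; if that mount is absent or fails, /init.sh still starts (presumably against an unpopulated data directory), because nothing in this unit pulls the mount in. If the data volume is mandatory for the setup script, add `RequiresMountsFor=/ldapdata` (the path that the unit name ldapdata.mount denotes under systemd's escaping rules — confirm against the actual mount unit), which both requires and orders after it. A one-line comment above `EnvironmentFile=` such as `# populated by kolab-setenv.service from PID 1's environment` would also make the Requires= relationship self-explanatory to the next reader.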
diff --git a/docker/ldap/kolab-setenv.service b/docker/ldap/kolab-setenv.service
new file mode 100644
index 00000000..d460888c
--- /dev/null
+++ b/docker/ldap/kolab-setenv.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Kolab Set Environment
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash -c "cat /proc/1/environ | tr '\0' '\n' > /etc/openshift-environment"
+
+[Install]
+WantedBy=multi-user.target
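Review bot: The `ExecStart=` line writes PID 1's entire environment to /etc/openshift-environment with the default umask, and kolab-init.service then reads the LDAP bind passwords from that file, so the dump should not be readable by other users in the container. Restricting it at creation time is a one-line change that also drops the useless cat: `ExecStart=/bin/bash -c "umask 077; tr '\0' '\n' < /proc/1/environ > /etc/openshift-environment"`. Note that systemd's EnvironmentFile= expects one KEY=VALUE per line and applies its own quoting rules, so a value containing a newline or leading quote may not round-trip exactly — worth a comment if any of the secrets can contain such characters.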