From d00fe96128af9a96a3d8854a5ab079915f603742 Mon Sep 17 00:00:00 2001
From: Pascal Bleser
Date: Wed, 4 Jun 2025 11:43:36 +0200
Subject: [PATCH] Use password policy overlay in LDAP and configure Stalwart to use it
---
.../config/ldap/ldif/11_ppolicy.ldif | 26 +++++++++++++++++++
.../config/stalwart/config.toml | 7 ++---
devtools/deployments/opencloud_full/ldap.yml | 3 +++
3 files changed, 33 insertions(+), 3 deletions(-)
create mode 100644 devtools/deployments/opencloud_full/config/ldap/ldif/11_ppolicy.ldif
diff --git a/devtools/deployments/opencloud_full/config/ldap/ldif/11_ppolicy.ldif b/devtools/deployments/opencloud_full/config/ldap/ldif/11_ppolicy.ldif
new file mode 100644
index 0000000000..a9ce3f875c
--- /dev/null
+++ b/devtools/deployments/opencloud_full/config/ldap/ldif/11_ppolicy.ldif
@@ -0,0 +1,26 @@
+dn: ou=policies,dc=opencloud,dc=eu
+objectClass: organizationalUnit
+objectClass: top
+ou: policies
+
+dn: cn=default,ou=policies,dc=opencloud,dc=eu
+cn: default
+objectClass: pwdPolicy
+objectClass: person
+objectClass: top
+pwdAllowUserChange: TRUE
+pwdAttribute: userPassword
+pwdCheckQuality: 0
+pwdExpireWarning: 600
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 5
+pwdInHistory: 5
+pwdLockout: FALSE
+pwdLockoutDuration: 0
+pwdMaxAge: 0
+pwdMaxFailure: 5
+pwdMinAge: 0
+pwdMinLength: 1
+pwdMustChange: FALSE
+pwdSafeModify: FALSE
+sn: default
diff --git a/devtools/deployments/opencloud_full/config/stalwart/config.toml b/devtools/deployments/opencloud_full/config/stalwart/config.toml
index 0abb40b5af..76e82f412a 100644
--- a/devtools/deployments/opencloud_full/config/stalwart/config.toml
+++ b/devtools/deployments/opencloud_full/config/stalwart/config.toml
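Review bot: The policy defined at `cn=default,ou=policies,dc=opencloud,dc=eu` enforces nothing — `pwdCheckQuality: 0` with `pwdMinLength: 1` skips content checks, `pwdMaxAge: 0` never expires a password, and `pwdLockout: FALSE` means `pwdMaxFailure: 5` and `pwdLockoutDuration: 0` never trigger a lockout — which is reasonable for a devtools deployment but should be stated in the file. Nothing in this hunk attaches the policy to users either; unless the container's ppolicy setup points the overlay's `olcPPolicyDefault` at this DN (or user entries carry `pwdPolicySubentry`), the entry is inert, so that is worth confirming. I would add a header comment such as `# Dev-only password policy: no quality, expiry or lockout enforcement; present so the ppolicy overlay maintains pwdChangedTime (read by Stalwart via secret-changed)`, adjusting the last clause if that is not the intent.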
@@ -19,6 +19,7 @@ directory.ldap.attributes.email-alias = "mailAlias"
 directory.ldap.attributes.groups = "memberOf"
 directory.ldap.attributes.name = "uid"
 directory.ldap.attributes.secret = "userPassword"
+directory.ldap.attributes.secret-changed = "pwdChangedTime"
 directory.ldap.base-dn = "dc=opencloud,dc=eu"
 directory.ldap.bind.auth.dn = "uid=?,ou=users,dc=opencloud,dc=eu"
 directory.ldap.bind.auth.enable = true
@@ -29,9 +30,9 @@ directory.ldap.cache.ttl.negative = "10m"
 directory.ldap.cache.ttl.positive = "1h"
 directory.ldap.filter.email = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(|(mail=?)(mailAlias=?)(mailList=?)))"
 directory.ldap.filter.name = "(&(|(objectClass=posixAccount)(objectClass=posixGroup))(uid=?))"
-directory.ldap.timeout = "3s"
-directory.ldap.tls.allow-invalid-certs = false
-directory.ldap.tls.enable = false
+directory.ldap.timeout = "5s"
+directory.ldap.tls.allow-invalid-certs = true
+directory.ldap.tls.enable = true
 directory.ldap.type = "ldap"
 directory.ldap.url = "ldap://ldap-server:1389"
 metrics.prometheus.auth.secret = "secret"
diff --git a/devtools/deployments/opencloud_full/ldap.yml b/devtools/deployments/opencloud_full/ldap.yml
index bd30d758d4..52b3f83e06 100644
--- a/devtools/deployments/opencloud_full/ldap.yml
+++ b/devtools/deployments/opencloud_full/ldap.yml
@@ -39,6 +39,9 @@ services:
 LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
 LDAP_ROOT: "dc=opencloud,dc=eu"
 LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
+LDAP_CONFIGURE_PPOLICY: "yes"
+LDAP_PPOLICY_USE_LOCKOUT: "no"
+LDAP_PPOLICY_HASH_CLEARTEXT: "no"
 ports:
 - "127.0.0.1:389:1389"
 - "127.0.0.1:636:1636"
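Review bot: `pwdChangedTime` on the new `directory.ldap.attributes.secret-changed` line is an operational attribute that the ppolicy overlay writes when a password is set through slapd with the overlay active, so entries whose password predates the overlay (for example users seeded from LDIF before it is configured) may carry no value until the password is next changed; how Stalwart treats a missing secret-changed should be confirmed. The attribute also has to be returned to the search bind Stalwart uses — operational attributes are not part of a default attribute list and are subject to ACLs — which this hunk cannot show. A short comment above the line, e.g. `# operational attribute maintained by the ppolicy overlay (11_ppolicy.ldif); may be absent for entries whose password predates the overlay`, would save the next reader that check.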
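Review bot: `directory.ldap.tls.allow-invalid-certs = true` switches off certificate verification in the same hunk that turns TLS on, so the connection is protected against passive observation only, not against a host impersonating ldap-server; the URL stays `ldap://ldap-server:1389`, so presumably STARTTLS is negotiated on the plaintext port — worth confirming against Stalwart's `tls.enable` semantics. Both TLS lines and the `timeout` change from `"3s"` to `"5s"` are unrelated to the password-policy subject of the commit and deserve at least a comment. I would put `# dev deployment only: Stalwart does not trust the certificate configured via LDAP_TLS_* in ldap.yml, so verification is disabled` above the two tls lines, or better, mount the CA into the Stalwart container and keep `allow-invalid-certs = false`.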
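Review bot: `LDAP_PPOLICY_HASH_CLEARTEXT: "no"` leaves the overlay's cleartext hashing off, which means a `userPassword` written with a plain modify (rather than the Password Modify extended operation) is stored exactly as submitted; that is only safe if every writer of user passwords in this deployment pre-hashes or uses the extended operation, which the hunk does not show. `LDAP_PPOLICY_USE_LOCKOUT: "no"`, if it maps to `olcPPolicyUseLockout` as the name suggests, only controls whether a locked account gets the accountLocked bind error instead of invalidCredentials; it is not the lockout switch itself, which is `pwdLockout` in the policy entry. A comment above these three lines recording both decisions, e.g. `# dev-only: cleartext passwords are stored as submitted (hashing off); lockout state is not disclosed on bind`, would keep the two configuration points from drifting apart.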