
[helper] App users ldap #977

Closed
wants to merge 7 commits into from

Conversation

Josue-T
Contributor

@Josue-T Josue-T commented May 5, 2020

The problem

  • Apps can't authenticate to LDAP for extended search requests. Some apps need this, for example mastodon and synapse.
  • Apps can't cleanly send and receive email.

Solution

  • Create a user and group in LDAP in a specific place. Note that we will put the app user in ou=users,ou=apps,dc=yunohost,dc=org and the app group in ou=groups,ou=apps,dc=yunohost,dc=org

PR Status

Linked to YunoHost/test_apps#9
Tested locally and it works. The unit tests fail because YunoHost/test_apps#9 needs to be merged.

How to test

Run:

yunohost tools migrations migrate
yunohost tools regen-conf dovecot
yunohost tools regen-conf postfix

Install the ldap user app

Then you can test the LDAP authentication with a simple LDAP search:

ldapsearch -b dc=yunohost,dc=org -x -D uid=ldap_user_app,ou=users,ou=apps,dc=yunohost,dc=org -w RAND0MP4sSw0RO

You can also try the authentication in Postfix:

# Calculate the base64 for authentication (SASL PLAIN: authzid NUL authcid NUL password)
$ echo -ne '\0ldap_user_app@ynh-dev1.lan\0RAND0MP4sSw0RO' | base64
AGxkYXBfdXNlcl9hcHBAeW5oLWRldjEubGFuAFJBTkQwTVA0c1N3MFJP
$ openssl s_client -connect localhost:25 -starttls smtp
> helo localhost
> auth plain AGxkYXBfdXNlcl9hcHBAeW5oLWRldjEubGFuAFJBTkQwTVA0c1N3MFJP

You can also try the authentication in Dovecot:

openssl s_client -connect localhost:993 -crlf
> a login ldap_user_app RAND0MP4sSw0RO

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :
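
The AUTH PLAIN token and the bind DN used in the test steps above, as an added Python example that is not part of this PR or of YunoHost's own code: it builds and decodes the RFC 4616 token (useful when checking a captured SMTP session against the expected app credential) and checks whether a DN lives in the ou=users,ou=apps subtree by comparing RDNs rather than string suffixes. The function names, the subtree constants and the sample DNs are my own assumptions.

```python
import base64
from typing import List, Tuple

# Subtrees the PR description says app accounts and groups are created in.
APP_USERS_BASE = "ou=users,ou=apps,dc=yunohost,dc=org"
APP_GROUPS_BASE = "ou=groups,ou=apps,dc=yunohost,dc=org"


def sasl_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the base64 token sent after `AUTH PLAIN` (RFC 4616: authzid NUL authcid NUL passwd)."""
    for part in (authzid, authcid, password):
        if "\x00" in part:
            # NUL is the field separator, so it can never appear inside a field.
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    msg = f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def parse_sasl_plain(token: str) -> Tuple[str, str, str]:
    """Decode an AUTH PLAIN token (e.g. copied from a captured SMTP session) into its three fields."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def split_dn(dn: str) -> List[str]:
    """Split a DN into lowercased RDN strings, honouring backslash-escaped commas (RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if c == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if `dn` is a strict descendant of `base`.

    The comparison is RDN by RDN: a plain `dn.endswith(base)` would also accept
    `uid=x,ou=xou=users,ou=apps,...`, whose second RDN is not `ou=users`.
    """
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def is_app_account_dn(dn: str) -> bool:
    """Is this bind DN one of the app accounts the PR creates (as opposed to a human user)?"""
    return is_under(dn, APP_USERS_BASE)


if __name__ == "__main__":
    # Constructed sample: the credential from the PR's own test steps.
    token = sasl_plain("ldap_user_app@ynh-dev1.lan", "RAND0MP4sSw0RO")
    print(token)
    print(parse_sasl_plain(token))
    print(is_app_account_dn("uid=ldap_user_app,ou=users,ou=apps,dc=yunohost,dc=org"))
```

Building the token with `sasl_plain` reproduces the base64 string shown in the Postfix test step, and `parse_sasl_plain` is the inverse, so the same helper can confirm what credential a client actually presented.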

@Josue-T Josue-T marked this pull request as ready for review May 6, 2020 11:47
@Josue-T Josue-T requested review from alexAubin, kay0u, zamentur and a team May 6, 2020 11:47
@zamentur
Member

zamentur commented May 6, 2020

Aleks told me yesterday that it may be possible to change the dovecot config to allow system users to send mail and maybe to have some inbox.

Are we sure we want to create ldap users for this?

@alexAubin
Member

alexAubin commented May 6, 2020

(c.f. #815 )

Josue explains in this comment why LDAP user might be better

@Gredin67

@tituspijean maybe?

@alexAubin
Member

Superseded by #815 :|

@alexAubin alexAubin closed this Jul 10, 2023
@alexAubin alexAubin deleted the app_users_ldap branch July 10, 2023 17:15
@Josue-T
Contributor Author

Josue-T commented Sep 1, 2023

Superseded by #815 :|

Well, not completely, because, for example, synapse needs an LDAP user to authenticate to ldap to use ldap filters. So no, it will not completely fix the issue.

@Josue-T Josue-T mentioned this pull request Sep 1, 2023
@alexAubin
Member

I don't understand why synapse needs a LDAP user to bind with; basically any anonymous user has read access, and there are dozens of other apps that do implement LDAP searches without being authenticated ... has it been double checked that synapse does really need a LDAP user+password for this, and why? x_x

@Josue-T
Contributor Author

Josue-T commented Oct 9, 2023

It looks like a known issue here: matrix-org/matrix-synapse-ldap3#169 (comment)

But I would say I didn't test on the last release whether the issue is still there.
