myOmikron / mailcow-ldap-sync


quick example on how to use and what's working? #1

Closed theoneandonly-vector closed 3 years ago

theoneandonly-vector commented 3 years ago

Hey there, can this be run on the host running the Docker containers, or do I need to integrate this into one of the existing mailcow Docker containers? Can you give me a quick example on how to start? Is SOGo / Dovecot working with this?

myOmikron commented 3 years ago

Hi, currently only a few things are working. These are:

Over the next weeks I'll extend these features so Domains, Aliases, etc. are working as well.

The project can be deployed on any server you want to deploy it on. It doesn't have to be the server mailcow is running on, but it can be. The only requirements are Python >= 3.6 and python3-pip.

Install the requirements with python3 -m pip install -r requirements.txt. Run python3 main.py to generate config.json. Add all necessary attributes to config.json. To do so, you have to give the script access to mailcow's Read/Write API.

Every time you execute the script, it looks for changes between LDAP and its last execution (local db) and, if there are any, pushes them to mailcow. In general, all features of mailcow should work. The only drawback is that users are still allowed to change their password in mailcow. If they do so, the password is not transferred back to LDAP.

theoneandonly-vector commented 3 years ago

Hi, thanks for the quick response :) Do you have an idea on how to debug if the log tells me:

INFO:mailcow_ldap_sync:Successfully bind as (user)

but nothing happens thereafter.

myOmikron commented 3 years ago

You should start by raising the logging level to DEBUG:

Line 271:

    logging.basicConfig(filename='mailcow_ldap_sync.log', level=logging.DEBUG)

If the output stays the same after the bind, I'd say you aren't receiving any results for the LDAP search. I'll add some more logging to show the search results at DEBUG level.

theoneandonly-vector commented 3 years ago

I just used the updated version with DEBUG set.

This is the error I get after it runs for about 9 minutes:

    Traceback (most recent call last):
      File "./main.py", line 295, in <module>
        main(config, session)
      File "./main.py", line 35, in main
        first_name = user_params[conf['ldap']['user_mapping']['firstname']][0].decode('utf-8')
    KeyError: 'givenName'

Inside my DEBUG log (DEBUG:mailcow_ldap_sync:Search results:) I now see all my users. But I'm not sure how to truncate this...

theoneandonly-vector commented 3 years ago

Here is my first user from the debug log:

[b'noreply'], 'sAMAccountType': [b'805306368'], 'objectCategory': [b'CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=tld'], 'uidNumber': [b'2063'], 'loginShell': [b'/bin/bash'], 'unixHomeDirectory': [b'/home/noreply'], 'gidNumber': [b'5001'], 'mail': [b'noreply@domain.tld'], 'userPrincipalName': [b'noreply@DOMAIN.TLD'], 'pwdLastSet': [b'132240776190000000'], 'lockoutTime': [b'0'], 'whenChanged': [b'20200121105341.0Z'], 'uSNChanged': [b'4285'], 'distinguishedName': [b'CN=noreply,CN=Users,DC=domain,DC=tld']}), ('CN=test.user,CN=Users,DC=domain,DC=tld', {'objectClass': [b'top', b'person', b'organizationalPerson', b'user'], 'cn': [b'test.user'], 'sn': [b'user'], 'givenName': [b'test'], 'instanceType': [b'4'], 'whenCreated': [b'20200311175855.0Z'], 'displayName': [b'test user'], 'uSNCreated': [b'4585'], 'name': [b'test.user'], 'objectGUID': [b"'`\x9b\x9b\x1f6\xa1C\x9c@\x83\xaa\xd8[\xae\xd9"], 'userAccountControl': [b'512'], 'badPwdCount': [b'0'], 'codePage': [b'0'], 'countryCode': [b'0'], 'badPasswordTime': [b'0'], 'lastLogoff': [b'0'], 'primaryGroupID': [b'1124'], 'objectSid': [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xfb\x8a{\xfa\xf5|\xf5#\xf43H-\xa2\x04\x00\x00'], 'accountExpires': [b'9223372036854775807'], 'sAMAccountName': [b'test.user'], 'sAMAccountType': [b'805306368'], 'objectCategory': [b'CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=tld'], 'mail': [b'test.user@domain.tld'], 'uidNumber': [b'2082'], 'loginShell': [b'/bin/bash'], 'unixHomeDirectory': [b'/home/test.user'], 'gidNumber': [b'5074'], 'homeDirectory': [b'%LOGONSERVER%\\%USERNAME%'], 'userPrincipalName': [b'test.user@DOMAIN.TLD'], 'lockoutTime': [b'0'], 'lastLogon': [b'132492207033336060'], 'logonCount': [b'4'], 'memberOf': [b'CN=Domain Users,CN=Groups,DC=domain,DC=tld', b'CN=Administrators,CN=Builtin,DC=domain,DC='], 'lastLogonTimestamp': [b'132580541773811840'], 'pwdLastSet': [b'132580542550000000'], 'whenChanged': [b'20210217165057.0Z'], 'uSNChanged': [b'9102'], 'distinguishedName': 

myOmikron commented 3 years ago

Do all search results have the attribute givenName? If there's one without the attribute, the script will break.

theoneandonly-vector commented 3 years ago

I just adjusted my filter, but my main problem will be that I don't have a "userPassword" or similar entry.

theoneandonly-vector commented 3 years ago

I just found out... my bind user had insufficient permissions.

theoneandonly-vector commented 3 years ago

Do you know if it's possible to use a hashed password?

myOmikron commented 3 years ago

Yes, that's possible, but only if your hash starts with the {HashTyp} Tag.

theoneandonly-vector commented 3 years ago

It starts with {crypt}; it doesn't tell me what kind of hash...

myOmikron commented 3 years ago

CRYPT is SSHA1 as far as I know. You have to try whether mailcow accepts it as a valid hash.

myOmikron commented 3 years ago

I'm closing this issue as it is not project related anymore. If any other questions come up, feel free to open another issue.

theoneandonly-vector commented 3 years ago

If someone needs this info: {crypt} = SHA-512, at least for my example.
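
The confusion above comes from what the {CRYPT} tag actually says: in RFC 2307 style userPassword values the {SCHEME} prefix names the storage scheme, and {CRYPT} only means "crypt(3) format". Which algorithm was used is encoded in the "$id$" prefix of the body ($1$ MD5, $5$ SHA-256, $6$ SHA-512, $2a$/$2b$/$2y$ bcrypt, $y$ yescrypt, $7$ scrypt); a body with no "$" is traditional DES crypt. The following is an added example, not the project's code, that goes beyond the single SHA-512 case in the thread: it classifies any tagged value, and verifies {SSHA} and {SHA} values with hashlib alone. All hash strings in it are constructed placeholders, and it does not check which schemes mailcow accepts.

```python
import base64
import hashlib
import hmac
import os
import re

# crypt(3) "$id$" prefixes and the algorithm each one selects.
CRYPT_IDS = {
    "1": "MD5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "7": "scrypt",
    "y": "yescrypt",
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
_CRYPT_ID_RE = re.compile(r"^\$([^$]+)\$")


def parse_password_hash(value):
    """Split an RFC 2307 style userPassword value into (scheme, body, algorithm).

    scheme is the upper-cased {TAG}, or None when the value carries no tag.
    For {CRYPT} the algorithm is read from the "$id$" prefix of the body; a body
    without "$" is traditional 13-character DES crypt.
    """
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value, "untagged (cleartext or unknown format)"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme, body, scheme
    cid = _CRYPT_ID_RE.match(body)
    if cid is None:
        return scheme, body, "DES-crypt (traditional)"
    return scheme, body, CRYPT_IDS.get(cid.group(1), "unknown crypt id $%s$" % cid.group(1))


def make_ssha(password, salt=None):
    """Produce a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password, value):
    """Check a cleartext password against a {SSHA} or {SHA} value.
    crypt(3) variants are deliberately not handled: they need a crypt implementation."""
    scheme, body, _ = parse_password_hash(value)
    if scheme not in ("SSHA", "SHA"):
        raise ValueError("verification of scheme %r not implemented here" % scheme)
    raw = base64.b64decode(body)
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        calc = hashlib.sha1(pw + salt).digest()
    else:
        digest, calc = raw, hashlib.sha1(pw).digest()
    return hmac.compare_digest(calc, digest)


if __name__ == "__main__":
    # Constructed placeholder values, not real hashes.
    for sample in (b"{crypt}$6$examplesalt$constructedbody",
                   "{CRYPT}$2b$12$constructedbcryptbody",
                   "{crypt}abJnggxhB/yWI",
                   make_ssha("hunter2"),
                   "hunter2"):
        print(parse_password_hash(sample)[::2])
```

When a directory hands back {crypt} values, run the body's "$id$" through a table like the one above before deciding whether the target system can consume it; "{crypt}" followed by "$6$" is what the SHA-512 finding in this thread looks like, and "$1$" or a 13-character DES body would be a reason to force a password reset rather than to import.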

domidodo commented 2 years ago

I had to install the following packages first (Ubuntu 20.04):

    sudo apt-get install -y python-dev libldap2-dev libsasl2-dev libssl-dev