Closed theoneandonly-vector closed 3 years ago
Hi, currently only a few things are working. These are:
Over the next weeks I'll extend these features so Domains, Aliases, etc. are working as well.
The project can be deployed on any server you want to deploy it on. It does not have to be the server mailcow is running on, but it can be. The only requirements are Python >= 3.6 and python3-pip.
1. Install the requirements: `python3 -m pip install -r requirements.txt`.
2. Execute `python3 main.py` to generate `config.json`.
3. Add all necessary attributes to `config.json`.

To do so, you have to give the script access to the Read/Write API from mailcow.
Every time you execute the script, it will look for changes between LDAP and its last execution (local db) and, if there are any, push them to mailcow. In general, all features of mailcow should be working. The only drawback is that users are still allowed to change their password in mailcow. If they do so, the password is not transferred back to the LDAP.
Hi, thanks for the quick response :) Do you have an idea how to debug it if the log tells me:

```
INFO:mailcow_ldap_sync:Successfully bind as (user)
```

but nothing happens thereafter?
You should start by raising the logging level to DEBUG, line 271:

```python
logging.basicConfig(filename='mailcow_ldap_sync.log', level=logging.DEBUG)
```

If the output stays the same after the bind, I'd say you don't receive any results for the LDAP search. I'll add some more logging to show the search results when on DEBUG level.
I just used the updated version with DEBUG set. This is the error I get after it runs for about 9 minutes:

```
Traceback (most recent call last):
  File "./main.py", line 295, in <module>
    main(config, session)
  File "./main.py", line 35, in main
    first_name = user_params[conf['ldap']['user_mapping']['firstname']][0].decode('utf-8')
KeyError: 'givenName'
```

Inside my DEBUG log (`DEBUG:mailcow_ldap_sync:Search results:`) I now see all my users. But I'm not sure how to truncate this.

Here is my first user from the debug log:

```
[b'noreply'], 'sAMAccountType': [b'805306368'], 'objectCategory': [b'CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=tld'], 'uidNumber': [b'2063'], 'loginShell': [b'/bin/bash'], 'unixHomeDirectory': [b'/home/noreply'], 'gidNumber': [b'5001'], 'mail': [b'noreply@domain.tld'], 'userPrincipalName': [b'noreply@DOMAIN.TLD'], 'pwdLastSet': [b'132240776190000000'], 'lockoutTime': [b'0'], 'whenChanged': [b'20200121105341.0Z'], 'uSNChanged': [b'4285'], 'distinguishedName': [b'CN=noreply,CN=Users,DC=domain,DC=tld']}), ('CN=test.user,CN=Users,DC=domain,DC=tld', {'objectClass': [b'top', b'person', b'organizationalPerson', b'user'], 'cn': [b'test.user'], 'sn': [b'user'], 'givenName': [b'test'], 'instanceType': [b'4'], 'whenCreated': [b'20200311175855.0Z'], 'displayName': [b'test user'], 'uSNCreated': [b'4585'], 'name': [b'test.user'], 'objectGUID': [b"'`\x9b\x9b\x1f6\xa1C\x9c@\x83\xaa\xd8[\xae\xd9"], 'userAccountControl': [b'512'], 'badPwdCount': [b'0'], 'codePage': [b'0'], 'countryCode': [b'0'], 'badPasswordTime': [b'0'], 'lastLogoff': [b'0'], 'primaryGroupID': [b'1124'], 'objectSid': [b'\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xfb\x8a{\xfa\xf5|\xf5#\xf43H-\xa2\x04\x00\x00'], 'accountExpires': [b'9223372036854775807'], 'sAMAccountName': [b'test.user'], 'sAMAccountType': [b'805306368'], 'objectCategory': [b'CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=tld'], 'mail': [b'test.user@domain.tld'], 'uidNumber': [b'2082'], 'loginShell': [b'/bin/bash'], 'unixHomeDirectory': [b'/home/test.user'], 'gidNumber': [b'5074'], 'homeDirectory': [b'%LOGONSERVER%\\%USERNAME%'], 'userPrincipalName': [b'test.user@DOMAIN.TLD'], 'lockoutTime': [b'0'], 'lastLogon': [b'132492207033336060'], 'logonCount': [b'4'], 'memberOf': [b'CN=Domain Users,CN=Groups,DC=domain,DC=tld', b'CN=Administrators,CN=Builtin,DC=domain,DC='], 'lastLogonTimestamp': [b'132580541773811840'], 'pwdLastSet': [b'132580542550000000'], 'whenChanged': [b'20210217165057.0Z'], 'uSNChanged': [b'9102'], 'distinguishedName':
```
Do all search results have the attribute `givenName`? If there's one without the attribute, the script will break.
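To illustrate the failure mode discussed above (a `KeyError` when one LDAP entry lacks a mapped attribute such as `givenName`), here is an added example that is not part of the project's code: it walks python-ldap-style search results, decodes the mapped attributes, and skips entries that miss a required attribute instead of crashing the whole sync run. The `USER_MAPPING` keys mirror the `conf['ldap']['user_mapping']` names seen in the traceback; the attribute names, the `REQUIRED` set and the sample entries are assumptions constructed for the example.

```python
import logging

logger = logging.getLogger("mailcow_ldap_sync")

# Hypothetical mapping in the shape of the 'user_mapping' block from config.json
# (assumed names; only 'firstname' -> 'givenName' is visible in the traceback above).
USER_MAPPING = {"firstname": "givenName", "lastname": "sn",
                "mail": "mail", "password": "userPassword"}
# Attributes without which a mailcow mailbox cannot be created (assumption).
REQUIRED = ("firstname", "lastname", "mail")


def map_user(dn, attrs, mapping=USER_MAPPING):
    """Decode one LDAP entry into a flat dict, or return None if a required
    attribute is missing. python-ldap returns {attr: [bytes, ...]} per entry."""
    out = {}
    for key, ldap_attr in mapping.items():
        values = attrs.get(ldap_attr)  # .get() instead of [] avoids the KeyError
        if not values:
            if key in REQUIRED:
                logger.warning("skipping %s: missing LDAP attribute %r", dn, ldap_attr)
                return None
            out[key] = None  # optional attribute, e.g. no userPassword exposed
            continue
        out[key] = values[0].decode("utf-8")
    return out


def map_search_results(results, mapping=USER_MAPPING):
    """Map every (dn, attrs) tuple of a search result; drop unusable entries."""
    users = []
    for dn, attrs in results:
        mapped = map_user(dn, attrs, mapping)
        if mapped is not None:
            users.append(mapped)
    return users


# Constructed sample in python-ldap's result shape; 'noreply' has no givenName,
# which is exactly the case that raised KeyError in the thread.
SAMPLE_RESULTS = [
    ("CN=noreply,CN=Users,DC=domain,DC=tld",
     {"cn": [b"noreply"], "sn": [b"noreply"], "mail": [b"noreply@domain.tld"]}),
    ("CN=test.user,CN=Users,DC=domain,DC=tld",
     {"cn": [b"test.user"], "sn": [b"user"], "givenName": [b"test"],
      "mail": [b"test.user@domain.tld"], "userPassword": [b"{crypt}$6$placeholderhash"]}),
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for user in map_search_results(SAMPLE_RESULTS):
        print(user)
```

Entries skipped this way show up as a warning in `mailcow_ldap_sync.log`, which makes it easy to spot which LDAP objects need the missing attribute (or a narrower search filter) instead of guessing from a full attribute dump.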
I just adjusted my filter, but my main problem will be that I don't have a "userPassword" or similar entry.
I just found out: my bind user had insufficient permissions.
Do you know if it's possible to use a hashed password?
Yes, that's possible, but only if your hash starts with the {HashTyp} tag.
It starts with {crypt}; it doesn't tell me what kind of hash.
CRYPT is SSHA1 as far as I know. You have to try whether mailcow accepts it as a valid hash.
I'm closing this issue as it is not project related anymore. If any other questions come up, feel free to open another issue.
In case someone needs this info: {crypt} = SHA-512, at least in my example.
I had to install the following packages first (Ubuntu 20.04):

```
sudo apt-get install -y python-dev libldap2-dev libsasl2-dev libssl-dev
```
Hey there, can this run on the host running the Docker containers, or do I need to integrate it into one of the existing mailcow Docker containers? Can you give me a quick example of how to start? Are SOGo / Dovecot working with this?