feat(open-xchange): Enable ACLs and support logins different from local part

Enable the Mail Login Resolver to properly resolve UUIDs to OX users and vice versa. Switch IMAP auth from emails to login names, since that's the only field present in authentication tokens. Due to an issue with retrieving operationsl LDAP attributes (see OX issue /appsuite/platform/core#251), entryUUID does not work currently. As a work-around, users need to have their UUIDs in the field departmentNumber. Migrating to UUIDs (WP#1236) would also work. Maybe we should just make that field configurable.
2025-12-07 16:01:37 +01:00 · 2025-04-13 17:17:23 +02:00
parent a5f9b01ca0
commit f7e28b064e
1 changed files with 14 additions and 1 deletions
--- a/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
+++ b/helmfile/apps/open-xchange/values-openxchange.yaml.gotmpl
@@ -237,12 +237,25 @@ appsuite:
      com.openexchange.authentication.oauth.clientSecret: {{ .Values.secrets.keycloak.clientSecret.as8oidc | quote }}
      # MAIL
      com.openexchange.mail.authType: "xoauth2"
-      com.openexchange.mail.loginSource: "mail"
+      com.openexchange.mail.loginSource: "name"
      com.openexchange.mail.mailServer: "dovecot"
      com.openexchange.mail.mailServerSource: "global"
      com.openexchange.mail.transport.authType: "xoauth2"
      com.openexchange.mail.transportServer: "postfix-ox"
      com.openexchange.mail.transportServerSource: "global"
+      # Mail Login Resolver
+      com.openexchange.mail.login.resolver.enabled: "true"
+      com.openexchange.mail.login.resolver.ldap.enabled: "true"
+      com.openexchange.mail.login.resolver.ldap.clientId: contactsLdapClient
+      com.openexchange.mail.login.resolver.ldap.mailLoginSearchFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(mailPrimaryAddress=[mailLogin]))"
+      com.openexchange.mail.login.resolver.ldap.userNameAttribute: uid
+      com.openexchange.mail.login.resolver.ldap.contextIdAttribute: oxContextIDNum
+      com.openexchange.mail.login.resolver.ldap.entitySearchFilter: "(&(univentionObjectType=users/user)(isOxUser=OK)(oxContextIDNum=[cid])(uid=[uname]))"
+      #com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: entryUUID
+      # Workaround until either OX issue /appsuite/platform/core#251 is fixed
+      # or entryUUIDs are replaced by a different field.
+      com.openexchange.mail.login.resolver.ldap.mailLoginAttribute: departmentName
+      #com.openexchange.mail.login.resolver.ldap.cacheExpire: "1"
      # Requirements for OX-Connector
      com.openexchange.user.enforceUniqueDisplayName: "false"
      com.openexchange.folderstorage.database.preferDisplayName: "false"