Update to 2022-03-07 14:00

roles/unmaintained/wh_zimbra/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+- name: start zmldapsync-wh
+  service: name=zmldapsync-wh state=started

roles/unmaintained/wh_zimbra/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: wh_common
+  - role: zimbra

roles/unmaintained/wh_zimbra/tasks/cas.yml

@@ -0,0 +1,116 @@
+---
+- name: Get or generate a pre authentication key
+  shell: |
+    KEY=$(/opt/zimbra/bin/zmprov getDomain {{ item }} zimbrapreauthkey | perl -ne '/^(?:zimbraP|p)reAuthKey: (.*)/ && print $1')
+    [ -z $KEY ] && KEY=$(/opt/zimbra/bin/zmprov generateDomainPreAuthKey {{ item }} | perl -ne '/^(?:zimbraP|p)reAuthKey: (.*)/ && print $1')
+    echo $KEY
+  become_user: zimbra
+  register: zcs_preauthkeys
+  changed_when: False
+  loop: "{{ wh_mail_domains }}"
+  tags: mail
+
+- name: Install preauth pages
+  template: src=../zimbra/templates/cas_preauth.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbra/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
+  loop: "{{ zcs_preauthkeys.results }}"
+  notify: restart zmmailboxd
+  tags: mail
+
+- name: Install admin preauth pages
+  template: src=../zimbra/templates/cas_preauth_admin.jsp.j2 dest=/opt/zimbra/jetty/webapps/zimbraAdmin/public/preauth_{{ item.item }}.jsp owner=zimbra group=zimbra
+  loop: "{{ zcs_preauthkeys.results }}"
+  notify: restart zmmailboxd
+  tags: mail
+
+- name: Configure CAS filters
+  blockinfile:
+    path: /opt/zimbra/jetty/etc/zimbra.web.xml.in
+    block: |2
+
+      <filter>
+        <filter-name>CasSingleSignOutFilter</filter-name>
+        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
+        <init-param>
+          <param-name>casServerUrlPrefix</param-name>
+          <param-value>https://sso-cl.fws.fr/cas</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasSingleSignOutFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+      </filter-mapping>
+
+      <listener>
+        <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
+      </listener>
+
+      {% for item in wh_clients | default([]) %}
+      {% if item.mail is defined and item.mail.enabled is defined and item.mail.enabled and item.mail.domain is defined %}
+      <!-- filters for {{ item.name }} -->
+      <filter>
+        <filter-name>CasAuthenticationFilter{{ item.name }}</filter-name>
+        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
+        <init-param>
+          <param-name>casServerLoginUrl</param-name>
+          <param-value>https://sso-cl.fws.fr/cas/login</param-value>
+        </init-param>
+        <init-param>
+          <param-name>serverName</param-name>
+          <param-value>{{ item.mail.vhosts | first }}</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasAuthenticationFilter{{ item.name }}</filter-name>
+        <url-pattern>/public/preauth_{{ item.mail.domain }}.jsp</url-pattern>
+      </filter-mapping>
+
+      <filter>
+        <filter-name>CasValidationFilter{{ item.name }}</filter-name>
+        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
+        <init-param>
+          <param-name>casServerUrlPrefix</param-name>
+          <param-value>https://sso-cl.fws.fr/cas</param-value>
+        </init-param>
+        <init-param>
+          <param-name>serverName</param-name>
+          <param-value>{{ item.mail.vhosts | first }}</param-value>
+        </init-param>
+        <init-param>
+          <param-name>redirectAfterValidation</param-name>
+          <param-value>true</param-value>
+        </init-param>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasValidationFilter{{ item.name }}</filter-name>
+        <url-pattern>/*</url-pattern>
+      </filter-mapping>
+      <!-- End filter configuration for {{ item.name }} -->
+      {% else %}
+      <!-- Email not enabled for client {{ item.name }} -->
+      {% endif %}
+      {% endfor %}
+
+      <filter>
+        <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
+        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
+      </filter>
+
+      <filter-mapping>
+        <filter-name>CasHttpServletRequestWrapperFilter</filter-name>
+        <url-pattern>/public/*</url-pattern>
+      </filter-mapping>
+
+      <!-- prevent Zimbra from adding ;jsessionid=XXXX in the URL, which the CAS server could reject
+           as it doesn't match the initial service anymore -->
+      <session-config>
+        <tracking-mode>COOKIE</tracking-mode>
+      </session-config>
+    marker: '<!-- "# {mark} ANSIBLE MANAGED BLOCK (wh Zimbra CAS Auth)" -->'
+    insertafter: '</error-page>'
+    validate: xmllint %s
+  notify: restart zmmailboxd
+  tags: zcs
+

roles/unmaintained/wh_zimbra/tasks/dkim.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Ensure every domain has a dkim key
+  shell: /opt/zimbra/libexec/zmdkimkeyutil -q -d {{ item }} || /opt/zimbra/libexec/zmdkimkeyutil -a -d {{ item }}
+  become_user: zimbra
+  loop: "{{ wh_mail_domains + wh_mail_aliases }}"
+  changed_when: False
+  tags: mail
+

roles/unmaintained/wh_zimbra/tasks/facts.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Build a list of Zimbra domains
+  set_fact: wh_mail_domains={{ wh_clients | selectattr('mail', 'defined') | selectattr('mail.enabled', 'equalto', True) | selectattr('mail.domain', 'defined') | map(attribute='mail.domain') | list }}
+  tags: mail

roles/unmaintained/wh_zimbra/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+
+- include: facts.yml
+
+- include: zmldapsync.yml
+  when: zcs_i_am_primary_ldap == True
+
+- include: cas.yml
+  when: "'mailbox' in zcs_enabled_components"

roles/unmaintained/wh_zimbra/tasks/zmldapsync.yml

@@ -0,0 +1,22 @@
+---
+- name: Deploy LDAP sync configuration
+  template: src=zmldapsync-wh.yml.j2 dest=/opt/zimbra/conf/zmldapsync-wh.yml mode=600
+  notify: start zmldapsync-wh
+  tags: mail
+
+- name: Deploy LDAP sync systemd units
+  template: src=zmldapsync-wh.{{ item }}.j2 dest=/etc/systemd/system/zmldapsync-wh.{{ item }}
+  loop:
+    - service
+    - timer
+  register: wh_zimbra_systemd_unit
+  tags: mail
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: wh_zimbra_systemd_unit.results | selectattr('changed','equalto',True) | list | length > 0
+  tags: mail
+
+- name: Enable LDAP sync services
+  systemd: name=zmldapsync-wh.timer state=started enabled=True
+  tags: mail

roles/unmaintained/wh_zimbra/templates/zmldapsync-wh.service.j2

@@ -0,0 +1,7 @@
+[Unit]
+Description=Sync LDAP accounts into Zimbra for hosted clients
+
+[Service]
+Type=oneshot
+ExecStart=/opt/zimbra/bin/zmldapsync --config /opt/zimbra/conf/zmldapsync-wh.yml
+TimeoutSec=300

roles/unmaintained/wh_zimbra/templates/zmldapsync-wh.timer.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Sync LDAP Users with Zimbra for hosted clients
+
+[Timer]
+OnCalendar=*:0/15
+
+[Install]
+WantedBy=timers.target

roles/unmaintained/wh_zimbra/templates/zmldapsync-wh.yml.j2

@@ -0,0 +1,58 @@
+---
+general:
+  notify:
+    from: zimbra@{{ ansible_domain }}
+    to: dani@fws.fr
+
+domains:
+{% for client in wh_clients | default([]) %}
+{% if client.mail is defined and client.mail.enabled and client.mail.enabled and client.mail.domain is defined %}
+  {{ client.mail.domain }}:
+    public_url: https://{{ client.mail.vhosts | first }}
+    admin_url: https://{{ client.mail.vhosts | first }}:9071/
+    cas:
+      enabled: True
+      server_url: https://sso-cl.fws.fr/cas
+    ldap:
+      servers:
+        - ldap://dc3.fws.fr:389
+        - ldap://dc1.fws.fr:389
+        - ldap://dc2.fws.fr:389
+      schema: ad
+      bind_dn: CN=Zimbra,OU=Apps,DC=fws,DC=fr
+      bind_pass: {{ vault_zimbra_ldap_bind_pass | quote }}
+    users:
+      base: OU={{ client.name }},OU=Clients,DC=fws,DC=fr
+      filter: "(&(objectClass=user)(mail=*))"
+    groups:
+      base: OU={{ client.name }},OU=Clients,DC=fws,DC=fr
+    zimbra:
+      create_if_missing: True
+      setup_ldap_auth: True
+{% if client.mail.domain_aliases is defined and client.mail.domain_aliases | length > 0 %}
+      domain_aliases:
+{% for alias in client.mail.domain_aliases %}
+        - {{ alias }}
+{% endfor %}
+{% endif %}
+      additional_domain_attrs:
+{% if client.mail.vhosts is defined and client.mail.vhosts | length > 0 %}
+        zimbraVirtualHostname:
+{% for vhost in client.mail.vhosts %}
+          - {{ vhost }}
+{% endfor %}
+        zimbraPublicServiceHostname: {{ client.mail.vhosts | first }}
+        zimbraAdminConsoleLoginURL: https://{{ client.mail.vhosts | first }}:9071//zimbraAdmin/public/preauth_{{ client.mail.domain }}.jsp
+        zimbraWebClientLoginURL: https://{{ client.mail.vhosts | first }}/public/preauth_{{ client.mail.domain }}.jsp
+{% else %}
+        zimbraPublicServiceHostname: zm-cl.fws.fr
+        zimbraAdminConsoleLoginURL: https://zm-cl.fws.fr:9071//zimbraAdmin/public/preauth_{{ client.mail.domain }}.jsp
+        zimbraWebClientLoginURL: https://zm-cl.fws.fr}/public/preauth_{{ client.mail.domain }}.jsp
+{% endif %}
+        zimbraPublicServicePort: 443
+        zimbraPublicServiceProtocol: https
+        zimbraAdminConsoleLogoutURL: https://sso-cl.fws.fr/cas/logout
+        zimbraWebClientLogoutURL: https://sso-cl.fws.fr/cas/logout
+
+{% endif %}
+{% endfor %}