Make the ldap test working

- The smtp/imap user name is now user@domain.tld
- Make the test_lookup function much more robust: it was now getting
  the correct file from the store.

default.nix

@@ -280,8 +280,8 @@ in
 
         userFilter = mkOption {
           type = types.str;
-          default = "cn=%u";
+          default = "mail=%u";
-          example = "(&(objectClass=inetOrgPerson)(cn=%u))";
+          example = "(&(objectClass=inetOrgPerson)(mail=%u))";
           description = ''
             Filter for user lookups in Dovecot.
 
@@ -304,9 +304,9 @@ in
         };
 
         passFilter = mkOption {
-          type = types.str;
+          type = types.nullOr types.str;
-          default = "cn=%u";
+          default = "mail=%u";
-          example = "(&(objectClass=inetOrgPerson)(cn=%u))";
+          example = "(&(objectClass=inetOrgPerson)(mail=%u))";
           description = ''
             Filter for password lookups in Dovecot.
 
@@ -331,7 +331,7 @@ in
 
         uidAttribute = mkOption {
           type = types.str;
-          default = "cn";
+          default = "mail";
           example = "uid";
           description = ''
             The LDAP attribute referencing the account name for a user.

mail-server/postfix.nix

@@ -158,7 +158,7 @@ let
     (pkgs.writeText "ldap-sender-login-map.cf" ''
       ${commonLdapConfig}
       query_filter = ${cfg.ldap.postfix.filter}
-      result_attribute = ${cfg.ldap.postfix.uidAttribute}
+      result_attribute = ${cfg.ldap.postfix.mailAttribute}
     '');
 
   ldapVirtualMailboxMap = lib.optionalString (cfg.ldap.enable)

tests/ldap.nix

@@ -18,6 +18,11 @@ pkgs.nixosTest {
 
       virtualisation.memorySize = 1024;
 
+      services.openssh = {
+        enable = true;
+        permitRootLogin = "yes";
+      };
+
       environment.systemPackages = [
         (pkgs.writeScriptBin "mail-check" ''
           ${pkgs.python3}/bin/python ${../scripts/mail-check.py} $@
@@ -106,35 +111,35 @@ pkgs.nixosTest {
   };
   testScript = ''
     import sys
-
+    import re
-    from glob import glob
 
     machine.start()
     machine.wait_for_unit("multi-user.target")
 
-    def test_lookup(map, key, expected):
+    # This function retrieves the ldap table file from a postconf
-      path = glob(f"/nix/store/*-{map}")[0]
+    # command.
-      value = machine.succeed(f"postmap -q alice@example.com ldap:{path}").rstrip()
+    # A key lookup is achived and the returned value is compared
+    # to the expected value.
+    def test_lookup(postconf_cmdline, key, expected):
+      conf = machine.succeed(postconf_cmdline).rstrip()
+      ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1)
+      value = machine.succeed(f"postmap -q {key} ldap:{ldap_table_path}").rstrip()
       try:
         assert value == expected
       except AssertionError:
-        print(f"Expected {map} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
+        print(f"Expected {conf} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
         raise
 
-
     with subtest("Test postmap lookups"):
-      test_lookup("ldap-virtual-mailbox-map.cf", "alice@example.com", "alice")
+      test_lookup("postconf virtual_mailbox_maps", "alice@example.com", "alice@example.com")
-      test_lookup("ldap-sender-login-map.cf", "alice", "alice")
+      test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "alice@example.com", "alice@example.com")
 
-      test_lookup("ldap-virtual-mailbox-map.cf", "bob@example.com", "alice")
+      test_lookup("postconf virtual_mailbox_maps", "bob@example.com", "bob@example.com")
-      test_lookup("ldap-sender-login-map.cf", "bob", "alice")
+      test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "bob@example.com", "bob@example.com")
 
     with subtest("Test doveadm lookups"):
-      out = machine.succeed("doveadm user -u alice")
+      machine.succeed("doveadm user -u alice@example.com")
-      machine.log(out)
+      machine.succeed("doveadm user -u bob@example.com")
-
-      out = machine.succeed("doveadm user -u bob")
-      machine.log(out)
 
     with subtest("Test account/mail address binding"):
       machine.fail(" ".join([
@@ -142,16 +147,16 @@ pkgs.nixosTest {
         "--smtp-port 587",
         "--smtp-starttls",
         "--smtp-host localhost",
-        "--smtp-username alice",
+        "--smtp-username alice@example.com",
         "--imap-host localhost",
-        "--imap-username bob",
+        "--imap-username bob@example.com",
         "--from-addr bob@example.com",
         "--to-addr aliceb@example.com",
         "--src-password-file <(echo '${alicePassword}')",
         "--dst-password-file <(echo '${bobPassword}')",
         "--ignore-dkim-spf"
       ]))
-      machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice'")
+      machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice@example.com'")
 
     with subtest("Test mail delivery"):
       machine.succeed(" ".join([
@@ -159,9 +164,9 @@ pkgs.nixosTest {
         "--smtp-port 587",
         "--smtp-starttls",
         "--smtp-host localhost",
-        "--smtp-username alice",
+        "--smtp-username alice@example.com",
         "--imap-host localhost",
-        "--imap-username bob",
+        "--imap-username bob@example.com",
         "--from-addr alice@example.com",
         "--to-addr bob@example.com",
         "--src-password-file <(echo '${alicePassword}')",