From 15f8edf3621160004c2857137a0e889621413508 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20Krienb=C3=BChl?=
Date: Thu, 14 Mar 2024 09:16:24 +0100
Subject: [PATCH] [dovecot] Add ability to list users using doveadm Before this change, dovecot could only check if users existed, but it could not iterate over them. That is, the following would not work doveadm user '*' Nor any command that takes `-A` (all-users), like so: doveadm purge -A With this change, a new default query is added that works like the existing default queries. Instead of searching for a user, it lists them however.
---
CHANGELOG.rst | 8 ++++++++
ansible/roles/dovecot/defaults/main.yml | 20 +++++++++++++++++++
.../etc/dovecot/dovecot-ldap-userdb.conf.j2 | 2 ++
3 files changed, 30 insertions(+)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 2cd111ef1b..4b7c3d5955 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -212,6 +212,14 @@ General DNS support is disabled to avoid conflict with the :command:`avahi-daemon` service.
+:ref:`debops.dovecot` role
+''''''''''''''''''''''''''
+
+- The role now supports `iterate_filter` for its LDAP configuration, allowing
+ :command:`doveadm` commands to iterate over all users. Note that you might
+ have to adjust the defaults for `dovecot__ldap_user_list_filter` if you use
+ `dovecot__ldap_user_filter`.
+
 :ref:`debops.ferm` role '''''''''''''''''''''''
diff --git a/ansible/roles/dovecot/defaults/main.yml b/ansible/roles/dovecot/defaults/main.yml
index a0fdeb74c1..21a1be7fcf 100644
--- a/ansible/roles/dovecot/defaults/main.yml
+++ b/ansible/roles/dovecot/defaults/main.yml
@@ -1217,6 +1217,26 @@ dovecot__ldap_user_filter: '(& ) )'
+# .. envvar:: dovecot__ldap_user_list_filter [[[
+#
+# The LDAP filter used to look list user accounts in the directory. This allows
+# commands like :command:`doveadm users '*'` or :command:`doveadm purge -A` to
+# work.
+# See :ref:`ldap__ref_admin` for more information.
+dovecot__ldap_user_list_filter: '(&
+ (objectClass=mailRecipient)
+ (|
+ (authorizedService=all)
+ (authorizedService=mail:access)
+ )
+ )'
+
+# .. envvar:: dovecot__ldap_user_list_filter_attribute [[[
+#
+# The attribute used by :ref:`dovecot__ldap_user_list_filter_attribute` as
+# the identifier of the user.
+# See :ref:`ldap__ref_admin` for more information.
+dovecot__ldap_user_list_filter_attribute: 'mail'
 # ]]] # .. envvar:: dovecot__ldap_quota_attribute [[[ #
diff --git a/ansible/roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2 b/ansible/roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2
index 2e4a712809..361f16d155 100644
--- a/ansible/roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2
+++ b/ansible/roles/dovecot/templates/etc/dovecot/dovecot-ldap-userdb.conf.j2
@@ -36,3 +36,5 @@ user_attrs = \ mailExpungeTrash={{ dovecot__ldap_trash_field }} user_filter = {{ dovecot__ldap_user_filter }}
+iterate_filter= {{ dovecot__ldap_user_list_filter }}
+iterate_attrs= {{ dovecot__ldap_user_list_filter_attribute }}=user
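Review bot: The comment on `dovecot__ldap_user_list_filter` does not say that this filter is maintained separately from `dovecot__ldap_user_filter`, so a restriction added only to the lookup filter leaves all-user commands such as `doveadm purge -A` enumerating accounts the lookup filter excludes; the CHANGELOG entry hints at this, but the variable's own documentation should state that the two filters must be kept in step. The two added blocks also each open a `[[[` fold without adding a `# ]]]`, so as far as the hunk shows only the pre-existing marker after `dovecot__ldap_user_list_filter_attribute: 'mail'` closes anything; each new block should end with its own `# ]]]`. In the comments, "used to look list user accounts" should read `# The LDAP filter used to list user accounts in the directory.`, the example `doveadm users '*'` does not match the `doveadm user '*'` given in the commit message, and the second block refers to itself where `dovecot__ldap_user_list_filter` is meant.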
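Review bot: The `iterate_attrs` line takes the user name from `dovecot__ldap_user_list_filter_attribute` (default `mail`), but the hunk does not show which attribute `user_filter` matches the login name against; if the two differ, `doveadm -A` would pass on names that the per-user lookup then cannot resolve. A comment above the two new lines stating that the iterated attribute must be the one the lookup filter searches on would make that dependency visible, and it is worth confirming how entries carrying more than one value of that attribute are iterated. As a point of style, both new settings omit the space before `=` that the `user_filter = ` line directly above uses; `iterate_filter = {{ dovecot__ldap_user_list_filter }}` and `iterate_attrs = {{ dovecot__ldap_user_list_filter_attribute }}=user` would match it.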