- [test](test) Update to use `mlan/openldap:2`.

- [demo](demo) Update to use `mlan/openldap:2`.
2021-01-15 19:25:09 +01:00 · 2021-01-15 19:25:09 +01:00 · e0fc560dd3
parent 36cd823be8
commit e0fc560dd3
16 changed files with 451 additions and 265 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,8 @@
+# 1.2.8
+
+- [test](test) Update to use `mlan/openldap:2`.
+- [demo](demo) Update to use `mlan/openldap:2`.
+
 # 1.2.7

 - [kopano](src/kopano/plugin/movetopublicldap.py) Add LDAP support to the [Move to public](https://documentation.kopano.io/kopanocore_administrator_manual/special_kc_configurations.html#move-to-public ) kopano-dagent python plugin.
--- a/ROADMAP.md
+++ b/ROADMAP.md
@ -1,5 +1,9 @@
 # Road map

+## demo
+
+- check mta-test_imap
+
 ## kDAV

 Consider integrating support for kDAV which provides CalDAV and CardDAV.
--- a/demo/.env
+++ b/demo/.env
@ -1,28 +1,34 @@
 COMPOSE_PROJECT_NAME=demo
 SYSLOG_LEVEL=6
 LOG_LEVEL=6
+AD_DEBUG=stats
+AD_ADM_CN=admin
+AD_ADM_PW=admin
+AD_ADM_TEL=555-540-9637
+AD_ADM_TIT=System Admin
+AD_BASE=dc=example,dc=com
+AD_GRP_CN=team
+AD_GRP_OB=kopano-group
+AD_GRP_OU=groups
+AD_PUB_CN=public
+AD_ROOT_CN=admin
+AD_ROOT_PW=secret
+AD_SHR_CN=shared
+AD_USR_AS=trial
+AD_USR_CN=demo
+AD_USR_OB=kopano-user
+AD_USR_OU=users
+AD_USR_PW=demo
+AD_USR_TEL=555-439-2736
+AD_USR_TIT=First User
+DKIM_SELECTOR=default
 MAIL_DOMAIN=example.com
 MAIL_SRV=mx
-REGEX_ALIAS='/([^+]+)[+-].*@(.+)/ $1@$2'
-DKIM_SELECTOR=default
-SA_TAG_LEVEL_DEFLT=-999
-SA_DEBUG=0
-RAZOR_REGISTRATION=
-LDAP_BASE=dc=example,dc=com
-LDAP_USEROU=users
-LDAP_USEROBJ=kopano-user
-LDAP_USERFLT=
-LDAP_GROUPOU=groups
-LDAP_GROUPOBJ=kopano-group
-LDAP_TEST_USER=demo
-LDAP_TEST_USERPW=demo
-LDAP_TEST_USERAS=trial
-LDAP_TEST_ADMIN=admin
-LDAP_TEST_ADMINPW=admin
-LDAP_TEST_GROUP=team
-LDAP_TEST_PUB=public
-LDAP_TEST_SHR=shared
-MYSQL_ROOT_PASSWORD=secret
 MYSQL_DATABASE=kopano
-MYSQL_USER=kopano
 MYSQL_PASSWORD=secret
+MYSQL_ROOT_PASSWORD=secret
+MYSQL_USER=kopano
+RAZOR_REGISTRATION=
+REGEX_ALIAS='/([^+]+)[+-].*@(.+)/ $1@$2'
+SA_DEBUG=0
+SA_TAG_LEVEL_DEFLT=-999
--- a/demo/Makefile
+++ b/demo/Makefile
@ -1,19 +1,23 @@
 -include    *.mk .env .init.env

-srv_list ?= auth app db mta
-curl_dbg ?= -v -s
-_ip       = $(shell docker inspect -f \
-	'{{range .NetworkSettings.Networks}}{{println .IPAddress}}{{end}}' \
-	$(1) | head -n1)
+SRV_LIST ?= auth app db mta

-.PHONY:
+AD_DOM   ?= $(call ad_sub_dot, $(AD_BASE))
+AD_DC    ?= $(call ad_cut_dot, 1, 1, $(AD_DOM))
+
+SSL_O     = $(MAIL_DOMAIN)
+SSL_MAIL  = auto
+SSL_PASS  = $(AD_USR_PW)
+#SSL_TRST  = $(SSL_SMIME)
+
+CURL_DBG ?= -v -s

 variables:
 	make -pn | grep -A1 "^# makefile"| grep -v "^#\|^--" | sort | uniq

 test: all-test_quiet mta-test_smtp

-init: up auth-init db-init mta-init app-init
+init: up auth-init db-init app-down app-up mta-init app-init

 ps:
 	docker-compose ps
@ -36,49 +40,52 @@ logs:
 images:
 	docker-compose images

-$(addsuffix -up,$(srv_list)):
+$(addsuffix -up,$(SRV_LIST)):
 	docker-compose up -d $(patsubst %-up,%,$@)

-$(addsuffix -down,$(srv_list)):
-	docker-compose rm -s $(patsubst %-down,%,$@)
+$(addsuffix -down,$(SRV_LIST)):
+	docker-compose rm -sf $(patsubst %-down,%,$@)

-$(addsuffix -restart,$(srv_list)):
+$(addsuffix -restart,$(SRV_LIST)):
 	docker-compose restart $(patsubst %-restart,%,$@)

-$(addsuffix -renew,$(srv_list)):
+$(addsuffix -renew,$(SRV_LIST)):
 	docker-compose rm -s $(patsubst %-renew,%,$@)
 	docker-compose up -d $(patsubst %-renew,%,$@)

-$(addsuffix -top,$(srv_list)):
+$(addsuffix -top,$(SRV_LIST)):
 	docker-compose top $(patsubst %-top,%,$@)

-$(addsuffix -logs,$(srv_list)):
+$(addsuffix -logs,$(SRV_LIST)):
 	docker-compose logs $(patsubst %-logs,%,$@)

-$(addsuffix -pull,$(srv_list)):
+$(addsuffix -pull,$(SRV_LIST)):
 	docker-compose pull $(patsubst %-pull,%,$@)

-$(addsuffix -sh,$(srv_list)):
+$(addsuffix -sh,$(SRV_LIST)):
 	docker-compose exec $(patsubst %-sh,%,$@) sh -c 'exec $$(getent passwd root | sed "s/.*://g")'

-$(addsuffix -env,$(srv_list)):
+$(addsuffix -env,$(SRV_LIST)):
 	docker-compose exec $(patsubst %-env,%,$@) env

-$(addsuffix -sv,$(srv_list)):
+$(addsuffix -sv,$(SRV_LIST)):
 	docker-compose exec $(patsubst %-sv,%,$@) sh -c 'sv status $$SVDIR/*'

-$(addsuffix -diff,$(srv_list)):
+$(addsuffix -diff,$(SRV_LIST)):
 	docker container diff $(COMPOSE_PROJECT_NAME)_$(patsubst %-diff,%,$@)_1

+$(addsuffix -hostaddr,$(SRV_LIST)):
+	$(eval myhost := $(call dkr_srv_ip,$(patsubst %-hostaddr,%,$@)))
+
 wait_%:
 	sleep $*

 web:
-	firefox localhost:8008 &
+	browse http://localhost:8008 &

-auth-init: wait_11 auth-mod_conf auth-add_schema auth-add_data auth-add_sto
+auth-init: wait_3 auth-mod_conf auth-add_schema auth-add_data

-define LDIF_MOD_CONF
+export define LDIF_MOD_CONF
 dn: olcDatabase={-1}frontend,cn=config
 changetype: modify
 add: olcPasswordHash
@ -94,117 +101,102 @@ changetype: modify
 add: olcDbIndex
 olcDbIndex: cn,ou,uid,mail eq
 endef
-export LDIF_MOD_CONF

-define LDIF_ADD_DATA
-dn: ou=$(LDAP_USEROU),$(LDAP_BASE)
-changetype: add
-ou: $(LDAP_USEROU)
-objectClass: top
+export define LDIF_ADD_DATA
+dn: $(AD_BASE)
+objectClass: organization
+objectClass: dcObject
+dc: $(AD_DC)
+o: $(AD_DOM)
+
+dn: ou=$(AD_USR_OU),$(AD_BASE)
+ou: $(AD_USR_OU)
 objectClass: organizationalUnit

-dn: ou=$(LDAP_GROUPOU),$(LDAP_BASE)
-changetype: add
-ou: $(LDAP_GROUPOU)
-objectClass: top
+dn: ou=$(AD_GRP_OU),$(AD_BASE)
+ou: $(AD_GRP_OU)
 objectClass: organizationalUnit

-dn: cn=$(LDAP_TEST_GROUP),ou=$(LDAP_GROUPOU),$(LDAP_BASE)
-changetype: add
-cn: $(LDAP_TEST_GROUP)
-objectClass: top
+dn: cn=$(AD_GRP_CN),ou=$(AD_GRP_OU),$(AD_BASE)
+cn: $(AD_GRP_CN)
 objectClass: groupOfNames
 objectClass: kopano-group
-member: uid=$(LDAP_TEST_ADMIN),ou=$(LDAP_USEROU),$(LDAP_BASE)
-member: uid=$(LDAP_TEST_USER),ou=$(LDAP_USEROU),$(LDAP_BASE)
-mail: $(LDAP_TEST_GROUP)@$(MAIL_DOMAIN)
+member: uid=$(AD_ADM_CN),ou=$(AD_USR_OU),$(AD_BASE)
+member: uid=$(AD_USR_CN),ou=$(AD_USR_OU),$(AD_BASE)
+mail: $(AD_GRP_CN)@$(MAIL_DOMAIN)

-dn: uid=$(LDAP_TEST_ADMIN),ou=$(LDAP_USEROU),$(LDAP_BASE)
+dn: uid=$(AD_ADM_CN),ou=$(AD_USR_OU),$(AD_BASE)
 changetype: add
-cn: $(LDAP_TEST_ADMIN)
-objectClass: top
+cn: $(AD_ADM_CN)
 objectClass: inetOrgPerson
 objectClass: kopano-user
-sn: $(LDAP_TEST_ADMIN)
-uid: $(LDAP_TEST_ADMIN)
-mail: $(LDAP_TEST_ADMIN)@$(MAIL_DOMAIN)
-userPassword: $(LDAP_TEST_ADMINPW)
-telephoneNumber: 0123 987654321
-title: System Admin
+sn: $(AD_ADM_CN)
+uid: $(AD_ADM_CN)
+mail: $(AD_ADM_CN)@$(MAIL_DOMAIN)
+userPassword: $(AD_ADM_PW)
+telephoneNumber: $(AD_ADM_TEL)
+title: $(AD_ADM_TIT)
 kopanoAccount: 1
 kopanoAdmin: 1
 kopanoEnabledFeatures: imap
 kopanoEnabledFeatures: pop3

-dn: uid=$(LDAP_TEST_USER),ou=$(LDAP_USEROU),$(LDAP_BASE)
+dn: uid=$(AD_USR_CN),ou=$(AD_USR_OU),$(AD_BASE)
 changetype: add
-cn: $(LDAP_TEST_USER)
-objectClass: top
+cn: $(AD_USR_CN)
 objectClass: inetOrgPerson
 objectClass: kopano-user
-sn: $(LDAP_TEST_USER)
-uid: $(LDAP_TEST_USER)
-mail: $(LDAP_TEST_USER)@$(MAIL_DOMAIN)
-userPassword: $(LDAP_TEST_USERPW)
-telephoneNumber: 0123 123456789
-title: First User
+sn: $(AD_USR_CN)
+uid: $(AD_USR_CN)
+mail: $(AD_USR_CN)@$(MAIL_DOMAIN)
+userPassword: $(AD_USR_PW)
+telephoneNumber: $(AD_USR_TEL)
+title: $(AD_USR_TIT)
 kopanoAccount: 1
-kopanoAliases: $(LDAP_TEST_USERAS)@$(MAIL_DOMAIN)
+kopanoAliases: $(AD_USR_AS)@$(MAIL_DOMAIN)
 kopanoEnabledFeatures: imap
 kopanoEnabledFeatures: pop3
-endef
-export LDIF_ADD_DATA

-define LDIF_ADD_STO
-dn: uid=$(LDAP_TEST_SHR),ou=$(LDAP_USEROU),$(LDAP_BASE)
-changetype: add
-cn: $(LDAP_TEST_SHR)
-objectClass: top
+dn: uid=$(AD_SHR_CN),ou=$(AD_USR_OU),$(AD_BASE)
+cn: $(AD_SHR_CN)
 objectClass: inetOrgPerson
 objectClass: kopano-user
-sn: $(LDAP_TEST_SHR)
-uid: $(LDAP_TEST_SHR)
-mail: $(LDAP_TEST_SHR)@$(MAIL_DOMAIN)
+sn: $(AD_SHR_CN)
+uid: $(AD_SHR_CN)
+mail: $(AD_SHR_CN)@$(MAIL_DOMAIN)
 kopanoAccount: 1
 kopanoSharedStoreOnly: 1

-dn: uid=$(LDAP_TEST_PUB),ou=$(LDAP_USEROU),$(LDAP_BASE)
-changetype: add
-cn: $(LDAP_TEST_PUB)
-objectClass: top
+dn: uid=$(AD_PUB_CN),ou=$(AD_USR_OU),$(AD_BASE)
+cn: $(AD_PUB_CN)
 objectClass: inetOrgPerson
 objectClass: kopano-user
-sn: $(LDAP_TEST_PUB)
-uid: $(LDAP_TEST_PUB)
-mail: $(LDAP_TEST_PUB)@$(MAIL_DOMAIN)
+sn: $(AD_PUB_CN)
+uid: $(AD_PUB_CN)
+mail: $(AD_PUB_CN)@$(MAIL_DOMAIN)
 kopanoAccount: 1
 kopanoHidden: 1
 kopanoSharedStoreOnly: 1
 kopanoResourceType: publicFolder:Public Stores/public
-
 endef
-export LDIF_ADD_STO

 auth-mod_conf:
-	echo "$$LDIF_MOD_CONF" | docker-compose exec -T auth ldap modify
+	echo "$$LDIF_MOD_CONF" | docker-compose exec -T auth ldapmodify -Q

 auth-add_data:
-	echo "$$LDIF_ADD_DATA" | docker-compose exec -T auth ldap modify
-
-auth-add_sto:
-	echo "$$LDIF_ADD_STO" | docker-compose exec -T auth ldap modify
+	echo "$$LDIF_ADD_DATA" | docker-compose exec -T auth ldapadd -Q

 auth-add_schema:
 	docker-compose exec app zcat /usr/share/doc/kopano/kopano.ldif.gz \
-	| docker-compose exec -T auth ldapadd -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi/ -Y EXTERNAL
+	| docker-compose exec -T auth ldapadd -Q

 auth-show_conf:
-	docker-compose exec auth ldap search -b cn=config "(cn=config)"
-	docker-compose exec auth ldap search -b cn=config olcDatabase={-1}frontend
-	docker-compose exec auth ldap search -b cn=config olcDatabase={1}mdb
+	docker-compose exec auth ldapsearch -QLLLb cn=config "(cn=config)"
+	docker-compose exec auth ldapsearch -QLLLb cn=config olcDatabase={-1}frontend
+	docker-compose exec auth ldapsearch -QLLLb cn=config olcDatabase={1}mdb

 auth-show_data:
-	docker-compose exec auth ldap search -b "$(LDAP_BASE)"
+	docker-compose exec auth ldapsearch -QLLL

 auth-show_cat0:
 	docker-compose exec auth slapcat -n0
@ -228,30 +220,30 @@ mta-bayes:
 	docker-compose exec mta sh -c 'rm -f bayesian.database.gz && wget http://artinvoice.hu/spams/bayesian.database.gz && gunzip bayesian.database.gz && sa-learn --restore bayesian.database && chown -R amavis: /var/amavis/.spamassassin && rm -rf bayesian.database'

 mta-test_smtp:
-	printf "From: A tester <test@example.biz>\nTo: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message\n\nGreat news! You can receive email.\n" \
+	printf "From: A tester <test@example.biz>\nTo: <$(AD_USR_CN)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message\n\nGreat news! You can receive email.\n" \
 	| curl smtp://localhost -T - --mail-from test@example.biz \
-	--mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN) $(curl_dbg)
+	--mail-rcpt $(AD_USR_CN)@$(MAIL_DOMAIN) $(CURL_DBG)

 mta-test_smtps:
-	printf "From: A tester <test@example.biz>\nTo: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTPS test message\n\nGreat news! You can receive secure email.\n" \
+	printf "From: A tester <test@example.biz>\nTo: <$(AD_USR_CN)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTPS test message\n\nGreat news! You can receive secure email.\n" \
 	| curl smtps://localhost -T - --mail-from test@example.biz -k \
-	-u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW) \
-	--mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN) $(curl_dbg)
+	-u $(AD_USR_CN):$(AD_USR_PW) \
+	--mail-rcpt $(AD_USR_CN)@$(MAIL_DOMAIN) $(CURL_DBG)

 mta-test_smtp2:
-	printf "From: A info tester <test-info@example.biz>\nTo: <$(LDAP_TEST_USER)-info@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message \n\nGreat news! $(LDAP_TEST_USER)-info@$(MAIL_DOMAIN) can also receive email.\n" \
+	printf "From: A info tester <test-info@example.biz>\nTo: <$(AD_USR_CN)-info@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message \n\nGreat news! $(AD_USR_CN)-info@$(MAIL_DOMAIN) can also receive email.\n" \
 	| curl smtp://localhost -T - --mail-from test@example.biz \
-	--mail-rcpt $(LDAP_TEST_USER)@$(MAIL_DOMAIN) $(curl_dbg)
+	--mail-rcpt $(AD_USR_CN)@$(MAIL_DOMAIN) $(CURL_DBG)

 mta-test_shared: all-test_quiet
-	printf "From: A tester <test@example.biz>\nTo: <$(LDAP_TEST_SHR)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message\n\nGreat news! A shared store can receive email.\n" \
+	printf "From: A tester <test@example.biz>\nTo: <$(AD_SHR_CN)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message\n\nGreat news! A shared store can receive email.\n" \
 	| curl smtp://localhost -T - --mail-from test@example.biz \
-	--mail-rcpt $(LDAP_TEST_SHR)@$(MAIL_DOMAIN) $(curl_dbg)
+	--mail-rcpt $(AD_SHR_CN)@$(MAIL_DOMAIN) $(CURL_DBG)

 mta-test_public: all-test_quiet
-	printf "From: A tester <test@example.biz>\nTo: <$(LDAP_TEST_PUB)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message\n\nGreat news! A public store can receive email.\n" \
+	printf "From: A tester <test@example.biz>\nTo: <$(AD_PUB_CN)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A SMTP test message\n\nGreat news! A public store can receive email.\n" \
 	| curl smtp://localhost -T - --mail-from test@example.biz \
-	--mail-rcpt $(LDAP_TEST_PUB)@$(MAIL_DOMAIN) $(curl_dbg)
+	--mail-rcpt $(AD_PUB_CN)@$(MAIL_DOMAIN) $(CURL_DBG)

 mta-razor:
 	docker-compose exec mta run amavis_register_razor
@ -291,19 +283,16 @@ mta-show_mailq:
 mta-flush_mailq:
 	docker-compose exec mta postqueue -f

-mta-hostaddr:
-	$(eval myhost := $(call _ip,$(COMPOSE_PROJECT_NAME)_mta_1))
-
 mta-test_auth:
-	docker-compose exec mta doveadm auth test $(LDAP_TEST_USER) $(LDAP_TEST_USERPW)
+	docker-compose exec mta doveadm auth test $(AD_USR_CN) $(AD_USR_PW)

 mta-test_imap: mta-hostaddr
-	curl imap://$(myhost) -X CAPABILITY
-	curl imap://$(myhost) -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW)
+	curl imap://$(myhost) -X CAPABILITY $(CURL_DBG)
+	curl imap://$(myhost) -u $(AD_USR_CN):$(AD_USR_PW) $(CURL_DBG)

 mta-test_rimap:
 	docker-compose exec mta curl imap://app -X CAPABILITY
-	docker-compose exec mta curl imap://app -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW)
+	docker-compose exec mta curl imap://app -u $(AD_USR_CN):$(AD_USR_PW)

 mta-test_ldap: mta-debugtools
 	docker-compose exec mta ldapsearch -H ldap://auth:389 -xLLL -s base namingContexts
@ -323,7 +312,7 @@ db-gui-up:
 db-gui-down:
 	docker rm -f db-gui || true

-app-init: #wait_92 app-public_store
+app-init: app-public_store app-create_smime

 app-debugtools:
 	docker-compose exec app apt-get update
@ -333,54 +322,51 @@ app-debugtools:
 app-htop: app-debugtools
 	docker-compose exec app htop

-app-man_server:
-	docker-compose exec app man kopano-server.cfg
-
-app-man_ldap:
-	docker-compose exec app man kopano-ldap.cfg
-
-app-hostaddr:
-	$(eval myhost := $(call _ip,$(COMPOSE_PROJECT_NAME)_app_1))
-
 app-test_smtp: mta-test_smtp

 app-test_lmtp: app-hostaddr
-	printf "LHLO mx\nMAIL FROM: <test@example.biz>\nRCPT TO: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDATA\nFrom: A tester <test@example.biz>\nTo: <$(LDAP_TEST_USER)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A LMTP test message from me to you\n\nDelete me, please \n.\nQUIT\n" | nc -C $(myhost) 2003
+	printf "LHLO mx\nMAIL FROM: <test@example.biz>\nRCPT TO: <$(AD_USR_CN)@$(MAIL_DOMAIN)>\nDATA\nFrom: A tester <test@example.biz>\nTo: <$(AD_USR_CN)@$(MAIL_DOMAIN)>\nDate: $$(date)\nSubject: A LMTP test message from me to you\n\nDelete me, please \n.\nQUIT\n" | nc -C $(myhost) 2003

 app-test_all: all-test_muted app-test_imap app-test_pop3 app-test_ical app-test_imaps app-test_pop3s app-test_icals

 app-test_imap: app-hostaddr
-	curl imap://$(myhost) -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW) $(curl_dbg)
+	curl imap://$(myhost) -u $(AD_USR_CN):$(AD_USR_PW) $(CURL_DBG)

 app-test_imaps: app-hostaddr
-	curl imaps://$(myhost) -k -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW) $(curl_dbg)
+	curl imaps://$(myhost) -k -u $(AD_USR_CN):$(AD_USR_PW) $(CURL_DBG)

 app-test_pop3: app-hostaddr
-	curl pop3://$(myhost) -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW) $(curl_dbg)
+	curl pop3://$(myhost) -u $(AD_USR_CN):$(AD_USR_PW) $(CURL_DBG)

 app-test_pop3s: app-hostaddr
-	curl pop3s://$(myhost) -k -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW) $(curl_dbg)
+	curl pop3s://$(myhost) -k -u $(AD_USR_CN):$(AD_USR_PW) $(CURL_DBG)

 app-test_ical: app-hostaddr
-	curl http://$(myhost):8080 -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW) $(curl_dbg)
+	curl http://$(myhost):8080 -u $(AD_USR_CN):$(AD_USR_PW) $(CURL_DBG)

 app-test_icals: app-hostaddr
-	curl https://$(myhost):8443 -k -u $(LDAP_TEST_USER):$(LDAP_TEST_USERPW) $(curl_dbg)
+	curl https://$(myhost):8443 -k -u $(AD_USR_CN):$(AD_USR_PW) $(CURL_DBG)

 app-test_tls: app-hostaddr
 	docker run --rm -it --network demo_backend drwetter/testssl.sh app:993 || true

+app-test_oof1:
+	docker-compose exec app kopano-oof -u $(AD_USR_CN) -m 1 -t "Dunno when I return"
+
+app-test_oof0:
+	docker-compose exec app kopano-oof -u $(AD_USR_CN) -m 0
+
 app-show_user1:
-	docker-compose exec app kopano-admin --details $(LDAP_TEST_USER)
+	docker-compose exec app kopano-admin --details $(AD_USR_CN)

 app-show_user2: app-debugtools
-	docker-compose exec app ldapsearch -H ldap://auth:389 -xLLL -b $(LDAP_BASE) '*'
+	docker-compose exec app ldapsearch -H ldap://auth:389 -xLLL -b $(AD_BASE) '*'

 app-show_sync:
 	docker-compose exec app z-push-top

 app-create_store:
-	docker-compose exec app kopano-admin --create-store $(LDAP_TEST_USER)
+	docker-compose exec app kopano-admin --create-store $(AD_USR_CN)

 app-public_store:
 	docker-compose exec app kopano-storeadm -P
@ -388,44 +374,16 @@ app-public_store:
 $(addprefix app-parms_,archiver dagent gateway ical ldap search server spamd spooler):
 	docker-compose exec app run list_parms $(patsubst app-parms_%,%,$@)

-app-create_smime: all-create_smime ssl/ca.crt
+app-create_smime: all-create_smime
 	docker cp ssl/ca.crt $$(docker-compose ps -q app):/usr/local/share/ca-certificates/$(MAIL_DOMAIN)_CA.crt
 	docker-compose exec app update-ca-certificates

 all-test_quiet:
-	$(eval curl_dbg := -s -S )
+	$(eval CURL_DBG := -s -S )

 all-test_muted:
-	$(eval curl_dbg := -s -S >/dev/null || true)
+	$(eval CURL_DBG := -s -S >/dev/null || true)

-all-create_smime: ssl/$(LDAP_TEST_USER).smime.p12
+all-create_smime: ssl/$(AD_USR_CN).p12

-all-destroy_smime:
-	rm -rf ssl
-
-#.PRECIOUS: %.key %.crt %.smime.crt
-
-%.p12: %.crt
-	openssl pkcs12 -export -in $< -inkey $*.key -out $@ \
-	-passout pass:$(LDAP_TEST_USERPW)
-
-%.csr: %.key
-	openssl req -new -key $< -out $@ \
-	-subj "/O=$(MAIL_DOMAIN)/CN=$(LDAP_TEST_USER)/emailAddress=$(LDAP_TEST_USER)@$(MAIL_DOMAIN)"
-
-%.smime.crt: %.smime.csr ssl/ca.crt
-	openssl x509 -req -in $< -CA $(@D)/ca.crt -CAkey $(@D)/ca.key -out $@ \
-	-setalias "Self Signed SMIME" -addtrust emailProtection \
-	-addreject clientAuth -addreject serverAuth -trustout \
-	-CAcreateserial
-
-%.crt: %.key
-	openssl req -x509 -batch -key $< -out $@ \
-	-subj "/O=$(MAIL_DOMAIN)"
-
-%.key: ssl
-	openssl genrsa -out $@
-	chmod a+r $@
-
-ssl:
-	mkdir -p $@
+all-destroy_smime: ssl-destroy
--- a/demo/ad.mk
+++ b/demo/ad.mk
@ -0,0 +1 @@
+../test/ad.mk
--- a/demo/dkr.mk
+++ b/demo/dkr.mk
@ -0,0 +1 @@
+../test/dkr.mk
--- a/demo/docker-compose.yml
+++ b/demo/docker-compose.yml
@ -22,9 +22,9 @@ services:
      - LDAP_URI=ldap://auth:389/
      - MYSQL_HOST=db
      - SMTP_SERVER=mta
-      - LDAP_SEARCH_BASE=${LDAP_BASE-dc=example,dc=com}
-      - LDAP_USER_TYPE_ATTRIBUTE_VALUE=${LDAP_USEROBJ-posixAccount}
-      - LDAP_GROUP_TYPE_ATTRIBUTE_VALUE=${LDAP_GROUPOBJ-posixGroup}
+      - LDAP_SEARCH_BASE=${AD_BASE-dc=example,dc=com}
+      - LDAP_USER_TYPE_ATTRIBUTE_VALUE=${AD_USR_OB-kopano-user}
+      - LDAP_GROUP_TYPE_ATTRIBUTE_VALUE=${AD_GRP_OB-kopano-group}
      - LDAP_GROUPMEMBERS_ATTRIBUTE_TYPE=dn
      - LDAP_PROPMAP=
      - DAGENT_PLUGINS=movetopublicldap
@ -67,8 +67,8 @@ services:
      - SMTP_TLS_SECURITY_LEVEL=${SMTP_TLS_SECURITY_LEVEL-}
      - SMTP_TLS_WRAPPERMODE=${SMTP_TLS_WRAPPERMODE-no}
      - SMTPD_USE_TLS=yes
-      - LDAP_USER_BASE=ou=${LDAP_USEROU-users},${LDAP_BASE-dc=example,dc=com}
-      - LDAP_QUERY_FILTER_USER=(&(objectclass=${LDAP_USEROBJ-posixAccount})(mail=%s))
+      - LDAP_USER_BASE=ou=${AD_USR_OU-users},${AD_BASE-dc=example,dc=com}
+      - LDAP_QUERY_FILTER_USER=(&(objectclass=${AD_USR_OB-kopano-user})(mail=%s))
      - LDAP_QUERY_ATTRS_PASS=uid=user
      - REGEX_ALIAS=${REGEX_ALIAS-}
      - DKIM_SELECTOR=${DKIM_SELECTOR-default}
@ -100,11 +100,13 @@ services:
      - /etc/localtime:/etc/localtime:ro        # Use host timezone

  auth:
-    image: mlan/openldap
+    image: mlan/openldap:2
    networks:
      - backend
+    command: --root-cn ${AD_ROOT_CN-admin} --root-pw ${AD_ROOT_PW-secret}
    environment:
-      - LDAP_LOGLEVEL=parse
+      - LDAPBASE=${AD_BASE-dc=example,dc=com}
+      - LDAPDEBUG=${AD_DEBUG-parse}
    volumes:
      - auth:/srv
      - /etc/localtime:/etc/localtime:ro        # Use host timezone
--- a/demo/ssl.mk
+++ b/demo/ssl.mk
@ -0,0 +1 @@
+../test/ssl.mk
--- a/test/.gitignore
+++ b/test/.gitignore
@ -1,3 +1 @@
 local.*
-ssl
-acme
--- a/test/Makefile
+++ b/test/Makefile
@ -3,35 +3,19 @@
 IMG_REPO ?= mlan/kopano
 IMG_VER  ?= latest
 _ver      = $(if $(findstring latest,$(1)),$(2),$(1)-$(2))
-_ip       = $(shell docker inspect -f \
-	'{{range .NetworkSettings.Networks}}{{println .IPAddress}}{{end}}' \
-	$(1) | head -n1)
-
-TST_NAME ?= test
-SSL_KEYF ?= priv_key.pem
-SSL_CRTF ?= cert.pem
-SSL_CRTD ?= 30
-SSL_ACMF ?= acme.json
-TST_SSLD ?= ssl
-TST_ACMD ?= acme
-TST_KEY  ?= $(TST_SSLD)/$(SSL_KEYF)
-TST_CERT ?= $(TST_SSLD)/$(SSL_CRTF)
-TST_ACME ?= $(TST_ACMD)/$(SSL_ACMF)

 NET_NAME ?= test-net
 NET_ENV  ?= --network $(NET_NAME)

-LDAP_BAS ?= dc=example,dc=com
-LDAP_UOU ?= users
-LDAP_UOB ?= posixAccount
-LDAP_GOU ?= groups
-LDAP_FOU ?= "(&(objectclass=$(LDAP_UOB))(mail=%s))"
-LDAP_FPW ?= "(&(objectclass=$(LDAP_UOB))(uid=%u))"
-LDAP_APW ?= uid=user
+AD_BASE  ?= dc=example,dc=com
+AD_DOM   ?= $(call ad_sub_dot, $(AD_BASE))
+AD_DC    ?= $(call ad_cut_dot, 1, 1, $(AD_DOM))
+AD_GRP_OU ?= groups
+AD_USR_OB ?= kopano-user
+AD_USR_OU ?= users
+AD_USR_CN ?= hero
+AD_USR_PW ?= enigma

-MAIL_DOM ?= example.com
-MAIL_US1 ?= hero
-MAIL_PW1 ?= enigma
 MAIL_SUB ?= ~~~test~message~~~
 MAIL_MSG ?= Enjoy!

@ -46,10 +30,10 @@ SQL_ENV  ?= \
 -e MYSQL_PASSWORD=$(SQL_PASS) \

 APP_NAME ?= app
-APP_IMG  ?=
-APP_FQDN ?= $(APP_NAME).$(MAIL_DOM)
+APP_FQDN ?= $(APP_NAME).$(AD_DOM)
+APP_CERT ?= ssl/$(APP_FQDN).crt
+APP_KEY  ?= ssl/$(APP_FQDN).key
 APP_VOL  ?=
-APP_SSLD ?= /etc/kopano/ssl
 APP_SLOG ?= 7
 APP_ALOG ?= 6
 APP_ENV  ?= $(NET_ENV) $(SQL_ENV) \
@ -58,9 +42,9 @@ APP_ENV  ?= $(NET_ENV) $(SQL_ENV) \
 -e MYSQL_HOST=$(DB_NAME) \
 -e USER_PLUGIN=ldap \
 -e LDAP_URI=ldap://$(AUT_NAME):389/ \
-e LDAP_SEARCH_BASE=$(LDAP_BAS) \
-e LDAP_USER_TYPE_ATTRIBUTE_VALUE=$(LDAP_UOB) \
-e LDAP_GROUP_TYPE_ATTRIBUTE_VALUE=$(LDAP_GOU) \
+-e LDAP_SEARCH_BASE=$(AD_BASE) \
+-e LDAP_USER_TYPE_ATTRIBUTE_VALUE=$(AD_USR_OB) \
+-e LDAP_GROUP_TYPE_ATTRIBUTE_VALUE=$(AD_GRP_OU) \
 -e LDAP_PROPMAP= \
 -e IMAP_LISTEN=*:143 \
 -e POP3_LISTEN=*:110 \
@ -73,21 +57,22 @@ APPS_ENV ?= $(APP_ENV) \
 -e IMAPS_LISTEN=*:993 \
 -e POP3S_LISTEN=*:995 \
 -e ICALS_LISTEN=*:8443
-APPF_ENV ?= $(APPS_ENV) \
-v $(shell pwd)/$(TST_SSLD):/$(APP_SSLD)
 APPA_ENV ?= $(APPS_ENV) \
-v $(shell pwd)/$(TST_ACMD):/$(TST_ACMD)
-
-#-p "127.0.0.1:2003:2003"
+-v $(shell pwd)/acme:/acme

 AUT_NAME ?= auth
 AUT_IMG  ?= mlan/openldap
-AUT_FQDN ?= $(AUT_NAME).$(MAIL_DOM)
+AUT_FQDN ?= $(AUT_NAME).$(AD_DOM)
 AUT_VOL  ?=
 AUT_ENV  ?= $(NET_ENV) \
 --name $(AUT_NAME) \
 --hostname $(AUT_FQDN)

+TAW_NAME ?= throwaway
+TAW_ENV  ?= --entrypoint /bin/bash \
+--name $(TAW_NAME) \
+--rm
+
 CURL_OPT ?= -s -v
 CURL_IMG ?= curlimages/curl
 CURL_ENV ?= $(NET_ENV) \
@ -95,7 +80,7 @@ CURL_ENV ?= $(NET_ENV) \

 DB_NAME  ?= db
 DB_IMG   ?= mariadb
-DB_FQDN  ?= $(DB_NAME).$(MAIL_DOM)
+DB_FQDN  ?= $(DB_NAME).$(AD_DOM)
 DB_VOL   ?=
 DB_CMD   ?= --log_warnings=1
 DB_ENV   ?= $(NET_ENV) $(SQL_ENV) \
@ -110,6 +95,33 @@ TST_W8S2 ?= 20
 TST_W8L1 ?= 20
 TST_W8L2 ?= 120

+export define LDIF_ADD_DATA
+dn: $(AD_BASE)
+objectClass: organization
+objectClass: dcObject
+dc: $(AD_DC)
+o: $(AD_DOM)
+
+dn: ou=$(AD_USR_OU),$(AD_BASE)
+objectClass: organizationalUnit
+ou: $(AD_USR_OU)
+
+dn: ou=$(AD_GRP_OU),$(AD_BASE)
+objectClass: organizationalUnit
+ou: $(AD_GRP_OU)
+
+dn: uid=$(AD_USR_CN),ou=$(AD_USR_OU),$(AD_BASE)
+objectClass: inetOrgPerson
+objectClass: $(AD_USR_OB)
+cn: $(AD_USR_CN)
+sn: $(AD_USR_CN)
+uid: $(AD_USR_CN)
+mail: $(AD_USR_CN)@$(AD_DOM)
+kopanoAccount: 1
+userPassword: $(AD_USR_PW)
+endef
+
+
 variables:
 	make -pn | grep -A1 "^# makefile"| grep -v "^#\|^--" | sort | uniq

@ -121,6 +133,7 @@ test-all: test-up_0 test_1 test_2 test_3

 test_%: test-up_% test-waitl_% test-logs_% test-service_% test-down_%
 	
+
 test-pull:
 	$(addprefix docker pull ,$(CURL_IMG); $(AUT_IMG); $(DB_IMG))

@ -145,12 +158,12 @@ test-up_0: test-up-net
 	sleep $(TST_W8S1)
 	#
 	#
-	# test (0) successful
+	# test (0) success ☺
 	#
 	#
 	#

-test-up_1: test-up-net test-up-auth_1
+test-up_1: test-up-net test-up-deps_1 test-up-auth_1
 	#
 	#
 	#
@ -161,11 +174,9 @@ test-up_1: test-up-net test-up-auth_1
 	# recv: curl imap://app
 	#
 	#
-	docker run -d $(DB_ENV) $(DB_VOL) $(DB_IMG) $(DB_CMD)
-	sleep $(TST_W8L1)
 	docker run -d $(APP_ENV) $(APP_VOL) $(IMG_REPO):$(call _ver,$(IMG_VER),core)

-test-up_2: test-up-net test-up-auth_2 $(TST_CERT)
+test-up_2: test-up-net test-up-deps_2 test-up-auth_2
 	#
 	#
 	#
@ -176,11 +187,9 @@ test-up_2: test-up-net test-up-auth_2 $(TST_CERT)
 	# recv: curl imaps://app
 	#
 	#
-	docker run -d $(DB_ENV) $(DB_VOL) $(DB_IMG) $(DB_CMD)
-	sleep $(TST_W8L1)
-	docker run -d $(APPF_ENV) $(APP_VOL) $(IMG_REPO):$(call _ver,$(IMG_VER),core)
+	docker run -d $(APPS_ENV) $(APP_VOL) $(IMG_REPO):$(call _ver,$(IMG_VER),core)

-test-up_3: test-up-net test-up-auth_3 $(TST_ACME)
+test-up_3: test-up-net test-up-deps_3 test-up-auth_3 acme/acme.json
 	#
 	#
 	#
@ -192,8 +201,6 @@ test-up_3: test-up-net test-up-auth_3 $(TST_ACME)
 	# web: curl http://app
 	#
 	#
-	docker run -d $(DB_ENV) $(DB_VOL) $(DB_IMG) $(DB_CMD)
-	sleep $(TST_W8L1)
 	docker run -d $(APPA_ENV) $(APP_VOL) $(IMG_REPO):$(call _ver,$(IMG_VER),full)

 test-up: test-up_1
@ -203,7 +210,7 @@ test-service: test-service_0
 test-service_%: test-pop3_% test-imap_% test-http_%
 	#
 	#
-	# test ($*) successful
+	# test ($*) success ☺
 	#
 	#
 	#
@ -230,19 +237,24 @@ test-down: test-down_0
 	docker network rm $(NET_NAME) 2>/dev/null || true

 test-down_%:
-	docker rm -fv $(APP_NAME) $(DB_NAME) $(AUT_NAME) 2>/dev/null || true
-	if [ $* -ge 0 ]; then sleep $(TST_W8S1); fi
+	@docker rm -fv $(APP_NAME) $(DB_NAME) $(AUT_NAME) $(TAW_NAME)  2>/dev/null || true
+	@if [ $* -ge 0 ]; then sleep $(TST_W8S1); fi
+
+test-up-deps_%:
+	docker run -d $(DB_ENV) $(DB_VOL) $(DB_IMG) $(DB_CMD)
+	docker run -d $(AUT_ENV) $(AUT_VOL) $(AUT_IMG)

 test-up-auth_%:
-	docker run -d $(AUT_ENV) $(AUT_VOL) $(AUT_IMG)
 	sleep $(TST_W8L1)
-	printf "dn: ou=$(LDAP_UOU),$(LDAP_BAS)\nchangetype: add\nobjectClass: organizationalUnit\nobjectClass: top\nou: $(LDAP_UOU)\n\ndn: ou=$(LDAP_GOU),$(LDAP_BAS)\nchangetype: add\nobjectClass: organizationalUnit\nobjectClass: top\nou: $(LDAP_GOU)\n\ndn: uid=$(MAIL_US1),ou=$(LDAP_UOU),$(LDAP_BAS)\nchangetype: add\nobjectClass: top\nobjectClass: inetOrgPerson\nobjectClass: $(LDAP_UOB)\ncn: $(MAIL_US1)\nsn: $(MAIL_US1)\nuid: $(MAIL_US1)\nmail: $(MAIL_US1)@$(MAIL_DOM)\nuidNumber: 1234\ngidNumber: 1234\nhomeDirectory: /home/$(MAIL_US1)\nuserPassword: $(MAIL_PW1)\n" \
-	| docker exec -i $(AUT_NAME) ldap modify
+	docker run $(TAW_ENV) $(IMG_REPO):$(call _ver,$(IMG_VER),core) \
+	zcat /usr/share/doc/kopano/kopano.ldif.gz \
+	| docker exec -i $(AUT_NAME) ldapadd -Q
+	echo "$$LDIF_ADD_DATA" | docker exec -i $(AUT_NAME) ldapadd -Q

 test-lmtp: test-lmtp_0
 test-lmtp_%:
-	printf "LHLO mx\nMAIL FROM: <test@example.biz>\nRCPT TO: <$(MAIL_US1)@$(MAIL_DOM)>\nDATA\nFrom: A tester <test@example.biz>\nTo: <$(MAIL_US1)@$(MAIL_DOM)>\nDate: $$(date)\nSubject: $(MAIL_SUB)$*\n$(MAIL_MSG)$*\n.\nQUIT\n"\
-	| nc -C $(call _ip,$(APP_NAME)) 2003 # > /dev/null
+	printf "LHLO mx\nMAIL FROM: <test@example.biz>\nRCPT TO: <$(AD_USR_CN)@$(AD_DOM)>\nDATA\nFrom: A tester <test@example.biz>\nTo: <$(AD_USR_CN)@$(AD_DOM)>\nDate: $$(date)\nSubject: $(MAIL_SUB)$*\n$(MAIL_MSG)$*\n.\nQUIT\n"\
+	| nc -C $(call dkr_cnt_ip,$(APP_NAME)) 2003 # > /dev/null
 #	| nc -C localhost 2003 # > /dev/null
 	case $* in [1-3]) sleep $(TST_W8S1);; [4-9]) sleep $(TST_W8S2);; esac

@ -255,13 +267,13 @@ test-imap: test-imap_0
 test-imaps: test-imap_9
 test-imap_%: test-cfg_% test-lmtp_%
 	docker run $(CURL_ENV) $(CURL_IMG) $(CURL_OPT) imap$(cfg_s)://$(APP_NAME)/inbox \
-	--ssl --anyauth -k -X "fetch 1 all" -u $(MAIL_US1):$(MAIL_PW1) | grep $(GREP_ENV) $(MAIL_SUB)$*
+	--ssl --anyauth -k -X "fetch 1 all" -u $(AD_USR_CN):$(AD_USR_PW) | grep $(GREP_ENV) $(MAIL_SUB)$*

 test-pop3: test-pop3_0
 test-pop3s: test-pop3_9
 test-pop3_%: test-cfg_% test-lmtp_%
 	docker run $(CURL_ENV) $(CURL_IMG) $(CURL_OPT) pop3$(cfg_s)://$(APP_NAME)/1 \
-	--ssl --anyauth -k -u $(MAIL_US1):$(MAIL_PW1) | grep $(GREP_ENV) $(MAIL_SUB)$*
+	--ssl --anyauth -k -u $(AD_USR_CN):$(AD_USR_PW) | grep $(GREP_ENV) $(MAIL_SUB)$*

 test-http: test-http_9
 test-http_%: test-cfg_%
@ -295,22 +307,8 @@ test-htop: test-debugtools
 test-tls: #--starttls imap
 	docker run --rm -it $(NET_ENV) drwetter/testssl.sh $(APP_NAME):993 || true

-test-ssl-gen: $(TST_ACME)
+acme-destroy: ssl-destroy
+	rm -f acme/*

-test-ssl-rm:
-	rm -rf $(TST_SSLD) $(TST_ACMD)
-#	rm $(TST_KEY) $(TST_CRT) $(TST_ACME)
-
-$(TST_ACME): $(TST_ACMD) $(TST_CERT)
-	bin/gen-acme-json.sh $(MAIL_US1)@$(MAIL_DOM) $(APP_FQDN) $(TST_KEY) $(TST_CERT) > $(TST_ACME)
-
-$(TST_CERT): $(TST_KEY)
-	openssl req -x509 -utf8 -new -batch -days $(SSL_CRTD) \
-	-subj "/CN=$(APP_FQDN)" -key $(TST_KEY) -out $@
-
-$(TST_KEY): $(TST_SSLD)
-	openssl genrsa -out $@
-	chmod a+r $@
-
-$(TST_SSLD) $(TST_ACMD):
-	mkdir -p $@
+acme/acme.json: $(APP_CERT)
+	bin/gen-acme-json.sh $(AD_USR_CN)@$(AD_DOM) $(APP_FQDN) $(APP_KEY) $(APP_CERT) > $@
--- a/test/acme/.gitignore
+++ b/test/acme/.gitignore
@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
--- a/test/ad.mk
+++ b/test/ad.mk
@ -0,0 +1,38 @@
+# ad.mk
+#
+# AD and LDAP   make-functions
+#
+
+#
+# chars
+#
+char_null  :=
+char_space := $(char_null) #
+char_comma := ,
+char_dot   := .
+char_colon := :
+
+#
+# $(call ad_sub_dc,example.com) -> dc=example,dc=com
+#
+ad_sub_dc   = $(subst $(char_space),$(char_comma),$(addprefix dc=, $(subst ., ,$(1))))
+#
+# $(call ad_sub_dot,dc=example,dc=com) -> example.com
+#
+ad_sub_dot  = $(subst $(char_comma)dc=,$(char_dot),$(patsubst dc=%,%,$(1)))
+#
+# $(call ad_cat_dn,admin,dc=example,dc=com) -> cn=admin,dc=example,dc=com
+#
+ad_cat_dn   = cn=$(1),$(2)
+#
+# $(call ad_cut_dot,1,1,example.com) -> example
+#
+ad_cut_dot  = $(subst $(char_space),$(char_dot),$(wordlist $(1), $(2), $(subst $(char_dot),$(char_space),$(3))))
+#
+# $(call ad_rootdc,2,9,adm.dom.org:secret) -> dom.org
+#
+ad_rootdc   = $(subst $(char_space),$(char_dot),$(wordlist $(1), $(2), $(subst $(char_dot),$(char_space),$(firstword $(subst $(char_colon),$(char_space),$(3))))))
+#
+# $(call ad_rootpw,adm.dom.org:secret) -> secret
+#
+ad_rootpw   = $(lastword $(subst $(char_colon),$(char_space),$(1)))
--- a/test/bin/gen-acme-json.sh
+++ b/test/bin/gen-acme-json.sh
@ -5,6 +5,13 @@ host=$2
 keyfile=$3
 certfile=$4

+#
+# The "PrivateKey": attribute needs a PKCS#1 key without tags and line breaks
+# "openssl req -newkey rsa" generates a key stored in PKCS#8 so needs conversion
+#
+#acme_strip_tag() { openssl rsa -in $1 | sed '/^-----/d' | sed ':a;N;$!ba;s/\n//g' ;}
+acme_strip_tag() { sed '/^-----/d' $1 | sed ':a;N;$!ba;s/\n//g' ;}
+
 cat <<-!cat
 {
  "Account": {
@ -18,7 +25,7 @@ cat <<-!cat
      },
      "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/$RANDOM"
    },
-    "PrivateKey": "$(sed '/^-----/d' $keyfile | sed ':a;N;$!ba;s/\n//g')",
+    "PrivateKey": "$(acme_strip_tag $keyfile)",
    "KeyType": "2048"
  },
  "Certificates": [
--- a/test/dkr.mk
+++ b/test/dkr.mk
@ -0,0 +1,34 @@
+# dkr.mk
+#
+# Container   make-functions
+#
+
+#
+# $(call dkr_srv_cnt,app) -> d03dda046e0b90c...
+#
+dkr_srv_cnt = $(shell docker-compose ps -q $(1) | head -n1)
+#
+# $(call dkr_cnt_ip,demo_app_1) -> 172.28.0.3
+#
+dkr_cnt_ip   = $(shell docker inspect -f \
+	'{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' \
+	$(1) | head -n1)
+#
+# $(call dkr_srv_ip,app) -> 172.28.0.3
+#
+dkr_srv_ip   = $(shell docker inspect -f \
+	'{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' \
+	$$(docker-compose ps -q $(1)) | head -n1)
+#
+#cnt_ip_old = $(shell docker inspect -f \
+#	'{{range .NetworkSettings.Networks}}{{println .IPAddress}}{{end}}' \
+#	$(1) | head -n1)
+
+#
+# List IPs of containers
+#
+ip-list:
+	@for srv in $$(docker ps --format "{{.Names}}"); do \
+	echo $$srv $$(docker inspect -f \
+	'{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $$srv); \
+	done | column -t
--- a/test/ssl.mk
+++ b/test/ssl.mk
@ -0,0 +1,125 @@
+# ssl.mk
+#
+# SSL and TLS   make-functions
+#
+
+SSL_O    ?= example.com
+SSL_KEY  ?= rsa:2048 # rsa:2048 rsa:4096
+SSL_MAIL ?=
+SSL_PASS ?= secret
+SSL_SAN  ?=
+SSL_TRST ?=
+
+#
+# Usage: OpenLDAP
+#
+#SSL_O     = $(AD_DOM)
+#target: ssl/auth.crt ssl/demo.crt
+
+#
+# Usage: SMIME
+#
+#SSL_O     = $(MAIL_DOMAIN)
+#SSL_MAIL  = auto
+#SSL_PASS  = $(AD_USR_PW)
+##SSL_TRST  = $(SSL_SMIME)
+#target: ssl/$(AD_USR_CN)@$(MAIL_DOMAIN).p12
+SSL_SMIME =  -setalias "Self Signed SMIME" -addtrust emailProtection \
+	-addreject clientAuth -addreject serverAuth
+
+#
+# Usage: SUbject Alternate Name SAN
+#
+#SSL_O     = example.com
+#SSL_SAN   = "subjectAltName=DNS:auth,DNS:*.docker"
+#target: ssl/auth.crt
+
+
+#
+# $(call ssl_subj,root,example.com,) -> -subj "/CN=root/O=example.com"
+# $(call ssl_subj,root,example.com,auto) -> -subj "/CN=root/O=example.com/emailAddress=root@example.com"
+# $(call ssl_subj,root,example.com,admin@my.org) -> -subj "/CN=root/O=example.com/emailAddress=admin@my.org"
+#
+ssl_subj  = -subj "/CN=$(1)/O=$(2)$(if $(3),/emailAddress=$(if $(findstring @,$(3)),$(3),$(1)@$(2)),)"
+
+#
+# $(call ssl_extfile,"subjectAltName=DNS:auth") -> -extfile <(printf "subjectAltName=DNS:auth")
+#
+ssl_extfile = $(if $(1),-extfile <(printf $(1)),)
+
+
+.PRECIOUS: %.crt %.csr %.key
+SHELL   = /bin/bash
+
+#
+# Personal information exchange file PKCS#12
+#
+%.p12: %.crt
+	openssl pkcs12 -export -in $< -inkey $*.key -out $@ \
+	-passout pass:$(SSL_PASS)
+
+#
+# Certificate PEM
+#
+%.crt: %.csr ssl/ca.crt
+	openssl x509 -req -in $< -CA $(@D)/ca.crt -CAkey $(@D)/ca.key -out $@ \
+	$(call ssl_extfile,$(SSL_SAN)) $(SSL_TRST) -CAcreateserial
+
+#
+# Certificate signing request PEM
+#
+%.csr: ssl
+	openssl req -new -newkey $(SSL_KEY) -nodes -keyout $*.key -out $@ \
+	$(call ssl_subj,$(*F),$(SSL_O),$(SSL_MAIL))
+
+#
+# Certificate authority certificate PEM
+#
+ssl/ca.crt: ssl
+	openssl req -x509 -new -newkey $(SSL_KEY) -nodes -keyout ssl/ca.key -out $@ \
+	$(call ssl_subj,root,$(SSL_O),$(SSL_MAIL))
+
+#
+# SSL directory
+#
+ssl:
+	mkdir -p $@
+
+#
+# Remove all files in SSL directory
+#
+ssl-destroy:
+	rm -f ssl/*
+
+#
+# Inspect all files in SSL directory
+#
+ssl-list:
+	@for file in $$(ls ssl/*); do \
+	case $$file in \
+	*.crt) \
+	printf "\e[33;1m%s\e[0m\n" $$file; \
+	openssl x509 -noout -issuer -subject -ext basicConstraints,keyUsage,extendedKeyUsage,subjectAltName -in $$file;; \
+	*.csr) \
+	printf "\e[33;1m%s\e[0m\n" $$file; \
+	openssl req -noout -subject -in $$file;; \
+	*.key) \
+	printf "\e[33;1m%s\e[0m\n" $$file; \
+	openssl rsa -text -noout -in $$file | head -n 1;; \
+	esac \
+	done
+
+ssl-inspect:
+	@for file in $$(ls ssl/*); do \
+	case $$file in \
+	*.crt) \
+	printf "\e[33;1m%s\e[0m " $$file; \
+	openssl x509 -text -noout -certopt no_sigdump,no_pubkey -in $$file;; \
+	*.csr) \
+	printf "\e[33;1m%s\e[0m " $$file; \
+	openssl req -text -noout -reqopt no_sigdump,no_pubkey,ext_default -in $$file;; \
+	*.key) \
+	printf "\e[33;1m%s\e[0m " $$file; \
+	openssl rsa -text -noout -in $$file | head -n 1;; \
+	esac \
+	done
--- a/test/ssl/.gitignore
+++ b/test/ssl/.gitignore
@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore