Introduction
A quick guide to get you up to speed regarding the (open)LDAP backend for Kopano Groupware Core
Tested
This guide has been tested on Debian 7, 8 and Ubuntu 14.04 LTS
Installation
Please note: slapd uses the hostname to "guess" the organisation name (and thus the base DN) for the LDAP directory.
In this howto we use the hostname kopano.example.local, which results in dc=example,dc=local in LDAP.
For your setup you probably want to change this to something more useful.
Install OpenLDAP
$ sudo apt-get install slapd ldap-utils
Enter LDAP administrator password twice and write it down.
Use slapcat to verify that the install derived your organisation from the hostname correctly. If that is not the case, run dpkg-reconfigure -plow slapd and set it up manually.
$ sudo slapcat
dn: dc=example,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: example.local
dc: example
structuralObjectClass: organization
entryUUID: 907f25dc-91f2-1032-97fa-b34646bf14f6
creatorsName: cn=admin,dc=example,dc=local
createTimestamp: 20130805081250Z
entryCSN: 20130805081250.289774Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=local
modifyTimestamp: 20130805081250Z

dn: cn=admin,dc=example,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9dm1rV21GdmVPbVBXTnI4blhSbE5oeVVmTTVSWm4vV2U=
structuralObjectClass: organizationalRole
entryUUID: 907fc91a-91f2-1032-97fb-b34646bf14f6
creatorsName: cn=admin,dc=example,dc=local
createTimestamp: 20130805081250Z
entryCSN: 20130805081250.293957Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=local
modifyTimestamp: 20130805081250Z
Create the placeholder for our users.
Create a file called org.ldif containing:
dn: ou=People,dc=example,dc=local
objectClass: organizationalUnit
objectClass: top
ou: People
Import the ldif file into ldap.
$ sudo ldapadd -x -D cn=admin,dc=example,dc=local -W -f org.ldif
Check if it was added with a simple search.
$ sudo ldapsearch -x -D cn=admin,dc=example,dc=local -W -b dc=example,dc=local
Download and install Kopano
Install Kopano Groupware Core using the Install How-to: Kopano Groupware Installation
Add the kopano schema to our ldap
$ zcat /usr/share/doc/kopano/kopano.ldif.gz | sudo ldapadd -H ldapi:/// -Y EXTERNAL
Add a kopano user to our ldap
Create a new ldif file called user.ldif containing the following. This user will have kopano admin rights. Note that slapd stores userPassword exactly as given, so the clear-text value below is fine for a test setup only; for anything else generate a hashed value with slappasswd and use that instead:
dn: uid=john,ou=People,dc=example,dc=local
objectClass: posixAccount
objectClass: top
objectClass: kopano-user
objectClass: inetOrgPerson
gidNumber: 1000
cn: John Doe
homeDirectory: /home/john
mail: john@example.local
uidNumber: 1000
kopanoAliases: j.doe@example.local
kopanoUserServer: kopano
uid: john
kopanoAccount: 1
kopanoAdmin: 1
sn: Doe
userPassword: john
kopanoQuotaOverride: 1
kopanoEnabledFeatures: imap
kopanoDisabledFeatures: pop3
kopanoQuotaWarn: 1000000000
kopanoQuotaSoft: 1100000000
kopanoQuotaHard: 1200000000
Import the ldif file into ldap.
$ sudo ldapadd -x -D cn=admin,dc=example,dc=local -W -f user.ldif
Verify the user anonymously.
$ sudo ldapsearch -xLLL -b dc=example,dc=local uid=john
Changing the kopano configuration
Edit /etc/kopano/server.cfg
Change the user_plugin line to the following.
user_plugin = ldap
Setup the ldap.cfg
On Kopano 8.2.0 and higher:
$ cd /etc/kopano/
$ sudo cp /usr/share/doc/kopano/example-config/ldap.cfg ldap.cfg
Then include the correct LDAP template in ldap.cfg and change the other required fields.
!include /usr/share/kopano/ldap.openldap.cfg
#!include /usr/share/kopano/ldap.active-directory.cfg
Or on Kopano versions < 8.2:
$ cd /etc/kopano/
$ sudo cp ldap.openldap.cfg ldap.cfg
For this howto we will be using anonymous binding.
Edit /etc/kopano/ldap.cfg
If you do not use anonymous bind, add your LDAP bind user and password:
ldap_bind_user =
ldap_bind_passwd =
Change the search base so it matches our organisation
ldap_search_base = dc=example,dc=local
Restart the kopano-server
$ sudo /etc/init.d/kopano-server restart
Check if kopano can get the user from LDAP
$ sudo kopano-admin -l
User list for Default(2):
	Username	Fullname	Homeserver
	------------------------------------------
	SYSTEM		SYSTEM		kopano
	john		John Doe
Let's show the details of our user john.
$ sudo kopano-admin --details john
Username:		john
Fullname:		John Doe
Emailaddress:		john@example.local
Active:			yes
Administrator:		yes
Address book:		Visible
Auto-accept meeting req:no
Mapped properties:
	PR_SURNAME		Doe
	PR_EC_ENABLED_FEATURES	imap
	PR_EC_DISABLED_FEATURES	pop3
Current user store quota settings:
	Quota overrides:	yes
	Warning level:		953.67 MB
	Soft level:		1049.04 MB
	Hard level:		1144.41 MB
Current store size:	0.00 MB
Groups (1):
	Everyone
Ldap optimization
Create a file called optimize-index.ldif containing:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn eq,sub
olcDbIndex: gidNumber eq
olcDbIndex: mail eq
olcDbIndex: memberUid eq
olcDbIndex: ou eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: kopanoAccount eq,pres
olcDbIndex: kopanoAliases eq
olcDbIndex: kopanoViewPrivilege eq
olcDbIndex: sn eq,sub
olcDbIndex: givenName eq,sub
Note: depending on the backend chosen during installation, {1}hdb may be {1}mdb instead; check with slapcat -b cn=config.
Apply the ldif to add the new indexes.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f optimize-index.ldif
Check if our new olcDbIndex keys have been added.
$ sudo slapcat -b cn=config | grep olcDbIndex:
olcDbIndex: cn eq,sub
olcDbIndex: gidNumber eq
olcDbIndex: mail eq
olcDbIndex: memberUid eq
olcDbIndex: ou eq
olcDbIndex: uid eq
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: kopanoAccount eq,pres
olcDbIndex: kopanoAliases eq
olcDbIndex: kopanoViewPrivilege eq
olcDbIndex: sn eq,sub
olcDbIndex: givenName eq,sub
You can check the slapd log for hints about additional attributes worth indexing: slapd logs a "not indexed" candidates message for every filter attribute it had to scan without an index (with the mdb backend the message reads mdb_equality_candidates instead).
$ sudo grep bdb_equality_candidates /var/log/syslog
Ldap backup and restore using slapcat / slapadd
Backup
For the configuration use -n 0, since it is the first database.
$ sudo slapcat -n 0 -l config.ldif
For the organisation use -n 1, since it is the second database.
$ sudo slapcat -n 1 -l example.local.ldif
Restore
Make sure you have stopped slapd before doing this.
You can use slapadd -n 0 and slapadd -n 1 to restore the respective databases.
$ sudo slapadd -n 0 -l config.ldif
$ sudo slapadd -n 1 -l example.local.ldif
Be careful to check that your restored databases end up in /var/lib/ldap with the correct ownership and permissions: the owner should be openldap:openldap and the mode 0600.
Disable anonymous binding
If required you can disable anonymous binding.
Taken from http://serverfault.com/questions/325912/disallow-global-anonymous-bind-with-cn-config
Changing the default behaviour
Create a file disable_anon_backend.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
Note: depending on the backend chosen during installation, {1}hdb may be {1}mdb instead.
Create a file disable_anon_frontend.ldif
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
Use ldapmodify to commit these changes.
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anon_frontend.ldif
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f disable_anon_backend.ldif
Testing if it works
After this the following anonymous search should fail.
$ sudo ldapsearch -xLLL -b dc=example,dc=local uid=john
The following authenticated search should still work.
$ sudo ldapsearch -x -D cn=admin,dc=example,dc=local -W -b dc=example,dc=local
Modify kopano ldap.cfg so the server binds with the admin account (the password is the one written down during installation):
ldap_bind_user = cn=admin,dc=example,dc=local
ldap_bind_passwd = writtendownearlier
Restart the kopano server
$ sudo service kopano-server restart
Check kopano users list
$ sudo kopano-admin -l