Skip to content

Instantly share code, notes, and snippets.

Last active May 25, 2021
What would you like to do?

Kopano Identity Manager quick start

This assumes you have obtained the kopano-kidm software by installing the package from a repository or deb file.

If not stated otherwise, all commands in this guide are run as root.

Whats Kopano Identity Manager

The kidm deamon provides a LDAP server which is easy to configure, does not have external dependencies and is tailored to work perfectly with other Kopano software.

The goal is that everyone who does not have or need an LDAP server, uses kidm.

Thus, kidm is a (read-only) drop in replacement for an existing LDAP server or does provide an LDAP server if none is there already.

Kidmd supports LDAP search, bind and unbind.

Install kidm daemon if you did not already

Eventually, the kidm daemon will show up in a public repository. For the time being you neede to be connected with Wireguard to Kopano to access the rolling release repository.

Rolling release repository

Debian 10:

cat <<EOF > /etc/apt/sources.list.d/kopano-kidm-dev.list
deb [trusted=yes] ./

Ubuntu 20.04:

cat <<EOF > /etc/apt/sources.list.d/kopano-kidm-dev.list
deb [trusted=yes] ./

Install package

apt update && apt install kopano-kidmd

The service will automatically start up.


The default base DN of kidmd is dc=kopano,dc=local. There is usually no need to change it if you don't use the LDAP data for anything else. The value needs to match to what the clients have configured.

Similarly, the default mail domain is kopano.local. Change it as needed in /etc/kopano/kidmd.cfg to match the SMTP setup.

Kidm uses ldif files for its data source and those files are by default in the /etc/kopano/kidm/ldif directory.

Add service user for LDAP access

By default, kidmd does not have any users and anonymous bind is disabled. You can enable anonynous bind support for local requests in kidmd.cfg or add a service user like this.

cat <<EOF > /etc/kopano/kidm/ldif/config.ldif
dn: cn=readonly,{{.BaseDN}}
cn: readonly
description: LDAP read only service user
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: readonly

And reload kidmd systemctl reload kopano-kidmd.

The config.ldif is for service users only and the data in there is used for bind requests only, but never returned for search requests.

Main configuration

The main directory data comes from the mail.d folder. All .ldif files in there are loaded in lexical order and parsed as templates to create the data provided by the kdidmd LDAP endpoint.

Whenever any of the ldif files are changed, added or removed, make sure to reload kidmd with systemctl reload kopano-kidmd.

Kidmd listen on by default and does not ship with and default users. Example configuration is installed (commented) and also available in the /usr/share/doc/kopano-kidmd/examples directory.

Add new users using the gen newusers command

Kidmd provides a way to create ldif data for new users using batch mode similar to the unix newusers command using the following stanard password file format:


For example, like this:

cat <<EOF | kopano-kidmd gen newusers - --min-password-strength=4 >/etc/kopano/kidm/ldif/main.d/50-users.ldif
jonas:passwordOfJonas123:::Jonas Brekke,jonas@kopano.local::
timmothy:passwordOfTimmothy456:::Timmothy Schöwalter::

This outputs an LDIF template file which you can modify as needed. When done systemctl reload kopano-kidmd to make the new users available. Keep in mind that some of the attributes must be unique.

Quick start with demo users

To add the standard Kopano demo users use the following command (you might want to remove existing ldif configuration with rm /etc/kopano/kidm/ldif/main.d/*.ldif before generating the demo users to avoid conflicts).

/usr/share/kopano-kidmd/generate-demo-users-ldif >/etc/kopano/kidm/ldif/main.d/10-main.ldif

This script generates a ldif template, which uses the global configuration values for base DN and mail domain automatically.

Replace existing OpenLDAP with kidmd

On the LDAP server export all its data using slapcat and write the resulting ldif to /etc/kopano/kidm/ldif/main.d/10-main.ldif. This is a drop in replacement and all what was in OpenLDAP is now also in kidm.

Either stop slapd and change the kidmd configuration to listen where slapd used to listen or change the clients to connect to where kidmd listens to migrate.

Assuming its all on the same server, this goes like this (you might want to remove existing ldif configuration with rm /etc/kopano/kidm/ldif/main.d/*.ldif before, to avoid conflicts).

slapcat > /etc/kopano/kidm/ldif/main.d/10-main.ldif
systemctl stop slapd
systemctl disable slapd
sed -i 's/^#ldap_listen = .*/ldap_listen =' /etc/kopano/kidmd.cfg
systemctl restart kopano-kidmd

Extra goodies

Template support

All ldif files loaded by kdidm support template syntax as defined in to allow auto generation and replacement of various values. You find example templates in /usr/share/doc/kopano-kidmd/examples/ directory as well. All the gen commands output template syntax if applicable.

Generate secure password hash using the gen passwd command

Kidm supports secure password hashing using ARGON2. To create such password hashes either use gen newusers or the interactive gen passwd which is very similar to slappasswd from OpenLDAP.

kopano-kidmd gen passwd
New password:
Re-enter new password:

Test kidmd

Since kidmd provides standard LDAP, also standard LDAP tools can be used to interact with it for testing. Run apt install ldap-utils to install LDAP commandline tools.

ldapsearch -x -H ldap:// -b "dc=kopano,dc=local" -D "cn=readonly,dc=kopano,dc=local" -w 'readonly'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment