Roundcube LDAP Setup
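#!/bin/bash
# Prepare an OpenLDAP server with a simple addressbook tree that works
# "out of the box" with Roundcube's LDAP addressbook.
#
# Steps (each one is skipped when slapacl already reports the object as
# present / writable, so the script can be re-run after a partial failure):
#   1. check that slapacl can read the static slapd config
#   2. create the base suffix entry            (as rootdn, prompts for password)
#   3. check that the rootdn may write to the suffix
#   4. create ou=$abook_name,$suffix           (as rootdn, prompts for password)
#   5. create the Roundcube bind user          (as rootdn, prompts for password)
#   6. check that the bind user may write to $base_dn (slapd.conf ACL)
#   7. create ou=$subdir_public / ou=$subdir_private (as the bind user)
#
# Requirements: slapacl and slappasswd (they read $config directly, which
# usually means running as root), ldapadd, and an ACL in slapd.conf that
# grants $bind_dn write access to $base_dn.
#
# Security notes:
#   - The bind password below is a default; change it and keep this file
#     out of version control.
#   - Passwords are passed to slappasswd (-T) and ldapadd (-y) through
#     mode-0600 temporary files instead of argv, so they do not show up
#     in `ps` output or the shell history.
#   - ldap:// with simple bind (-x) sends passwords in clear text; keep the
#     unencrypted URL for a server on the same host only (the default), or
#     switch to ldaps:// / StartTLS for a remote server.

set -u

#------------configuration--------------------------------
# the url of the openldap server
server="ldap://localhost:389"
# the static config file of openldap
config="/etc/ldap/slapd.conf"
# the LDAP base suffix and admin rootdn
# -> this must correspond with /etc/ldap/slapd.conf
suffix="dc=localhost"
rootdn="cn=admin,$suffix"
organisation="LDAP Addressbook Server"
# the addressbook base directory, bind user and password
# -> the base/bind_* fields must correspond with config/main.inc.php
abook_name="rcabook"
abook_user="rcuser"
abook_pass="rcpass"
base_dn="ou=$abook_name,$suffix"
bind_dn="cn=$abook_user,$base_dn"
bind_pass="$abook_pass"
subdir_public="public"
subdir_private="private"

#------------helpers--------------------------------------

# die MESSAGE... : print "ERROR-MESSAGE" to stderr and exit with status 1.
die() {
  printf 'ERROR-%s\n' "$*" >&2
  exit 1
}

# slapacl_says WHO BASE ATTR/LEVEL PATTERN
# Ask slapacl whether WHO gets ATTR/LEVEL on BASE and return 0 when its
# combined stdout/stderr matches the extended-regex PATTERN. slapacl reads
# the static config file, which is why it needs read access to $config.
slapacl_says() {
  local who="$1" base="$2" what="$3" pattern="$4"
  slapacl -f "$config" -D "$who" -b "$base" "$what" 2>&1 | grep -q -E -- "$pattern"
}

# allowed WHO BASE ATTR/LEVEL : true when slapacl reports ALLOWED.
allowed() {
  slapacl_says "$1" "$2" "$3" "ALLOWED"
}

# Directory holding the password files (mode 0700, removed on any exit).
secret_dir=""
cleanup() {
  [[ -n "$secret_dir" ]] && rm -rf -- "${secret_dir:?}"
}
trap cleanup EXIT

# ldif_add_as_root : add the LDIF on stdin as the rootdn.
# -W prompts interactively for the rootdn password (never put it on the
# command line); -c continues past per-entry errors such as "already
# exists" so a re-run after a partial first run does not abort early.
# stderr is left visible on purpose so the real LDAP error is shown.
ldif_add_as_root() {
  ldapadd -x -c -H "$server" -D "$rootdn" -W
}

# ldif_add_as_bind : add the LDIF on stdin as the Roundcube bind user,
# reading its password from a file (-y) instead of argv (-w).
ldif_add_as_bind() {
  ldapadd -x -H "$server" -D "$bind_dn" -y "$secret_dir/bind"
}

# create_subdir OU LABEL : create ou=OU,$base_dn as the Roundcube bind
# user unless slapacl already reports it as writable for that user.
create_subdir() {
  local ou="$1" label="$2" dn="ou=$1,$base_dn"
  allowed "$bind_dn" "$dn" ou/write && return 0
  printf '%s\n' "-create subdirectory for $label: $dn
(as Roundcube user: $bind_dn)"
  ldif_add_as_bind <<EOF || die "unable to create subdirectory!"
dn: $dn
ou: $ou
objectClass: top
objectClass: organizationalUnit
EOF
}

#------------execution------------------------------------
main() {
  local tool
  for tool in slapacl slappasswd ldapadd; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done

  printf '%s\n' "This script prepares an openLDAP server for a simple
addressbook, working \"out of the box\" with Roundcube:
server: $server
org : $organisation
config: $config
suffix: $suffix
rootdn: $rootdn
"

  # Password files for slappasswd -T and ldapadd -y. Both tools use the
  # file contents verbatim, so write them without a trailing newline.
  umask 077
  secret_dir=$(mktemp -d) || die "unable to create a temporary directory"
  printf '%s' "$abook_pass" > "$secret_dir/abook" || die "unable to write password file"
  printf '%s' "$bind_pass" > "$secret_dir/bind" || die "unable to write password file"

  # 1. slapacl must be able to read the static config; "Permission denied"
  #    in its output means we lack read access (usually: not root).
  if slapacl_says "$rootdn" "$suffix" ou/write "Permission denied"; then
    die "you have no read access to the config file: $config
please try to run with \"sudo\" or even as root!"
  fi

  # 2. create the root suffix entry when it does not exist yet.
  #    slapacl only prints an ALLOWED/DENIED verdict for an existing entry.
  if ! slapacl_says "$rootdn" "$suffix" ou/write "ALLOWED|DENIED"; then
    printf '%s' "-create the openLDAP base directory: $suffix
(as LDAP administator: $rootdn)
"
    # First RDN of the suffix ("dc=localhost" -> "dc: localhost"). %% strips
    # everything from the first comma so multi-component suffixes such as
    # "dc=example,dc=com" also yield a single RDN.
    # NOTE(review): the object classes below assume that RDN is a dc=
    # component; a suffix like "o=Example" would need other object classes.
    local rdn="${suffix%%,*}"
    ldif_add_as_root <<EOF || die "unable to create suffix!"
dn: $suffix
objectClass: top
objectClass: dcObject
objectClass: organization
${rdn%%=*}: ${rdn#*=}
o: $organisation
EOF
  fi

  # 3. the rootdn must have write access to the suffix.
  if ! allowed "$rootdn" "$suffix" ou/write; then
    die "the administrator \"$rootdn\" has no
write permissions in the base of \"$suffix\"!
Please check the rootdn and suffix, they must correspond
with the openLDAP coniguration file, usually /etc/ldap/slapd.conf"
  fi

  # 4. create the addressbook base entry.
  if ! allowed "$rootdn" "$base_dn" ou/write; then
    printf '%s' "-create addressbook base directory: $base_dn
(as LDAP administator: $rootdn)
"
    ldif_add_as_root <<EOF || die "unable to create base!"
dn: $base_dn
ou: $abook_name
objectClass: top
objectClass: organizationalUnit
EOF
  fi

  # 5. create the Roundcube bind user with a hashed userPassword.
  if ! allowed "$rootdn" "$bind_dn" cn/write; then
    printf '%s' "-create the addressbook user: $bind_dn
(as LDAP administator: $rootdn)
"
    local hashed
    # -T hashes the file contents, keeping the clear-text password off argv.
    hashed=$(slappasswd -T "$secret_dir/abook") || die "unable to hash the addressbook user password!"
    ldif_add_as_root <<EOF || die "unable to create user!"
dn: $bind_dn
cn: $abook_user
userPassword: $hashed
objectClass: organizationalRole
objectClass: simpleSecurityObject
EOF
  fi

  # 6. the bind user needs write access to the addressbook (slapd.conf ACL).
  if ! allowed "$bind_dn" "$base_dn" ou/write; then
    die "the addressbook user \"$bind_dn\"
has no write permissions to \"$base_dn\"!
Please check the ACL in the coniguration file,
usually /etc/ldap/slapd.conf.
Do not forget to restart the server afterwards!"
  fi

  # 7. subdirectories for public contacts and private addressbooks.
  create_subdir "$subdir_public" "public contacts"
  create_subdir "$subdir_private" "private addressbooks"

  # Final summary. The suggested ldapsearch uses -W (prompt) rather than
  # -w so the bind password is neither printed here nor left in history.
  printf '%s\n' "The LDAP addressbook is ready now for using:
base_dn: $base_dn
bind_dn: $bind_dn
Use the following command for reading and checking your setup
(it prompts for the bind password):
ldapsearch -xLLL -H $server -D $bind_dn -W -b $base_dn"
}

main "$@"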
#######################################################################
# Minimal slapd.conf for the Roundcube addressbook prepared by the
# script above. The names used here (dc=localhost, ou=rcabook,
# cn=rcuser, cn=admin) must match the suffix / abook_name / abook_user /
# rootdn settings of that script.
#
# Global Directives:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# NOTE(review): "none" disables all logging, including failed binds; for
# a server that stores user passwords consider at least "stats" so that
# authentication attempts can be audited.
loglevel none
modulepath /usr/lib/ldap
# NOTE(review): back_hdb has been superseded by back_mdb in newer
# OpenLDAP releases; check which backend module your slapd build ships.
moduleload back_hdb
# Upper bound on the number of entries returned by a single search.
sizelimit 500
tool-threads 1
backend hdb
#######################################################################
# Specific Directives for database #1, of type hdb:
database hdb
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
# If you change the suffix, change all the "localhost" you find below as well!
suffix "dc=localhost"
# The rootdn is the database superuser and is not subject to the access
# rules below. Replace rootpw with the output of "slappasswd" for a
# password of your own: the hash shipped here is public (it is part of
# this gist) and must never be used on a real server.
rootdn "cn=admin,dc=localhost"
rootpw {SSHA}TNLUlmvLB86mzX5tA7klra2Cepv/Nn47
checkpoint 512 30
# Access rules. The first "access to" clause whose target matches the
# entry/attribute decides; later clauses are not consulted, and every
# clause ends with an implicit "by * none".
#
# Grant the Roundcube user write access to the userPassword of entries
# directly under ou=private (it creates the private users there).
# This clause must stay above the generic userPassword rule below,
# otherwise that rule would match first and deny cn=rcuser.
access to dn.one="ou=private,ou=rcabook,dc=localhost" attrs=userPassword
by dn="cn=rcuser,ou=rcabook,dc=localhost" write
by anonymous auth
by self write
by * none
# For user authentication and password change: "anonymous auth" is what
# allows a simple bind to verify the password; only the owner may change
# it and nobody else may read the hashes.
access to attrs=userPassword
by dn="cn=admin,dc=localhost" write
by anonymous auth
by self write
by * none
# Grant the Roundcube users access to their private addressbooks:
# $1 captures the cn of the entry directly under ou=private, so each
# user gets write access to its own entry and to everything below it.
access to dn.regex="^.*cn=([^,]+),ou=private,ou=rcabook,dc=localhost$"
by dn="cn=admin,dc=localhost" write
by dn="cn=rcuser,ou=rcabook,dc=localhost" write
by dn.exact,expand="cn=$1,ou=private,ou=rcabook,dc=localhost" write
# Grant the Roundcube user access to the whole addressbook
access to dn.subtree="ou=rcabook,dc=localhost"
by dn="cn=admin,dc=localhost" write
by dn="cn=rcuser,ou=rcabook,dc=localhost" write
# For directory access: anything not matched above is admin-only;
# anonymous and all other binds get nothing (implicit "by * none").
access to *
by dn="cn=admin,dc=localhost" write