Roundcube LDAP Setup
#!/bin/bash | |
#------------configuration-------------------------------- | |
# the url of the openldap server | |
server="ldap://localhost:389"; | |
# the static config file of openldap | |
config="/etc/ldap/slapd.conf"; | |
# the LDAP base suffix and admin rootdn | |
# -> this must correspond with /etc/ldap/slapd.conf | |
suffix="dc=localhost"; | |
rootdn="cn=admin,$suffix"; | |
organisation="LDAP Addressbook Server"; | |
# the addressbook base directory, bind user and password | |
# -> the base/bind_* fields must correspond with config/main.inc.php | |
abook_name="rcabook"; | |
abook_user="rcuser"; | |
abook_pass="rcpass"; | |
base_dn="ou=$abook_name,$suffix"; | |
bind_dn="cn=$abook_user,$base_dn"; | |
bind_pass="$abook_pass"; | |
subdir_public="public"; | |
subdir_private="private"; | |
#------------execution------------------------------------ | |
echo "This script prepares an openLDAP server for a simple | |
addressbook, working \"out of the box\" with Roundcube: | |
server: $server | |
org : $organisation | |
config: $config | |
suffix: $suffix | |
rootdn: $rootdn | |
"; | |
# test if the user has read access to the config file | |
slapacl -f $config -D $rootdn -b $suffix ou/write 2>&1 | | |
grep -q "Permission denied" && | |
{ | |
echo "ERROR-you have no read access to the config file: $config | |
please try to run with \"sudo\" or even as root! | |
"; | |
exit 1; | |
} | |
# test if the openLDAP root suffix exists | |
slapacl -f $config -D $rootdn -b $suffix ou/write 2>&1 | | |
grep -q -E "ALLOWED|DENIED" || | |
{ | |
echo -n "-create the openLDAP base directory: $suffix | |
(as LDAP administator: $rootdn) | |
"; | |
suffix_short=${suffix%,*}; | |
echo " | |
dn: $suffix | |
objectClass: top | |
objectClass: dcObject | |
objectClass: organization | |
${suffix_short%=*}: ${suffix_short#*=} | |
o: $organisation | |
" | ldapadd -x -c -H $server -D $rootdn -W 2> /dev/null || | |
{ echo "ERROR-unable to create suffix!"; exit 1; }; | |
} | |
# test if the openLDAP admin has write permissions | |
slapacl -f $config -D $rootdn -b $suffix ou/write 2>&1 | | |
grep -q "ALLOWED" || | |
{ | |
echo "ERROR-the administrator \"$rootdn\" has no | |
write permissions in the base of \"$suffix\"! | |
Please check the rootdn and suffix, they must correspond | |
with the openLDAP coniguration file, usually /etc/ldap/slapd.conf | |
"; | |
exit 1; | |
} | |
# test if the addressbook directory exist | |
slapacl -f $config -D $rootdn -b $base_dn ou/write 2>&1 | | |
grep -q "ALLOWED" || | |
{ | |
echo -n "-create addressbook base directory: $base_dn | |
(as LDAP administator: $rootdn) | |
"; | |
echo " | |
dn: $base_dn | |
ou: $abook_name | |
objectClass: top | |
objectClass: organizationalUnit | |
" | ldapadd -x -c -H $server -D $rootdn -W 2> /dev/null || | |
{ echo "ERROR-unable to create base!"; exit 1; }; | |
} | |
# test if the addressbook user exist | |
slapacl -f $config -D $rootdn -b $bind_dn cn/write 2>&1 | | |
grep -q "ALLOWED" || | |
{ | |
echo -n "-create the addressbook user: $bind_dn | |
(as LDAP administator: $rootdn) | |
"; | |
echo " | |
dn: $bind_dn | |
cn: $abook_user | |
userPassword: `slappasswd -s $abook_pass` | |
objectClass: organizationalRole | |
objectClass: simpleSecurityObject | |
" | ldapadd -x -c -H $server -D $rootdn -W 2> /dev/null || | |
{ echo "ERROR-unable to create user!"; exit 1; }; | |
} | |
# test if the addressbook user has write permissions | |
slapacl -f $config -D $bind_dn -b $base_dn ou/write 2>&1 | | |
grep -q "ALLOWED" || | |
{ | |
echo "ERROR-the addressbook user \"$bind_dn\" | |
has no write permissions to \"$base_dn\"! | |
Please check the ACL in the coniguration file, | |
usually /etc/ldap/slapd.conf. | |
Do not forget to restart the server afterwards! | |
"; | |
exit 1; | |
} | |
# create subdirectory for public contacts | |
slapacl -f $config -D $bind_dn -b "ou=$subdir_public,$base_dn" ou/write 2>&1 | | |
grep -q "ALLOWED" || | |
{ | |
echo "-create subdirectory for public contacts: ou=$subdir_public,$base_dn | |
(as Roundcube user: $bind_dn)"; | |
echo " | |
dn: ou=$subdir_public,$base_dn | |
ou: $subdir_public | |
objectClass: top | |
objectClass: organizationalUnit | |
" | ldapadd -x -H $server -D $bind_dn -w $bind_pass 2> /dev/null || | |
{ echo "ERROR-unable to create subdirectory!"; exit 1; }; | |
} | |
# create subdirectory for private addressbooks | |
slapacl -f $config -D $bind_dn -b "ou=$subdir_private,$base_dn" ou/write 2>&1 | | |
grep -q "ALLOWED" || | |
{ | |
echo "-create subdirectory for private addressbooks: ou=$subdir_private,$base_dn | |
(as Roundcube user: $bind_dn)"; | |
echo " | |
dn: ou=$subdir_private,$base_dn | |
ou: $subdir_private | |
objectClass: top | |
objectClass: organizationalUnit | |
" | ldapadd -x -H $server -D $bind_dn -w $bind_pass 2> /dev/null || | |
{ echo "ERROR-unable to create subdirectory!"; exit 1; }; | |
} | |
# finally | |
echo "The LDAP addressbook is ready now for using: | |
base_dn: $base_dn | |
bind_dn: $bind_dn | |
Use the following command for reading and checking your setup: | |
ldapsearch -xLLL -H $server -D $bind_dn -w $bind_pass -b $base_dn"; |
####################################################################### | |
# Global Directives: | |
include /etc/ldap/schema/core.schema | |
include /etc/ldap/schema/cosine.schema | |
include /etc/ldap/schema/inetorgperson.schema | |
pidfile /var/run/slapd/slapd.pid | |
argsfile /var/run/slapd/slapd.args | |
loglevel none | |
modulepath /usr/lib/ldap | |
moduleload back_hdb | |
sizelimit 500 | |
tool-threads 1 | |
backend hdb | |
####################################################################### | |
# Specific Directives for database #1, of type hdb: | |
database hdb | |
directory "/var/lib/ldap" | |
dbconfig set_cachesize 0 2097152 0 | |
dbconfig set_lk_max_objects 1500 | |
dbconfig set_lk_max_locks 1500 | |
dbconfig set_lk_max_lockers 1500 | |
index objectClass eq | |
lastmod on | |
# If you change the suffix, change all the "localhost" you find below as well! | |
suffix "dc=localhost" | |
# Please change the password with the result of "slappasswd" | |
rootdn "cn=admin,dc=localhost" | |
rootpw {SSHA}TNLUlmvLB86mzX5tA7klra2Cepv/Nn47 | |
checkpoint 512 30 | |
# Grant the Roundcub user to create private users | |
access to dn.one="ou=private,ou=rcabook,dc=localhost" attrs=userPassword | |
by dn="cn=rcuser,ou=rcabook,dc=localhost" write | |
by anonymous auth | |
by self write | |
by * none | |
# For user authentication and password change | |
access to attrs=userPassword | |
by dn="cn=admin,dc=localhost" write | |
by anonymous auth | |
by self write | |
by * none | |
# Grant the Roundcube users access to their private addressbooks | |
access to dn.regex="^.*cn=([^,]+),ou=private,ou=rcabook,dc=localhost$" | |
by dn="cn=admin,dc=localhost" write | |
by dn="cn=rcuser,ou=rcabook,dc=localhost" write | |
by dn.exact,expand="cn=$1,ou=private,ou=rcabook,dc=localhost" write | |
# Grant the Roundcube user access to the whole addressbook | |
access to dn.subtree="ou=rcabook,dc=localhost" | |
by dn="cn=admin,dc=localhost" write | |
by dn="cn=rcuser,ou=rcabook,dc=localhost" write | |
# For direcory access | |
access to * | |
by dn="cn=admin,dc=localhost" write |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment