/rcabook-setup.sh
Created Apr 6, 2016
Roundcube LDAP Setup
| #!/bin/bash | |
| #------------configuration-------------------------------- | |
| # the url of the openldap server | |
| server="ldap://localhost:389"; | |
| # the static config file of openldap | |
| config="/etc/ldap/slapd.conf"; | |
| # the LDAP base suffix and admin rootdn | |
| # -> this must correspond with /etc/ldap/slapd.conf | |
| suffix="dc=localhost"; | |
| rootdn="cn=admin,$suffix"; | |
| organisation="LDAP Addressbook Server"; | |
| # the addressbook base directory, bind user and password | |
| # -> the base/bind_* fields must correspond with config/main.inc.php | |
| abook_name="rcabook"; | |
| abook_user="rcuser"; | |
| abook_pass="rcpass"; | |
| base_dn="ou=$abook_name,$suffix"; | |
| bind_dn="cn=$abook_user,$base_dn"; | |
| bind_pass="$abook_pass"; | |
| subdir_public="public"; | |
| subdir_private="private"; | |
| #------------execution------------------------------------ | |
| echo "This script prepares an openLDAP server for a simple | |
| addressbook, working \"out of the box\" with Roundcube: | |
| server: $server | |
| org : $organisation | |
| config: $config | |
| suffix: $suffix | |
| rootdn: $rootdn | |
| "; | |
| # test if the user has read access to the config file | |
| slapacl -f $config -D $rootdn -b $suffix ou/write 2>&1 | | |
| grep -q "Permission denied" && | |
| { | |
| echo "ERROR-you have no read access to the config file: $config | |
| please try to run with \"sudo\" or even as root! | |
| "; | |
| exit 1; | |
| } | |
| # test if the openLDAP root suffix exists | |
| slapacl -f $config -D $rootdn -b $suffix ou/write 2>&1 | | |
| grep -q -E "ALLOWED|DENIED" || | |
| { | |
| echo -n "-create the openLDAP base directory: $suffix | |
| (as LDAP administator: $rootdn) | |
| "; | |
| suffix_short=${suffix%,*}; | |
| echo " | |
| dn: $suffix | |
| objectClass: top | |
| objectClass: dcObject | |
| objectClass: organization | |
| ${suffix_short%=*}: ${suffix_short#*=} | |
| o: $organisation | |
| " | ldapadd -x -c -H $server -D $rootdn -W 2> /dev/null || | |
| { echo "ERROR-unable to create suffix!"; exit 1; }; | |
| } | |
| # test if the openLDAP admin has write permissions | |
| slapacl -f $config -D $rootdn -b $suffix ou/write 2>&1 | | |
| grep -q "ALLOWED" || | |
| { | |
| echo "ERROR-the administrator \"$rootdn\" has no | |
| write permissions in the base of \"$suffix\"! | |
| Please check the rootdn and suffix, they must correspond | |
| with the openLDAP coniguration file, usually /etc/ldap/slapd.conf | |
| "; | |
| exit 1; | |
| } | |
| # test if the addressbook directory exist | |
| slapacl -f $config -D $rootdn -b $base_dn ou/write 2>&1 | | |
| grep -q "ALLOWED" || | |
| { | |
| echo -n "-create addressbook base directory: $base_dn | |
| (as LDAP administator: $rootdn) | |
| "; | |
| echo " | |
| dn: $base_dn | |
| ou: $abook_name | |
| objectClass: top | |
| objectClass: organizationalUnit | |
| " | ldapadd -x -c -H $server -D $rootdn -W 2> /dev/null || | |
| { echo "ERROR-unable to create base!"; exit 1; }; | |
| } | |
| # test if the addressbook user exist | |
| slapacl -f $config -D $rootdn -b $bind_dn cn/write 2>&1 | | |
| grep -q "ALLOWED" || | |
| { | |
| echo -n "-create the addressbook user: $bind_dn | |
| (as LDAP administator: $rootdn) | |
| "; | |
| echo " | |
| dn: $bind_dn | |
| cn: $abook_user | |
| userPassword: `slappasswd -s $abook_pass` | |
| objectClass: organizationalRole | |
| objectClass: simpleSecurityObject | |
| " | ldapadd -x -c -H $server -D $rootdn -W 2> /dev/null || | |
| { echo "ERROR-unable to create user!"; exit 1; }; | |
| } | |
| # test if the addressbook user has write permissions | |
| slapacl -f $config -D $bind_dn -b $base_dn ou/write 2>&1 | | |
| grep -q "ALLOWED" || | |
| { | |
| echo "ERROR-the addressbook user \"$bind_dn\" | |
| has no write permissions to \"$base_dn\"! | |
| Please check the ACL in the coniguration file, | |
| usually /etc/ldap/slapd.conf. | |
| Do not forget to restart the server afterwards! | |
| "; | |
| exit 1; | |
| } | |
| # create subdirectory for public contacts | |
| slapacl -f $config -D $bind_dn -b "ou=$subdir_public,$base_dn" ou/write 2>&1 | | |
| grep -q "ALLOWED" || | |
| { | |
| echo "-create subdirectory for public contacts: ou=$subdir_public,$base_dn | |
| (as Roundcube user: $bind_dn)"; | |
| echo " | |
| dn: ou=$subdir_public,$base_dn | |
| ou: $subdir_public | |
| objectClass: top | |
| objectClass: organizationalUnit | |
| " | ldapadd -x -H $server -D $bind_dn -w $bind_pass 2> /dev/null || | |
| { echo "ERROR-unable to create subdirectory!"; exit 1; }; | |
| } | |
| # create subdirectory for private addressbooks | |
| slapacl -f $config -D $bind_dn -b "ou=$subdir_private,$base_dn" ou/write 2>&1 | | |
| grep -q "ALLOWED" || | |
| { | |
| echo "-create subdirectory for private addressbooks: ou=$subdir_private,$base_dn | |
| (as Roundcube user: $bind_dn)"; | |
| echo " | |
| dn: ou=$subdir_private,$base_dn | |
| ou: $subdir_private | |
| objectClass: top | |
| objectClass: organizationalUnit | |
| " | ldapadd -x -H $server -D $bind_dn -w $bind_pass 2> /dev/null || | |
| { echo "ERROR-unable to create subdirectory!"; exit 1; }; | |
| } | |
| # finally | |
| echo "The LDAP addressbook is ready now for using: | |
| base_dn: $base_dn | |
| bind_dn: $bind_dn | |
| Use the following command for reading and checking your setup: | |
| ldapsearch -xLLL -H $server -D $bind_dn -w $bind_pass -b $base_dn"; |
| ####################################################################### | |
| # Global Directives: | |
| include /etc/ldap/schema/core.schema | |
| include /etc/ldap/schema/cosine.schema | |
| include /etc/ldap/schema/inetorgperson.schema | |
| pidfile /var/run/slapd/slapd.pid | |
| argsfile /var/run/slapd/slapd.args | |
| loglevel none | |
| modulepath /usr/lib/ldap | |
| moduleload back_hdb | |
| sizelimit 500 | |
| tool-threads 1 | |
| backend hdb | |
| ####################################################################### | |
| # Specific Directives for database #1, of type hdb: | |
| database hdb | |
| directory "/var/lib/ldap" | |
| dbconfig set_cachesize 0 2097152 0 | |
| dbconfig set_lk_max_objects 1500 | |
| dbconfig set_lk_max_locks 1500 | |
| dbconfig set_lk_max_lockers 1500 | |
| index objectClass eq | |
| lastmod on | |
| # If you change the suffix, change all the "localhost" you find below as well! | |
| suffix "dc=localhost" | |
| # Please change the password with the result of "slappasswd" | |
| rootdn "cn=admin,dc=localhost" | |
| rootpw {SSHA}TNLUlmvLB86mzX5tA7klra2Cepv/Nn47 | |
| checkpoint 512 30 | |
| # Grant the Roundcub user to create private users | |
| access to dn.one="ou=private,ou=rcabook,dc=localhost" attrs=userPassword | |
| by dn="cn=rcuser,ou=rcabook,dc=localhost" write | |
| by anonymous auth | |
| by self write | |
| by * none | |
| # For user authentication and password change | |
| access to attrs=userPassword | |
| by dn="cn=admin,dc=localhost" write | |
| by anonymous auth | |
| by self write | |
| by * none | |
| # Grant the Roundcube users access to their private addressbooks | |
| access to dn.regex="^.*cn=([^,]+),ou=private,ou=rcabook,dc=localhost$" | |
| by dn="cn=admin,dc=localhost" write | |
| by dn="cn=rcuser,ou=rcabook,dc=localhost" write | |
| by dn.exact,expand="cn=$1,ou=private,ou=rcabook,dc=localhost" write | |
| # Grant the Roundcube user access to the whole addressbook | |
| access to dn.subtree="ou=rcabook,dc=localhost" | |
| by dn="cn=admin,dc=localhost" write | |
| by dn="cn=rcuser,ou=rcabook,dc=localhost" write | |
| # For direcory access | |
| access to * | |
| by dn="cn=admin,dc=localhost" write |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment