Roundcube LDAP Setup
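#!/bin/bash
#
# Prepare an openLDAP server for a simple Roundcube addressbook.
#
# Creates (when missing) the base suffix, the addressbook OU, the Roundcube
# bind user and the public/private sub-OUs. Before each step slapacl is
# asked whether the entry exists / whether the acting DN has write access,
# so the script can be re-run on a partially prepared server.
#
# Requirements: read access to the slapd config file (usually run as root).
# The admin password is prompted for by ldapadd (-W) on every admin add.
# The bind user's password is handed to slappasswd/ldapadd through a
# temporary file readable only by the owner (-T / -y) instead of on the
# command line, so it does not show up in `ps` output or shell history.
set -eu

#------------configuration--------------------------------
# the url of the openldap server
server="ldap://localhost:389"
# the static config file of openldap
config="/etc/ldap/slapd.conf"
# the LDAP base suffix and admin rootdn
# -> this must correspond with /etc/ldap/slapd.conf
suffix="dc=localhost"
rootdn="cn=admin,$suffix"
organisation="LDAP Addressbook Server"
# the addressbook base directory, bind user and password
# -> the base/bind_* fields must correspond with config/main.inc.php
abook_name="rcabook"
abook_user="rcuser"
abook_pass="rcpass"
base_dn="ou=$abook_name,$suffix"
bind_dn="cn=$abook_user,$base_dn"
bind_pass="$abook_pass"
subdir_public="public"
subdir_private="private"

#------------helpers--------------------------------------
#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message (may span several lines)
#######################################
die() {
  printf 'ERROR-%s\n' "$*" >&2
  exit 1
}

#######################################
# Ask slapacl whether DN $1 may perform $3 on entry $2 and report whether
# slapacl's combined stdout+stderr matches the extended regex $4.
# Globals:   config (read)
# Arguments: $1 - requester DN, $2 - target DN,
#            $3 - attr/access level (e.g. ou/write),
#            $4 - ERE to look for in slapacl's output
# Returns:   grep's status: 0 if the pattern was found, non-zero otherwise
#######################################
slapacl_says() {
  local who=$1 target=$2 what=$3 pattern=$4
  slapacl -f "$config" -D "$who" -b "$target" "$what" 2>&1 \
    | grep -q -E -- "$pattern"
}

#######################################
# Add the LDIF given on stdin as the LDAP administrator.
# ldapadd prompts for the admin password itself (-W); -c keeps going on
# per-entry errors instead of aborting the whole add.
# Globals:   server, rootdn (read)
# Returns:   ldapadd's status
#######################################
ldapadd_as_admin() {
  ldapadd -x -c -H "$server" -D "$rootdn" -W
}

#######################################
# Add the LDIF given on stdin as the Roundcube bind user, reading the
# password from the temporary file (-y) so it never appears in argv.
# Globals:   server, bind_dn, bind_pass_file (read)
# Returns:   ldapadd's status
#######################################
ldapadd_as_user() {
  ldapadd -x -H "$server" -D "$bind_dn" -y "$bind_pass_file"
}

# Temporary file holding the bind password for slappasswd -T / ldapadd -y.
# mktemp creates it readable only by the owner; the trap removes it on
# every exit path, including the die() calls below.
bind_pass_file=$(mktemp) || die "unable to create a temporary file"
cleanup() { rm -f -- "$bind_pass_file"; }
trap cleanup EXIT
# No trailing newline: -y and -T use the complete file contents as the secret.
printf '%s' "$bind_pass" > "$bind_pass_file"

#------------execution------------------------------------
printf '%s\n' "This script prepares an openLDAP server for a simple
addressbook, working \"out of the box\" with Roundcube:
server: $server
org : $organisation
config: $config
suffix: $suffix
rootdn: $rootdn
"
# test if the user has read access to the config file
if slapacl_says "$rootdn" "$suffix" ou/write "Permission denied"; then
  die "you have no read access to the config file: $config
please try to run with \"sudo\" or even as root!
"
fi
# test if the openLDAP root suffix exists
# (slapacl answers ALLOWED or DENIED only for an entry that is present)
if ! slapacl_says "$rootdn" "$suffix" ou/write "ALLOWED|DENIED"; then
  printf '%s' "-create the openLDAP base directory: $suffix
(as LDAP administrator: $rootdn)
"
  # first RDN of the suffix, e.g. "dc=localhost" -> attribute "dc", value "localhost"
  suffix_short=${suffix%,*}
  ldapadd_as_admin <<EOF || die "unable to create suffix!"
dn: $suffix
objectClass: top
objectClass: dcObject
objectClass: organization
${suffix_short%=*}: ${suffix_short#*=}
o: $organisation
EOF
fi
# test if the openLDAP admin has write permissions
if ! slapacl_says "$rootdn" "$suffix" ou/write "ALLOWED"; then
  die "the administrator \"$rootdn\" has no
write permissions in the base of \"$suffix\"!
Please check the rootdn and suffix, they must correspond
with the openLDAP configuration file, usually /etc/ldap/slapd.conf
"
fi
# test if the addressbook directory exists
if ! slapacl_says "$rootdn" "$base_dn" ou/write "ALLOWED"; then
  printf '%s' "-create addressbook base directory: $base_dn
(as LDAP administrator: $rootdn)
"
  ldapadd_as_admin <<EOF || die "unable to create base!"
dn: $base_dn
ou: $abook_name
objectClass: top
objectClass: organizationalUnit
EOF
fi
# test if the addressbook user exists
if ! slapacl_says "$rootdn" "$bind_dn" cn/write "ALLOWED"; then
  printf '%s' "-create the addressbook user: $bind_dn
(as LDAP administrator: $rootdn)
"
  # slappasswd -T hashes the file contents, so the clear-text password
  # is not passed as a command-line argument
  ldapadd_as_admin <<EOF || die "unable to create user!"
dn: $bind_dn
cn: $abook_user
userPassword: $(slappasswd -T "$bind_pass_file")
objectClass: organizationalRole
objectClass: simpleSecurityObject
EOF
fi
# test if the addressbook user has write permissions
if ! slapacl_says "$bind_dn" "$base_dn" ou/write "ALLOWED"; then
  die "the addressbook user \"$bind_dn\"
has no write permissions to \"$base_dn\"!
Please check the ACL in the configuration file,
usually /etc/ldap/slapd.conf.
Do not forget to restart the server afterwards!
"
fi
# create subdirectory for public contacts
if ! slapacl_says "$bind_dn" "ou=$subdir_public,$base_dn" ou/write "ALLOWED"; then
  printf '%s\n' "-create subdirectory for public contacts: ou=$subdir_public,$base_dn
(as Roundcube user: $bind_dn)"
  ldapadd_as_user <<EOF || die "unable to create subdirectory!"
dn: ou=$subdir_public,$base_dn
ou: $subdir_public
objectClass: top
objectClass: organizationalUnit
EOF
fi
# create subdirectory for private addressbooks
if ! slapacl_says "$bind_dn" "ou=$subdir_private,$base_dn" ou/write "ALLOWED"; then
  printf '%s\n' "-create subdirectory for private addressbooks: ou=$subdir_private,$base_dn
(as Roundcube user: $bind_dn)"
  ldapadd_as_user <<EOF || die "unable to create subdirectory!"
dn: ou=$subdir_private,$base_dn
ou: $subdir_private
objectClass: top
objectClass: organizationalUnit
EOF
fi
# finally
# -W makes ldapsearch prompt for the bind password instead of taking it
# from the command line, so the hint below does not leak it either.
printf '%s\n' "The LDAP addressbook is ready now for using:
base_dn: $base_dn
bind_dn: $bind_dn
Use the following command for reading and checking your setup:
ldapsearch -xLLL -H $server -D $bind_dn -W -b $base_dn"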
#######################################################################
# slapd.conf for the Roundcube addressbook prepared by the setup script.
# The suffix, rootdn and the rcabook/rcuser DNs below must match the
# variables at the top of that script.
# Global Directives:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# NOTE(review): "none" switches slapd's own logging off, so failed binds
# and ACL denials leave no trace; "stats" (connections/operations) is the
# usual minimum for a server that is reachable over the network.
loglevel none
modulepath /usr/lib/ldap
moduleload back_hdb
# upper bound on entries returned per search
sizelimit 500
tool-threads 1
backend hdb
#######################################################################
# Specific Directives for database #1, of type hdb:
database hdb
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
# If you change the suffix, change all the "localhost" you find below as well!
suffix "dc=localhost"
# Please change the password with the result of "slappasswd"
# The rootdn bypasses the ACLs below entirely, so this account is
# all-powerful for this database.
rootdn "cn=admin,dc=localhost"
# NOTE(review): this hash is published together with the gist; treat it
# as compromised and replace it before the server goes live.
rootpw {SSHA}TNLUlmvLB86mzX5tA7klra2Cepv/Nn47
checkpoint 512 30
# ACL evaluation: the first "access to" whose target matches the entry is
# used; within it the first "by" clause matching the requester decides.
# A requester matching no "by" clause of that directive gets no access
# (implicit "by * none" at the end of every directive).
# Grant the Roundcube user to create private users
# (userPassword of entries one level below ou=private: rcuser writes it,
# anonymous may only use it to authenticate, the entry may change its own)
access to dn.one="ou=private,ou=rcabook,dc=localhost" attrs=userPassword
by dn="cn=rcuser,ou=rcabook,dc=localhost" write
by anonymous auth
by self write
by * none
# For user authentication and password change
# (userPassword everywhere else: admin writes, anonymous may only bind,
# the entry may change its own; explicitly denied to everybody else)
access to attrs=userPassword
by dn="cn=admin,dc=localhost" write
by anonymous auth
by self write
by * none
# Grant the Roundcube users access to their private addressbooks
# The leading ".*" makes the regex match the cn=<user> entry under
# ou=private and everything below it; $1 is the captured cn, so the
# "expand" clause grants each private user write access to its own subtree.
access to dn.regex="^.*cn=([^,]+),ou=private,ou=rcabook,dc=localhost$"
by dn="cn=admin,dc=localhost" write
by dn="cn=rcuser,ou=rcabook,dc=localhost" write
by dn.exact,expand="cn=$1,ou=private,ou=rcabook,dc=localhost" write
# Grant the Roundcube user access to the whole addressbook
# (remaining rcabook entries: only admin and rcuser; nobody else gets
# any access, not even read)
access to dn.subtree="ou=rcabook,dc=localhost"
by dn="cn=admin,dc=localhost" write
by dn="cn=rcuser,ou=rcabook,dc=localhost" write
# For directory access
# (everything outside the addressbook is reachable by the admin only)
access to *
by dn="cn=admin,dc=localhost" write