How to set up EGroupware with LDAP on Debian Wheezy

This is an install that took an inordinate amount of time and seemed quite badly documented, so I thought I’d make the documentation slightly more confusing by saying what I did.

Disclaimer: I made these notes during a re-install on a possibly not-quite-clean system, so there might be bits missing.  Furthermore, I am not an expert on LDAP.

The basic thing I wanted to achieve was to sync my (Android) phone’s contacts and calendar to a computer and then have the contacts available from LDAP for use with Alpine.  If there’s an easier way to do it, I’m all ears.

Hold tight.

slapd

slapd is the LDAP server.  We’ll use it as egroupware’s backend for storing users and contacts.  Then our contact data is available over LDAP, which is handy.

apt-get install slapd

apt will ask you for a password (twice).  Now do

dpkg-reconfigure slapd

Now dpkg-reconfigure will ask you some more questions: most of them don’t matter too much, but do enter your DNS domain name and organization name (I used carlh.net for both).  Enter the same password again and say no to LDAPv2 (for some reason I am not sure of).

egroupware

egroupware is a large online “collaboration tool” with shared calendars, contacts, time tracking etc. etc.  It’s very much overkill for our purposes but it does have effective SyncML support, which is hard to find.

It is not in the main Debian repos, so add this line to /etc/apt/sources.list:

deb http://download.opensuse.org/repositories/server:/eGroupWare/Debian_6.0/ ./

then fetch the key for the repo:

wget -O - http://download.opensuse.org/repositories/server:/eGroupWare/Debian_6.0/Release.key | apt-key add -

then

apt-get update
apt-get install egroupware-addressbook egroupware-calendar

During this install you will be asked for a root password for the mysql server, if you don’t already have one installed.

You also need

apt-get install php5-ldap

or egroupware will give confusing errors about LDAP not working.

Now to set up egroupware, which is a little trying, to say the least.  First edit /etc/php5/apache2/php.ini and uncomment the line:

; date.timezone = '';

changing it to something like

date.timezone = 'Europe/London';

Now

chmod o-r /var/lib/egroupware/header.inc.php
cd /etc/apache2/conf.d/
ln -s ../../egroupware/apache.conf egroupware.conf
/etc/init.d/apache2 restart

Open http://localhost/egroupware/setup in a browser, then:

  1. click “run installation tests” (you might get a few warnings but there should be no errors)
  2. click “continue to the header admin”
  3. fill in a header admin password
  4. fill in an egroupware database password
  5. use the header admin password again for the “configuration password”
  6. click “download” to download header.inc.php
  7. copy header.inc.php to /var/lib/egroupware/header.inc.php

Then

chgrp www-data /var/lib/egroupware/header.inc.php

Now:

  1. click “continue”
  2. Log in to the top prompt with the user “admin” and the header admin password from above.
  3. On the next page, enter your MySQL root password and click “create database”.
  4. Click “re-check my installation”
  5. Click “install all applications”
  6. Click “re-check my installation”
  7. Click “edit current configuration”

At this point you will need to

mkdir -p /var/lib/egroupware/default/files
chgrp www-data /var/lib/egroupware/default/files
chmod g+w /var/lib/egroupware/default/files
mkdir -p /var/lib/egroupware/default/backup
chgrp www-data /var/lib/egroupware/default/backup
chmod g+w /var/lib/egroupware/default/backup

Choose LDAP for the “type of authentication” and “store/retrieve user accounts” settings. You will also need to set up the mail server details; I’m not sure why.

Now the LDAP configuration; bear in mind that I set my domain name as “carlh.net” (when configuring slapd). In LDAP-speak, this is dc=carlh,dc=net (the domain name is split up into “domain components”, or DCs). Wherever I say dc=carlh,dc=net below you need to substitute your own domain name.

The LDAP options are:

  1. LDAP host: localhost
  2. Accounts context: ou=accounts,dc=carlh,dc=net
  3. Groups context: ou=groups,dc=carlh,dc=net
  4. Root DN: cn=admin,dc=carlh,dc=net
  5. LDAP root password: whatever you entered when configuring slapd
  6. Allow usernames identical to system users: yes

Now for some bizarre reason we have to create the accounts and groups “directories” in LDAP.  First:

apt-get install ldap-utils

Now, run the following two commands, entering your LDAP admin password for each one:

ldapadd -x -D 'cn=admin,dc=carlh,dc=net' -W << EOF
# the ou attribute must match the value used in the RDN (ou=groups)
dn: ou=groups,dc=carlh,dc=net
objectClass: top
objectClass: organizationalUnit
ou: groups
EOF
ldapadd -x -D 'cn=admin,dc=carlh,dc=net' -W << EOF
# likewise here: ou=accounts in the DN, so ou: accounts below
dn: ou=accounts,dc=carlh,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts
EOF

(The -x selects a simple bind; without it ldapadd tries a SASL bind and fails on a stock install.)
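Since every DN on this page has to be rewritten for your own domain, here is a small added script (my own, not part of the original post) that turns a DNS domain into its dc=… base DN and prints the LDIF for the two organizational units, with the ou attribute guaranteed to match the RDN. It assumes the container names “groups” and “accounts” from the egroupware LDAP options above, and that slapd was configured with the same domain.

```shell
#!/bin/sh
# Added example, not from the original post.
# domain_to_dn: carlh.net -> dc=carlh,dc=net (one dc= component per label)
domain_to_dn() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n"
    }'
}

# ou_ldif NAME BASE: emit one organizationalUnit entry in LDIF.
# The value of the ou attribute is taken from the same variable as the RDN,
# because slapd rejects an add whose naming attribute value is not in the entry.
ou_ldif() {
    ou=$1
    base=$2
    printf 'dn: ou=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n\n' \
        "$ou" "$base" "$ou"
}

# Usage (assumed invocation; the admin DN is the one configured for slapd):
#   sh make-ous.sh carlh.net | ldapadd -x -D "cn=admin,$(domain_to_dn carlh.net)" -W
if [ -n "$1" ]; then
    base=$(domain_to_dn "$1")
    ou_ldif groups "$base"
    ou_ldif accounts "$base"
fi
```

The blank line after each entry is what lets ldapadd take both entries from a single run instead of the two separate invocations shown above.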

Back in the browser, click save, then on the next page click “create admin account”. Create an account for your administrator, then go to http://localhost/egroupware and log on with that account.

LDAP permissions hack

slapd will only allow egroupware to add contacts to the LDAP database if you give slapd the appropriate ACL (access control list). The correct ACL is shipped with egroupware, but unfortunately slapd has recently changed its configuration format which means that you can’t use the egroupware-supplied one.

What really should happen is a conversion of this ACL to the new format required by slapd. I half-heartedly tried and failed to get this right. As a complete and very insecure hack I have currently just set an ACL to allow everyone to write to the database. If you do this, make sure the LDAP server is only accessible to those you trust.

The hack is to run the following command:

ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by * write
EOF
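Because that rule makes the whole directory writable by anyone who can reach port 389, it is worth being able to spot it again later (for instance when you do get round to converting the proper ACL). The following is an added audit script of my own, not from the post or from egroupware: it scans olcAccess values for rules that grant write or manage to everyone, and scans socket listings for slapd listening on anything other than loopback. It works on text so it runs offline; the sample inputs are constructed and imitate what ldapsearch and ss would print on this setup.

```shell
#!/bin/sh
# Added example, not from the original post.
# Real usage (assumed commands, both standard OpenLDAP / iproute tools):
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' olcAccess | audit_olcaccess
#   ss -ltn | audit_listeners

# audit_olcaccess: read LDIF on stdin, print each olcAccess rule that lets
# everyone (including anonymous binds) write or manage. Returns 1 if any found.
audit_olcaccess() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            olcAccess:*) ;;
            *) continue ;;
        esac
        rule=${line#olcAccess:}
        case "$rule" in
            *"by * write"*|*"by * manage"*|*"by anonymous write"*|*"by anonymous manage"*)
                echo "WORLD-WRITABLE:$rule"
                found=1 ;;
        esac
    done
    return $found
}

# audit_listeners: read `ss -ltn` or `netstat -ltn` output on stdin (local
# address is the 4th column in both) and print LDAP ports bound to a
# non-loopback address. Returns 1 if any found.
audit_listeners() {
    found=0
    while read -r _ _ _ local _; do
        port=${local##*:}
        addr=${local%:*}
        case "$port" in 389|636) ;; *) continue ;; esac
        case "$addr" in
            127.0.0.1|::1|\[::1\]) ;;
            *) echo "EXPOSED: LDAP listening on $local"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample: the hack rule above plus two ordinary rules.
SAMPLE_ACCESS='dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to * by * write
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to * by self write by dn="cn=admin,dc=carlh,dc=net" write by * read'

# Constructed sample of ss -ltn: slapd on all interfaces, mysql on loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:389              *:*
LISTEN 0      50     127.0.0.1:3306     *:*'

if printf '%s\n' "$SAMPLE_ACCESS" | audit_olcaccess; then echo "ACLs ok"; fi
if printf '%s\n' "$SAMPLE_SS" | audit_listeners; then echo "listeners ok"; fi
```

On the sample input the first audit reports the {0} rule and the second reports *:389; the userPassword rule and the admin-only write rule are left alone, as they should be.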

Finally, we can set our address book up to use LDAP.  Logged in with your normal user account, click “Admin” at the top left of the egroupware page and then choose “site configuration” under “address book”.  Select “LDAP” under where you want to store/retrieve contacts.  LDAP host for contacts should be localhost, and the context dc=carlh,dc=net.  Click Save.

Alpine setup

Now you can get alpine to read the LDAP contacts list by doing Setup/Directory/Add and then specifying:

  1. ldap-server: localhost
  2. search-base: dc=carlh,dc=net
  3. bind-dn: cn=admin,dc=carlh,dc=net

And tick “use implicitly from composer”.