This is an install that took an inordinate amount of time and seemed quite badly documented, so I thought I’d make the documentation slightly more confusing by saying what I did.
Disclaimer: I made these notes during a re-install on a possibly not-quite-clean system, so there might be bits missing. Futhermore, I am not an expert on LDAP.
The basic thing I wanted to achieve was to sync my (Android) phone’s contacts and calendar to a computer and then have the contacts available from LDAP for use with Alpine. If there’s an easier way to do it, I’m all ears.
Hold tight.
slapd
slapd is the LDAP server. We’ll use it as egroupware’s backend for storing users and contacts. Then our contact data is available over LDAP, which is handy.
apt-get install slapd
apt will ask you for a password (twice). Now do
dpkg-reconfigure slapd
Now apt will ask you some more questions: most of them don’t matter too much but do enter your DNS domain name and organization name (I used carlh.net for both). Enter the same password again and say no to LDAP2 (for some reason I am not sure of).
egroupware
egroupware is a large online “collaboration tool” with shared calendars, contacts, time tracking etc. etc. It’s very much overkill for our purposes but it does have effective SyncML support, which is hard to find.
It is not in the main debian repos, so add this line to /etc/apt/sources.list:
deb http://download.opensuse.org/repositories/server:/eGroupWare/Debian_6.0/ ./
then fetch the key for the repo:
wget -O - http://download.opensuse.org/repositories/server:/eGroupWare/Debian_6.0/Release.key | apt-key add -
then
apt-get update apt-get install egroupware-addressbook egroupware-calendar
During this install you will be asked for a root password for the mysql server, if you don’t already have one installed.
You also need
apt-get install php5-ldap
or egroupware will give confusing errors about LDAP not working.
Now to set up egroupware, which is a little trying, to say the least. First edit /etc/php5/apache2/php.ini and uncomment the line:
; date.timezone = '';
changing it to something like
date.timezone = 'Europe/London';
Now
chmod o-r /var/lib/egroupware/header.inc.php cd /etc/apache2/conf.d/ ln -s ../../egroupware/apache.conf egroupware.conf /etc/init.d/apache2 restart
Open http://localhost/egroupware/setup in a browser, then:
- click “run installation tests” (you might get a few warnings but there should be no errors)
- click “continue to the header admin”
- fill in a header admin password
- fill in an egroupware database password
- use the header admin password again for the “configuration password”
- click “download” to download header.inc.php
- copy header.inc.php to /var/lib/egroupware/header.inc.php
Then
chgrp www-data /var/lib/egroupware/header.inc.php
Now:
- click “continue”
- Log in to the top prompt with the user “admin” and the header admin password from above.
- On the next page, enter your MySQL root password and click “create database”.
- Click “re-check my installation”
- Click “install all applications”
- Click “re-check my installation”
- Click “edit current configuration”
At this point you will need to
mkdir -p /var/lib/egroupware/default/files chgrp www-data /var/lib/egroupware/default/files chmod g+w /var/lib/egroupware/default/files mkdir -p /var/lib/egroupware/default/backup chgrp www-data /var/lib/egroupware/default/backup chmod g+w /var/lib/egroupware/default/backup
Choose LDAP for the “type of authentication” and “store/retrieve user accounts” settings. You will also need to set up the mail server details; I’m not sure why.
Now the LDAP configuration; bear in mind that I set my domain name as “carlh.net” (when configuring slapd). In LDAP-speak, this is dc=carlh,dc=net (the domain name is split up into “domain components” (DCs). Wherever I say dc=carlh,dc=net below you need to substitute it for your domain name.
The LDAP options are:
- LDAP host: localhost
- Accounts context: ou=accounts,dc=carlh,dc=net
- Groups context: ou=groups,dc=carlh,dc=net
- Root DN: cn=admin,dc=carlh,dc=net
- LDAP root password: whatever you entered when configuring slapd
- Allow usernames identical to system users: yes
Now for some bizarre reason we have to create the accounts and groups “directories” in LDAP. First:
apt-get install ldap-utils
Now, run the following two commands, entering your LDAP admin password for each one:
ldapadd -D 'cn=admin,dc=carlh,dc=net' -W << EOF dn: ou=groups, dc=carlh, dc=net objectClass: top objectClass: organizationalUnit ou: admin EOF
ldapadd -D 'cn=admin,dc=carlh,dc=net' -W << EOF dn: ou=accounts, dc=carlh, dc=net objectClass: top objectClass: organizationalUnit ou: admin EOF
Back in the browser, click save, then on the next page click “create admin account”. Create an account for your administrator, then go to http://localhost/egroupware and log on with that account.
LDAP permissions hack
slapd will only allow egroupware to add contacts to the LDAP database if you give slapd the appropriate ACL (access control list). The correct ACL is shipped with egroupware, but unfortunately slapd has recently changed its configuration format which means that you can’t use the egroupware-supplied one.
What really should happen is a conversion of this ACL to the new format required by slapd. I half-heartedly tried and failed to get this right. As a complete and very insecure hack I have currently just set an ACL to allow everyone to write to the database. If you do this, make sure the LDAP server is only accessible to those you trust.
The hack is run the following command:
ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcAccess olcAccess: {0}to * by * write EOF
Finally, we can set our address book up to use LDAP. Logged in with your normal user account, click “Admin” at the top left of the egroupware page and then choose “site configuration” under “address book”. Select “LDAP” under where you want to store/retrive contacts. LDAP host for contacts should be localhost, and the context dc=carlh,dc=net. Click Save.
Alpine setup
Now you can get alpine to read the LDAP contacts list by doing Setup/Directory/Add and then specifying:
- ldap-server: localhost
- search-base: dc=carlh,dc=net
- bind-dn: cn=admin,dc=carlh,dc=net
And tick “use implicitly from composer”.