Roundcube Community Forum


LDAP for Roundcube and Thunderbird

Started by frank, April 28, 2009, 06:32:22 AM


frank

Hi folks,

I'm running RC 0.2.1 fine on my Apache webserver. The server has got Debian 4.0 running.
Now I want to serve my customers with a personal addressbook based on LDAP, for r/w access via Roundcube and read (probably r/w) access by Thunderbird.

So I did install OpenLDAP. And that's the point where the confusion begins.
I'm very new to LDAP and I cannot figure out the configuration part. Google gave a few results, but not in relation to Roundcube.

Has anybody got Roundcube running with LDAP for access via Roundcube and Thunderbird, who could tell me the configuration?

Frank

davel

Hi,
I've got that combination working ok. First of all, have you populated any addressbook entries in your LDAP directory with attributes that Thunderbird expects? Once this is in place, you need to edit the main roundcube config ("main.inc.php") - you'll find the LDAP section about halfway down the file.

It's fairly straightforward - you need to spend some time getting to grips with LDAP. The good news is that there is plenty of info online and on paper.

Dave

frank

Hi Dave,

While testing the base config for LDAP I placed a set of data. I was able to read it with Thunderbird but not to change it.
Roundcube told me "nothing found".

The bad thing is that I didn't find out how this LDAP stuff works and how to get the right structure.
Do you propose to have phpLDAPadmin for administration of LDAP?

Would you be so nice and post or pm your configs?

Frank

frank

After a few days and a lot of coffee I was able to get OpenLDAP working with Roundcube 0.2.1 and Thunderbird.
IT'S WORKING!

I got to know the LDAP structure after I installed phpLDAPadmin.
It's recommended for all LDAP newbies to use phpLDAPadmin or some other client to get in touch!

btw: beware of fully commented-out (LDAP) sections in main.inc.php !!!  ;D

Frank

techdude

This is EXACTLY what I want to do!!!

Frank: Do your users have a private addressbook that only they can see?  How did you do that with LDAP?

frank

Hi

This is quite easy, once you've done the "step behind".
Anyhow, I'm still not an LDAP professional!
There might be security holes which I didn't recognize yet!
If you find one, please tell me! :o

1.
Install an LDAP server such as OpenLDAP or similar.
Grab phpLDAPadmin from SourceForge and follow its install procedure as described there.

2.
With phpLDAPadmin I've created the LDAP structure like this:
version: 1

# LDIF Export for: dc=yourserver,dc=com
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on May 12, 2009 9:41 am
# Server: My LDAP Server (localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)

# suffix entry; the dc attribute must carry the RDN value (yourserver),
# otherwise slapd rejects the add with a naming violation
dn: dc=yourserver,dc=com
objectClass: top
objectClass: domain
dc: yourserver

# container for all mail users (one posixGroup)
dn: cn=mailusers,dc=yourserver,dc=com
cn: mailusers
gidNumber: 1000
objectClass: posixGroup
objectClass: top

# example mailuser entry for address [email protected]
dn: [email protected],cn=mailusers,dc=yourserver,dc=com
sn: Test
cn: User
uid: [email protected]
# placeholder; a real {MD5} value is the base64 digest, e.g. from: slappasswd -h {MD5}
userPassword: {MD5}passwd
uidNumber: 1002
gidNumber: 1000
homeDirectory: /dev/null
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top

# example addressbook entry for user [email protected]
# (contacts live below the user's own entry, so base_dn in Roundcube is the user's DN)
dn: [email protected],[email protected],cn=mailusers,dc=yourserver,dc=com
objectClass: top
objectClass: inetOrgPerson
cn: Somebody
givenName: Body
sn: Some
mail: [email protected]

3.
The LDAP section in the /config/main.inc.php file of Roundcube 0.2.1 looks like this:
$rcmail_config['ldap_public']['addressbook'] = array(
  'name'          => 'Personal Addressbook',
  'hosts'         => array('yourldapserver.com'),
  'port'          => 389,
  'use_tls'       => false,          // plain LDAP: the bind password crosses the wire unencrypted
  'user_specific' => true,           // %fu in base_dn/bind_dn is filled from the user's login name

  'base_dn'       => 'cn=%fu,cn=mailusers,dc=yourserver,dc=com',
  'bind_dn'       => 'cn=%fu,cn=mailusers,dc=yourserver,dc=com',
  'bind_pass'     => 'PASSWORD',     // the same bind password for every user, see note below

  'LDAP_Object_Classes' => array("top", "inetOrgPerson"),
  'required_fields'     => array("cn", "sn", "mail"),
  'LDAP_rdn'      => 'mail',         // new contacts get the RDN mail=<address> under base_dn

  'ldap_version'  => 3,
  'search_fields' => array('givenName', 'cn', 'sn', 'mail'),
  'name_field'    => 'cn',
  'email_field'   => 'mail',
  'surname_field' => 'sn',
  'firstname_field' => 'givenName',
  'sort'          => 'cn',
  'scope'         => 'sub',
  'filter'        => 'givenName=*',
  'fuzzy_search'  => true);

Every mail user has got the same password (entry userPassword = ... in the LDAP directory) for LDAP, because the bind_pass is always the same. This might be a security hole, because anybody could access other users' addressbooks simply by choosing another cn=, if he could guess one.

4.
In Thunderbird you've got to create a new directory server entry.
The steps are as follows (menu names translated from the German labels my Thunderbird shows me ;D):
  • Tools -> Account Settings (or under Linux: Edit -> Account Settings)
  • Composition & Addressing
  • Use a different LDAP server: -> Edit...
  • Add
  • Name: choose one
  • Hostname: IP or domain name of your LDAP server
  • Base DN: [email protected],cn=mailusers,dc=yourserver,dc=com
  • Port number: 389
  • Bind DN: [email protected],cn=mailusers,dc=yourserver,dc=com

5.
Next steps (if I can find time to do so):
  • I'm looking forward to replacing the bind_pass with some PHP code and an SQL query to look up each user's password and protect the addressbooks against spying.
  • Figuring out why Thunderbird (2.0.0.21 running on Ubuntu 8.10) is only able to read but not able to add entries to the addressbook. Seems that there is no function for adding contacts to an LDAP directory.

Your comments will be welcome.

techdude

Frank: Is there any way to make each separate private addressbook password protected? Like using the username and password of their Linux account?
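An added example, not from this thread or the Roundcube project, of how the shared-password hole Frank describes in step 3 and the per-user protection techdude asks about can be enforced on the OpenLDAP side: every user keeps an individual userPassword, and slapd ACLs confine each bind DN to its own entry and the contacts below it. It assumes the slapd.conf style of OpenLDAP 2.3 (as shipped with Debian 4.0) and the cn=mailusers layout from Frank's LDIF.

```conf
# slapd.conf excerpt (added example, assumes the cn=mailusers layout above).
# Rules are evaluated top down: the first "access to" that matches the target
# entry wins, and within it the first "by" clause that matches the requester decides.

# 1. Passwords: a user may change only their own; anonymous may use the attribute
#    only to authenticate (needed for a simple bind); nobody else sees it at all.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. A mail user's entry and everything below it (their addressbook).
#    $2 captures the user's cn; only a bind as exactly that DN gets write access,
#    every other identity (including other authenticated mail users) gets nothing,
#    so guessing another cn= no longer exposes that user's contacts.
access to dn.regex="^(.+,)?cn=([^,]+),cn=mailusers,dc=yourserver,dc=com$"
    by dn.exact,expand="cn=$2,cn=mailusers,dc=yourserver,dc=com" write
    by * none

# 3. The rest of the tree (suffix entry, cn=mailusers container) stays readable
#    for authenticated users so Roundcube and Thunderbird can resolve their base DN.
access to *
    by users read
    by * none
```

These rules only close the hole once each userPassword is individual and Roundcube binds with the user's own credentials instead of one shared bind_pass, which is the change Frank lists under his next steps.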