Gentoo Wiki

HOWTO_OpenGroupware.org_with_OpenLDAP


This article is part of the HOWTO series.

Intro

Original forum post: http://forums.gentoo.org/viewtopic.php?t=178197

This is just a howto based on my experiences getting opengroupware.org up and running (minus email, because I can't seem to get the webmail portion to work). It will use OpenLDAP for authentication.

This guide is written for someone with little or only shallow Linux experience, like myself.

Look at http://bugs.gentoo.org/show_bug.cgi?id=24247 for the newest ebuild. If you don't know how the bugtracker works and why there are different ebuilds, please do _not_ try to install opengroupware with this howto.

Recommended USE flags: "ldap, imap, apache2, sasl2, sasl, pam". Some of these are most likely redundant, but I know they work.

Install OpenLDAP

I recommend following the official OpenLDAP guide at http://www.gentoo.org/doc/en/ldap-howto.xml. (Following this guide broke my system - the talk page says that it is out of date. Do not use.) The great thing about using OpenLDAP is you can configure opengroupware.org, cyrus, postfix, and the system to all authenticate against it.

After getting OpenLDAP running according to the guide, open your slapd.conf file (usually in /etc/openldap/) and add the line

     allow   bind_v2

This allows OpenGroupware, which uses the LDAPv2 protocol, to bind to the server to authenticate a user.

Make sure the opengroupware ebuild file is ready

There have been a few cases where, after downloading the latest ebuild file, running emerge gives an error, usually a syntax error. There's a really simple fix: open the latest ebuild file in your favorite text editor and simply save it. That should do the trick.


Then build the digest files (replace <VERSION> with the version your build has):

     cd /usr/local/portage/net-misc/opengroupware/
     ebuild opengroupware-<VERSION>.ebuild digest

Then keyword the package and emerge it:

     echo "net-misc/opengroupware ~x*" >> /etc/portage/package.keywords
     emerge opengroupware

configure postgresql.conf

Open "/var/lib/postgresql/data/postgresql.conf" (or wherever your data directory is) in your favorite text editor. Find the commented line #tcpip_socket = false. Uncomment it and change it to true:

     tcpip_socket = true

This will allow postgresql to listen for TCP/IP traffic.

Added by gerblazi at hotmail dot com
I didn't have a working postgresql on my system. When I emerged Opengroupware, the includes automatically added postgresql but didn't configure it, and I found that the /var/lib/postgresql/data directory did not yet exist. The following was found in the /usr/share/doc/postgresql-8.0.1/INSTALL.gz file:

     mkdir /usr/local/pgsql/data
     chown postgres /usr/local/pgsql/data
     su - postgres
     /usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data
     /usr/local/pgsql/bin/postmaster -D /usr/local/pgsql/data >logfile 2>&1 &
     /usr/local/pgsql/bin/createdb test
     /usr/local/pgsql/bin/psql test

I adjusted the instructions slightly: instead of running the .../postmaster line I ran /etc/init.d/postgresql start as root.

Also, the line "tcpip_socket" referenced in this HOWTO did not exist in my postgresql.conf file. Uncommenting the "listen_address" and "port" lines in the postgresql.conf file seems to have a similar effect.

Watch the output of the postgresql ebuild; there is a post-installation configuration step (make sure you adjust for your version of postgres):

     ebuild /var/db/pkg/dev-db/postgresql-8.0.1-r2/postgresql-8.0.1-r2.ebuild config

start postgresql

You've got to do this manually.

RedHat

     /etc/init.d/postgresql [start|stop|restart]

or

     /sbin/service postgresql [start|stop|restart]

setup the opengroupware databases

Navigate to where you extracted your opengroupware folder (mine is in /usr/portage/net-misc/opengroupware), configure the ebuild with "ebuild opengroupware-0.2.1-r2.ebuild config" and watch the script make lots of tables.

configure apache to load the opengroupware module

Add "-D OGo" to your Apache options (in /etc/conf.d/apache2 for those of you who, like me, use apache2).


configure opengroupware LDAP authentication

Open the NSGlobalDomain.plist file, usually at "/opt/opengroupware.org/.libFoundation/Defaults/NSGlobalDomain.plist", with your favorite text editor. Add the following lines at the bottom of the file, but before the closing brace:

     LSAuthLDAPServer = "ldap.mydomain.com";
     LSAuthLDAPServerRoot = "dc=mydomain,dc=com";

LSAuthLDAPServer is your ldap server's FQDN and LSAuthLDAPServerRoot is the LDAP root of your directory.

Added by evan at mirrored dot ca
The "4th Version of the ebuild" from the bugzilla page requires these files to be edited in /etc

Open /etc/opengroupware.org/NSGlobalDomain.plist and add the two lines above in this file.

Added by gerblazi at hotmail dot com
The "4th Version of the ebuild" from the bugzilla page did not create anything in /opt.

I found two files with this name under /usr/local/, however:

     gbox ~ # qpkg -l opengroupware | grep NSGlobalDomain.plist
     /usr/local/lib/opengroupware.org-1.0a/webui/AdminUI.lso/Resources/NSGlobalDomain.plist
     /usr/local/share/libFoundation/Defaults/NSGlobalDomain.plist

I am guessing that the /usr/local/lib/... one is the one that should be modified...

Added by cyrius
More information

/usr/local/share/libFoundation/Defaults/NSGlobalDomain.plist is the right file to modify. This is the link to the source code of opengroupware for the LDAP management: link Source Code OGo Ldap. As you can see in it, you can add another field: LSAuthLDAPServerPort = "389" (or 636 if using SSL).

But if you remove those parameters from this file after having rebooted ogo, you will see ogo trying to connect via LDAP despite your action! BE CAREFUL: this configuration is not the natural ogo way to do it. This is the natural way: do the following steps at the bash prompt:

     > su - ogo
     $ Defaults write NSGlobalDomain LSAuthLDAPServerPort '"389"'
     $ Defaults read

This will give you:

     {
     Defaults = {};
     NSGlobalDomain = {
         LSAdaptor = PostgreSQL;
         LSAuthLDAPServePort = 389;
         LSConnectionDictionary = {
             databaseName = OGo;
             hostName = localhost;
             password = "";
             port = 5432;
             userName = OGo;
         };
         Languages = (
             English
         );
         TimeZoneName = GMT;
     };
     }

To delete:

     $ Defaults delete NSGlobalDomain LSAuthLDAPServerPort
     $ Defaults read

This will show you:

     {
     Defaults = {};
     NSGlobalDomain = {
         LSAdaptor = PostgreSQL;
         LSConnectionDictionary = {
             databaseName = OGo;
             hostName = localhost;
             password = "";
             port = 5432;
             userName = OGo;
         };
         Languages = (
             English
         );
         TimeZoneName = GMT;
     };
     }

     $ exit



The LDAP server MUST support the LDAPv2 protocol. This is the only one supported by opengroupware. See: link FAQ OpenGroupware. I continue investigating. Very important, coming from this FAQ:

     "...Note that with LDAP authentication enabled OGo still needs to create an account record in the PostgreSQL database.
     This is done when a user logs in the first time and was successfully authenticated by LDAP (the user is taken to a welcome-page where he can decide whether to proceed)..."
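Both the NSGlobalDomain.plist edits above and the Defaults read dumps use the old-style OpenStep property-list syntax. The following Python parser is an added example, not code from OpenGroupware or libFoundation: it reads either form and returns the LSAuthLDAP* keys that are set, so you can confirm which LDAP authentication settings OGo will actually see. SAMPLE_DUMP is a constructed copy of the Defaults read output shown above.

```python
import re

# OpenStep plist tokens: structural symbols, "quoted strings" (escapes kept verbatim) and bare words.
TOKEN = re.compile(r'([{}()=;,])|"((?:[^"\\]|\\.)*)"|([^\s{}()=;,"]+)')

def tokenize(text):
    """Return (kind, value) pairs; whitespace between tokens is skipped."""
    return [("sym", s) if s else ("str", q or w) for s, q, w in TOKEN.findall(text)]

def parse_value(tokens, i):
    """Parse one value at tokens[i]; return (value, index after it)."""
    kind, val = tokens[i]
    if kind == "str":
        return val, i + 1
    if val == "{":                                  # dictionary: { key = value; ... }
        d, i = {}, i + 1
        while tokens[i] != ("sym", "}"):
            key, i = parse_value(tokens, i)
            if tokens[i] != ("sym", "="):
                raise ValueError("expected '=' after %r" % key)
            d[key], i = parse_value(tokens, i + 1)
            if tokens[i] != ("sym", ";"):
                raise ValueError("expected ';' after %r" % key)
            i += 1
        return d, i + 1
    if val == "(":                                  # array: ( item, item, ... )
        items, i = [], i + 1
        while tokens[i] != ("sym", ")"):
            item, i = parse_value(tokens, i)
            items.append(item)
            i += tokens[i] == ("sym", ",")          # skip the optional comma
        return items, i + 1
    raise ValueError("unexpected %r at token %d" % (val, i))

def ldap_auth_settings(text):
    """LSAuthLDAP* keys from a bare NSGlobalDomain.plist or a `Defaults read` dump."""
    root, _ = parse_value(tokenize(text), 0)
    domain = root.get("NSGlobalDomain", root)       # a dump wraps the domain; the file is the domain
    return {k: v for k, v in domain.items() if k.startswith("LSAuthLDAP")}

# Constructed copy of the `Defaults read` output shown above, not captured from a live system.
SAMPLE_DUMP = """{
    Defaults = {};
    NSGlobalDomain = {
        LSAdaptor = PostgreSQL;
        LSAuthLDAPServerPort = 389;
        LSConnectionDictionary = {databaseName = OGo; hostName = localhost; password = ""; port = 5432; userName = OGo;};
        Languages = (English);
    };
}"""
```

Run ldap_auth_settings on the file you edited and on the dump the ogo user gets from Defaults read; if they disagree, the process is reading a different file than the one you changed.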


create an LDAP root account for opengroupware

OpenGroupware normally authenticates to the passwd file and uses the root user to configure stuff. If you're using LDAP, you must create a root user in the LDAP database. I actually create the root LDAP user to have the same credentials as the standard root account so everything is through LDAP now. Create an .ldif file such as this:

     dn: uid=root,ou=People,dc=mydomain,dc=com
     objectClass: organizationalPerson
     objectClass: top
     objectClass: posixAccount
     objectClass: shadowAccount
     uid: root
     uidNumber: 0
     gidNumber: 0
     sn: Root
     cn: Root
     homeDirectory: /root
     loginShell: /bin/bash
     gecos: Root

Add the person to the directory using

     ldapadd -x -D "cn=Manager,dc=mydomain,dc=com" -W -f root.ldif

This assumes that your slapd.conf file (in /etc/openldap/) has the setting

     rootdn   "cn=Manager,dc=mydomain,dc=com"

Do NOT log out! Test this by trying to change root's password. Instead of giving the generic "password changed" reply, it should respond "LDAP password information changed for root". If you want to, you can comment out the root lines in both /etc/passwd and /etc/shadow and everything should be fine: the system will authenticate root against LDAP and still give the user root privileges. I don't recommend deleting any lines, so it's recoverable if LDAP fails.


set autologin for IMAP (optional)

Open the NSGlobalDomain.plist file again and add the following lines inside the curly braces:

        imap_host = "localhost";
        UseSkyrixLoginForImap = YES;

It works! (We hope)

Start postgresql (if not still running), opengroupware, and apache2. Navigate to "http://ogo.mydomain.com/OpenGroupware" in your web browser and log in as root; it should work now! Please note that you should not use the OpenGroupware user manager to create users when authenticating this way, though it is good for setting permissions. If you want a graphical user manager, I personally like phpldapadmin. It's currently masked as unstable, but it runs great and is extremely easy to set up and use.


Notes

Postfix

Postfix works great with OpenGroupware, especially when authentication is done against OpenLDAP. To configure Postfix to allow delivery to LDAP users, add this code to /etc/postfix/main.cf (Postfix only treats a # at the start of a line as a comment, so the comments are kept on their own lines):

      alias_maps = hash:/etc/mail/aliases, ldap:ldapsource

      ldapsource_server_host = ldap.hvbg.local
      ldapsource_search_base = dc=hvbg,dc=local
      ldapsource_bind = no

      # the following enables authentication and sets security
      # so non-local hosts can relay as long as they're authenticated

      smtpd_sasl_auth_enable = yes
      smtpd_sasl2_auto_enable = yes
      smtpd_sasl_local_domain = $localhost
      smtpd_sasl_security_options = noanonymous

      # for those poor souls using Outlook
      broken_sasl_auth_clients = yes

      smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains

      # for those of you using cyrus imap, add the following, but you probably already knew this

      mailbox_transport = cyrus

Adding "ldap:ldapsource" to alias_maps tells Postfix to look up users in LDAP as well as in the standard aliases file. ldapsource_server_host and ldapsource_search_base tell Postfix where to find the LDAP server and in which part of the directory to start the search for users. SASL auth is enabled to allow users to authenticate in order to relay. This has Postfix authenticate users against SASL, which in turn authenticates against LDAP.

This one worked better for me:

     alias_maps = hash:/etc/postfix/aliases, ldap:/etc/postfix/ldap-aliases.cf

and with /etc/postfix/ldap-aliases.cf:

     version=3
     server_host = 127.0.0.1
     search_base = ou=user,dc=schinx,dc=net
     bind = yes
     bind_dn = uid=ldapbind,ou=user,dc=schinx,dc=net
     bind_pw = xxxxxxxxxxx
     query_filter = (|(mail=%u)(mail=%s)(uid=%u))
     result_attribute = mail

Then you can control the aliasing with the mail attribute in LDAP.
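The %u and %s placeholders in that query_filter are expanded from the address being looked up, so the expanded value has to be escaped as an LDAP filter value, otherwise characters such as * or ) in an address would change the structure of the filter. Postfix's ldap table driver does this escaping itself; the Python function below is an added example, not Postfix code, modelled on the documented %s/%u/%d placeholders, and renders the filter from ldap-aliases.cf for a given address (simplification, labelled in the code: a key without a domain leaves %d empty, where Postfix would skip the query).

```python
# Characters RFC 4515 requires to be escaped inside an LDAP filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a string so an LDAP server treats it as a literal filter value."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_query_filter(template, address):
    """Expand a Postfix-style query_filter for one looked-up address.

    %s is the whole input key, %u its local part, %d its domain part and
    %% a literal percent sign.  Simplification (assumption, not Postfix
    behaviour): a key without '@' leaves %d empty instead of skipping the query.
    """
    local, _, domain = address.partition("@")
    fields = {"%s": address, "%u": local, "%d": domain}
    out, i = [], 0
    while i < len(template):
        tok = template[i:i + 2]
        if tok in fields:                 # expanded values are always escaped
            out.append(escape_filter_value(fields[tok]))
            i += 2
        elif tok == "%%":
            out.append("%")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# The query_filter from the ldap-aliases.cf above.
QUERY_FILTER = "(|(mail=%u)(mail=%s)(uid=%u))"
```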

Cyrus-IMAPD

Cyrus is supposed to play well with OpenGroupware; it is actually the recommended IMAP server. Unfortunately, I have not been able to get OpenGroupware to work with it. The OpenGroupware program throws an exception whenever it tries to access a user's mailbox, and I do not know why this is. Hopefully the problem will be fixed soon. Here's a quick HOWTO to make Cyrus authenticate against LDAP and automatically create mailboxes when an authenticated user accesses IMAP. This means that all you have to do is create the user and the software does the rest!

First, you must use the modified ebuild available at http://bugs.gentoo.org/show_bug.cgi?id=47803. Make sure you download the specified patch and place it in your cyrus-imapd/files folder in the portage tree. After setting Cyrus up and doing the initial configuration of imapd.conf, add/change these settings in the file (comments are kept on their own lines, as imapd.conf only ignores lines that begin with #):

      allowplaintext:      yes

      # allows use of PAM
      sasl_pwcheck_method:   saslauthd
      # no maximum number of folders created, but autocreation allowed
      authcreatequota:   -1

      # ^ shouldn't this read autocreatequota ?

      autocreateinboxfolders: Sent | Drafts | Trash | Junk

To enable imap to authenticate off of LDAP, add these lines to the TOP of your /etc/pam.d/imap file

     auth      sufficient   /lib/security/pam_ldap.so
     account      sufficient   /lib/security/pam_ldap.so


^ That is definitely not enough, because cyrus needs saslauthd. In /etc/conf.d/saslauthd:

     SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a ldap -n 10 -c -s 128 -t 30 -O /etc/saslauthd.conf"

and in /etc/saslauthd.conf:

     ldap_server: ldap://127.0.0.1:389/
     ldap_search_base: ou=user,dc=schinx,dc=net
     ldap_bind_dn: uid=ldapbind,ou=user,dc=schinx,dc=net
     ldap_bind_pw: xxxxxxxx
     ldap_filter: uid=%u
     ldap_auth_method: bind

OpenGroupware and PaX

I had some segfaults with OpenGroupware and PaX turned on, but this can be fixed by turning off PaX restrictions with the chpax utility (installed by sys-apps/chpax).

Type this command to turn all flags off:

     # for f in $(equery f net-misc/opengroupware | grep "/usr/local/s\?bin/"); do chpax -PEMRXS ${f}; done

Retrieved from "http://www.gentoo-wiki.info/HOWTO_OpenGroupware.org_with_OpenLDAP"

Last modified: Fri, 05 Sep 2008 08:04:00 +0000