
Version 17 (modified by andudi, 2 years ago), change comment: config ready

(This page is still under construction!)

LDAP Addressbook Server for Roundcube

This Howto describes the setup of a simple LDAP addressbook server that should be ready for use with Roundcube "out of the box". The goal is an addressbook solution similar to the SQL based one, including contact groups and configurable fields. At the same time it should be possible to connect to it with any LDAP addressbook client out there.

Since Roundcube 0.5 is not able to manage LDAP contact groups, this feature will not be available before Roundcube 0.6. Nevertheless this LDAP addressbook server can already be used: new contacts simply do not belong to a group yet; they can be added to one later.

This Howto makes some simplifications that may be a good choice for a small home server, but not what professionals would do:

  • this Howto is based on OpenLDAP (http://www.openldap.org)
  • the LDAP server is running on the same host as Roundcube
  • the static config file is used instead of the newer dynamic config directory
  • security issues are not part of this Howto; nevertheless it is highly recommended to block connections from other hosts to the LDAP port (389) with a firewall. On Debian based systems you can additionally make slapd listen on the loopback interface only by setting SLAPD_SERVICES="ldap://127.0.0.1:389/" in /etc/default/slapd. Keep in mind that this setup uses no TLS, so bind passwords would cross the network in cleartext if the port were reachable from other hosts
  • this Howto is based on and tested with Debian Lenny and Ubuntu 10.10, but other distros (and OSes?) should work as well

If you do not agree with my propositions, help yourself to improve your installation!

Install the LDAP Server

Install the following OpenLDAP packages (if they are called differently on your distro, please let me know):

  • slapd : the OpenLDAP server daemon
  • ldap-utils : LDAP tools like ldapsearch and ldapadd
  • php5-ldap : the PHP bindings later used by Roundcube

E.g. on Debian based systems do:

$ sudo apt-get install slapd ldap-utils php5-ldap

Depending on your distribution (e.g. on Debian Lenny), you will be asked during the installation about:

  • domainname : localhost
  • organisation : Local LDAP Addressbook Server
  • administrator password : mypasswd

The proposed answers for the domain name (or suffix) fit this Howto: if you want to use another one, you have to know (or find out) how to adapt the following steps! Please change the password to one of your own!

E.g. on Debian based systems, you can redo this preconfiguration:

$ sudo dpkg-reconfigure slapd

If you are not asked about the above, as on distros like Ubuntu 9.10 and later, you have to define everything in the configuration file. In that case you have to generate an administrator password hash first:

$ sudo slappasswd
New password: 
Re-enter new password: 
{SSHA}bCiMXssO6JJ2ZsPikd1qjNuWhApr+fHr

Remember (or rather copy) the last line, the password hash, for later use. Only this hash, never the cleartext password, goes into the config file.

Configure the LDAP Server

OpenLDAP supports two types of configuration:

  1. the static config file, usually /etc/ldap/slapd.conf
  2. the newer dynamic config directory, usually /etc/ldap/slapd.d/

Some distros like Debian Lenny still preconfigure the config file. Others like Ubuntu 9.10 and later use the config directory instead: in this case you have to change this default behaviour first!

E.g. in Ubuntu 10.10 you have to edit the file /etc/default/slapd and change the first entry so that it points to the config file:

SLAPD_CONF=/etc/ldap/slapd.conf
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"

By the way, note the user and group the slapd daemon runs as, usually openldap; they are needed below for the file permissions.

Now you have to create/modify the config file /etc/ldap/slapd.conf.
The following example config should just work for this simple Roundcube LDAP addressbook:

#######################################################################
# Global Directives:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_hdb
sizelimit 500
tool-threads 1
backend         hdb

#######################################################################
# Specific Directives for database #1, of type hdb:
database        hdb
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on

# If you change the suffix, change all the "localhost" you find below as well!
suffix          "dc=localhost"

# Please change the password with the result of "slappasswd"
rootdn          "cn=admin,dc=localhost"
rootpw          {SSHA}TNLUlmvLB86mzX5tA7klra2Cepv/Nn47

checkpoint      512 30

# For user authentication and password change
access to attrs=userPassword
        by dn="cn=admin,dc=localhost" write
        by anonymous auth
        by self write
        by * none

# Grant the roundcube user access to the addressbook
access to dn.subtree="ou=rcabook,dc=localhost"
        by dn="cn=rcuser,dc=localhost" write

# For directory access
access to *
        by dn="cn=admin,dc=localhost" write
        by * read

Some words on this proposed example:

  • compared to the default slapd.conf file, all the irrelevant comments are removed.
  • the nis schema is removed because the simple addressbook does not need it.
  • normally you need not touch anything other than: suffix, rootdn, rootpw and the access directives!
  • if you just follow this Howto, only change the password.
  • OpenLDAP evaluates the access directives in order and uses the first "access to" clause whose target matches the entry; if none of that clause's "by" lines matches the requester, access is denied (an implicit "by * none"). Therefore the "ou=rcabook,dc=localhost" subtree is readable and writable by cn=rcuser only: the "by * read" further down belongs to the "access to *" clause and does not apply to the addressbook. The rootdn (cn=admin) is not subject to the access directives at all.

After you have created/modified it, check or even set restrictive permissions on the config file: because the password hash is stored inside, normal users must not be able to read it! User and group must correspond to the ones you found above in /etc/default/slapd.

$ sudo chmod 640 /etc/ldap/slapd.conf
$ sudo chown openldap:openldap /etc/ldap/slapd.conf
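As an added example (not part of the original Howto), the following POSIX shell script checks the two things this section cares about before you restart slapd: that every rootpw directive holds a slappasswd hash rather than a cleartext password, and that the config file is not readable by other users. If slaptest is installed it also runs a dry-run syntax check. The default path and the demo config it builds are assumptions for this example; pass the path of your real slapd.conf as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original Howto: pre-flight checks on a
# slapd.conf before restarting slapd. Run as "sh preflight.sh /etc/ldap/slapd.conf";
# without an argument it checks a constructed, deliberately bad config.

# check_rootpw FILE
# Succeeds (0) if every active rootpw directive carries a {SCHEME} hash as
# produced by slappasswd; fails (1) if one holds a cleartext password.
# Commented-out lines are ignored.
check_rootpw() {
    if grep -E '^[[:space:]]*rootpw[[:space:]]+' "$1" \
        | grep -Ev '^[[:space:]]*rootpw[[:space:]]+[{][A-Za-z0-9-]+[}]' \
        >/dev/null; then
        echo "FAIL: cleartext rootpw in $1 (use the slappasswd hash)" >&2
        return 1
    fi
    return 0
}

# check_mode FILE
# Succeeds (0) if "others" have no permission bits on FILE, i.e. the mode
# is 640 or stricter; fails (1) if the file is world-readable.
check_mode() {
    others=$(ls -l "$1" | cut -c8-10)
    if [ "$others" != "---" ]; then
        echo "FAIL: $1 is accessible by other users (mode bits '$others')" >&2
        return 1
    fi
    return 0
}

# check_syntax FILE
# Runs slaptest in dry-run mode (-u) when it is installed, so a typo in
# the config is caught before slapd refuses to start.
check_syntax() {
    if command -v slaptest >/dev/null 2>&1; then
        slaptest -u -f "$1"
    else
        echo "NOTE: slaptest not installed, syntax check skipped" >&2
        return 0
    fi
}

# preflight FILE : runs all checks, returns the number of failed checks.
preflight() {
    failures=0
    check_rootpw "$1" || failures=$((failures + 1))
    check_mode "$1"   || failures=$((failures + 1))
    check_syntax "$1" || failures=$((failures + 1))
    return "$failures"
}

if [ -n "$1" ]; then
    preflight "$1"
else
    # Constructed demo config (not a real slapd.conf): cleartext rootpw and
    # world-readable mode, so both checks are expected to fail.
    demo=$(mktemp)
    printf 'rootdn "cn=admin,dc=localhost"\nrootpw mypasswd\n' > "$demo"
    chmod 644 "$demo"
    rc=0
    preflight "$demo" || rc=$?
    echo "constructed bad config: $rc check(s) failed"
    rm -f "$demo"
fi
```

check_mode reads the permission string from ls -l rather than stat so that it works on both GNU and BSD userlands; the ACL ordering discussed above is not something a script can verify, so review the access directives by hand.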

Try to restart the OpenLDAP server now, e.g. on Debian based systems do:

$ sudo invoke-rc.d slapd restart

If you do not see any errors on the command line, your LDAP server is ready to become an LDAP addressbook server :-)

Setup the LDAP Server

Configure Roundcube
