Open in app

Sign in

Write

Sign in

Install Kolab and integrate it with FreeIPA

Andrei Kvapil
4 min readOct 4, 2018

--

Here is written steps for install Kolab Groupware server and integrate it with FreeIPA server.

Most of actions requires basic understanding in LDAP mechanism.
FreeIPA should be already installed before preparing Kolab installation.
We will connect only users from the existing tree (which provided by FreeIPA), and we will create new tree for the rest Kolab resources, like mail groups, shared mailboxes, etc.

In the end, we will can authenticate them, edit their parameters via kolab-webadmin, and manage other resources.

For make LDAP editing easier, I suggest you using Apache Directory Studio, this software provides the nice LDAP-browser interface, it allows you to edit any parameters without any difficults.

On Kolab server

Setup Kolab:

setup-kolab

Export Kolab config:

ldapsearch -L -D "cn=Directory Manager" -w <password> -b "cn=kolab,cn=config" > /tmp/kolab-config.ldif

Save Kolab schema:

cp /usr/share/doc/kolab-schema-3.3/kolab3.ldif /tmp/kolab3.ldif

On FreeIPA server

Create users:

  • kolab-svc
  • kolab-admin-svc
  • cyrus-svc

Add kolab-admin-svc to admin group.

Make sure that cyrus-svc have no any mail address.

Import Kolab schema:

cp /tmp/kolab3.ldif /etc/dirsrv/slapd-EXAMPLE-ORG/schema/99kolab3.ldifsystemctl restart dirsrv.target

Import Kolab config:

ldapadd -x -D "cn=Directory Manager" -w <password> -f /tmp/kolab-config.ldif

Open LDAP browser and add those aci to cn=kolab,cn=config:

(targetattr="*")(version 3.0; acl "allow read"; allow (read,compare,search) userdn="ldap:///all";)(targetattr="*")(version 3.0;acl "allow all"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=org";)

On Kolab server

Configure LDAP connection to our FreeIPA server:

sed -i '/^ldap_uri =/ s|=.*|= ldap://ipa.example.org:389|' /etc/kolab/kolab.conf

Set our kolab-admin-svc, cyrus-svc and cyrus-svc users:

sed -i '/^admin_login =/ s|=.*|= cyrus-svc|' /etc/kolab/kolab.confsed -i 's/uid=kolab-service,ou=Special Users/uid=kolab-svc,cn=users,cn=accounts/' /etc/kolab/kolab.confsed -i '/^service_bind_dn =/ s|=.*|= uid=kolab-svc,cn=users,cn=accounts,%(base_dn)s|' /etc/kolab/kolab.conf

Confgure LDAP paths:

sed -i 's/ou=People/cn=users,cn=accounts/' /etc/kolab/kolab.confsed -i 's/ou=\(Groups\|Shared Folders\|Resources\)/ou=\1,ou=kolab/' /etc/kolab/kolab.conf

And change uniquieid value to ipauniqueid:

sed -i '/^unique_attribute/ s/=.*/= ipauniqueid/' /etc/kolab/kolab.conf

Let’s check the changed parameters in /etc/kolab/kolab.conf:

[ldap]
ldap_uri = ldap://ipa.example.org:389
user_base_dn = cn=users,cn=accounts,%(base_dn)s
kolab_user_base_dn = cn=users,cn=accounts,%(base_dn)s
group_base_dn = ou=Groups,ou=kolab,%(base_dn)s
sharedfolder_base_dn = ou=Shared Folders,ou=kolab,%(base_dn)s
resource_base_dn = ou=Resources,ou=kolab,%(base_dn)s
bind_dn = uid=kolab-admin-svc,cn=users,cn=accounts,dn=example,dn=org
bind_pw = <password>
service_bind_dn = uid=kolab-svc,cn=users,cn=accounts,dn=example,dn=org
service_bind_pw = <password>[cyrus-imap]
admin_login = cyrus-svc
admin_password = <password>[cyrus-sasl]
result_attribute = uid

Now go to kolab-webadmin and create Organization Units:

kolab
|-Groups 
|-Resources
'-Shared Folders

Open LDAP browser and add those aci to ou=kolab,dc=example,dc=org

(targetattr="*")(version 3.0; acl "allow read"; allow (read,compare,search) userdn="ldap:///all";)(targetattr="*")(version 3.0;acl "allow all"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=org";)

Setup IMAP:

setup-kolab imap

Setup MTA:

setup-kolab mta

Now we will install latest pykolab from git, and patch it for FreeIPA:

cd /opt
yum install yum-utils git
git clone https://git.kolab.org/diffusion/P/pykolab.git pykolab.git
cd /opt/pykolab.git

Wipe imported users database

rm -f /var/lib/kolab/*.db

Update systemd unit for kolabd and wallace, then restart them:

cp /{lib,etc}/systemd/system/kolabd.service
sed -i 's|/usr/sbin/kolabd|/opt/pykolab.git/kolabd.py|' /etc/systemd/system/kolabd.servicecp /{lib,etc}/systemd/system/wallace.service
sed -i 's|/usr/sbin/wallaced|/opt/pykolab.git/wallace.py|' /etc/systemd/system/wallace.servicesystemctl daemon-reload
systemctl restart kolabd wallace

Configure LDAP server for roundcube addressbook:

sed -i "s/Array('localhost')/Array('ipa.example.org')/" /etc/roundcubemail/config.inc.php /etc/roundcubemail/kolab_auth.inc.php

Now we can exclude users which ends with -svc from our addressbook:

sed -i "s/^\( *'filter' *=>\).*inetOrgPerson.*/\1 '(\&(objectClass=inetOrgPerson)(\!(uid=*-svc)))',/" /etc/roundcubemail/config.inc.php

Update /etc/roundcubemail/password.inc.php:

sed -i "/password_ldap_host/ s/=.*/= 'ipa.example.org';/" /etc/roundcubemail/password.inc.php

Disable kolab’s dirsrv, we don’t need it anymore:

systemctl disable dirsrv@kolab
systemctl stop dirsrv@kolab

Configure objectClasses and attributes

On FreeIPA server

Go to IPA server → Configuration → objectClass by default for users

Add:

  • kolabInetOrgPerson
  • mailRecipient

Open LDAP browser, and add missing objectClasses to the current users (except service users).

Go to IPA server → Role-Based Access Control → Permissions → System: Read User Addressbook Attributes

Add:

  • alias

On Kolab server

Login as cn=Directory Manager into kolab-webadmin GUI

Go to Settings → Objcet type: User → Mail-enabled POSIX User

On Propertes tab, Object class (add missing):

  • inetorgperson
  • inetuser
  • ipaobject
  • ipaSshGroupOfPubKeys
  • ipasshuser
  • kolabinetorgperson
  • krbprincipalaux
  • krbticketpolicyaux
  • mailrecipient
  • mepOriginEntry
  • organizationalperson
  • person
  • posixaccount
  • top

On Attributes tab:

  • ou (update)
    Field type: text
    Value: Generated (read-only)
    Click Save
  • ipaUniqueID (add new)
    Field type: text
    Value: Generated (read-only)
    Click Save
  • uid (update)
    Field type: text
    Value: Noraml
    Click Save
  • displayName (update)
    Field type: text
    Value: Noraml
    Click Save

Click Submit button.

Update kolab-webadmin for use nsuniqueid instead ipauniqueid, it’s needed for allow editing Kolab created resources, sharedfoulders and etc.

cat > /etc/kolab/kolab-webadmin.conf <<EOT
# Workaround for kolab-webadmin.
# It is can not work with unique_attribute = ipauniqueid
EOT
cat /etc/kolab/kolab.conf >> /etc/kolab/kolab-webadmin.conf
sed -i '/^unique_attribute/ s/=.*/= nsuniqueid/' /etc/kolab/kolab-webadmin.conf
sed -i 's|/etc/kolab/kolab.conf|/etc/kolab/kolab-webadmin.conf|g' /usr/share/kolab-webadmin/lib/Conf.php

That’s all.
Now you might continue Kolab configuration as usual Kolab installation.

Next steps

Secure all Kolab Services

Configure nginx and php-fpm:

Configure DKIM

Configure catchall

System Administration
Open Source
Linux
Linux Tutorial
Mail

--

--

Andrei Kvapil
Andrei Kvapil

Written by Andrei Kvapil

507 Followers
15 Following

This mess is mine!

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams