Install Kolab and integrate it with FreeIPA

Image for post
Image for post

Here is written steps for install Kolab Groupware server and integrate it with FreeIPA server.

Most of actions requires basic understanding in LDAP mechanism.
FreeIPA should be already installed before preparing Kolab installation.
We will connect only users from the existing tree (which provided by FreeIPA), and we will create new tree for the rest Kolab resources, like mail groups, shared mailboxes, etc.

In the end, we will can authenticate them, edit their parameters via kolab-webadmin, and manage other resources.

For make LDAP editing easier, I suggest you using Apache Directory Studio, this software provides the nice LDAP-browser interface, it allows you to edit any parameters without any difficults.

Setup Kolab:

setup-kolab

Export Kolab config:

ldapsearch -L -D "cn=Directory Manager" -w <password> -b "cn=kolab,cn=config" > /tmp/kolab-config.ldif

Save Kolab schema:

cp /usr/share/doc/kolab-schema-3.3/kolab3.ldif /tmp/kolab3.ldif

Create users:

  • kolab-svc
  • kolab-admin-svc
  • cyrus-svc

Add kolab-admin-svc to admin group.

Make sure that cyrus-svc have no any mail address.

Import Kolab schema:

cp /tmp/kolab3.ldif /etc/dirsrv/slapd-EXAMPLE-ORG/schema/99kolab3.ldifsystemctl restart dirsrv.target

Import Kolab config:

ldapadd -x -D "cn=Directory Manager" -w <password> -f /tmp/kolab-config.ldif

Open LDAP browser and add those aci to cn=kolab,cn=config:

(targetattr="*")(version 3.0; acl "allow read"; allow (read,compare,search) userdn="ldap:///all";)(targetattr="*")(version 3.0;acl "allow all"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=org";)

Configure LDAP connection to our FreeIPA server:

sed -i '/^ldap_uri =/ s|=.*|= ldap://ipa.example.org:389|' /etc/kolab/kolab.conf

Set our kolab-admin-svc, cyrus-svc and cyrus-svc users:

sed -i '/^admin_login =/ s|=.*|= cyrus-svc|' /etc/kolab/kolab.confsed -i 's/uid=kolab-service,ou=Special Users/uid=kolab-svc,cn=users,cn=accounts/' /etc/kolab/kolab.confsed -i '/^service_bind_dn =/ s|=.*|= uid=kolab-svc,cn=users,cn=accounts,%(base_dn)s|' /etc/kolab/kolab.conf

Confgure LDAP paths:

sed -i 's/ou=People/cn=users,cn=accounts/' /etc/kolab/kolab.confsed -i 's/ou=\(Groups\|Shared Folders\|Resources\)/ou=\1,ou=kolab/' /etc/kolab/kolab.conf

And change uniquieid value to ipauniqueid:

sed -i '/^unique_attribute/ s/=.*/= ipauniqueid/' /etc/kolab/kolab.conf

Let’s check the changed parameters in /etc/kolab/kolab.conf:

[ldap]
ldap_uri = ldap://ipa.example.org:389
user_base_dn = cn=users,cn=accounts,%(base_dn)s
kolab_user_base_dn = cn=users,cn=accounts,%(base_dn)s
group_base_dn = ou=Groups,ou=kolab,%(base_dn)s
sharedfolder_base_dn = ou=Shared Folders,ou=kolab,%(base_dn)s
resource_base_dn = ou=Resources,ou=kolab,%(base_dn)s
bind_dn = uid=kolab-admin-svc,cn=users,cn=accounts,dn=example,dn=org
bind_pw = <password>
service_bind_dn = uid=kolab-svc,cn=users,cn=accounts,dn=example,dn=org
service_bind_pw = <password>
[cyrus-imap]
admin_login = cyrus-svc
admin_password = <password>
[cyrus-sasl]
result_attribute = uid

Now go to kolab-webadmin and create Organization Units:

kolab
|-Groups
|-Resources
'-Shared Folders

Open LDAP browser and add those aci to ou=kolab,dc=example,dc=org

(targetattr="*")(version 3.0; acl "allow read"; allow (read,compare,search) userdn="ldap:///all";)(targetattr="*")(version 3.0;acl "allow all"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=org";)

Setup IMAP:

setup-kolab imap

Setup MTA:

setup-kolab mta

Now we will install latest pykolab from git, and patch it for FreeIPA:

cd /opt
yum install yum-utils git
git clone https://git.kolab.org/diffusion/P/pykolab.git pykolab.git
cd /opt/pykolab.git

Wipe imported users database

rm -f /var/lib/kolab/*.db

Update systemd unit for kolabd and wallace, then restart them:

cp /{lib,etc}/systemd/system/kolabd.service
sed -i 's|/usr/sbin/kolabd|/opt/pykolab.git/kolabd.py|' /etc/systemd/system/kolabd.service
cp /{lib,etc}/systemd/system/wallace.service
sed -i 's|/usr/sbin/wallaced|/opt/pykolab.git/wallace.py|' /etc/systemd/system/wallace.service
systemctl daemon-reload
systemctl restart kolabd wallace

Configure LDAP server for roundcube addressbook:

sed -i "s/Array('localhost')/Array('ipa.example.org')/" /etc/roundcubemail/config.inc.php /etc/roundcubemail/kolab_auth.inc.php

Now we can exclude users which ends with -svc from our addressbook:

sed -i "s/^\( *'filter' *=>\).*inetOrgPerson.*/\1 '(\&(objectClass=inetOrgPerson)(\!(uid=*-svc)))',/" /etc/roundcubemail/config.inc.php

Update /etc/roundcubemail/password.inc.php:

sed -i "/password_ldap_host/ s/=.*/= 'ipa.example.org';/" /etc/roundcubemail/password.inc.php

Disable kolab’s dirsrv, we don’t need it anymore:

systemctl disable dirsrv@kolab
systemctl stop dirsrv@kolab

Configure objectClasses and attributes

Go to IPA server → Configuration → objectClass by default for users

Add:

  • kolabInetOrgPerson
  • mailRecipient

Open LDAP browser, and add missing objectClasses to the current users (except service users).

Go to IPA server → Role-Based Access Control → Permissions → System: Read User Addressbook Attributes

Add:

  • alias

Login as cn=Directory Manager into kolab-webadmin GUI

Go to Settings → Objcet type: User → Mail-enabled POSIX User

On Propertes tab, Object class (add missing):

  • inetorgperson
  • inetuser
  • ipaobject
  • ipaSshGroupOfPubKeys
  • ipasshuser
  • kolabinetorgperson
  • krbprincipalaux
  • krbticketpolicyaux
  • mailrecipient
  • mepOriginEntry
  • organizationalperson
  • person
  • posixaccount
  • top

On Attributes tab:

  • ou (update)
    Field type: text
    Value: Generated (read-only)
    Click Save
  • ipaUniqueID (add new)
    Field type: text
    Value: Generated (read-only)
    Click Save
  • uid (update)
    Field type: text
    Value: Noraml
    Click Save
  • displayName (update)
    Field type: text
    Value: Noraml
    Click Save

Click Submit button.

Update kolab-webadmin for use nsuniqueid instead ipauniqueid, it’s needed for allow editing Kolab created resources, sharedfoulders and etc.

cat > /etc/kolab/kolab-webadmin.conf <<EOT
# Workaround for kolab-webadmin.
# It is can not work with unique_attribute = ipauniqueid
EOT
cat /etc/kolab/kolab.conf >> /etc/kolab/kolab-webadmin.conf
sed -i '/^unique_attribute/ s/=.*/= nsuniqueid/' /etc/kolab/kolab-webadmin.conf
sed -i 's|/etc/kolab/kolab.conf|/etc/kolab/kolab-webadmin.conf|g' /usr/share/kolab-webadmin/lib/Conf.php

That’s all.
Now you might continue Kolab configuration as usual Kolab installation.

Next steps

Secure all Kolab Services

Configure nginx and php-fpm:

Configure DKIM

Configure catchall

Written by

This mess is mine!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store