Howto: Open LDAP and Mozilla Thunderbird
Intro
This HOWTO explains how to set up an OpenLDAP2 server to interface with Mozilla Thunderbird as a remote address book. The objective of this document was to cover only the basic features available with inetOrgPerson.schema, which covers about half the items in the address book.
I'd be glad to add use of a Mozilla-specific schema if anyone figures out a simple procedure that doesn't break between OpenLDAP 2.1 and 2.2.
This HOWTO assumes only a basic familiarity with LDAP, and attempts to cover all the detailed steps to set up a SuSE 9.0 Professional server.
This setup allows running multiple databases within one LDAP instance to handle multiple LDAP directories (as in the case of virtual hosting).
Requirements
This HOWTO has been tested with the following components.
- SuSE 9.0 Professional Server
- openldap2-2.1.22
- openldap2-back-ldap-2.1.22
- openldap2-client-2.1.22
- db-4.1.25 (Berkeley DB)
- java2-1.4.2
- Thunderbird v0.9.2
- ldapbrowser v2.8.2b2
- PhpLDAPadmin v 0.9.4b
Verify the packages listed above under SuSE 9.0 are installed. For debugging purposes, download ldapbrowser from the link above.
Untar ldapbrowser in /usr/local/src/java/. To run ldapbrowser, create a shell script /usr/local/bin/ldapbrowser (and make it executable with chmod +x) with the following contents:
#!/bin/sh
/usr/lib/java/bin/java -jar /usr/local/src/java/ldapbrowser/lbe.jar "$@"
Slapd.conf
Modify the contents of /etc/openldap/slapd.conf to the following:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
#Added
include         /etc/openldap/schema/cosine.schema
#Added
include         /etc/openldap/schema/inetorgperson.schema

#Uncomment for early Thunderbird releases ( not needed for v0.9.2 )
#allow bind_v2

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

#Repeat this section for each directory instance
# the directory listed below "/var/lib/ldap/examp_com" must be owned
# by ldap.ldap ( chown ldap.ldap /var/lib/ldap/examp_com, chmod 700 /var/lib/ldap/examp_com )
# Change example.com to your own domain as appropriate.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /var/lib/ldap/examp_com
index           objectClass     eq

#ACL to allow user to authenticate, and change own password.
access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Admin,dc=example,dc=com" write
        by * none

#ACL to disallow read access to anon, only users can read, and
# owner can modify own records.
access to *
        by self write
        by dn.base="cn=Admin,dc=example,dc=com" write
        by users read
        by anonymous auth
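To check what the two access directives above actually grant before putting them in production, here is an added Python model of slapd's ACL evaluation for exactly this configuration (it is an illustration written for this HOWTO, not code from OpenLDAP). It reproduces the rules that matter: the first "access to" clause covering the attribute is used, the first matching "by" clause within it wins, an unmatched entry falls through to "by * none", and the rootdn is never subject to access directives. User DNs are assumed to sit under ou=Users as in the LDIF later in this HOWTO.

```python
# Access levels in OpenLDAP 2.1 order; a grant of one level satisfies every level to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ROOTDN = "cn=Manager,dc=example,dc=com"
ADMIN = "dn:cn=Admin,dc=example,dc=com"   # dn.base= clause, i.e. exact DN match

# The two 'access to' directives from slapd.conf above, transcribed as data in the
# order slapd evaluates them: (attribute filter or "*", ordered list of (who, level)).
ACL = [
    ("userPassword", [("self", "write"), ("anonymous", "auth"), (ADMIN, "write"), ("*", "none")]),
    ("*",            [("self", "write"), (ADMIN, "write"), ("users", "read"), ("anonymous", "auth")]),
]

def norm(dn):
    # Crude DN normalisation (case and whitespace only), enough for the DNs used in this HOWTO.
    return "".join(dn.lower().split())

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None          # any authenticated DN
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    if who.startswith("dn:"):
        return bind_dn is not None and norm(bind_dn) == norm(who[3:])
    raise ValueError("unknown who clause: " + who)

def granted_level(bind_dn, target_dn, attr):
    """Level slapd grants bind_dn (None = anonymous) on attribute attr of entry target_dn."""
    if bind_dn is not None and norm(bind_dn) == norm(ROOTDN):
        return "write"                      # the rootdn bypasses access directives entirely
    for attr_filter, by_clauses in ACL:
        if attr_filter != "*" and attr_filter.lower() != attr.lower():
            continue                        # this 'access to' does not cover attr; try the next
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level                # first matching 'by' clause wins
        return "none"                       # no 'by' matched: implicit 'by * none'
    return "none"

def allowed(bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs
    (simple bind needs 'auth' on userPassword, search results need 'read', modify needs 'write')."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

Note that cn=Admin,dc=example,dc=com is granted write access by both directives but no such entry is created by the LDIF in this HOWTO, so only the rootdn (cn=Manager) and each user's own bind can modify anything until you add it.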
Load Base records
Create a file examp_com.ldif as shown below to specify the basic records for the LDAP server. Change the example.com to the appropriate domain name.
EXAMP_COM.LDIF

# Organization
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Name Of Organization
description: Description of Organization

# Organizational Role for Directory Manager
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Users,dc=example,dc=com
objectClass: top
objectClass: organizationalunit
ou: Users
description: This is the tree where user accounts are stored
Start the LDAP server with the command:
rcldap start
Load the basic LDAP info into the server with the command:
ldapadd -D "cn=Manager,dc=example,dc=com" -c -x -W < examp_com.ldif
You will be prompted for the rootpw from the slapd.conf file.
Load User records
Create a file examp_com_users.ldif as shown below to specify the user records for the LDAP server. Change example.com to the appropriate domain name, and change the user info. Add additional user records as required.
EXAMP_COM_USERS.LDIF

# 1st User Entry
dn: uid=username1, ou=users, dc=example, dc=com
objectClass: inetOrgPerson
uid: username1
userPassword: userpass1
cn: Firstname Lastname
givenName: Firstname
sn: Lastname
title: Title of user
mail: user@example.com
telephoneNumber: none
homePhone: 610 555-1212
homePostalAddress: 123 First St.
facsimileTelephoneNumber: none
pager: none
mobile: none
o: Acme Inc
l: Anytown
st: PA
postalAddress: 54321 Street
postalCode: 19380
description: Additional notes go here

# 2nd User Entry
...
Load the user records into OpenLDAP with the command:
ldapadd -D "cn=Manager,dc=example,dc=com" -c -x -W < examp_com_users.ldif
Testing
Start ldapbrowser by executing the ldapbrowser script created above. Log in as the Manager, which allows adding or changing any entry. Create a new connection with the following properties:
Host: localhost
Port: 389
Version: 3
BaseDN: dc=example, dc=com
Anonymous Bind = No
User DN: cn=Manager
Append base DN = YES
Password: secret ( from slapd.conf )
Verify that records show up and can be edited.
Setting Non-cleartext passwords for users
Install and use phpLDAPadmin and set the password for each user using the {SSHA} hash. This is the default and works with Thunderbird.
Start ldapbrowser by executing the ldapbrowser script created above. Log in as a regular user, which allows editing only that user's own entry.
Create a new connection with the following properties:
Host: localhost
Port: 389
Version: 3
BaseDN: dc=example, dc=com
Anonymous Bind = No
User DN: uid=username1,ou=users
Append base DN = YES
Password: userpass1 ( from examp_com_users.ldif )
Verify that records show up and that only the username1 record can be edited. All other record edits should fail.
Editing records is easy with phpLDAPadmin.
Todo
- SASL/TLS setup for OpenLDAP
- Does Thunderbird even use SASL for directories ?
- Integration/testing with Rolodap
- Expand instructions for phpLDAPadmin
Links
- Lots of LDAP references at topology.org
- MozillaOrgPerson documentation
Known Problems
- Thunderbird does not support LDAP add/update operations
- Blank records in LDIF cause problems with the command line LDAP utilities.
- postalAddress doesn't show up in Thunderbird 0.9.2
- early versions of Mozilla and Thunderbird only support LDAP v2 and need the "allow bind_v2" directive to be uncommented in the slapd.conf file.