Re: [Evolution] Logging LDAP activity in 2.0.1




Well, I am only *just* starting to figure out how to set up LDAP on my
mail server, and was messing around with it last night.  I can't help
you with the overall issues, but as far as logging goes, if you shut down
Evo by running:
$ evolution --force-shutdown
and then
$ /usr/libexec/evolution-data-server-1.0
(for RedHat 9; if it's not in that directory, try this to find it):
$ locate -r "evolution-data-server-1.0$"

After you've got EDS started, you can just start Evolution normally, and
you'll see LDAP-related messages appear in the terminal window where EDS
is running.

But unfortunately, from my limited experience, authentication problems
don't seem to give any feedback at all.

I just wish someone had written a simple document for "how to set up
OpenLDAP from scratch to store your Evolution contacts and share them
with other clients."  I guess I may have to be the one who does it.


Brian Ellis sent something to the mailing list back in May that might be
of help - it certainly got me on the right path. The email is attached.

P.


-- 
Pete Biggs :{)       pete @ physchem.ox.ac.uk     pete.biggs @ chem.ox.ac.uk
01865 275490 (Work)  pete1biggs @ gmail.com       pete @ biggs.org.uk
--- Begin Message ---

Hey everyone,

Here is a quick walkthrough I wrote up on getting openldap to work with
evolution. Let me know if you get stuck anywhere...


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<BEGIN>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

NOTE: Commands will be prefixed by a # 

First and foremost, obviously you need to have OpenLDAP installed. This
document uses the following setup as reference:

      * RedHat 9
      * OpenLDAP RPM: openldap-2.0.27-8 and openldap-2.0.27-2.8.0

Once you have the rpm installed, you should be able to type

-> # /sbin/service ldap start

And see the response

-> Starting slapd [OK]

So you now have a working ldap server running. If it doesn't work at
this point, don't worry. We need to shut the service down now anyways so
we type.

-> # /sbin/service ldap stop

Now we need to configure our ldap server. The configuration file is
typically (on RedHat) located at /etc/openldap/slapd.conf We need to
change the suffix to our organization. So for example at Saberlogic we
would use.

-> suffix "dc=saberlogic,dc=org"

This isn't really all that important right now because we are not
integrating it into a full DNS system or anything. So you can put
whatever you would like in here. Next we need to make our "root"
account. Just as in Linux this user can control all things. The default
"Manager" will work in our case, but we have to edit the entry to
reflect our location.

-> rootdn "cn=Manager,dc=saberlogic,dc=org"

Now that we have what account we want to control the catalog, we need to
set up the password that account has. This can be done one of two ways.
With the insecure method you can simply put the password in cleartext.

-> rootpw ldaproot

Or you can use slappasswd to give you a secure password. To generate the
secure password use the command.

-> # slappasswd -s desired_password

This will return an encrypted password back to you with the format in
brackets. You can put this directly into your slapd.conf file.

-> rootpw {SSHA}3MPlVL6FuMssbIQLm6qxX5/JcCXCZmV0

This is all the config file changes we need right now. Once we have the
server running we will add a few more to make it work better with
Evolution.

We want to now start our ldap server back up

-> # /sbin/service ldap start

Now we want to do some initialization on the catalog such as setting our
organization and creating the Manager user. We want to create a file
ldap1.ldif which contains the following.

   dn: dc=saberlogic,dc=org
   objectclass: dcObject
   objectclass: organization
   o: SaberLogic
   dc: saberlogic

   dn: cn=Manager,dc=saberlogic,dc=org
   objectclass: organizationalRole
   cn: Manager

Obviously you want to replace the information in there with that which
is applicable to your catalog. Also it doesn't have to be named
ldap1.ldif. Now we need to add this information to our catalog.

-> # ldapadd -x -D "cn=Manager,dc=saberlogic,dc=org" -W -f ldap1.ldif

After -D you have to put the name of your root user. It should prompt
you to enter the password of the account passed (this should be what you
set for rootpw).

It should say adding new entry "dc=saberlogic,dc=org" and adding new
entry "cn=Manager,dc=saberlogic,dc=org" with your information. At this
point you have a working LDAP server! You should be able to go into
Evolution and set up the directory service. For the log in method for
right now tell it to use Distinguished name and enter your rootdn for
the distinguished name

-> cn=Manager,dc=saberlogic,dc=org

You should be able to click Show Supported Base to enter the correct
search base. You probably also want to set your Search Scope to One.
Also, you will want to tell it to never use SSL, as this has caused
problems for us. You may also want to change the Time out and the
Download limit. Apply these settings and go to your Other Contacts and
click on your new server. It should ask you to authenticate here, enter
your rootpw. It will likely not show anything because you need to search
to find your entries. So click in the search box and press enter. This
should show you the entries you added earlier. Now you can add your own
contacts here!


________________________________________________________________________

Now we have a working directory, but the problem is that the original
schemas do not contain all of the fields that evolution supports. So we
have to extend our schema to include these. We need to include both the
rfc2739.schema which allows us to store our Free/Busy information and
evolutionperson.schema which adds the rest of the evolution fields. Both
of these files should be attached to this document. 

Download both .schema files and put them into /etc/openldap/schema/. Now
we go back into our slapd.conf file to tell the server to load these as
well.

-> include /etc/openldap/schema/rfc2739.schema

-> include /etc/openldap/schema/evolutionperson.schema

Note: The current evolutionperson.schema is usually distributed with
your version of evolution. For example, the version I use was located
in /usr/share/evolution/1.4/

Now restart the ldap server

-> # /sbin/service ldap restart

At this point in time you have a contact collaboration system that can
handle all of the functionality of Evolution's contacts.


________________________________________________________________________

The problem is now security. You do not want everyone logging in as root
to make changes to the contacts. We can also make sure that spying eyes
do not peer into our contact list. So the first step to this is to
create the contacts of the people who need to log in. You can just
create these in Evolution.

Now when they are created in the LDAP directory, they are now able to be
an authenticated user. This is important because in the slapd.conf file,
we can set up security permissions. By default, everybody is allowed to
read, which I do not like. So instead I add the line:

access to * by anonymous auth

That means that anyone logged in as anonymous is only allowed to
authorize and that's it. That's a good start; next let's say that if
somebody is a user, then we will let them read the contact list. You may
not want this, and instead you may also want to make this auth. But
we'll let users read (p.s. This introduces a huge security problem. By
granting access to *, that includes the password field. If you do it like
this, make sure that your passwords are encrypted)

access to * by users read 

Lastly, usually we want to configure this so that people who are editing
their own record are allowed to. This would go like

access to * by self write

But since this is for collaboration, I wanted to be a little more
stringent on who is allowed to write. I want to define only certain
individuals that can write, we can do this by:

access to * by "cn=Brian Ellis,dc=saberlogic,dc=org" write

That means that I can write. And I have to create a rule like this for
each person I want to write. Now we have to put all of these together in
one big statement so...

   access to *
             by dn="cn=Brian Ellis,dc=saberlogic,dc=org" write
             by self read
             by users read
             by anonymous auth

NOTE: If you set anonymous to not be able to read, you cannot have
Evolution check for supported bases! You could write a more complex rule
only allowing anonymous access to certain fields if you would like both
the security and the convenience.

Make sure you reset the server after editing the slapd.conf file.

-> # /sbin/service ldap restart

Now we have the rights established we need to assign ourselves a
password. Now this has to be done outside of Evolution, I suggest using
a program called gq to do this. Just browse to your user and in the
field userPassword enter the users password. To be more secure, we can
again turn to the program slappasswd to generate a secure password for
the user. Just put the results in the field. You want the user from now
on to authenticate as their distinguished name. So in Evolution, you
want them to connect as, for example "cn=Brian
Ellis,dc=saberlogic,dc=org".

And that is all it takes! You now have an ldap server that is not only
useful, but provides some security. Good Luck!

-- BrianEllis - 14 Nov 2003


<<<<<<<<<<<<<<<<<<<<<<<<<<<<<END>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
On Tue, 2004-05-18 at 20:41 +0200, Tony Earnshaw wrote:
Tue, 18.05.2004 at 14.15, Brian Ellis wrote:

I think that I'm going to need to set up an LDAP server to store the 
information.  I have a couple of questions that are relevant to Evolution:
1. Is there a way that I can export contacts from Evolution in a format 
that can easily be imported to an LDAP server?  (I think that there may
be a format called ldif for that?)

Good answers, on the whole ...

From my experience setting up evolution to work with LDAP, the easiest
method of moving from Evolution to LDAP was to first initiate the LDAP
connection and then simply drag your contacts from Evolution into LDAP.
As long as you are configured to allow writing, it should work fine.

Getting Openldap set up would be the most difficult. There are many
HOWTOs on the net. Remember that RedHat is utterly lousy with every sort
of Openldap right up to today's date, pam_ldap, nss_ldap and everything
else to do with Openldap. And I'm a RedHat person ;)

[...]

A good client to test general LDAP functionality out is called gq.

Yay.

Then once
you have LDAP running, in your slapd.conf include the
evolutionperson.schema (this file should be installed on the computer
that is running evolution).

Should be done on the computer that is running Openldap. It doesn't make
any difference what computer is running Evolution (could be any client).

 Once you get to this point, if you are
having problems let me know and I can try and help (please message me
directly as well because I don't always read through the list).

Good of you :)

Lastly, I'm interested in hearing how others may centrally store tasks 
and calendar information.  Any suggestions?

Others say Open Groupware, yet others Exchange ... at a modest price
:-<. Soon Novell will offer GroupWare - at a modest price ... Most of
the alternatives cost money.

Before you go through the whole process of setting up LDAP for shared
contacts, you may want to look at using OpenGroupware
(www.opengroupware.org) with the recently GPL'd Evolution Connector
(thanks guys!). I have just recently started looking at it so I can't
really say if it works or not, but it looks promising.

Shared contacts one can do (I do) without any groupware. Tasks and
calendars are the worst.

Best,

Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

_______________________________________________
evolution maillist  -  evolution lists ximian com
http://lists.ximian.com/mailman/listinfo/evolution

--- End Message ---
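The walkthrough's combined access statement, and its own warning that "access to *" with "by users read" includes the password field, are worth seeing evaluated. The following is an added example, not code from Brian's message or from OpenLDAP: a small Python model of how slapd applies access directives (the first "access to" clause covering the attribute is the only one consulted; within it, the first matching "by" clause decides the level; if nothing matches, access is denied). It shows that the rule as written lets every authenticated user read userPassword, that a password-specific clause placed before the catch-all closes that hole while still allowing binds and self-service password changes, and that the same clause placed after the catch-all is never reached. The identities Alice and Bob are constructed, the "attrs=userPassword" clause is the assumed hardening, and "dn=" matching is simplified to exact comparison; the rootdn, which bypasses ACLs entirely, is not modelled.

```python
"""Offline model of OpenLDAP slapd.conf access-control evaluation.

Modelled after slapd.access(5): the first 'access to' clause whose <what>
covers the attribute is the only one consulted; within it, the first 'by'
clause whose <who> matches the bound identity decides the level; if no 'by'
clause matches, access is denied.  Exact-match on dn= is a simplification of
slapd's matching (an assumption of this model).  The rootdn bypasses ACLs
entirely and is therefore not modelled.
"""
import re

# Access levels in increasing order; an operation needing level N succeeds
# only if the granted level is at least N.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed clause protecting the password attribute: a user may change
# their own, the bind operation may use it (auth), and nobody may read it.
PASSWORD_CLAUSE = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
"""

# Catch-all clause as in the walkthrough's combined statement.
CATCHALL_CLAUSE = """
access to *
        by dn="cn=Brian Ellis,dc=saberlogic,dc=org" write
        by self read
        by users read
        by anonymous auth
"""

WEAK_ACL = CATCHALL_CLAUSE                          # users read everything
HARDENED_ACL = PASSWORD_CLAUSE + CATCHALL_CLAUSE    # specific clause first
MISORDERED_ACL = CATCHALL_CLAUSE + PASSWORD_CLAUSE  # specific clause unreachable

# Constructed sample identities (not from the original message).
ALICE = "cn=Alice,dc=saberlogic,dc=org"
BOB = "cn=Bob,dc=saberlogic,dc=org"
BRIAN = "cn=Brian Ellis,dc=saberlogic,dc=org"

ACCESS_RE = re.compile(r"^access\s+to\s+(\S+)$")
BY_RE = re.compile(r'^by\s+(\*|\w+|dn="[^"]*")\s+(\w+)$')


def parse_acl(text):
    """Return [(target, [(who, level), ...]), ...] in file order.

    target is "*" or a frozenset of lower-cased attribute names."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACCESS_RE.match(line)
        if m:
            what = m.group(1)
            if what == "*":
                target = "*"
            elif what.startswith("attrs="):
                target = frozenset(a.strip().lower() for a in what[6:].split(","))
            else:
                raise ValueError("unsupported <what>: " + what)
            clauses.append((target, []))
            continue
        m = BY_RE.match(line)
        if m and clauses:
            who, level = m.groups()
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            clauses[-1][1].append((who, level))
            continue
        raise ValueError("cannot parse: " + line)
    return clauses


def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith('dn="'):
        return bind_dn is not None and bind_dn.lower() == who[4:-1].lower()
    raise ValueError("unsupported <who>: " + who)


def granted_level(acl_text, bind_dn, entry_dn, attr):
    """Level the bound identity gets on entry_dn/attr under acl_text."""
    for target, bys in parse_acl(acl_text):
        if target != "*" and attr.lower() not in target:
            continue                # this clause does not cover attr
        for who, level in bys:
            if who_matches(who, bind_dn, entry_dn):
                return level        # first matching 'by' decides
        return "none"               # clause matched, no 'by' matched: deny
    return "none"                   # no clause covers attr: deny


def allowed(acl_text, bind_dn, entry_dn, attr, needed):
    """True if the bound identity gets at least `needed` on entry_dn/attr."""
    have = LEVELS.index(granted_level(acl_text, bind_dn, entry_dn, attr))
    return have >= LEVELS.index(needed)


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL),
                      ("misordered", MISORDERED_ACL)):
        print(name, "- Alice can read Bob's userPassword:",
              allowed(acl, ALICE, BOB, "userPassword", "read"))
```

Two things the model makes visible that the prose only hints at: clause order matters because evaluation stops at the first covering clause, so the password rule must precede "access to *"; and once userPassword is locked down this way, the named writer in the catch-all can no longer set other people's passwords, which is why the walkthrough's suggestion of setting them with gq then has to be done as the rootdn (exempt from ACLs) or with an explicit "by dn=... write" in the password clause.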

