Old October 5th, 2006   #1
NobodySpecial
A Carafe of Ubuntu
 
Join Date: Feb 2006
Location: USA
Beans: 98
HowTo: Create LDAP server for shared Address Book in Thunderbird

Do you envy Lotus Notes users with their shared Address Book, but want to use only open-source software? Then this HowTo may be for you! We will set up an LDAP server to host an Address Book for users to access via Mozilla Thunderbird.

This was installed on Ubuntu Dapper 6.06 from the Server CD with the LAMP option. Standard desktop install should work, but hasn't been tested.

Also required: You MUST have a "fully qualified domain name" pointing to your server (i.e. can't just point to 192.168.1.2 or other network number, at least not for SSL data). To do this, you go to dyndns.org (or similar website) and register a domain such as "KewlLdapServer.homedns.org" and set your router to forward port 389 traffic to your server computer (and later will change to port 636 when SSL set up).

First install OpenLDAP:
Code:
sudo apt-get install slapd
Set a password:
Code:
slappasswd
The system will return a hash. As an example:
Quote:
{SSHA}Afaw3o8asdAWEfksj
Now we define a schema to match T'Bird's requirements:
Code:
sudo nano /etc/ldap/schema/mozillaorgperson.schema
You can use Gedit instead of Nano if in desktop mode.

Copy/paste the following:
Code:
#
# mozillaOrgPerson schema v. 0.6.3
#

# req. core
# req. cosine
# req. inetorgperson

# attribute defs

attributetype ( 1.3.6.1.4.1.13769.2.1.1 
        NAME ( 'mozillaNickname' ) 
        SUP name )

attributetype ( 1.3.6.1.4.1.13769.2.1.2 
        NAME ( 'mozillaUseHtmlMail' ) 
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.13769.2.1.3
        NAME 'mozillaSecondEmail' 
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.13769.2.1.4
        NAME 'mozillaHomeLocalityName' 
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.13769.2.1.5 
        NAME 'mozillaPostalAddress2'
        EQUALITY caseIgnoreListMatch
        SUBSTR caseIgnoreListSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

attributetype ( 1.3.6.1.4.1.13769.2.1.6 
        NAME 'mozillaHomePostalAddress2'
        EQUALITY caseIgnoreListMatch
        SUBSTR caseIgnoreListSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )

attributetype ( 1.3.6.1.4.1.13769.2.1.7 
        NAME ( 'mozillaHomeState' ) SUP name )

attributetype ( 1.3.6.1.4.1.13769.2.1.8 
        NAME 'mozillaHomePostalCode'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )

attributetype ( 1.3.6.1.4.1.13769.2.1.9 
        NAME ( 'mozillaHomeCountryName' ) 
        SUP name SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.13769.2.1.10
        NAME ( 'mozillaHomeFriendlyCountryName' )
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

attributetype ( 1.3.6.1.4.1.13769.2.1.11
        NAME ( 'mozillaHomeUrl' )
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

attributetype ( 1.3.6.1.4.1.13769.2.1.12
        NAME ( 'mozillaWorkUrl' )
        EQUALITY caseIgnoreIA5Match
        SUBSTR caseIgnoreIA5SubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )

# un-comment for all LDAP server NOT supporting SYNTAX 2.16.840.1.113730.3.7.1
attributetype ( 1.3.6.1.4.1.13769.2.1.13
        NAME ( 'nsAIMid' )
        DESC 'AOL Instant Messenger (AIM) Identity'
        EQUALITY telephoneNumberMatch
        SUBSTR telephoneNumberSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.50 )

attributetype ( 1.3.6.1.4.1.13769.2.1.14 NAME ( 'mozillaHomeStreet' )
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

# un-comment for Netscape 6.x and all other LDAP server supporting SYNTAX 2.16.840.1.113730.3.7.1
# attributeTypes ( 2.16.840.1.113730.3.1.2013
#       NAME ( 'nsAIMid' )
#       DESC 'AOL Instant Messenger (AIM) Identity'
#       SYNTAX 2.16.840.1.113730.3.7.1 )

attributetype ( 1.3.6.1.4.1.13769.2.1.96
        NAME ( 'mozillaCustom1' )
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.13769.2.1.97
        NAME ( 'mozillaCustom2' )
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.13769.2.1.98
        NAME ( 'mozillaCustom3' )
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.13769.2.1.99
        NAME ( 'mozillaCustom4' )
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
        SINGLE-VALUE )
 
# defined in "A Summary of the X.500(96) User Schema for use with LDAPv3" - RFC 2256
#
# attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
#       DESC 'RFC2256: ISO-3166 country 2-letter code'
#       SUP name SINGLE-VALUE )

# defined in "The COSINE and Internet X.500 Schema" - RFC 1274
#
# attributetype ( 0.9.2342.19200300.100.1.43
#       NAME ( 'co' 'friendlyCountryName' )
#       DESC 'RFC1274: friendly country name'
#       EQUALITY caseIgnoreMatch
#       SUBSTR caseIgnoreSubstringsMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


# objectClass defs 

objectclass ( 1.3.6.1.4.1.13769.2.2.1 
        NAME 'mozillaOrgPerson' 
        SUP top 
        AUXILIARY 
        MAY ( 
        sn $ 
        givenName $ 
        cn $ 
        mozillaNickname $ 
        title $ 
        telephoneNumber $ 
        facsimileTelephoneNumber $ 
        mobile $ 
        pager $ 
        homePhone $ 
        street $ 
        postalCode $ 
        mozillaPostalAddress2 $ 
        mozillaHomeStreet $ 
        mozillaHomePostalAddress2 $ 
        l $ 
        mozillaHomeLocalityName $ 
        st $ 
        mozillaHomeState $ 
        mozillaHomePostalCode $ 
        c $ 
        mozillaHomeCountryName $ 
        co $ 
        mozillaHomeFriendlyCountryName $  
        ou $ 
        o $ 
        mail $ 
        mozillaSecondEmail $ 
        mozillaUseHtmlMail $ 
        nsAIMid $ 
        mozillaHomeUrl $ 
        mozillaWorkUrl $ 
        description $ 
        mozillaCustom1 $ 
        mozillaCustom2 $ 
        mozillaCustom3 $ 
        mozillaCustom4 ) ) 

# not part of the official Mozilla schema but read by Mozilla: 'departmentNumber' and 'postOfficeBox'
#
LDAP uses slapd as a daemon. Edit the config file:
Code:
sudo nano /etc/ldap/slapd.conf
Find the following line:
Quote:
include /etc/ldap/schema/nis.schema
Change it to:
Code:
include /etc/ldap/schema/mozillaorgperson.schema
Find the line under database #1 that starts with "suffix" and change to:
Code:
suffix          "dc=homedns,dc=org"
You can use any two other names you want instead, such as "dc=example,dc=com" or whatever.

Find the line under database #1 that starts with "directory" and change to:
Code:
directory       "/var/lib/ldap"
Someplace in this area under database #1, add the following two lines:
Code:
rootdn          "cn=admin,dc=homedns,dc=org"
rootpw          {SSHA}Afaw3o8asdAWEfksj
You can use a different root user other than "admin" and also change the "dc=homedns,dc=org" to whatever you used under the "suffix" line. Of course you will enter whatever {SSHA} hash you were specifically given after the "slappasswd" command.

Save and exit your editor.

Restart the server daemon:
Code:
sudo /etc/init.d/slapd restart
At this point if you get an error message, it usually means you did something wrong in the configuration file, so go over it again.

If no errors came back at you, erase any prior data:
Code:
sudo rm -rf /var/lib/ldap/*
Next make an initialization file:
Code:
nano ~/init.ldif
Add this code:
Code:
dn: dc=homedns,dc=org
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit
dc: homedns
ou: Kewl LDAP Server HomeDNS

dn: ou=personal,dc=homedns,dc=org
objectClass: top
objectClass: organizationalUnit
ou: personal
description: Personal Addressbook
Again, change the "dc=homedns,dc=org" to whatever you entered previously.

Create a template file:
Code:
nano ~/template.ldif
Add this code:
Code:
dn: cn=Sam Smith,ou=personal,dc=homedns,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mozillaOrgPerson
givenName: Sam
sn: Smith
cn: Sam Smith
mail: email@here.com
mozillaSecondEmail: .
mozillaNickname: .
homePhone: .
telephoneNumber: .
facsimileTelephoneNumber: .
pager: .
mobile: .
mozillaHomeStreet: .
mozillaHomeLocalityName: .
mozillaHomeState: .
mozillaHomePostalCode: .
mozillaHomeCountryName: .
mozillaHomeUrl: .
title: JobTitle
ou: BusinessDept
o: BusinessOrganization
street: BusinessStreet
l: BusinessCity
st: BusinessState
postalCode: BusinessZip
c: BusinessCountry
mozillaWorkUrl: .
mozillaCustom1: .
mozillaCustom2: .
mozillaCustom3: .
mozillaCustom4: .
Some points about the template:
1. Change "Sam Smith" to a relevant name. Note that the full name "Sam Smith" is twice above (lines 1 and 9) and "Sam" is on line 7 and "Smith" is on line 8. All these names must match as shown in the template above for this to work right.
2. As always, change the "dc=homedns,dc=org" to whatever you decided on.
3. Each line has a definition followed by a colon then some data. The data line must not be blank. I have inserted a period for these lines. For several of the lines I have put descriptors, just so it is clear what they contain. You can change these to periods, too.

Add the initialization file to the LDAP database:
Code:
sudo slapadd -v -l init.ldif
If you have an error here, try to reset the server and do the rm command again: sudo slapadd -v -l init.ldif, then sudo rm -rf /var/lib/ldap/*, then try the code again.

Add the template file data:
Code:
sudo slapadd -v -l template.ldif
Again, if you get an error here, try to restart again and troubleshoot until the system accepts the command without error.

Restart the server daemon for it to load the new data:
Code:
sudo /etc/init.d/slapd restart
Now to try to access via Thunderbird. This is tested with the standard repository "mozilla-thunderbird", currently at version 1.5.0.7. Click on "Address Book" then File -> New -> LDAP Directory. Hostname is "KewlLdapServer.homedns.org" (substitute your actual server), Base DN is "dc=homedns,dc=org" (or whatever you used) and port is default 389. Be sure your router is passing all port 389 data to your server's internal IP address.

Now left-click the new addressbook, type Control-F, then try to search for your name. Hint: To bring up all addresses in the list, search the e-mail address field for "@".

If it finds the name you entered, great. If not, exit T'Bird and load again. If it fails again, go back through the above and troubleshoot. You might want to use Luma to troubleshoot (see below).

If all went well up to this point you are ready to secure your server with SSL.

You may have to install OpenSSL:
Code:
sudo apt-get install openssl
Create an SSL certificate:
Code:
openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -keyout ldap_key.pem -keyform PEM -out ldap_crt.pem -outform PEM
You can put anything here you want, except the "common name" MUST match your "fully qualified domain name" such as "KewlLdapServer.homedns.org".

Copy the certificate files to their proper folders:
Code:
sudo cp ldap_crt.pem /etc/ssl/certs
sudo cp ldap_key.pem /etc/ssl/private
Re-edit the config file:
Code:
sudo nano /etc/ldap/slapd.conf
Uncomment the ssl lines, rename to:
Code:
TLSCertificateFile      /etc/ssl/certs/ldap_crt.pem
TLSCertificateKeyFile   /etc/ssl/private/ldap_key.pem
Ask the server to listen for SSL:
Code:
sudo nano /etc/default/slapd
Find the "SLAPD_SERVICES" line and change to:
Code:
SLAPD_SERVICES="ldaps:///"
Now go back to your router and change the forwarded port from 389 to 636.

Restart the server daemon to run with the new config:
Code:
sudo /etc/init.d/slapd restart
Close and restart T'Bird. Edit your LDAP Addressbook (right-click -> properties) and check "use secure connection (SSL)" and it should change the port to 636. Close and restart T'Bird then try to search for your data as before.

At this point you should have a working LDAP Addressbook server with a whopping ONE entry. Now comes the hard part: adding other entries and editing them. It turns out that Mozilla Thunderbird presently will not let you edit any LDAP entries (it is hoped that feature may be added some day). So the basic way to build up your entries is to enter them one at a time after editing the template and executing the "slapadd" command above. This works fine for those of us with a couple dozen entries. If you have in the hundreds, you will have to write some sort of script to automate this.

How do you edit entries? There is an Ubuntu package "ldap-utils" that runs from the command line, but a GUI solution is available: Luma.

The Dapper repository version of Luma is old, and the newer one worked out some bugs, so we will compile from source. Please note that this is installed on a client computer, not the server.

Note: Luma in Edgy / Feisty is more current than Dapper and works great, so you can install directly via apt-get or Synaptic and skip the steps to compile from source.

Go to http://luma.sourceforge.net and download the latest version (currently "luma-2.3.tar.bz2") and untar to a directory.

Install dependencies:
Code:
sudo apt-get install qt3-dev-tools python2.4-dev python2.4-qt3 python2.4-ldap python2.4-samba
Run the install script:
Code:
./install.py --prefix=/usr/local
You should now be able to Alt-F2 and enter "luma".

Set it up with plugins for Addressbook and Browser. Set up server with SSL, uncheck "anonymous bind", select simple authentication, Bind as "cn=admin,dc=homedns,dc=org" (or whatever you had chosen above), password you had entered above, and select "Use base DN's provided by server".

Under Luma "Addressbook" plugin you can browse the names and change the lines where a period is present. The other blank lines do not match our schema and should be left alone. Disappointingly, only a few basic options can be edited here.

To edit the other options, choose Luma "Browser" plugin and now all options can be edited.

BIG thanks to Nathan Wills and his tutorial at http://applications.linux.com/articl.../05/18/1248224

Last edited by NobodySpecial; May 3rd, 2007 at 10:31 AM.. Reason: Luma in Edgy / Feisty can be installed directly via Synaptic.
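The HowTo's slappasswd step produces a {SSHA} value that is then pasted into the rootpw line. The following is an added example, not code from the HowTo, that builds and verifies that format in Python so you can confirm a hash before committing it to slapd.conf, and that flags a rootpw line whose value is a cleartext password rather than a {scheme} hash. It assumes OpenLDAP's default 4-byte salt; the short hash shown in the HowTo ("{SSHA}Afaw3o8asdAWEfksj") is an abbreviated illustration and the checker reports it as not well formed.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Added example, not part of the HowTo: build and verify {SSHA} hashes in the
# format slappasswd prints and the rootpw line in slapd.conf consumes.
# {SSHA} = "{SSHA}" + base64( SHA-1(password || salt) || salt ); OpenLDAP's
# slappasswd uses a 4-byte random salt by default (assumption stated in lead-in).

PREFIX = "{SSHA}"
DIGEST_LEN = 20   # SHA-1 output size in bytes
SALT_LEN = 4


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} string equivalent to what slappasswd produces."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str):
    """Decode a {SSHA} string into (digest, salt); raise ValueError if malformed."""
    if not stored.startswith(PREFIX):
        raise ValueError("value does not start with {SSHA}")
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"bad base64 in {{SSHA}} value: {exc}") from None
    if len(raw) <= DIGEST_LEN:
        raise ValueError("decoded value too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def is_well_formed_ssha(stored: str) -> bool:
    """True when the string decodes to a 20-byte digest followed by a non-empty salt."""
    try:
        split_ssha(stored)
        return True
    except ValueError:
        return False


def verify_ssha(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} hash (constant-time compare)."""
    digest, salt = split_ssha(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def rootpw_is_hashed(line: str) -> bool:
    """Given a slapd.conf 'rootpw' line, report whether the value is a {scheme} hash
    rather than a cleartext password sitting in the config file."""
    fields = line.split(None, 1)
    if len(fields) != 2 or fields[0] != "rootpw":
        raise ValueError("not a rootpw line")
    return fields[1].strip().startswith("{")


if __name__ == "__main__":
    h = make_ssha("correct horse")           # constructed demo password
    print(h, verify_ssha(h, "correct horse"), verify_ssha(h, "wrong"))
    print(rootpw_is_hashed("rootpw          " + h))
```

Run it with `python3 ssha_check.py`; `make_ssha` with a fresh random salt gives a different string each time, which is expected, and `verify_ssha` still accepts the right password for any of them.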
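The HowTo notes that entries are added one at a time by editing template.ldif and running slapadd, and that anyone with hundreds of contacts will want a script. Here is one, added as an example and not the HowTo's own code: it turns a CSV of contacts into LDIF entries in the shape of template.ldif, applying the two rules slapadd is strict about (RFC 4514 escaping inside the cn= RDN, and RFC 2849 base64 encoding for non-ASCII or awkward values, plus 76-column line folding). It assumes the ou=personal container from init.ldif, the mozillaOrgPerson schema above, and a constructed sample CSV; the column names in COLUMN_MAP are my own choice. Attributes with no value are left out rather than filled with a placeholder, which the schema permits because every attribute in mozillaOrgPerson is listed under MAY.

```python
import base64
import csv
import io

# Added example, not the HowTo's own code: generate one LDIF entry per CSV row in the
# shape of template.ldif, for bulk loading with "sudo slapadd -v -l contacts.ldif".
# Assumed: the ou=personal container from init.ldif and the mozillaOrgPerson schema.

BASE_DN = "ou=personal,dc=homedns,dc=org"   # change to match your suffix line
OBJECT_CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson", "mozillaOrgPerson"]

# CSV column -> LDAP attribute; every target attribute is in mozillaOrgPerson's MAY list.
COLUMN_MAP = {
    "mail": "mail",
    "second_email": "mozillaSecondEmail",
    "nickname": "mozillaNickname",
    "phone": "telephoneNumber",
    "mobile": "mobile",
    "title": "title",
    "dept": "ou",
    "org": "o",
}

# Constructed sample input (not real contacts).
SAMPLE_CSV = """givenName,sn,mail,phone,title,dept,org
Sam,"Smith, Jr.",sam@example.com,555-0100,Engineer,IT,Example Corp
Ana,Pérez,ana@example.com,,,,
"""


def escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 special characters so the value stays a single RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line; RFC 2849 requires base64 ('attr:: ...') for values that
    are non-ASCII, start with space, ':' or '<', or contain NUL/CR/LF."""
    unsafe = (not value.isascii()) or value[:1] in (" ", ":", "<") \
        or any(c in value for c in "\0\r\n")
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def fold(line: str, width: int = 76) -> list:
    """Wrap long lines; LDIF continuation lines start with a single space."""
    if len(line) <= width:
        return [line]
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return parts


def entry_to_ldif(row: dict, base_dn: str = BASE_DN) -> str:
    """Render one contact as an LDIF entry (no trailing blank line)."""
    given, sn = (row.get("givenName") or "").strip(), (row.get("sn") or "").strip()
    if not given or not sn:
        raise ValueError("givenName and sn are required: 'person' demands sn, cn is built from both")
    cn = f"{given} {sn}"
    lines = [ldif_line("dn", f"cn={escape_rdn_value(cn)},{base_dn}")]
    lines += [f"objectClass: {oc}" for oc in OBJECT_CLASSES]
    lines += [ldif_line("cn", cn), ldif_line("sn", sn), ldif_line("givenName", given)]
    for col, attr in COLUMN_MAP.items():
        val = (row.get(col) or "").strip()
        if val:   # attributes without a value are omitted (all are MAY in the schema)
            lines.append(ldif_line(attr, val))
    folded = []
    for line in lines:
        folded.extend(fold(line))
    return "\n".join(folded) + "\n"


def csv_to_ldif(csv_text: str, base_dn: str = BASE_DN) -> str:
    """Blank-line-separated LDIF entries, one per CSV row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return "\n".join(entry_to_ldif(row, base_dn) for row in reader)


if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV), end="")
```

Redirect the output to a file and load it the same way as template.ldif (`sudo slapadd -v -l contacts.ldif` with slapd stopped, then restart it); a malformed row fails fast in `entry_to_ldif` instead of half-loading.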
Old December 4th, 2006   #2
keeb
Spilled the Beans
 
Join Date: Feb 2006
Beans: 13
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

Thank you very much, this helped tremendously for understanding LDAP and SSL authentication!
Old December 4th, 2006   #3
NobodySpecial
A Carafe of Ubuntu
 
Join Date: Feb 2006
Location: USA
Beans: 98
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

Thanks for the feedback! I'm glad my efforts helped somebody. So many wonderful people have contributed things to these forums that have helped me tremendously and I'm glad I can give something back to this community.
Old December 15th, 2006   #4
jdpipe
A Carafe of Ubuntu
 
Join Date: Feb 2006
Location: Canberra
Beans: 94
Ubuntu 9.10 Karmic Koala
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

Still working my way through this HOWTO, however though I would note that LUMA is now in the Ubuntu Repository (at least as of Ubuntu 6.10)
Old December 15th, 2006   #5
jdpipe
A Carafe of Ubuntu
 
Join Date: Feb 2006
Location: Canberra
Beans: 94
Ubuntu 9.10 Karmic Koala
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

Great, it's all working. A useful HOWTO -- thanks.

BTW, I found a nicer GUI for creating address book entries. It's called 'directoryassistant' and its in the Ubuntu repositories.

Cheers
JP

--- EDIT: I had trouble using 'directoryassistant' over an encrypted connection. So maybe Luma is better after all.

Last edited by jdpipe; December 15th, 2006 at 09:39 AM..
Old May 2nd, 2007   #6
Pitt Stains
A Carafe of Ubuntu
 
Join Date: May 2006
Beans: 108
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

This may be a stupid question, but is there a way to set up a computer on a local network as an LDAP server? I realize that users won't be able to use the shared address books if they are not in the office, but I don't think that will be a problem in this case.

I have a very simple office setup, where the users work on PCs and Macs and an Ubuntu box acts as a file server. Email clients are Thunderbird and Outlook, though I'm trying to phase out Outlook. There is no domain controller or anything like that.

If this is not possible and/or an alternate solution is better, I'm all ears!

Thanks!
Old May 2nd, 2007   #7
NobodySpecial
A Carafe of Ubuntu
 
Join Date: Feb 2006
Location: USA
Beans: 98
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

jdpipe - you are right, Luma in the present Edgy / Feisty repositories works fine, don't need to install from source.

Pitt Stains - if you follow this how-to on a server, you will have it set up for everyone in the office to access. And if you follow it through, you will see that you can access your address book outside the office, from anywhere in the world that you have internet connectivity and a Thunderbird client.
Old May 3rd, 2007   #8
Pitt Stains
A Carafe of Ubuntu
 
Join Date: May 2006
Beans: 108
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

Quote:
Originally Posted by NobodySpecial
Pitt Stains - if you follow this how-to on a server, you will have it set up for everyone in the office to access. And if you follow it through, you will see that you can access your address book outside the office, from anywhere in the world that you have internet connectivity and a Thunderbird client.
Thanks. I see the instructions want me to open up ports 389 and 636 to the world, which I'm not sure I'm ready to do. Too scary. I think I'll try to set this up as a local domain, which will suit our needs for now. For that, I think I can skip the "fully qualified domain name" bit, which I believe would require a static IP address (not sure whether my ISP offers that).

If the need arises I can set up the same thing on the Ubuntu box that will be our web server (in the process of migrating servers), which I'd feel better about (for some reason) than exposing our office network.

I do have a second question... not everyone in the office uses Thunderbird. I see a lot of the attribute names have a "mozilla" prefix. Is it not possible to create a schema that would work for TBird as well as Outlook? I am trying to move people over to TBird, but some are more resistant than others.

Thanks for taking the time to answer.
-Pitt
Old May 3rd, 2007   #9
NobodySpecial
A Carafe of Ubuntu
 
Join Date: Feb 2006
Location: USA
Beans: 98
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

Pitt Stains - The 389 port is just initial to test, you end up with only 636 "open to the world" and of course your router points it to only one computer, running Linux, thus minimal security risk (i.e. only risk if that port is also used for something less secure, or risk of a vulnerability in slapd arises).

Your ISP doesn't have to give you a static IP address - just get one from www.dyndns.org and configure your router for it (most routers can handle this).

I don't think there is any way to make it work for Evolution as well, because it would require a different schema.
Old May 8th, 2007   #10
silly.agent
First Cup of Ubuntu
 
Join Date: May 2007
Beans: 6
Re: HowTo: Create LDAP server for shared Address Book in Thunderbird

Hi there. First of all, thank you for this great howto.
I have followed all the steps but for some (probably idiotic) reason I cannot get T'Bird to load the data from the LDAP server. Could you take a look at my settings and give me some hints?
Thanks a lot.

sa

Settings:


Domain name: ldap.servername.org
(-> DNS record for ldap.servername.org pointing to static server ip)
Router: forwarding all 389 traffic to local server ip


---
File: init.ldif

dn: dc=servername,dc=org
objectClass: top
objectClass: dcObject
objectClass: organizationalUnit
dc: servername
ou: LDAP Server ServerName

dn: ou=personal,dc=servername,dc=org
objectClass: top
objectClass: organizationalUnit
ou: personal
description: Personal Addressbook


---
File: template.ldif

dn: cn=Sam Smith,ou=personal,dc=servername,dc=org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mozillaOrgPerson
givenName: Sam
sn: Smith
cn: Sam Smith
mail: email@here.com
mozillaSecondEmail: .
mozillaNickname: .
homePhone: .
telephoneNumber: .
facsimileTelephoneNumber: .
pager: .
mobile: .
mozillaHomeStreet: .
mozillaHomeLocalityName: .
mozillaHomeState: .
mozillaHomePostalCode: .
mozillaHomeCountryName: .
mozillaHomeUrl: .
title: JobTitle
ou: BusinessDept
o: BusinessOrganization
street: BusinessStreet
l: BusinessCity
st: BusinessState
postalCode: BusinessZip
c: BusinessCountry
mozillaWorkUrl: .
mozillaCustom1: .
mozillaCustom2: .
mozillaCustom3: .
mozillaCustom4: .


---
T'Bird LDAP settings:

Name: LDAP Server
Hostname: ldap.servername.org
Base DN: ldap,dc=servername,dc=org
Port number: 389
Bind DN: <empty>

Last edited by silly.agent; May 8th, 2007 at 04:43 PM..
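The settings posted above give Thunderbird a Base DN of "ldap,dc=servername,dc=org", whose first component has no "=" and so is not an attr=value pair as RFC 4514 requires; the HowTo also stresses that the Base DN must match the suffix line in slapd.conf. The following checker is an added example, not from the thread: it splits a DN into its RDNs (honouring backslash escapes such as the "\," in a cn), reports any component that is not attr=value, and tests whether a Base DN sits under the server's suffix. The DN strings in the demo are the ones from this thread; everything else is my own.

```python
import re

# Added example (not from the thread): sanity-check the DN strings that go into
# slapd.conf (suffix, rootdn) and Thunderbird's Base DN field, and confirm that a
# Base DN sits under the server's suffix.

ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$")  # descriptor or OID


def split_escaped(text: str, sep: str) -> list:
    """Split on sep, but not on a sep preceded by a backslash (RFC 4514 escaping)."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def check_dn(dn: str) -> list:
    """Return human-readable problems; an empty list means every RDN is attr=value."""
    if not dn.strip():
        return ["empty DN"]
    problems = []
    for n, rdn in enumerate(split_escaped(dn, ","), 1):
        if not rdn.strip():
            problems.append(f"component {n}: empty (doubled or trailing comma)")
            continue
        for ava in split_escaped(rdn, "+"):      # multi-valued RDNs join AVAs with '+'
            if "=" not in ava:
                problems.append(f"component {n}: '{ava.strip()}' has no '=' (expected attr=value)")
                continue
            attr, value = ava.split("=", 1)
            if not ATTR_TYPE.match(attr.strip()):
                problems.append(f"component {n}: '{attr.strip()}' is not an attribute type")
            if not value.strip():
                problems.append(f"component {n}: '{attr.strip()}' has an empty value")
    return problems


def normalize(dn: str) -> list:
    """Case-fold and trim each AVA (dc/ou/cn are caseIgnore) so DNs compare component-wise."""
    comps = []
    for rdn in split_escaped(dn, ","):
        avas = []
        for ava in split_escaped(rdn, "+"):
            if "=" in ava:
                attr, value = ava.split("=", 1)
                avas.append(f"{attr.strip().lower()}={value.strip().lower()}")
            else:
                avas.append(ava.strip().lower())
        comps.append("+".join(sorted(avas)))
    return comps


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or lies below it (suffix is the DN's tail)."""
    d, s = normalize(dn), normalize(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


if __name__ == "__main__":
    for candidate in ("dc=homedns,dc=org", "ldap,dc=servername,dc=org"):
        print(candidate, "->", check_dn(candidate) or "ok")
    print(dn_under_suffix("OU=personal, DC=homedns, DC=org", "dc=homedns,dc=org"))
```

Run it against each DN you typed (suffix, rootdn, the Base DN in Thunderbird or Luma) before chasing network or certificate problems; a Base DN that does not end with the suffix returns no entries from slapd, which looks the same in Thunderbird as a server that is unreachable.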
