[ EN ]    [ DE ]   
kOOL Logo HomeAboutDownloadDocumentation

  LDAP access for kOOL addresses

The whole address database in kOOL can be configured to be available in real time through an LDAP server. In order to use this feature, you have to have an LDAP server setup and running. The following installation instructions have been tested on OpenLDAP 2.3.30 on a GNU/Linux system (Debian sarge and etch).


It is beyond the scope of these instructions to describe the whole process of setting up and maintaining an LDAP server. Please refer to the appropriate documentations of your LDAP server software.

OpenLDAP configuration

You should include the following shemas:

(moz.schema might not have come with your LDAP server. In this case you'll have to download this manually from Mozilla's wiki and store it as a file in /etc/ldap/schema/moz.schema)


include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/moz.schema


With your LDAP admin account you have to import the following ldif file to get the necessary base structure. Additionally you have to create an LDAP login, for the kOOL process to be able to add, alter and delete entries on the LDAP server. In this example, this login ist called "kOOL_ldapadmin". The password for this login can be encrypted with the command "slappassword" and pasted into the below given ldif file.



dn: ou=kOOL_demo,dc=your.ldap.server,dc=com
objectClass: top
objectClass: organizationalUnit
ou: kOOL_demo

dn: ou=login,ou=kOOL_demo,dc=your.ldap.server,dc=com
objectClass: top
objectClass: organizationalUnit
ou: login

dn: cn=kOOL_ldapadmin,ou=login,ou=kOOL_demo,dc=your.ldap.server,dc=com
objectClass: top
objectClass: person
sn: kOOL LDAP Admin
cn: kOOL_ldapadmin



Now you can import this structure into your LDAP server with the following command:


ldapadd -x -v -D cn=admin,dc=your.ldap.server,dc=com -W < kool.ldif


As the last step you have to set the access permissions to your LDAP server for the users. To do this, you have to edit your /etc/ldap/slapd.conf:

(You might have to remove access lines from your default config file if present, as they might overwrite your settings below them.)


access to attrs=userPassword
              by dn="cn=kOOL_ldapadmin,ou=login,ou=kOOL_demo,dc=your.ldap.server,dc=com" write
              by anonymous auth
              by * none

access to dn.subtree="ou=login,ou=kOOL_demo,dc=your.ldap.server,dc=com"
        by dn="cn=kOOL_ldapadmin,ou=login,ou=kOOL_demo,dc=
your.ldap.server,dc=com" write
        by * auth
access to dn.subtree="ou=kOOL_demo,dc=
        by dn="cn=kOOL_ldapadmin,ou=login,ou=kOOL_demo,dc=
your.ldap.server,dc=com" write
        by dn.children="ou=login,ou=kOOL_demo,dc=
your.ldap.server,dc=com" read
        by * none


This allows the kOOL_ldapadmin login to have write access to the login section, and grant auth rights to anybody else. The last section grants read access to all kOOL users and write access for kOOL_ldapadmin to the actual addresses.

Enable LDAP support in kOOL

After your LDAP server is running and prepared for the kOOL addresses you can enable the LDAP support in config/ko-config.inc:


$ldap_enabled = TRUE;
$ldap_admin = "kOOL_ldapadmin";
$ldap_admin_pw = "PASSWORD";
$ldap_server = "your.ldap.server.com";
$ldap_dn = "ou=kOOL_demo,dc=your.ldap.server,dc=com";


From now on, all addresses in kOOL will also be available in the LDAP directory. And also all the kOOL logins, that have access to the addresses module, will be authorized to access the data through LDAP.

©Renzo Lauper, CH-5000 Aarau, All rights reserved