new domains without changes to /etc/kolab/kolab.conf OR "pure" LDAP-only administration

Christian Tardif christian.tardif at servinfo.ca
Thu Oct 31 04:22:47 CET 2013


That I can help with.

Once your kolab 3.1 installation is done (I think I've seen it's 
possible in Kolab 3.0, but..), you have to edit/correct a couple of things:

1) You have to download and run this script:

https://github.com/tpokorra/kolab3_tbits_scripts/blob/master/kolab3.1/initMultiDomain.sh

with a single parameter: your cn=Directory Manager password

It will update a number of files...

Oh! You know what?  I'm attaching the initMultiDomain.sh script that I modified to automate the download of some patches, in order to make things simpler. Because if you don't check the script before running it, chances are that it will fail to complete since you'll be missing 4 patches.

Maybe someone would want to replace the online script with the one I just provided?  It's the exact same thing, but just easier to run.

Done for the base setup.  Now, you can create the domain, and this will 
create another ldap tree...  completely isolated from the first one. But 
the creation of the domain won't help much at that point. Log out from 
the Kolab Admin Panel, then log back in. On the top right, left from 
Logout, you'll see a text menu with your default domain (the one you 
created during installation). Click on it, and you'll get a menu allowing 
to change the domain on which to work.  Now, you can create a user in 
the domain you want.

But there's more to do. Actually, the setup-kolab install script does 
not create certificates. So once your user is created, you won't see it 
appear under the /var/spool/imap/domain/ structure. Why?  Because the 
pykolab script can't log in to the IMAP server since TLS is not available, 
as there are no certificates.

Here's the recipe (adapt it for your environment):

  * openssl req -new -nodes -out req.pem -keyout key.pem
  * openssl rsa -in key.pem -out new.key.pem
  * openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 3650
  * cp new.key.pem /etc/pki/cyrus-imapd/cyrus-imapd.pem
  * cat ca-cert >> /etc/pki/cyrus-imapd/cyrus-imapd.pem

Now, you have a certificate you can work with. By the time you check, 
your user directory will probably be created. Depending on the distro 
you're using (I assume CentOS), you will probably see a lot of errors in 
....  well, I don't remember the logfile name  :-)  , but you'll see 
errors complaining that /etc/sasldb2 does not exist.  You just need to 
create a dummy file with:

saslpasswd2 /etc/sasldb2

and set appropriate permissions:

chown cyrus /etc/sasldb2
chmod 640 /etc/sasldb2

Now, you should have a setup to play with.

Cheers!

Christian...
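
A check for the combined PEM that the certificate recipe above produces, as an added example that is not part of the original post. The function name `check_imap_pem` is hypothetical; it assumes GNU `stat` and an `openssl` binary that provides the `pkey` subcommand.

```bash
#!/bin/bash
# Added example, not from the original post: sanity-check a combined key+cert
# PEM such as the /etc/pki/cyrus-imapd/cyrus-imapd.pem built by the recipe.

# check_imap_pem FILE [SECONDS]   (hypothetical helper name)
#   0: FILE holds an unencrypted private key and a certificate for that key,
#      the certificate stays valid for SECONDS more (default 0), and FILE
#      grants no access to "other"
#   1: one of those checks failed      2: FILE cannot be read
check_imap_pem() {
  local pem=$1 horizon=${2:-0} key_pub cert_pub mode

  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

  # Public half of the private key; the empty -passin makes an encrypted key
  # fail here instead of prompting for a passphrase.
  key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) ||
    { echo "$pem: no usable private key" >&2; return 1; }

  # Public key embedded in the first certificate found in the file.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
    { echo "$pem: no certificate" >&2; return 1; }

  [ "$key_pub" = "$cert_pub" ] ||
    { echo "$pem: certificate does not match the private key" >&2; return 1; }

  # -checkend N exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null ||
    { echo "$pem: certificate expires within ${horizon}s" >&2; return 1; }

  # The file contains the private key, so "other" must have no access to it.
  mode=$(stat -c '%a' "$pem")
  case $mode in
    *[1-7]) echo "$pem: mode $mode grants access to other users" >&2
            return 1 ;;
  esac
  return 0
}
```

Running `check_imap_pem /etc/pki/cyrus-imapd/cyrus-imapd.pem 2592000` also flags a certificate that expires within 30 days.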

On 2013-10-30 22:20, Erik M Jacobs wrote:
>
> On 10/30/2013 09:51 PM, Erik M Jacobs wrote:
>> On 10/13/2013 11:41 AM, Christian Hügel wrote:
>>
>>
>>> On 10.10.2013 11:54, Torsten Grote wrote:
>>>> On Thursday 10 October 2013 11:49:53 Timotheus Pokorra wrote:
>>>>> I was able to add a new domain, and to create users in that
>>>>> domain, without changing the kolab.conf file.
>>>> Awesome! :)
>>>>
>>>> I somehow missed this. How did we achieve that?
>>>>
>>>> Kind Regards, Torsten
>>>>
>>> I can confirm this. Created domains in webadmin-gui doesn't
>>> require editing kolab.conf anymore.
>> Sorry to revive this old thread.
>>
>> I just did an update against the development repo, but I'm not sure
>> it pulled in the latest things.
>>
>> As an example, I created a domain in the webadmin, but it did not
>> seem to add anything in ldap (didn't create an additional OU), and
>> I can't figure out how to add a user in that domain.
>>
>> What version of things do I need to be on?  Do I need to add the
>> nightly repo?  Do I need to modify kolab.conf or other config
>> files?
>>
>> I'm quite the kolab newbie.
>>
> I've now updated against the nightly repo.  When I add a domain I can
> see that various entries were added in ldap (new dc, new ous, etc).
>
> When I go to the users tab, I still only see the "people" ou on the
> original domain, and not the new domain.
>
> I don't see any way to add a user inside the new domain.
>
> I am guessing I need to make some changes to kolab.conf - perhaps with
> the base_dn settings and others? I am not sure.
>
> Cheers,
> E

-------------- next part --------------
#!/bin/bash

if [ -z "$1" ]
then
   echo "call $0 <ldap password for cn=Directory Manager>"
   exit 1
fi
 
DirectoryManagerPwd="$1"

#####################################################################################
#Removing Canonification from Cyrus IMAP
# TODO: could preserve canonification: http://lists.kolab.org/pipermail/users/2012-August/013711.html
#####################################################################################
cp -f /etc/imapd.conf /etc/imapd.conf.beforeMultiDomain
sed -r -i -e 's/^auth_mech/#auth_mech/g' /etc/imapd.conf
sed -r -i -e 's/^pts_module/#pts_module/g' /etc/imapd.conf
sed -r -i -e 's/^ldap_/#ldap_/g' /etc/imapd.conf
service cyrus-imapd restart

#####################################################################################
#Update Postfix LDAP Lookup Tables
# support subdomains too, search_base = dc=%3,dc=%2,dc=%1
# see https://lists.kolab.org/pipermail/users/2013-January/014233.html
#####################################################################################

cp -Rf /etc/postfix/ldap /etc/postfix/ldap.beforeMultiDomain
rm -f /etc/postfix/ldap/*_3.cf
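# the unquoted find output is word-split; this relies on the map file names containing no whitespace
for f in `find /etc/postfix/ldap/ -type f -name "*.cf" ! -name "mydestination.cf"`;
do
  # name of the copy used for three-level domains (dc=%3,dc=%2,dc=%1)
  f3=${f%.cf}_3.cf
  cp "$f" "$f3"
  sed -r -i -e 's/^search_base = .*$/search_base = dc=%2,dc=%1/g' "$f"
  sed -r -i -e 's/^search_base = .*$/search_base = dc=%3,dc=%2,dc=%1/g' "$f3"
done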

cp -f /etc/postfix/main.cf /etc/postfix/main.cf.beforeMultiDomain
sed -r -i -e 's#^transport_maps = .*$#transport_maps = ldap:/etc/postfix/ldap/transport_maps.cf, ldap:/etc/postfix/ldap/transport_maps_3.cf#g' /etc/postfix/main.cf
sed -r -i -e 's#^virtual_alias_maps = .*$#virtual_alias_maps = $alias_maps, ldap:/etc/postfix/ldap/virtual_alias_maps.cf, ldap:/etc/postfix/ldap/mailenabled_distgroups.cf, ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups.cf, ldap:/etc/postfix/ldap/virtual_alias_maps_3.cf, ldap:/etc/postfix/ldap/mailenabled_distgroups_3.cf, ldap:/etc/postfix/ldap/mailenabled_dynamic_distgroups_3.cf#g' /etc/postfix/main.cf
sed -r -i -e 's#^local_recipient_maps = .*$#local_recipient_maps = ldap:/etc/postfix/ldap/local_recipient_maps.cf, ldap:/etc/postfix/ldap/local_recipient_maps_3.cf#g' /etc/postfix/main.cf
 
service postfix restart

#####################################################################################
# withdraw permissions for all users from the default domain, which is used to manage the domain admins
#####################################################################################
management_domain=`cat /etc/kolab/kolab.conf | grep primary_domain`
management_domain=${management_domain:17}
cat > ./ldapparam.txt <<END
dn: associateddomain=$management_domain,cn=kolab,cn=config
changetype: modify
delete: aci
END
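# quote the password so that spaces or glob characters in it survive;
# note that -w puts it on the command line, where the process list shows it
# (OpenLDAP's ldapmodify also accepts -y <file> to read it from a file)
ldapmodify -x -h localhost -D "cn=Directory Manager" -w "$DirectoryManagerPwd" -f ./ldapparam.txt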
rm -f ldapparam.txt
 
#####################################################################################
#kolab_auth conf roundcube; see https://git.kolab.org/roundcubemail-plugins-kolab/commit/?id=1778b5ec70156f064fdda61c817c678001406996
#####################################################################################
cp -r /etc/roundcubemail/kolab_auth.inc.php /etc/roundcubemail/kolab_auth.inc.php.beforeMultiDomain
sed -r -i -e "s#=> 389,#=> 389,\n        'domain_base_dn'            => 'cn=kolab,cn=config',\n        'domain_filter'             => '(\&(objectclass=domainrelatedobject)(associateddomain=%s))',\n        'domain_name_attr'          => 'associateddomain',#g" /etc/roundcubemail/kolab_auth.inc.php
sed -r -i -e "s#'ou=People,.*'#'ou=People,%dc'#g" /etc/roundcubemail/kolab_auth.inc.php
sed -r -i -e "s#'ou=Groups,.*'#'ou=Groups,%dc'#g" /etc/roundcubemail/kolab_auth.inc.php
 
#####################################################################################
#fix a problem with kolab lm, see http://lists.kolab.org/pipermail/devel/2013-June/014435.html
#####################################################################################
sed -r -i -e "s/kolab_user_filter = /#kolab_user_filter = /g" /etc/kolab/kolab.conf

#####################################################################################
#set primary_mail value in kolab section, so that new users in a different domain will have a proper primary email address, even without changing kolab.conf for each domain
#####################################################################################
sed -r -i -e "s/\[kolab\]/[kolab]\nprimary_mail = %(givenname)s.%(surname)s@%(domain)s/g" /etc/kolab/kolab.conf

if [ 1 = 1 ]
then
#####################################################################################
# install our modified version of the message_label plugin to support virtual folders aka imap flags
# see  https://github.com/tpokorra/message_label/tree/message_label_tbits
#####################################################################################
yum -y install wget
wget https://github.com/tpokorra/message_label/archive/message_label_tbits.zip -O message_label.zip
yum -y install unzip
unzip message_label.zip
rm -f message_label.zip
mv message_label-message_label_tbits /usr/share/roundcubemail/plugins/message_label
cp -f /etc/roundcubemail/config.inc.php /etc/roundcubemail/config.inc.php.beforeMultiDomain
sed -r -i -e "s#'redundant_attachments',#'redundant_attachments',\n            'message_label',#g" /etc/roundcubemail/config.inc.php
# probably a dirty hack: we need to force fetching the headers, so that the labels are always displayed
cp -f /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php.beforeMultiDomain
sed -i -e 's#function fetch_headers($folder, $msgs, $sort = true, $force = false)#function fetch_headers($folder, $msgs, $sort = true, $forcedummy = false, $force = true)#g' /usr/share/roundcubemail/program/lib/Roundcube/rcube_imap.php

#####################################################################################
# apply a patch to roundcube plugin managesieve, to support the labels set with message_label plugin.
# see https://github.com/tpokorra/roundcubemail/commits/manage_sieve_using_message_label_flags
#####################################################################################
mkdir -p patches
echo Downloading patch managesieveWithMessagelabel.patch...
wget https://raw.github.com/tpokorra/kolab3_tbits_scripts/master/kolab3.1/patches/managesieveWithMessagelabel.patch
mv managesieveWithMessagelabel.patch patches/
patch -p1 -i `pwd`/patches/managesieveWithMessagelabel.patch -d /usr/share/roundcubemail
fi

#####################################################################################
# install the advanced_search plugin
# see https://github.com/GMS-SA/roundcube-advanced-search
#####################################################################################
wget https://github.com/GMS-SA/roundcube-advanced-search/archive/stable.zip -O advanced_search.zip
unzip advanced_search.zip
rm -f advanced_search.zip
mv roundcube-advanced-search-stable /usr/share/roundcubemail/plugins/advanced_search
mv /usr/share/roundcubemail/plugins/advanced_search/config-default.inc.php /usr/share/roundcubemail/plugins/advanced_search/config.inc.php
sed -r -i -e "s#messagemenu#toolbar#g" /usr/share/roundcubemail/plugins/advanced_search/config.inc.php
sed -r -i -e "s#'redundant_attachments',#'redundant_attachments',\n            'advanced_search',#g" /etc/roundcubemail/config.inc.php

#####################################################################################
# apply a couple of patches, see related kolab bugzilla number in filename, eg. https://issues.kolab.org/show_bug.cgi?id=2018
#####################################################################################
mkdir -p patches
echo Downloading patch patchMultiDomainAdminsBug2018.patch...
wget https://raw.github.com/tpokorra/kolab3_tbits_scripts/master/kolab3.1/patches/patchMultiDomainAdminsBug2018.patch
mv patchMultiDomainAdminsBug2018.patch patches/
echo Downloading patch domainquotaBug2046.patch...
wget https://raw.github.com/tpokorra/kolab3_tbits_scripts/master/kolab3.1/patches/domainquotaBug2046.patch
mv domainquotaBug2046.patch patches/
echo Downloading patch  deleteDomainWithUsersBug1869.patch
wget https://raw.github.com/tpokorra/kolab3_tbits_scripts/master/kolab3.1/patches/deleteDomainWithUsersBug1869.patch
mv deleteDomainWithUsersBug1869.patch patches/
patch -p1 -i `pwd`/patches/patchMultiDomainAdminsBug2018.patch -d /usr/share/kolab-webadmin
patch -p1 -i `pwd`/patches/domainquotaBug2046.patch -d /usr/share/kolab-webadmin
patch -p1 -i `pwd`/patches/deleteDomainWithUsersBug1869.patch -d /usr/share/kolab-webadmin
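
The attached script applies whatever `wget` returns, as root, without checking that the download succeeded or that the patch is the one that was reviewed. The following added example (not part of the attached script or the upstream repository) pins each patch to a SHA-256 digest and dry-runs it first; the function names are hypothetical and the digest is a placeholder, since the post lists none.

```bash
#!/bin/bash
# Added example, not part of the attached script: pin each downloaded patch to
# a SHA-256 digest recorded when the patch was reviewed, and dry-run it first.

# verify_sha256 FILE EXPECTED_HEX   (hypothetical helper name)
#   0: digest matches   1: digest differs   2: FILE is missing
verify_sha256() {
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ] && return 0
  echo "digest mismatch for $file: got $actual" >&2
  return 1
}

# fetch_and_apply URL EXPECTED_HEX TARGET_DIR   (hypothetical helper name)
#   Applies the patch only if the download succeeded, the digest matches and
#   the patch applies cleanly in a dry run. mktemp yields an absolute path,
#   which matters because patch changes into TARGET_DIR before reading -i.
fetch_and_apply() {
  local url=$1 expected=$2 target=$3 tmp rc=1
  tmp=$(mktemp) || return 1
  if wget -q -O "$tmp" "$url" &&
     verify_sha256 "$tmp" "$expected" &&
     patch -p1 --dry-run -i "$tmp" -d "$target" >/dev/null; then
    patch -p1 -i "$tmp" -d "$target"
    rc=$?
  else
    echo "not applying $url" >&2
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (placeholder digest; record the real one after reviewing the patch):
#   fetch_and_apply \
#     https://raw.github.com/tpokorra/kolab3_tbits_scripts/master/kolab3.1/patches/domainquotaBug2046.patch \
#     "<sha256 of the reviewed patch>" /usr/share/kolab-webadmin
```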


