Frequently Asked Question

I want to be able to share a corporate address books among users
Τελευταία Ενημέρωση πριν 9 χρόνια

It is possible to use the LDAP server as a backend for shared addressbooks.

Those addressbooks can be accessed and managed via iNODE's GroupWARE interface and directly accessed from all known mail clients.

The LDAP backend can be any LDAP server or iNODE's LDAP server.

This tutorial will guide you through the configuration of the LDAP server in order to be used as a shared addressbooks backend, and the configuration of iNODE groupware in order to be able to access and manage the shared LDAP addressbooks.

LDAP is not required to be setup as the authentication backend of iNODE, but in case the LDAP server is also the authentication backend, it is possible, with careful configuration (making sure only read access is provided), to use the user database as a shared addressbook in order to lookup the other users' provided information.

LDAP initialization
LDAP server must be properly initialized before using it. Please follow the LDAP initialization instructions if the server has not been initialized yet.


There are mainly two scenarios regarding the use of the shared Addressbooks:
  1. The addressbooks are available via anonymous access to all lan IPs
    In this case, management is very simple, no users are required on the LDAP server. Administrators can access the LDAP server using the root DN account and manage the addressbooks and all other users can access the LDAP server addressbooks anonymously, without authentication.
  2. Each user must be authenticated on the LDAP server in order to access the addressbooks.
    In this case, a user database must exist on the LDAP server, so that users can authenticate using their own or a common set of credentials and accessing only what is accessible to them, controlled by ACLs on the LDAP server.


Anonymous access on LDAP server

By default anonymous access on the LDAP server is disabled. To enable it, goto Configuration :: LDAP Service :: General Settings and change the "Allow anonymous access" setting to "Yes"

image

To allow anonymous users to access any data on the LDAP server, a new access rule must be added. Go to Configuration :: LDAP Service :: Access Control Lists and add a new ACL similar to the picture below.
This will allow anonymous clients to access (search and read) the LDAP contents (shared addressbooks):

image

To restrict anonymous users to specific parts of the LDAP directory, instead of "Everything", choose "All descendants of specific DN".



User based access on LDAP server

In most cases we do not want to allow anonymous access to the LDAP server and we require users to authenticate when accessing the LDAP server, in order to provide different levels of access on the contents of the LDAP server. For example allowing some users to access the addressbook read-only, while others have the ability to add, delete and modify the LDAP contacts.

This options requires the maintenance of a user database on the LDAP server.


Create users on LDAP server
In case the LDAP server is used as the authentication backend, the user database can be fully managed from the web interface's user management (Configuration :: System :: User Management):

image

Some extra details (personal information) is available for users on the LDAP server. These details correspond to additional attributes stored on the user (the user's object on the LDAP server):

image



In case the LDAP server is not used by iNODE as the authentication backend, a 3rd party software must be used to manage the user database. For a tutorial on using LDAP Admin as a tools for managing LDAP contents and maintaining a user database on the LDAP server, see this tutorial



LDAP Access Lists

After creating the necessary users for providing different access levels on the LDAP server, LDAP access lists must be created for each user to enforce the user's access level on the LDAP contents:

image


GroupWARE access on shared addressbooks


iNODE Groupware can use shared addressbooks stored on LDAP server.
In order to use the shared address books a LDAP connection profile must be created that will be used by the GroupWARE to access the LDAP server.

NOTE: This profile is common to all users. This means that all users accessing the shared addressbooks via GroupWARE webmail will always connect with the same settings, thus not allowing access control at this level. This means that if the LDAP connection settings allow full access on the LDAP server's contents, all GroupWARE users will be able to create, delete and modify the addressbook's contacts. If the LDAP connection settings give read-only access to LDAP contents, all GroupWARE users will only be able to read the contents and not do any modifications.


In case we have allowed anonymous access to the LDAP server, we may want to create an anonymous connection:

image


Otherwise, a Bind DN and a password must be specified. If we want all GroupWARE users to have full access on the LDAP addressbok, and we do not want to create any users on the LDAP server, the root DN and the root password could be used here. This is not recommended though.

,image

While editing the LDAP connection, an attempt to connect to the LDAP server is made with the settings provided and the connection status can be seen at the top of the form. If everything is ok, the status should display a "Working" with a green tick.

After creating the LDAP connection profile:

image


GroupWARE shared LDAP addressbooks
After the LDAP connection profile is set up and working, we can create the shared address books on GroupWARE. Go to Configuration :: E-Mail Service :: GroupWARE :: Shared Address Books and click on "Add Addressbook...". Fill the form with the appropriate settings.

image

Title: This is the name that identifies the Address Book and the name the users will see for this addressbook.

Enabled: Use this settings to disable an Address Book while maintaining its settings. When the addressbook is disabled, It is not available to the users.

Connection profile: The connection profile provides all necessary settings for the connection to the LDAP server. Note that the connection is made by the Groupware and the authentication type used is static (the same for all users) and only provided by the settings of the LDAP connection profile we select here.

Server type: Select the type of the LDAP server that is used as backend. An Active Directory server can also be used, but in this case, the access is read-only. Attempting to manipulate the contacts in this addressbook (create/edit/delete) will fail. The same applies when the account used in the LDAP connection profile does not have sufficient rights to perform any changes to the data stored on the LDAP server.

NOTE: It is possible to specify settings that point to a user database stored on the LDAP server. This way all the users in the database will appear as contacts in the shared address book. You have to be extra careful in this case, to provide an account in the connection profile that does not have the right to manipulate the data in any way.

Search path: This is the path of the LDAP server that is used as the base for the LDAP search that will return the contact entries. This is also called the base DN for the search.

Search scope: The scope for the LDAP search:
Children: This value is used to indicate searching all entries one level under the search path - but not including the search path and not including any entries under that one level under the search path. Also called one.
Descendants: This value is used to indicate searching of all entries at all levels under and including the specified search path. Also called sub.


image


You can create multiple addressbooks here, even reusing the same connection profile, just by changing the "Search path".


Managing addressbooks via GroupWare

After the addressbook is created, GroupWARE users can directly access the contacts of the shared addressbook from the webmail and either create, delete, edit and even import and export the shared address books.


image


Accessing shared addressbooks from mail clients

Shared addressbooks on LDAP server can be used directly by mail clients to lookup contact information when composing a new email.

Note that access to the LDAP addressbooks via most mail clients is read only. The clients can search the directory in order to find matching contacts but have no means of creating, deleting or editing any of the contacts stored on the LDAP server, even though it would be permitted by the server.


  • Thunderbird
To access the shared addressbook from thunderbird, goto Tools -> Addressbook and click on New -> LDAP Directory...

image

Fill the necessary LDAP connection settings, and provide the Bind DN in case authentication is required.

image

After that, the shared LDAP addressbook is available.

image

On the first use (LDAP search), if a bind DN was provided, a password will be asked for the account:

image


image


image

  • Outlook
To access the shared LDAP address book from Microsoft Outllook, click on File tab, Account Settings -> Account Settings.



Click on the "Address Books" tab

image

and click on the "New..." button. Select "Internet Directory Service (LDAP)"

image

and finally fill in the server IP or hostname, and if authentication is required, provide the credentials of an LDAP user as well:

image


When finished, restart Outlook.

Now when composing a new email, the recipient's email address can be looked up automatically while typing the To: address.

Παρακαλούμε περιμένετε!

Παρακαλούμε περιμένετε... θα πάρει ένα δευτερόλεπτο!