Blogs

Kolab - SSL certificate authentication (web-based interface)

I have spent some time this weekend investigating SSL certificate-based authentication and implementing it in Kolab web-based user interface.

This topic is very interesting, but definitely too broad to be described briefly in a single blog post, so do not look at it as a complete solution; treat it only as a proof of concept.

Table of contents

Certification Authority

Apache

Kolab - Web-based user interface

Notes

Prepare Certification Authority

First you need to create the Certification Authority on an off-line, secured system.

I have already created the required shell scripts (miniature-octo-ca) to ease the whole operation, so just clone the following repository and move it to the CA system.

$ git clone https://github.com/milosz/miniature-octo-ca.git
Cloning into 'miniature-octo-ca'...
remote: Counting objects: 10, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 10 (delta 2), reused 10 (delta 2)
Unpacking objects: 100% (10/10), done.

Please remember to change the working directory before executing any of the shell scripts.

$ cd miniature-octo-ca

Configure Certification Authority

The next step is to configure the CA using the common-ca-settings.sh configuration file.

HOWTO: CalDAV+CardDAV-iRony-Subdomain NGINX

Apple clients work best if you create a dedicated virtual host for them.

On CentOS, create the file /etc/nginx/conf.d/irony.cf:

server {
    listen      443 ssl;
    server_name caldav.example.org;

    location / {
        client_max_body_size 30M; # set maximum upload size
        # Make Apple Calendar.app and Contacts.app happy:
        rewrite ^/.well-known/caldav / last;
        rewrite ^/.well-known/carddav / last;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php-fpm/kolab.example.org_iRony.sock;
        fastcgi_param SCRIPT_FILENAME /usr/share/iRony/public_html/index.php;
    }
}

Edit /usr/share/iRony/config/dav.inc.php or /etc/iRony/dav.inc.php and change the base URI:

// Log DAV requests to <log_dir>/davdebug
$config['base_uri'] = '/';

Restart nginx and choose manual setup in Apple Calendar, entering your virtual host caldav.example.org as the server.

HOWTO: Catch-all for Postfix in Kolab 3.2

Create the file /etc/postfix/ldap/virtual_alias_maps_catchall.cf:

server_host = localhost
server_port = 389
version = 3
search_base = dc=example,dc=org
scope = sub
domain = ldap:/etc/postfix/ldap/mydestination.cf
bind_dn = uid=kolab-service,ou=Special Users,dc=example,dc=org
bind_pw = PASSWORD_FROM_kolab-service
query_filter = (&(alias=catchall@%d)(objectclass=kolabinetorgperson))
result_attribute = mail

Change dc=example,dc=org (it appears twice) and the bind password in this file.

Then edit /etc/postfix/main.cf and append

,   ldap:/etc/postfix/ldap/virtual_alias_maps_catchall.cf

to the end of the virtual_alias_maps setting.

In the kolab-webadmin page you can now add a new alias called catchall@domain.org.
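To see which LDAP search the catch-all map actually issues for a given recipient, the following Python snippet emulates Postfix's query_filter expansion (%s, %u and %d substituted with RFC 4515 escaping) together with the domain check that the domain = ... line adds. It is an added example, not part of this post or of Postfix itself; the function names and the sample addresses are constructed.

```python
import re

# Constructed emulation of Postfix ldap_table query_filter expansion (added
# example; not Postfix's own code). Postfix replaces %s with the whole lookup
# key, %u with the local part and %d with the domain part, and escapes the
# RFC 4515 special characters so a crafted address cannot change the filter
# structure.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def expand_query_filter(template, address, domains):
    """Return the expanded filter, or None when Postfix would skip the lookup.

    `domains` stands in for the table's 'domain' list (the mydestination.cf
    map in the post), given here as a set of lower-case domain names.
    Postfix skips the lookup when the key has no domain part or when the
    domain is not in that list.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or domain.lower() not in domains:
        return None
    subs = {
        "%s": ldap_escape(address),
        "%u": ldap_escape(local),
        "%d": ldap_escape(domain),
    }
    # A callback avoids re-substituting text that the escaped values contain.
    return re.sub(r"%[sud]", lambda m: subs[m.group(0)], template)


# The query_filter from virtual_alias_maps_catchall.cf above.
CATCHALL_FILTER = "(&(alias=catchall@%d)(objectclass=kolabinetorgperson))"

if __name__ == "__main__":
    for addr in ("nobody@example.org", "nobody@other.org", "x*@example.org"):
        print(addr, "->", expand_query_filter(CATCHALL_FILTER, addr, {"example.org"}))
```

Against the live map, the equivalent check is postmap -q nobody@example.org ldap:/etc/postfix/ldap/virtual_alias_maps_catchall.cf, which should print the mail attribute of the user holding the catchall alias.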

HOWTO: Use Dovecot instead of Cyrus in Kolab 3.2

EDIT 22 Nov 2014: Patch for Roundcube included in Kolab 3.3
https://github.com/roundcube/roundcubemail/commit/6646809
https://github.com/roundcube/roundcubemail/commit/0d273c9a

This HOWTO is for CentOS 6.5 and Kolab 3.2.
Download the Kolab packages but do not run setup-kolab.

Warning: the following will not work if you follow this HOWTO:

  • chwala (file storing) -- fixed in 3.3
  • Roundcube tasklist does not show created entries (maybe a bug in Dovecot, the tasklist plugin or a configuration problem) -- fixed in 3.3
  • Delegation
  • Kolab command-line interface -- Thomas Baumann wrote how one could maybe list mailboxes with the Kolab CLI: http://lists.kolab.org/pipermail/users/2014-September/017796.html
  • Roundcube bugs (I solved this by using nginx instead of httpd) -- fixed in 3.3

Sieve and ACL are also described in this text.

Dependencies

# yum install mercurial
# setup-kolab ldap

Look for the Cyrus administrator password. It is needed for the configuration of the master user in Dovecot. The Directory Manager password is also needed later in this HOWTO.

Install Dovecot 2.2.13 (the stable release at the time of this HOWTO)

Install and then erase the old Dovecot package:

# yum install dovecot
# yum erase dovecot

Build dependencies:

Kolab 3.1.5, Debian 7.5 and issue during setup process

After a longer period of time I have decided to install Kolab and use it as a personal information manager. The installation process went as expected up to the point where the setup process tried to install the Roundcube database and failed miserably.

Source of the problem

The problem can be easily identified by the error messages returned by the setup process.

Follow the example below to see the MySQL errors at the very end.

A new folder subscription system

Wouldn't it be great if Kontact allowed you to select a set of folders you're interested in, that setting was automatically respected by all your devices, and you could still control for each individual folder whether it should be visible and available offline?

I'll outline a system that allows you to achieve just that in a groupware environment. I'll take Kolab and calendar folders as the example, but the concept applies to all groupware systems and is just as applicable to email or other groupware content.

User Scenarios

  • Anna has access to hundreds of shared calendars, but she usually only uses a few selected ones. She therefore only has a subset of the available calendars enabled; these are shown to her in the calendar selection dialog, available for offline usage and also synchronized to her mobile phone. If she realizes she no longer requires a calendar, she simply disables it and it disappears from Kontact, the web client and her phone.
  • Joe works with a small team that shares their calendars with him. Usually he only uses the shared team calendar, but sometimes he wants to quickly check whether they are in the office before calling them, and he is often doing this on the train with an unreliable internet connection. He therefore disables the team members' calendars but still enables synchronization for them. This hides the calendars on all his devices, but he can still quickly enable them on his laptop while being offline.
  • Fred has a mailing list folder that he always reads on his mobile, but never on his laptop. He keeps the folder enabled, but hides it on his laptop so his folder list isn't unnecessarily cluttered.

What these scenarios tell us is that we need a flexible mechanism to specify the folders we want to see and the folders we want synchronized. Additionally, in today's world where we have multiple devices, we want to synchronize the selection of folders that are important to us: it is likely that I'd like to see the calendar I have just enabled in Kontact on my phone as well. However, we always want to keep the possibility of altering that default setting on specific devices.

Update 1.0.1 released

This is the first service release to update the stable version 1.0. It contains
some important bug fixes and improvements, mainly a fix for the unintentional
redirect from the compose page in Google Chrome, which started to happen after
a recent Chrome update.

It is considered stable and we recommend updating all production installations
of Roundcube to this version. Download it from roundcube.net/download;
see the full changelog here.

Please note that the update includes a small database schema change, so make sure
you run the update script.

Integrating ejabberd with Kolab

Kolab is an excellent open source messaging and collaboration suite, the installation of which I discussed in a previous post.

Currently, there is one feature missing from the Kolab suite: the ability to send instant messages (IM) between authenticated Kolab users, or even outside of the domain. This is where ejabberd comes in. The following is a summary of how you can integrate ejabberd into a Kolab system running on CentOS 6.5.

As Kolab is already installed, there is no need to add the EPEL repository that hosts the ejabberd .rpm package. Installation is as simple as:

sudo yum install ejabberd

ejabberd is written in Erlang and is configured by editing /etc/ejabberd/ejabberd.cfg:

sudo nano /etc/ejabberd/ejabberd.cfg

Search for the following line and edit it accordingly:

%%{auth_method, internal}.

change to

{auth_method, ldap}.

Search for the remaining configuration lines (Ctrl+W in nano) and change them to fit your environment:

{ldap_servers, ["localhost"]}.
{ldap_port, 389}.
{ldap_rootdn, "cn=Directory Manager"}.
{ldap_password, "the_password_you_set_during_kolab_install_for_ldap"}.
{ldap_filter, "(objectClass=mailrecipient)"}.
{ldap_uids, [{"alias", "%u@%d"}]}.
{acl, admin, {user, "admin", "yourdomain.org"}}.
{hosts, ["yourdomain.org"]}.
{ldap_base, "ou=People,dc=yourdomain,dc=org"}.

Save the file with Ctrl+X, then press 'y' (yes) and Enter.

Start the ejabberd service:

sudo service ejabberd start

Add ejabberd as a service to start at boot:

chkconfig ejabberd on

Update iptables to open the XMPP client port (5222) and the ejabberd HTTP port (5280):

sudo iptables -I INPUT -ptcp --dport 5280 -j ACCEPT
sudo iptables -I INPUT -ptcp --dport 5222 -j ACCEPT
sudo service iptables save
sudo service iptables restart

You should now be able to log in with an IM client such as Jitsi or Pidgin. As ejabberd is set to use ldap_uids with 'alias', you can log in with an alias instead of firstname.lastname@yourdomain.org.