LDAP authentication

Peter Marschall edited this page Jan 3, 2025 · 10 revisions

Enable LDAP Authentication

The first step to enable LDAP authentication is the installation of the corresponding Python module. Although the python-ldap module is supported, we recommend using python-ldap3, as further development will be based only on this module.

Configure LDAP Authentication

After installing the Python LDAP module, you have to enable and configure it in the [auth] section of Radicale's configuration file.

Please note that anonymous bind is not supported. That means you have to provide an LDAP account with read rights to the user accounts. At the moment only SUBTREE searches are implemented.

The following parameters are available. No default values are provided, which means you have to set all parameters:

  • type = ldap Use LDAP authentication.

  • ldap_uri The URI to the LDAP server in the format {ldap|ldaps}://{hostname|ip}[:port] or ldapi://[path].

  • ldap_base The base DN from where the users must be searched for.

  • ldap_reader_dn The DN of the LDAP account with read rights to the subtree from ldap_base.

  • ldap_secret The password of the ldap_reader_dn.

  • ldap_secret_file Path of the file containing the password of the ldap_reader_dn.

    Either this parameter or ldap_secret must be provided.

  • ldap_filter The LDAP filter to find the DN of the login user.

    This filter must contain a Python format string with placeholder(s) for the login: (&(objectClass=person)(cn={0}))

  • ldap_user_attribute LDAP attribute whose value shall be used as the user name after successful authentication.

    Default is unset, in which case the login name is used as the username.

Using LDAP group membership of users

There is an additional parameter ldap_load_groups. When this is set to True, the memberOf LDAP attributes of the user are evaluated and can be used for access-rights management and for access to group calendars. Group calendars are not created automatically; you have to create them on demand. After the next access to the server, the new calendar is visible to all members of the group. Here is a script to create a group calendar with a random color.

#!/bin/bash
# create-group-calendar.sh
# Copyright (c) 2024 Peter Varkoly Nürnberg, Germany.  All rights reserved.
# Script to create a group calendar for Radicale
#
if (( $# != 2 ))
then
        echo "Usage: $0 'group name' 'Calendar Description'"
        exit 1
fi

name=$1
description=$2
# Radicale stores the group collection under the base64-encoded group name
base64name=$( echo -n "${name}" | base64 )
# three random bytes as a lowercase hex string give the calendar color
color="$(head -c3 </dev/urandom | xxd -p )"
collection="/var/lib/radicale/collections/collection-root/GROUPS/${base64name}"

mkdir -p "${collection}/.Radicale.cache/sync-token"
echo '{"C:calendar-description": "'"${description}"'", "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO", "D:displayname": "'"${name}"'", "ICAL:calendar-color": "#'"${color}"'ff", "ICAL:calendar-order": "2", "tag": "VCALENDAR"}' > "${collection}/.Radicale.props"

chown -R radicale "${collection}/"

You can also use the group membership for managing rights. For example, you want to give everyone read access to the group calendars in which they are a member, and write access to the members of the group administrators. This can be achieved with the following rules:

[calendarsWriter]
groups: administrators
collection: GROUPS/[^/]+
permissions: rw

[calendarsReader]
user: .+
collection: GROUPS/[^/]+
permissions: r

Important: Members of the group administrators have write access only to the group calendars in which they are themselves members.

Examples

Configuration

[auth]
type = ldap
ldap_uri = ldap://localhost:3890
ldap_base = dc=example,dc=tld
ldap_reader_dn = uid=radicale,ou=people,dc=example,dc=tld
ldap_secret = SECRET
ldap_filter = (&(objectClass=person)(uid={0}))
lc_username = True
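As an added illustration of the parameter list above and this configuration example (my own code, not Radicale's): a small checker that reads the [auth] section, verifies the mandatory parameters and the rule that exactly one of ldap_secret and ldap_secret_file is set, and fills the {0} placeholder of ldap_filter with an RFC 4515-escaped login, so that characters such as *, ( or ) in a login name are matched literally instead of changing the filter. Function names and the sample configuration are constructed for this example.

```python
import configparser

# parameters the wiki lists as mandatory (besides type and the secret)
REQUIRED = ("ldap_uri", "ldap_base", "ldap_reader_dn", "ldap_filter")

# RFC 4515 escaping: these characters must not be interpreted inside a filter
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def load_ldap_auth(text: str) -> dict:
    """Parse the [auth] section and check the constraints described on this page."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    auth = cp["auth"]
    if auth.get("type") != "ldap":
        raise ValueError("auth type is not ldap")
    missing = [k for k in REQUIRED if not auth.get(k)]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))
    # either ldap_secret or ldap_secret_file, not both and not neither
    if bool(auth.get("ldap_secret")) == bool(auth.get("ldap_secret_file")):
        raise ValueError("set exactly one of ldap_secret and ldap_secret_file")
    if "{0}" not in auth["ldap_filter"]:
        raise ValueError("ldap_filter needs the {0} placeholder for the login")
    return dict(auth)


def user_search_filter(cfg: dict, login: str) -> str:
    """Build the search filter for one login from the configured format string."""
    return cfg["ldap_filter"].format(escape_filter_value(login))


# constructed sample, mirroring the configuration example above
SAMPLE = """
[auth]
type = ldap
ldap_uri = ldap://localhost:3890
ldap_base = dc=example,dc=tld
ldap_reader_dn = uid=radicale,ou=people,dc=example,dc=tld
ldap_secret = SECRET
ldap_filter = (&(objectClass=person)(uid={0}))
"""

if __name__ == "__main__":
    cfg = load_ldap_auth(SAMPLE)
    print(user_search_filter(cfg, "alice"))
```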