-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
LDAP Login
LDAP can be used as login provider for Calibre-Web. Depending on your distro some packages need to be installed. As further prerequiste you need to install the dependencies listed in optional-requirements.txt in the LDAP section.
After a reboot of Calibre-Web you should see Flask_SimpleLDAP in the "About" section. In the Admin section -> Basic Configuration -> Feature Configuration a new option "Login Type" appears. After selecting it you have to configure your LDAP connection:
- LDAP Server Host: Please insert the same of your LDAP server, or it's IP Address, without starting ldap://
- LDAP Server Port: Please insert your servers port here, usually 389 for unencrypted traffic, and 636 for ssl encrpyted traffic
-
LDAP Encryption: For STARTTls select
TLS
, for SSL encrypted connection useSSL
- LDAP CACertificate Path: This field is only visible for TLS or SSL encrypted connections. If your server need a certificate for client authentication, enter the file path on the server for the Certification Authority Certificate file
- LDAP Certificate Path: This field is only visible for TLS or SSL encrypted connections. If your server need a certificate for client authentication, enter the file path on the server for the certificate file
- LDAP Keyfile Path: This field is only visible for TLS or SSL encrypted connections. If your server need a certificate for client authentication, enter the file path on the server for the Secret Key file
-
LDAP Authentication: Please select your authentication method for the administrator.
Anonymous
means no Adminstrator username and password is needed,Unauthenticated
means you only need an Administrators username and no password. The settingSimple
means you have to provide Administrator's username and password for bind requests. -
LDAP Administrator Username: Please fill in your administrators username, normally something like
cn=admin,dc=example,dc=com
- LDAP Administrator Password: Enter your Adminstrator's password, after submitting the form, the field will be empty as in the create user section
- LDAP Distinguished Name: Put in your search root, usually something like dc=example,dc=com
-
LDAP User Object Filter: Put in the search term used to find a specific user. Usually something like
(&(objectclass=Person)(userPrincipalName=%s))
. The string has to contain exactly one%s
, this is replace by Calibre-Web with the username is currently searchs for - LDAP Server is OpenLDAP?: If you are using an openLDAP server, or your server is using an openLDAP dialect tick this option
-
LDAP Group Object Filter: Field can be empty if you want to add your users manually. Otherwise it should be filled with a search term to query the group to add, usually something like
(&(objectclass=groupofnames)(cn=%s))
. The string has to contain exactly one%s
, this is replace by Calibre-Web with the groupname - LDAP Group Name: The group name to search for upon importing users from the LDAP server
-
LDAP Group Members Field: The field in the Response to the Group query, usually something like
member
, ormemberuid
-
LDAP Member User Filter Detection: Usually
Autodetect
works, if your users are not detected upon import, change it toCustom Filter
-
LDAP Member User Filter: Change this setting if your users aren't found during import. You could use e.g. (&(objectclass=Person)(cn=%s)) to fetch the user, but the login will be the value in sAMAccountName field. In this case enter:
sAMAccountName=%s
. The string has to contain exactly one%s
. Setting is needed for using Windows Active Directory Authentication
To get logged in to Calibre-Web via LDAP the users have to be created or imported in Calibre-Web (The user account has to be visible in Calibre-Web admin section). If you enter a password in the edit user section for your admin account, you can login as fallback if the LDAP server is not reachable (or connection is wrongly configured). Otherwise there is no chance to log into Calibre-Web and change settings. If the LDAP server is down, no user without fallback password can log into Calibre-Web. User's passwords are not updated/stored in Calibre-Web's own database. As long as the LDAP server is running, users with fallback password can only login via their LDAP password and not with the fallback password.
Usernames are not case sensitive, so username user
is same as uSeR
.
With enabling LDAP login this login method will also be used to log into the OPDS feed. The fallback login as described above will not work there.
In the admin section it is possible to import users from a certain group from your LDAP server. Upon import, usernames and, if existing, emails are imported. If users have a second email in their account, this email is imported as Kindle Email. For imported users the settings for new users are applied. User rights can be changed after import like for any other user. The import function can be conducted later on again, already imported users are not affected from later imports.
This is an basic example generated on a Manjaro Linux 19.0 with openldap version 2.4.49-1.
Remark the string between the < >
are symbolising are random choosen passwart and have to be replaced with your own passwords. Furthermore it's requested to also hash the admins password, this was skipped here for make the example better understandable.
Basic slap.conf file:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=calibreweb,dc=com"
rootdn "cn=root,dc=calibreweb,dc=com"
rootpw <root-password>
directory /var/lib/openldap/openldap-data
# Indices to maintain
index objectClass eq
index uid pres,eq
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=root,dc=calibre,dc=com" write
by * none
access to *
by self read
by dn.base="cn=root,dc=calibre,dc=com" write
by * read
Following file was used for basic configuration:
# calibre.com
dn: dc=calibreweb,dc=com
dc: Calibreweb
o: Calibre Organization
objectClass: dcObject
objectClass: organization
# root, calibreweb.com
dn: cn=root,dc=calibreweb,dc=com
cn: root
description: LDAP administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=calibreweb,dc=com
# People, calibreweb.com
dn: ou=People,dc=calibreweb,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# User Joe
dn: uid=joe,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: joe
cn: Joe Smith
sn: Smith
userPassword: {SSHA}<joes-password>
# User John
dn: uid=john,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: john@doe.org
uid: john
cn: John Doe
sn: Doe
userPassword: {SSHA}<johns-password>
#Generic groups
dn: ou=groups,dc=calibreweb,dc=com
objectclass:organizationalunit
ou: groups
# create the cps entry
dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectclass: groupofnames
cn: cps
member: uid=joe,ou=People,dc=calibreweb,dc=com
member: uid=john,ou=People,dc=calibreweb,dc=com
Alternatively the following would work for defining the groups:
dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectClass: posixGroup
cn: cps
gidNumber: 5001
memberUid: joe
memberUid: John
Example command for searching after group and user (done similar by Calibre-Web)
ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-passwort> -b 'dc=calibreweb,dc=com' '(&(objectclass=groupofnames)(cn=cps))' member
ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-passwort> -b 'dc=calibreweb,dc=com' '(uid=john)' *
Corresponding Calibre-Web settings
LDAP Server Host: my-computer.com
LDAP Server Port: 389
LDAP Encryption: None
LDAP Administrator Username: cn=root,dc=calibre,dc=com
LDAP Administrator Password:
LDAP Distinguished Name: dc=calibre,dc=com
LDAP User Object Filter: (uid=%s)
LDAP Group Object Filter: (&(objectclass=groupofnames)(cn=%s))
LDAP Group Name: cps
LDAP Group Members Field: member