Skip to content
Ozzie Isaacs edited this page Jun 27, 2020 · 9 revisions

Installation

LDAP can be used as login provider for Calibre-Web. Depending on your distro some packages need to be installed. As further prerequiste you need to install the dependencies listed in optional-requirements.txt in the LDAP section.

Configuration

After a reboot of Calibre-Web you should see Flask_SimpleLDAP in the about section and in the Admin section Basic Configuration, Feature Configuration a new option "Login Type" appears. After selecting it you have to configure your LDAP connection:

  • LDAP Server Host: Please insert the same of your LDAP server, or it's IP Address, without starting ldap://
  • LDAP Server Port: Please insert your servers port here, usually 389 for unencrypted traffic, and 636 for ssl encrpyted traffic
  • LDAP Encryption: For STARTTls select TLS, for SSL encrypted connection use SSL
  • LDAP Certificate PATH: This field is only visible for TLS or SSL encrypted connections. If your server need a certificate for client authentication, enter the file path on the server
  • LDAP Authentication: Please select your authentication method for the administrator. Anonymous means no Adminstrator username and password is needed, Unauthenticated means you only need an Administrators username and no password. The setting Simple means you have to provide Administrator's username and password for bind requests.
  • LDAP Administrator Username: Please fill in your administrators username, normally something like cn=admin,dc=example,dc=com
  • LDAP Administrator Password: Enter your Adminstrator's password, after submitting the form, the field will be empty as in the create user section
  • LDAP Distinguished Name: Put in your search root, usually something like dc=example,dc=com
  • LDAP User Object Filter: Put in the search term used to find a specific user. Usually something like (&(objectclass=Person)(userPrincipalName=%s)). The string has to contain exactly one %s, this is replace by Calibre-Web with the username is currently searchs for
  • LDAP Server is OpenLDAP?: If you are using an openLDAP server, or your server is using an openLDAP dialect tick this option
  • LDAP Group Object Filter: Field can be empty if you want to add your users manually. Otherwise it should be filled with a search term to query the group to add, usually something like (&(objectclass=groupofnames)(cn=%s)). The string has to contain exactly one %s, this is replace by Calibre-Web with the groupname
  • LDAP Group Name: The group name to search for upon importing users from the LDAP server
  • LDAP Group Members Field: The field in the Response to the Group query, usually something like member, or memberuid

To get logged in to Calibre-Web via LDAP the users have to be created or imported in Calibre-Web (The user account has to be visible in Calibre-Web admin section). If you enter a password in the edit user section for your admin account, you can login as fallback if the LDAP server is not reachable (or connection is wrongly configured). Otherwise there is no chance to log into Calibre-Web and change settings. If the LDAP server is down, no user without fallback password can log into Calibre-Web. User's passwords are not updated/stored in Calibre-Web's own database. As long as the LDAP server is running, users with fallback password can only login via their LDAP password and not with the fallback password.

Usernames are not case sensitive, so username user is same as uSeR.

Login with LDAP to the OPDS feed

With enabling LDAP login this login method will also be used to log into the OPDS feed. The fallback login as desribed above will not work there.

Import Users

In the admin section it is possible to import users from a certain group from your LDAP server. Upon import, usernames and, if existing, emails are imported. If users have a second email in their account, this email is imported as Kindle Email. For imported users the settings for new users are applied. User rights can be changed after import like for any other user. The import function can be conducted later on again, already imported users are not affected from later imports.

Example

This is an basic example generated on a Manjaro Linux 19.0 with openldap version 2.4.49-1. Remark the string between the < > are symbolising are random choosen passwart and have to be replaced with your own passwords. Furthermore it's requested to also hash the admins password, this was skipped here for make the example better understandable. Basic slap.conf file:

include		/etc/openldap/schema/core.schema
include 	/etc/openldap/schema/cosine.schema
include 	/etc/openldap/schema/inetorgperson.schema

pidfile		/run/openldap/slapd.pid
argsfile	/run/openldap/slapd.args

#######################################################################
# MDB database definitions
#######################################################################

database	mdb
maxsize		1073741824
suffix		"dc=calibreweb,dc=com"
rootdn		"cn=root,dc=calibreweb,dc=com"
rootpw		<root-password>

directory	/var/lib/openldap/openldap-data
# Indices to maintain

index   objectClass     eq
index   uid             pres,eq

access to attrs=userPassword
	by self write
	by anonymous auth
	by dn.base="cn=root,dc=calibre,dc=com" write
	by * none

access to *
	by self read
	by dn.base="cn=root,dc=calibre,dc=com" write
	by * read

Following file was used for basic configuration:

# calibre.com
dn: dc=calibreweb,dc=com
dc: Calibreweb
o: Calibre Organization
objectClass: dcObject
objectClass: organization

# root, calibreweb.com
dn: cn=root,dc=calibreweb,dc=com
cn: root
description: LDAP administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=calibreweb,dc=com

# People, calibreweb.com
dn: ou=People,dc=calibreweb,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User Joe
dn: uid=joe,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: joe
cn: Joe Smith
sn: Smith
userPassword: {SSHA}<joes-password>

# User John
dn: uid=john,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: john@doe.org
uid: john
cn: John Doe
sn: Doe
userPassword: {SSHA}<johns-password>

#Generic groups
dn: ou=groups,dc=calibreweb,dc=com
objectclass:organizationalunit
ou: groups

# create the cps entry
dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectclass: groupofnames
cn: cps
member: uid=joe,ou=People,dc=calibreweb,dc=com
member: uid=john,ou=People,dc=calibreweb,dc=com

Alternatively the following would work for defining the groups:

dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectClass: posixGroup
cn: cps
gidNumber: 5001
memberUid: joe
memberUid: John

Example command for searching after group and user (done similar by Calibre-Web)

ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-passwort> -b 'dc=calibreweb,dc=com' '(&(objectclass=groupofnames)(cn=cps))' member
ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-passwort> -b 'dc=calibreweb,dc=com' '(uid=john)' *

Corresponding Calibre-Web settings

LDAP Server Host: my-computer.com
LDAP Server Port: 389
LDAP Encryption: None
LDAP Administrator Username: cn=root,dc=calibre,dc=com
LDAP Administrator Password:
LDAP Distinguished Name: dc=calibre,dc=com
LDAP User Object Filter: (uid=%s)
LDAP Group Object Filter: (&(objectclass=groupofnames)(cn=%s))
LDAP Group Name: cps
LDAP Group Members Field: member