OBM === |image0| Presentation ------------ `OBM `__ is enterprise-class messaging and collaboration platform for workgroup or enterprises with many thousands users. OBM includes Groupware, messaging server, CRM, LDAP, Windows Domain, smartphone and PDA synchronization… OBM is shipped with a LL::NG plugin with these features: - SSO on OBM web interface - Logout - User provisioning (account auto creation at first connection) Configuration ------------- .. _obm-1: OBM ~~~ To enable LL::NG authentication plugin, go in ``/etc/obm/obm_conf.inc``: .. code-block:: php $auth_kind = 'LemonLDAP'; $lemonldap_config = Array( "auto_update" => true, "auto_update_force_user" => true, "auto_update_force_group" => false, "url_logout" => "https://OBMURL/logout", "server_ip_address" => "localhost", "server_ip_check" => false, "debug_level" => "NONE", // "debug_header_name" => "HTTP_OBM_UID", // "group_header_name" => "HTTP_OBM_GROUPS", "headers_map" => Array( //"userobm_gid" => "HTTP_OBM_GID", //"userobm_domain_id" => , "userobm_login" => "HTTP_OBM_UID", "userobm_password" => "HTTP_OBM_USERPASSWORD", //"userobm_password_type" => , "userobm_perms" => "HTTP_OBM_PERMS", //"userobm_kind" => , "userobm_lastname" => "HTTP_OBM_SN", "userobm_firstname" => "HTTP_OBM_GIVENNAME", // "userobm_title" => "HTTP_OBM_TITLE", "userobm_email" => "HTTP_OBM_MAIL", "userobm_datebegin" => "HTTP_OBM_DATEBEGIN", //"userobm_account_dateexp" => , //"userobm_delegation_target" => , //"userobm_delegation" => , "userobm_description" => "HTTP_OBM_DESCRIPTION", //"userobm_archive" => , //"userobm_hidden" => , //"userobm_status" => , //"userobm_local" => , //"userobm_photo_id" => , "userobm_phone" => "HTTP_OBM_TELEPHONENUMBER", //"userobom_phone2" => , //"userobm_mobile" => , "userobm_fax" => "HTTP_OBM_FACSIMILETELEPHONENUMBER", //"userobm_fax2" => , "userobm_company" => "HTTP_OBM_O", //"userobm_direction" => , "userobm_service" => "HTTP_OBM_OU", "userobm_address1" => "HTTP_OBM_POSTALADDRESS", //"userobm_address2" => , //"userobm_address3" => , "userobm_zipcode" => "HTTP_OBM_POSTALCODE", "userobm_town" => "HTTP_OBM_L", "userobm_zipcode" => "HTTP_OBM_POSTALCODE", "userobm_town" => "HTTP_OBM_L", //"userobm_expresspostal" => , //"userobm_host_id" => , //"userobm_web_perms" => , //"userobm_web_list" => , //"userobm_web_all" => , //"userobm_mail_perms" => , //"userobm_mail_ext_perms" => , //"userobm_mail_server_id" => , //"userobm_mail_server_hostname" => , "userobm_mail_quota" => "HTTP_OBM_MAILQUOTA", //"userobm_nomade_perms" => , //"userobm_nomade_enable" => , //"userobm_nomade_local_copy" => , //"userobm_email_nomade" => , //"userobm_vacation_enable" => , //"userobm_vacation_datebegin" => , //"userobm_vacation_dateend" => , //"userobm_vacation_message" => , //"userobm_samba_perms" => , //"userobm_samba_home" => , //"userobm_samba_home_drive" => , //"userobm_samba_logon_script" => , // ---- Unused values ? ---- "userobm_ext_id" => "HTTP_OBM_SERIALNUMBER", //"userobm_system" => , //"userobm_nomade_datebegin" => , //"userobm_nomade_dateend" => , //"userobm_location" => , //"userobm_education" => , ), ); Parameters: - **url_logout**: URL used by OBM to logout, will be caught by LL::NG - **headers_map**: map OBM internal field to LL::NG header Edit also OBM configuration to enable LL::NG Handler: - For Apache: .. code-block:: apache ServerName obm.example.com # SSO protection PerlHeaderParserHandler Lemonldap::NG::Handler DocumentRoot /usr/share/obm/php ... - For Nginx: .. code-block:: nginx server { listen 80; server_name obm.example.com; root /usr/share/obm/php; # Internal authentication request location = /lmauth { internal; include /etc/nginx/fastcgi_params; fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock; # Drop post data fastcgi_pass_request_body off; fastcgi_param CONTENT_LENGTH ""; # Keep original hostname fastcgi_param HOST $http_host; # Keep original request (LL::NG server will receive /lmauth) fastcgi_param X_ORIGINAL_URI $original_uri; } # Client requests location ~ \.php$ { auth_request /lmauth; set $original_uri $uri$is_args$args; auth_request_set $lmremote_user $upstream_http_lm_remote_user; auth_request_set $lmlocation $upstream_http_location; error_page 401 $lmlocation; try_files $uri $uri/ =404; ... include /etc/lemonldap-ng/nginx-lua-headers.conf; } location / { try_files $uri $uri/ =404; } } LL::NG ~~~~~~ Attributes and macros ^^^^^^^^^^^^^^^^^^^^^ You will need to collect all attributes needed to create a user in OBM, this includes: - First name - Last name - Login - Mail - ... To add these attributes, go in Manager, ``Variables`` » ``Exported Variables``. .. attention:: If you plan to forward user's password to OBM, then you have to :doc:`keep the password in session<../passwordstore>`. You may also create these macros to manage OBM administrator account (``Variables`` » ``Macros``): ===== ============================================================================ field value ===== ============================================================================ uidR ``($uid =~ /^admin0/i)[0] ? "admin0\@global.virt" : $uid`` mailR ``($uid =~ /admin0/i)[0] ? "" : ($mail =~ / ([ @]+)/)[0] . "\@example.com"`` ===== ============================================================================ Virtual host ^^^^^^^^^^^^ Create OBM virtual host (for example obm.example.com) in LL::NG configuration: ``Virtual Hosts`` » ``New virtual host``. Then edit rules and headers. Rules ''''' Define at least: - **Default rule**: who can access to the application - **Logout rule**: catch OBM logout - **Exceptions**: allow anonymous access for specific URLs (connectors, etc.) ============================= ============================= field value ============================= ============================= ^/logout logout_sso ^/obm-sync unprotect ^/minig unprotect ^/Microsoft-Server-ActiveSync unprotect ^/caldav unprotect default accept (or whatever you want) ============================= ============================= Headers ''''''' Define headers used in OBM mapping, for example: ================ ========== field valeur ================ ========== OBM_GIVENNAME $givenName OBM_GROUPS $groups OBM_UID $uidR OBM_MAIL $mailR OBM_USERPASSWORD $_password ================ ========== Other ^^^^^ Do not forget to add OBM in :doc:`applications menu<../portalmenu>`. .. |image0| image:: /applications/obm_logo.png :class: align-center