
documentation:2.1:applications:obm [2016/07/19 12:10] (current)
Line 1: Line 1:
 +====== OBM ======
  
 +{{ :​applications:​obm_logo.png |}}
 +
 +===== Presentation =====
 +
 +[[http://​obm.org|OBM]] is enterprise-class messaging and collaboration platform for workgroup or enterprises with many thousands users. OBM includes Groupware, messaging server, CRM, LDAP, Windows Domain, smartphone and PDA synchronization…
 +
 +OBM is shipped with a LL::NG plugin with these features:
 +  * SSO on OBM web interface
 +  * Logout
 +  * User provisioning (account auto creation at first connection)
 +
 +===== Configuration =====
 +
 +==== OBM ====
 +
 +To enable LL::NG authentication plugin, go in ''/​etc/​obm/​obm_conf.inc'':​
 +
 +<file php>
 +$auth_kind = '​LemonLDAP';​
 +
 +$lemonldap_config = Array(
 +                "​auto_update" ​          => true,
 +                "​auto_update_force_user"​ => true,
 +                "​auto_update_force_group"​ => false,
 +                "​url_logout" ​           => "​https://​OBMURL/​logout",​
 +                "​server_ip_address" ​    => "​localhost",​
 +                "​server_ip_check" ​      => false,
 +                "​debug_level" ​          => "​NONE",​
 +//                "​debug_header_name" ​    => "​HTTP_OBM_UID",​
 +//                "​group_header_name" ​    => "​HTTP_OBM_GROUPS",​
 +                "​headers_map" ​          => Array(
 +                        //"​userobm_gid" ​                  => "​HTTP_OBM_GID",​
 +                        //"​userobm_domain_id" ​          => ,
 +                        "​userobm_login" ​                => "​HTTP_OBM_UID",​
 +                        "​userobm_password" ​             => "​HTTP_OBM_USERPASSWORD",​
 +                        //"​userobm_password_type" ​      => ,
 +                        "​userobm_perms" ​                => "​HTTP_OBM_PERMS",​
 +                        //"​userobm_kind" ​               => ,
 +                        "​userobm_lastname" ​             => "​HTTP_OBM_SN",​
 +                        "​userobm_firstname" ​            => "​HTTP_OBM_GIVENNAME",​
 +//                        "​userobm_title" ​                => "​HTTP_OBM_TITLE",​
 +                        "​userobm_email" ​                => "​HTTP_OBM_MAIL",​
 +                        "​userobm_datebegin" ​            => "​HTTP_OBM_DATEBEGIN",​
 +                        //"​userobm_account_dateexp" ​    => ,
 +                        //"​userobm_delegation_target" ​  => ,
 +                        //"​userobm_delegation" ​         => ,
 +                        "​userobm_description" ​          => "​HTTP_OBM_DESCRIPTION",​
 +                        //"​userobm_archive" ​            => ,
 +                        //"​userobm_hidden" ​             => ,
 +                        //"​userobm_status" ​             => ,
 +                        //"​userobm_local" ​              => ,
 +                        //"​userobm_photo_id" ​           => ,
 +                        "​userobm_phone" ​                => "​HTTP_OBM_TELEPHONENUMBER",​
 +                        //"​userobom_phone2" ​            => ,
 +                        //"​userobm_mobile" ​             => ,
 +                        "​userobm_fax" ​                  => "​HTTP_OBM_FACSIMILETELEPHONENUMBER",​
 +                        //"​userobm_fax2" ​               => ,
 +                        "​userobm_company" ​              => "​HTTP_OBM_O",​
 +                        //"​userobm_direction" ​          => ,
 +                        "​userobm_service" ​              => "​HTTP_OBM_OU",​
 +                        "​userobm_address1" ​             => "​HTTP_OBM_POSTALADDRESS",​
 +                        //"​userobm_address2" ​           => ,
 +                        //"​userobm_address3" ​           => ,
 +                        "​userobm_zipcode" ​              => "​HTTP_OBM_POSTALCODE",​
 +                        "​userobm_town" ​                 => "​HTTP_OBM_L",​
 +                        "​userobm_zipcode" ​              => "​HTTP_OBM_POSTALCODE",​
 +                        "​userobm_town" ​                 => "​HTTP_OBM_L",​
 +                        //"​userobm_expresspostal" ​      => ,
 +                        //"​userobm_host_id" ​            => ,
 +                        //"​userobm_web_perms" ​          => ,
 +                        //"​userobm_web_list" ​           => ,
 +                        //"​userobm_web_all" ​            => ,
 +                        //"​userobm_mail_perms" ​         => ,
 +                        //"​userobm_mail_ext_perms" ​     => ,
 +                        //"​userobm_mail_server_id" ​     => ,
 +                        //"​userobm_mail_server_hostname"​ => ,
 +                        "​userobm_mail_quota" ​           => "​HTTP_OBM_MAILQUOTA",​
 +                        //"​userobm_nomade_perms" ​       => ,
 +                        //"​userobm_nomade_enable" ​      => ,
 +                        //"​userobm_nomade_local_copy" ​  => ,
 +                        //"​userobm_email_nomade" ​       => ,
 +                        //"​userobm_vacation_enable" ​    => ,
 +                        //"​userobm_vacation_datebegin" ​ => ,
 +                        //"​userobm_vacation_dateend" ​   => ,
 +                        //"​userobm_vacation_message" ​   => ,
 +                        //"​userobm_samba_perms" ​        => ,
 +                        //"​userobm_samba_home" ​         => ,
 +                        //"​userobm_samba_home_drive" ​   => ,
 +                        //"​userobm_samba_logon_script" ​ => ,
 +                        // ---- Unused values ? ----
 +                        "​userobm_ext_id" ​               => "​HTTP_OBM_SERIALNUMBER",​
 +                        //"​userobm_system" ​             => ,
 +                        //"​userobm_nomade_datebegin" ​   => ,
 +                        //"​userobm_nomade_dateend" ​     => ,
 +                        //"​userobm_location" ​           => ,
 +                        //"​userobm_education" ​          => ,
 +                        ),
 +        );
 +</​file>​
 +
 +Parameters:
 +  * **url_logout**:​ URL used by OBM to logout, will be caught by LL::NG
 +  * **headers_map**:​ map OBM internal field to LL::NG header
 +
 +Edit also OBM configuration to enable LL::NG Handler:
 +
 +  * For Apache:
 +<file apache>
 +<​VirtualHost *:80>
 +    ServerName obm.example.com
 +    ​
 +    # SSO protection
 +    PerlHeaderParserHandler Lemonldap::​NG::​Handler
 +
 +    DocumentRoot /​usr/​share/​obm/​php
 +
 +    ...
 +    ​
 +</​VirtualHost>​
 +</​file>​
 +
 +  * For Nginx:
 +<file nginx>
 +server {
 +  listen 80;
 +  server_name obm.example.com;​
 +  root /​usr/​share/​obm/​php;​
 +  # Internal authentication request
 +  location = /lmauth {
 +    internal;
 +    include /​etc/​nginx/​fastcgi_params;​
 +    fastcgi_pass unix:/​var/​run/​llng-fastcgi-server/​llng-fastcgi.sock;​
 +    # Drop post datas
 +    fastcgi_pass_request_body ​ off;
 +    fastcgi_param CONTENT_LENGTH "";​
 +    # Keep original hostname
 +    fastcgi_param HOST $http_host;
 +    # Keep original request (LLNG server will received /llauth)
 +    fastcgi_param X_ORIGINAL_URI ​ $request_uri;​
 +  } 
 + 
 +  # Client requests
 +  location ~ \.php$ {
 +    auth_request /lmauth;
 +    auth_request_set $lmremote_user $upstream_http_lm_remote_user;​
 +    auth_request_set $lmlocation $upstream_http_location;​
 +    error_page 401 $lmlocation;​
 +    try_files $uri $uri/ =404;
 +
 +    ...
 + 
 +    include /​etc/​lemonldap-ng/​nginx-lua-headers.conf;​
 +  }
 +  location / {
 +    try_files $uri $uri/ =404;
 +  }
 +}
 +</​file>​
 +
 +==== LL::NG ====
 +
 +=== Attributes and macros ===
 +
 +You will need to collect all attributes needed to create a user in OBM, this includes:
 +  * First name
 +  * Last name
 +  * Login
 +  * Mail
 +  * ...
 +
 +To add these attributes, go in Manager, ''​Variables''​ » ''​Exported Variables''​.
 +
 +<note important>​If you plan to forward user's password to OBM, then you have to [[..passwordstore|keep the password in session]].</​note>​
 +
 +You may also create these macros to manage OBM administrator account (''​Variables''​ » ''​Macros''​):​
 +^field ^value ^
 +| uidR | %%($uid =~ /​^admin0/​i)[0] ? "​admin0\@global.virt"​ : $uid%% ​ |
 +| mailR  | %%($uid =~ /​^admin0/​i)[0] ? ""​ : ($mail =~ /​^([^@]+)/​)[0] . "​\@example.com"​ %%  |
 +
 +=== Virtual host ===
 +
 +Create OBM virtual host (for example obm.example.com) in LL::NG configuration:​ ''​Virtual Hosts''​ » ''​New virtual host''​.
 +
 +Then edit rules and headers.
 +
 +== Rules ==
 +
 +Define at least:
 +  * **Default rule**: who can access to the application
 +  * **Logout rule**: catch OBM logout
 +  * **Exceptions**:​ allow anonymous access for specific URLs (connectors,​ etc.)
 +
 +^field ^value ^
 +|%%^/​logout%%|%%logout_sso%%|
 +|%%^/​obm-sync%%|%%unprotect%%|
 +|%%^/​minig%%|%%unprotect%%|
 +|%%^/​Microsoft-Server-ActiveSync%%|%%unprotect%%|
 +|%%^/​caldav%%|%%unprotect%%|
 +|default|accept (or whatever you want)|
 +
 +== Headers ==
 +
 +Define headers used in OBM mapping, for example:
 +^field ^valeur ^
 +|OBM_GIVENNAME|$givenName|
 +|OBM_GROUPS|$groups|
 +|OBM_UID|$uidR|
 +|OBM_MAIL|$mailR|
 +|OBM_USERPASSWORD|$_password|
 +
 +=== Other ===
 +
 +Do not forget to add OBM in [[..portalmenu#​categories_and_applications|applications menu]].
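Review bot: The sample `obm_conf.inc` sets `"server_ip_check" => false` while OBM takes the login, permissions and password from request headers (`HTTP_OBM_UID`, `HTTP_OBM_PERMS`, `HTTP_OBM_USERPASSWORD`), and the Parameters list documents only `url_logout` and `headers_map`. Judging by the option names, the check restricts which peer address (`server_ip_address`) may supply those headers; if that is right, the page should say so, for example `**server_ip_check**: when false, OBM must be reachable only through the LL::NG-protected virtual host, because the identity headers are trusted as received`. The same section should state that the `unprotect` rules for `/obm-sync`, `/minig`, `/Microsoft-Server-ActiveSync` and `/caldav` leave authentication to those connectors. It should also mention that `OBM_USERPASSWORD` set to `$_password` passes the clear-text password to the application, so that header is better left out unless OBM needs it. Separately, the `"userobm_zipcode"` and `"userobm_town"` entries appear twice in `headers_map`; the repeated pair can be dropped.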