Symas OpenLDAP Knowledge Base

Calibre-Web With OpenLDAP

Adapted from instructions on the Wiki for Calibre-Web (Wiki page) as of 2023-11-16.

Installation

LDAP can be used as the login provider for Calibre-Web. Depending on your distro, some system packages need to be installed. As a further prerequisite you need to install the dependencies listed in the LDAP section of optional-requirements.txt.

Configuration

After restarting Calibre-Web you should see Flask_SimpleLDAP in the “About” section. In the Admin section -> Basic Configuration -> Feature Configuration a new option “Login Type” appears. After selecting LDAP you have to configure your LDAP connection:

* LDAP Server Host: the name (fully qualified domain name) or IP address of your LDAP server, without the “ldap://” prefix
* LDAP Server Port: your server’s port, usually 389 for unencrypted traffic and STARTTLS, and 636 for SSL encrypted traffic (ldaps)
* LDAP Encryption: for STARTTLS select TLS, for an SSL encrypted connection (ldaps) select SSL
* LDAP CACertificate Path: only visible for TLS or SSL encrypted connections. File path on the Calibre-Web host of the Certification Authority certificate file. This is what Calibre-Web uses to verify the server’s certificate, so it is needed whenever that certificate is not signed by a CA in the system trust store
* LDAP Certificate Path: only visible for TLS or SSL encrypted connections. If your server requires a client certificate for authentication, the file path of the client certificate file
* LDAP Keyfile Path: only visible for TLS or SSL encrypted connections. If your server requires a client certificate for authentication, the file path of its secret key file
* LDAP Authentication: the authentication method for the administrator bind. Anonymous means no administrator username and password is needed, Unauthenticated means only an administrator username and no password is sent (OpenLDAP refuses such binds by default), Simple means administrator username and password are provided for bind requests. ‘Simple’ authentication (username AND password) is HIGHLY RECOMMENDED for security.
* LDAP Administrator Username: the administrator’s bind DN, normally something like cn=admin,dc=example,dc=com
* LDAP Administrator Password: the administrator’s password. After submitting the form the field is shown empty, as in the create user section.
* LDAP Distinguished Name: your search root (base DN), usually something like dc=example,dc=com
* LDAP User Object Filter: the search filter used to find a specific user, usually something like (&(objectclass=Person)(userPrincipalName=%s)). The string has to contain exactly one %s, which Calibre-Web replaces with the username it is currently searching for
* LDAP Server is OpenLDAP?: tick this option if you are using an OpenLDAP server, or your server uses an OpenLDAP dialect
* LDAP Group Object Filter: can be left empty if you want to add your users manually. Otherwise it has to be a search filter that finds the group to import, usually something like (&(objectclass=groupofnames)(cn=%s)). The string has to contain exactly one %s, which Calibre-Web replaces with the group name
* LDAP Group Name: the group name to search for when importing users from the LDAP server
* LDAP Group Members Field: the attribute of the group entry that lists its members, usually something like member or memberUid
* LDAP Member User Filter Detection: Autodetect usually works; if your users are not detected on import, change it to Custom Filter
* LDAP Member User Filter: change this setting if your users aren’t found during import. Each value of the group members field is substituted for the %s of this filter to fetch the member. You could use e.g. (&(objectclass=Person)(cn=%s)) to fetch the user, but if the login name is the value of the sAMAccountName attribute, enter sAMAccountName=%s instead. The string has to contain exactly one %s. This setting is needed for Windows Active Directory authentication

To log in to Calibre-Web via LDAP, the users have to be created or imported in Calibre-Web (the user account has to be visible in the Calibre-Web admin section). If you enter a password in the edit user section for your admin account, you can use it as a fallback login if the LDAP server is not reachable (or the connection is misconfigured). Otherwise there is no way to log into Calibre-Web and change settings. If the LDAP server is down, no user without a fallback password can log into Calibre-Web. Users’ passwords are not updated in or stored to Calibre-Web’s own database. As long as the LDAP server is running, users with a fallback password can only log in with their LDAP password, not with the fallback password.

Usernames are not case sensitive, so username user is same as uSeR.

Login with LDAP to the OPDS feed

When LDAP login is enabled, it is also used to log into the OPDS feed. The fallback login described above does not work there.

Import Users

In the admin section it is possible to import the users of a certain group from your LDAP server. Upon import, usernames and, if present, email addresses are imported. If a user has a second email address in their account, it is imported as the Kindle email. Imported users get the settings configured for new users. User rights can be changed after import like for any other user. The import can be run again later; already imported users are not affected by later imports.

Example

This is a basic example, generated on Manjaro Linux 19.0 with OpenLDAP version 2.4.49-1.

Remark: the strings between < > stand for randomly chosen passwords and have to be replaced with your own. The administrator password (rootpw) should also be stored as a hash rather than in clear text; this was skipped here to keep the example easier to understand. A hash can be generated with slappasswd; see the linked page on generating passwords.

Basic slapd.conf file:

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema

pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args

#######################################################################
# MDB database definitions
#######################################################################

database    mdb
maxsize     1073741824
suffix      "dc=calibreweb,dc=com"
rootdn      "cn=root,dc=calibreweb,dc=com"
rootpw      <root-password>

directory   /var/lib/openldap/openldap-data
# Indices to maintain

index   objectClass     eq
index   uid             eq

# userPassword: users may change their own, anonymous clients may only use
# it to authenticate (bind), nobody else can read it
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# everything else is readable by everyone, including anonymous binds;
# use "by users read" instead if the directory must not be world-readable
access to *
    by self read
    by * read

The following LDIF file was used to populate the directory (loaded with ldapadd):

# calibreweb.com
dn: dc=calibreweb,dc=com
dc: Calibreweb
o: Calibre Organization
objectClass: dcObject
objectClass: organization

# root, calibreweb.com
dn: cn=root,dc=calibreweb,dc=com
cn: root
description: LDAP administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=calibreweb,dc=com

# People, calibreweb.com
dn: ou=People,dc=calibreweb,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# User Joe
dn: uid=joe,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: joe
cn: Joe Smith
sn: Smith
userPassword: {SSHA}<joes-password>

# User John
dn: uid=john,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: john@doe.org
uid: john
cn: John Doe
sn: Doe
userPassword: {SSHA}<johns-password>

# Generic groups
dn: ou=groups,dc=calibreweb,dc=com
objectClass: organizationalUnit
ou: groups

# create the cps entry
dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectclass: groupofnames
cn: cps
member: uid=joe,ou=People,dc=calibreweb,dc=com
member: uid=john,ou=People,dc=calibreweb,dc=com

Alternatively, the group can be defined as a posixGroup. This needs nis.schema included in slapd.conf in addition to the three schemas above; the Calibre-Web “LDAP Group Object Filter” then becomes (&(objectclass=posixGroup)(cn=%s)) and the “LDAP Group Members Field” memberUid. memberUid values are matched case-exactly (caseExactIA5Match), so they have to be spelled exactly like the users’ uid values:

dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectClass: posixGroup
cn: cps
gidNumber: 5001
memberUid: joe
memberUid: john

Example commands for searching for the group and for a user (Calibre-Web performs similar queries). Note that -w passes the password on the command line, where it shows up in the process list and shell history; use -W to be prompted for it instead.

ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-password> -b 'dc=calibreweb,dc=com' '(&(objectclass=groupofnames)(cn=cps))' member
ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-password> -b 'dc=calibreweb,dc=com' '(uid=john)' '*'

Corresponding Calibre-Web settings

LDAP Server Host: my-computer.com
LDAP Server Port: 389
LDAP Encryption: None
LDAP Authentication: Simple
LDAP Administrator Username: cn=root,dc=calibreweb,dc=com
LDAP Administrator Password: <root-password>
LDAP Distinguished Name: dc=calibreweb,dc=com
LDAP User Object Filter: (uid=%s)
LDAP Server is OpenLDAP?: yes
LDAP Group Object Filter: (&(objectclass=groupofnames)(cn=%s))
LDAP Group Name: cps
LDAP Group Members Field: member
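To check the Configuration fields described earlier against a directory before touching the Calibre-Web admin form, the script below reproduces the lookups an LDAP login provider makes with the settings of this example: an administrator bind (“Simple” authentication), the User Object Filter search with %s replaced by the login name, a bind as the found user, and the Group Object Filter query whose members an import walks through. It is an added troubleshooting example, not Calibre-Web or Flask-SimpleLDAP code; the names EXAMPLE_SETTINGS, ldap_login, group_members and member_lookup are its own, and its Autodetect stand-in is only an approximation of the page’s “Member User Filter Detection” behaviour. The two points it adds beyond the field descriptions are that the substituted username is escaped per RFC 4515 so a login name like *)(uid=* cannot rewrite the filter, and that an empty password is refused before the user bind, because a simple bind with a DN and no password is an anonymous bind on servers that allow it.

```python
"""Added troubleshooting script, not Calibre-Web or Flask-SimpleLDAP code: it
reproduces the lookups an LDAP login provider makes, using the values of the
example above (server, bind DN, base DN, user and group filters). The names
EXAMPLE_SETTINGS, ldap_login, group_members and member_lookup are this script's
own. The filter helpers run offline; the ldap_* functions need python-ldap and
a reachable slapd, so that import is deferred."""
import re

# RFC 4515: these characters have filter syntax meaning, so the login name is
# escaped before it replaces %s (python-ldap offers the same logic as
# ldap.filter.escape_filter_chars; reimplemented here to run without it).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template, value):
    """Substitute the single %s of a Calibre-Web style filter template."""
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    return template.replace("%s", escape_filter_value(value))

_DN_RE = re.compile(r"^[A-Za-z][\w.-]*=")  # 'uid=john,ou=People,...' shape

def member_lookup(member_value, base_dn, member_user_filter="uid=%s"):
    """Map one value of the Group Members Field to (search base, filter).
    Stand-in for the page's Autodetect / Custom Filter choice, not Calibre-Web's
    own logic: a DN (groupOfNames 'member') is read directly, a bare name
    (posixGroup 'memberUid') goes through the Member User Filter."""
    if _DN_RE.match(member_value):
        return member_value, "(objectClass=*)"
    flt = build_filter(member_user_filter, member_value)
    if not flt.startswith("("):  # the page's bare 'sAMAccountName=%s' form
        flt = "(" + flt + ")"
    return base_dn, flt

# Values of the example above; <root-password> is the page's placeholder.
EXAMPLE_SETTINGS = {
    "uri": "ldap://my-computer.com:389",
    "starttls": False,  # LDAP Encryption: None
    "ca_file": None,    # LDAP CACertificate Path, only used with TLS/SSL
    "admin_dn": "cn=root,dc=calibreweb,dc=com",
    "admin_pw": "<root-password>",
    "base_dn": "dc=calibreweb,dc=com",
    "user_filter": "(uid=%s)",
    "group_filter": "(&(objectclass=groupofnames)(cn=%s))",
    "members_field": "member",
}

def _connect(settings):
    import ldap  # python-ldap, deferred so the helpers above work without it
    conn = ldap.initialize(settings["uri"])
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    if settings["ca_file"]:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, settings["ca_file"])
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # must follow the TLS options
    if settings["starttls"]:
        conn.start_tls_s()
    return conn

def group_members(settings, group_name):
    """Group Object Filter lookup: the member values an import walks through."""
    import ldap
    conn = _connect(settings)
    conn.simple_bind_s(settings["admin_dn"], settings["admin_pw"])  # 'Simple'
    hits = conn.search_s(settings["base_dn"], ldap.SCOPE_SUBTREE,
                         build_filter(settings["group_filter"], group_name),
                         [settings["members_field"]])
    conn.unbind_s()
    field = settings["members_field"]
    return [v.decode() for dn, attrs in hits if dn  # dn None = referral
            for v in attrs.get(field, [])]

def ldap_login(settings, username, password):
    """User Object Filter search as the administrator, then a bind as the user.
    Returns the user's DN on success, None otherwise."""
    import ldap
    if not password:
        # RFC 4513: a simple bind with a DN and an empty password is treated as
        # anonymous and can succeed, so it must be refused before reaching slapd.
        return None
    conn = _connect(settings)
    conn.simple_bind_s(settings["admin_dn"], settings["admin_pw"])
    hits = conn.search_s(settings["base_dn"], ldap.SCOPE_SUBTREE,
                         build_filter(settings["user_filter"], username), ["1.1"])
    conn.unbind_s()
    dns = [dn for dn, _ in hits if dn]
    if len(dns) != 1:  # unknown user, or a filter matching several entries
        return None
    user_conn = _connect(settings)
    try:
        user_conn.simple_bind_s(dns[0], password)
    except ldap.INVALID_CREDENTIALS:
        return None
    finally:
        user_conn.unbind_s()
    return dns[0]

if __name__ == "__main__":
    import getpass
    print("members of cps:", group_members(EXAMPLE_SETTINGS, "cps"))
    print("login:", ldap_login(EXAMPLE_SETTINGS, input("username: "), getpass.getpass()))
```

Run it against the slapd from this example with python-ldap installed: group_members should list the two member DNs of cn=cps, and ldap_login should return uid=john,ou=People,dc=calibreweb,dc=com for john’s password and None for a wrong one. If the user search returns more than one entry, the User Object Filter is too loose and the login is refused, which is the same symptom you would see in Calibre-Web.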


A second example, from a setup with base dc=example,dc=com and a groupOfUniqueNames group. Replace dc=example,dc=com with your LDAP configured domain.

Login type: Use LDAP Authentication
LDAP Server Host Name or IP Address: ldap
LDAP Server Port: 389
LDAP Encryption: none
LDAP Authentication: simple
LDAP Administrator Username: uid=admin,ou=people,dc=example,dc=com
LDAP Administrator Password: CHANGE_ME
LDAP Distinguished Name (DN): dc=example,dc=com
LDAP User Object Filter: (&(objectclass=person)(uid=%s))
LDAP Server is OpenLDAP?: yes
LDAP Group Object Filter: (&(objectclass=groupOfUniqueNames)(cn=%s))
LDAP Group Name: calibre_web

Note: create a group in LDAP and add to it the users that will have access to your Calibre-Web instance.

LDAP Group Members Field: uniqueMember
LDAP Member User Filter Detection: Custom Filter
LDAP Member User Filter: (&(objectclass=person)(uid=%s))

Note: write “person” in lowercase here until the related Calibre-Web bug is fixed.