Using OpenLDAP with Calibre Web
Discover how to integrate OpenLDAP with Calibre Web, allowing you to manage user authentication and access control within your ebook library with ease.
Adapted from instructions on the Wiki for Calibre-Web (Wiki page) as of 2023-11-16.
Installation
LDAP can be used as the login provider for Calibre-Web. Depending on your distro some packages need to be installed. As a further prerequisite you need to install the dependencies listed in the LDAP section of optional-requirements.txt.
Configuration
After a restart of Calibre-Web you should see Flask_SimpleLDAP in the “About” section. In the Admin section -> Basic Configuration -> Feature Configuration a new option “Login Type” appears. After selecting LDAP there you have to configure your LDAP connection:
* LDAP Server Host: the fully qualified domain name or the IP address of your LDAP server, without the “ldap://” prefix
* LDAP Server Port: your server's port, usually 389 for unencrypted or STARTTLS traffic and 636 for SSL/TLS encrypted (ldaps) traffic
* LDAP Encryption: for STARTTLS select TLS, for an SSL/TLS encrypted (ldaps) connection select SSL. With None, the administrator bind password and every user's login password cross the network in cleartext, so use one of the encrypted options for anything beyond a local test
* LDAP CACertificate Path: only visible for TLS or SSL encrypted connections. The path on the Calibre-Web host to the Certification Authority certificate file used to verify the LDAP server's certificate
* LDAP Certificate Path: only visible for TLS or SSL encrypted connections. If your server requires a client certificate for authentication, the path on the Calibre-Web host to the certificate file
* LDAP Keyfile Path: only visible for TLS or SSL encrypted connections. If your server requires a client certificate for authentication, the path on the Calibre-Web host to the secret key file belonging to that certificate
* LDAP Authentication: the bind method for the administrator (service) account. Anonymous means no administrator username and password is needed, Unauthenticated means only an administrator username and no password is sent, Simple means you have to provide the administrator's username and password for bind requests. Simple authentication (username AND password) is HIGHLY RECOMMENDED for security
* LDAP Administrator Username: the DN of the administrator (bind) account, normally something like cn=admin,dc=example,dc=com
* LDAP Administrator Password: the administrator's password; after submitting the form the field is shown empty, as in the create user section
* LDAP Distinguished Name: your search root (base DN), usually something like dc=example,dc=com
* LDAP User Object Filter: the search filter used to find a specific user, usually something like (&(objectclass=Person)(userPrincipalName=%s)). The string has to contain exactly one %s, which Calibre-Web replaces with the username it is currently searching for
* LDAP Server is OpenLDAP?: tick this option if you are using an OpenLDAP server or a server that speaks an OpenLDAP dialect
* LDAP Group Object Filter: can be left empty if you want to add your users manually. Otherwise fill in the search filter for the group to import, usually something like (&(objectclass=groupofnames)(cn=%s)). The string has to contain exactly one %s, which Calibre-Web replaces with the group name
* LDAP Group Name: the group name to search for when importing users from the LDAP server
* LDAP Group Members Field: the attribute of the group entry that lists its members, usually member (values are DNs) or memberUid (values are plain user names)
* LDAP Member User Filter Detection: usually Autodetect works; if your users are not detected upon import, change it to Custom Filter
* LDAP Member User Filter: change this setting if your users aren't found during import. You could use e.g. (&(objectclass=Person)(cn=%s)) to fetch the user, but the login will then be the value of the sAMAccountName field; in that case enter sAMAccountName=%s. The string has to contain exactly one %s. This setting is needed for Windows Active Directory authentication
To log in to Calibre-Web via LDAP, users have to be created or imported in Calibre-Web (the user account has to be visible in the Calibre-Web admin section). If you enter a password in the edit user section for your admin account, you can log in with it as a fallback if the LDAP server is not reachable (or the connection is wrongly configured). Otherwise there is no way to log into Calibre-Web and change settings. If the LDAP server is down, no user without a fallback password can log into Calibre-Web. Users' LDAP passwords are not updated or stored in Calibre-Web's own database. As long as the LDAP server is running, users with a fallback password can only log in with their LDAP password, not with the fallback password.
Usernames are not case sensitive, so the username user is the same as uSeR.
Login with LDAP to the OPDS feed
With LDAP login enabled, this login method is also used to log into the OPDS feed. The fallback login described above does not work there.
Import Users
In the admin section it is possible to import users from a given group on your LDAP server. Upon import, usernames and, if present, email addresses are imported. If a user has a second email address in their account, it is imported as the Kindle email. Imported users get the settings configured for new users. User rights can be changed after import like for any other user. The import can be run again later; already imported users are not affected by later imports.
Example
This is a basic example generated on Manjaro Linux 19.0 with OpenLDAP version 2.4.49-1.
Remark: the strings between < > stand for randomly chosen passwords and have to be replaced with your own. The admin password should also be hashed (OpenLDAP ships slappasswd for this); that was skipped here to keep the example easier to understand. The OpenLDAP documentation describes how to generate password hashes.
Basic slapd.conf file:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=calibreweb,dc=com"
rootdn "cn=root,dc=calibreweb,dc=com"
# Plaintext only for readability of the example; use a {SSHA} hash from slappasswd
rootpw <root-password>
directory /var/lib/openldap/openldap-data
# Indices to maintain
index objectClass eq
index uid eq
# Only the entry itself may change its password, anonymous clients may only
# bind against it (needed for the login check), nobody else may read the hash
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self read
    by * read
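The remark above asks for the administrator password to be hashed rather than stored in cleartext. The following added example (not OpenLDAP or Calibre-Web code, standard library only) shows what the {SSHA} format that slappasswd produces actually is, verifies a password against such a hash, and scans slapd.conf / LDIF text for rootpw and userPassword values that are still plaintext. The config excerpt inside it is constructed for the example:

```python
"""Generate and verify OpenLDAP {SSHA} password hashes, and flag plaintext
password values in slapd.conf / LDIF text. Added example, not OpenLDAP or
Calibre-Web code; standard library only. On a real server the same format
is produced by `slappasswd -s <password>`."""
import base64
import hashlib
import hmac
import os
import re


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} = base64(SHA-1(password || salt) || salt), random 4-byte salt."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the salt stored after the 20-byte SHA-1."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# "rootpw <value>" (slapd.conf) or "userPassword: <value>" (LDIF).
_PASSWORD_LINE = re.compile(
    r"^\s*(rootpw|userPassword)(?:\s*:\s*|\s+)(\S+)", re.I | re.M)


def find_plaintext_passwords(config_text: str) -> list:
    """Return (directive, value) pairs whose value is not a {SCHEME} hash."""
    return [(directive, value)
            for directive, value in _PASSWORD_LINE.findall(config_text)
            if not re.match(r"\{[A-Za-z0-9-]+\}", value)]


# Constructed excerpt mirroring the slapd.conf and LDIF on this page:
# the rootpw is plaintext (as in the example), the user password is hashed.
SAMPLE_CONFIG = (
    'rootdn "cn=root,dc=calibreweb,dc=com"\n'
    "rootpw <root-password>\n"
    "userPassword: " + ssha_hash("joes-password", b"salt") + "\n"
)

if __name__ == "__main__":
    print(ssha_hash("example"))
    print(find_plaintext_passwords(SAMPLE_CONFIG))
```

A value that passes the scheme check is only known to be in hash syntax; which schemes slapd accepts depends on its password-hash configuration and loaded modules.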
The following LDIF file was used for the basic directory content:
# calibreweb.com
dn: dc=calibreweb,dc=com
dc: calibreweb
o: Calibre Organization
objectClass: dcObject
objectClass: organization
# root, calibreweb.com
dn: cn=root,dc=calibreweb,dc=com
cn: root
description: LDAP administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=calibreweb,dc=com
# People, calibreweb.com
dn: ou=People,dc=calibreweb,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# User Joe
dn: uid=joe,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: joe
cn: Joe Smith
sn: Smith
userPassword: {SSHA}<joes-password>
# User John
dn: uid=john,ou=People,dc=calibreweb,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: john@doe.org
uid: john
cn: John Doe
sn: Doe
userPassword: {SSHA}<johns-password>
# Generic groups
dn: ou=groups,dc=calibreweb,dc=com
objectClass: organizationalUnit
ou: groups
# create the cps entry
dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectClass: groupOfNames
cn: cps
member: uid=joe,ou=People,dc=calibreweb,dc=com
member: uid=john,ou=People,dc=calibreweb,dc=com
Alternatively the group can be defined as a posixGroup. This needs nis.schema included in slapd.conf in addition to the schemas above, the memberUid values are matched case-exactly and therefore have to be spelled exactly like the uid of the user, and in Calibre-Web the Group Members Field then has to be memberUid:
dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectClass: posixGroup
cn: cps
gidNumber: 5001
memberUid: joe
memberUid: john
Example commands for searching for the group and for a user (Calibre-Web performs similar searches). Both use a simple bind over plain ldap://, so the root password is sent in cleartext; against a production server add -ZZ to require StartTLS, or use an ldaps:// URL. The attribute list is quoted so the shell does not expand the asterisk:
ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-password> -b 'dc=calibreweb,dc=com' '(&(objectclass=groupofnames)(cn=cps))' member
ldapsearch -H ldap://my-computer.com -D "cn=root,dc=calibreweb,dc=com" -w <root-password> -b 'dc=calibreweb,dc=com' '(uid=john)' '*'
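The configuration list above (user and group object filters with exactly one %s, the group members field, member user filter autodetection), the Import Users section and the two ldapsearch commands all describe the same flow: bind, find the group, resolve its members, find a user. The following added example (not Calibre-Web or OpenLDAP code, standard library only) replays that flow offline against an in-memory copy of the LDIF above, so the filters can be checked before they are typed into the Calibre-Web form. It also shows why the value substituted for %s must be escaped per RFC 4515: an unescaped username of "*" turns (uid=%s) into a match-everyone filter. Assumptions: the directory is a constructed subset of the page's LDIF plus a hypothetical posixGroup named cps-posix, the filter evaluator handles only &, |, !, equality and presence (no substring wildcards), and member values containing "=" are treated as DNs the way autodetection would:

```python
"""Offline simulation of the searches Calibre-Web runs for LDAP login and
group import, against the page's example directory. Added example, not
Calibre-Web or OpenLDAP code; standard library only."""
import re

# Constructed LDIF: the two users and the cps group from the page, plus a
# hypothetical posixGroup "cps-posix" that lists plain uids instead of DNs.
SAMPLE_LDIF = """\
dn: uid=joe,ou=People,dc=calibreweb,dc=com
objectClass: inetOrgPerson
uid: joe

dn: uid=john,ou=People,dc=calibreweb,dc=com
objectClass: inetOrgPerson
mail: john@doe.org
uid: john

dn: cn=cps,ou=groups,dc=calibreweb,dc=com
objectClass: groupOfNames
cn: cps
member: uid=joe,ou=People,dc=calibreweb,dc=com
member: uid=john,ou=People,dc=calibreweb,dc=com

dn: cn=cps-posix,ou=groups,dc=calibreweb,dc=com
objectClass: posixGroup
cn: cps-posix
memberUid: joe
memberUid: john
"""

# RFC 4515 escaping: whatever replaces %s must not change the filter's
# structure (a raw "*" as username would turn (uid=%s) into match-everyone).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, value: str) -> str:
    """Fill the single %s placeholder the Calibre-Web filter settings require."""
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s")
    return template.replace("%s", escape_filter_value(value))

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: blank-line separated entries, lower-cased names."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def _split_top(body: str) -> list:
    """Split "(a=1)(b=2)" into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            parts.append(body[start:i + 1])
    return parts

def matches(entry: dict, filt: str) -> bool:
    """Evaluate &, |, !, equality and presence; names and values compare case-insensitively."""
    body = filt[1:-1]
    if body[0] in "&|":
        combine = all if body[0] == "&" else any
        return combine(matches(entry, p) for p in _split_top(body[1:]))
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, _, value = body.partition("=")
    values = entry.get(attr.lower(), [])
    if value == "*":  # presence test only for a bare, unescaped asterisk
        return bool(values)
    literal = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), value, flags=re.I)
    return literal.lower() in (v.lower() for v in values)

def search(entries: list, filt: str) -> list:
    return [e for e in entries if matches(e, filt)]

def import_group(entries, group_filter, group_name, members_field, member_user_filter="(uid=%s)"):
    """Find the group, then resolve each members-field value: a value with "="
    is taken as a DN (member), anything else goes through the member user filter."""
    groups = search(entries, render_filter(group_filter, group_name))
    if len(groups) != 1:
        raise LookupError(f"expected exactly one group, found {len(groups)}")
    users = []
    for value in groups[0].get(members_field.lower(), []):
        if "=" in value:
            hits = [e for e in entries if e["dn"][0].lower() == value.lower()]
        else:
            hits = search(entries, render_filter(member_user_filter, value))
        if len(hits) == 1:  # Calibre-Web usernames are case-insensitive
            users.append({"name": hits[0]["uid"][0].lower(),
                          "email": hits[0].get("mail", [""])[0]})
    return users

ENTRIES = parse_ldif(SAMPLE_LDIF)
```

import_group(ENTRIES, "(&(objectclass=groupofnames)(cn=%s))", "cps", "member") yields joe and john, with john's mail attribute becoming his email; the posixGroup variant needs the members field memberUid and a member user filter such as (&(objectclass=inetOrgPerson)(uid=%s)) to turn the bare uids back into entries. Whether Calibre-Web itself escapes the %s value is not something this page states; the example only shows what the escaping has to achieve.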
Corresponding Calibre-Web settings
LDAP Server Host: my-computer.com
LDAP Server Port: 389
LDAP Encryption: None
LDAP Authentication: Simple
LDAP Administrator Username: cn=root,dc=calibreweb,dc=com
LDAP Administrator Password: <root-password>
LDAP Distinguished Name: dc=calibreweb,dc=com
LDAP User Object Filter: (uid=%s)
LDAP Server is OpenLDAP?: yes
LDAP Group Object Filter: (&(objectclass=groupofnames)(cn=%s))
LDAP Group Name: cps
LDAP Group Members Field: member
A second set of settings, for a server whose base DN is dc=example,dc=com (replace dc=example,dc=com with your LDAP configured domain):
Login type: Use LDAP Authentication
LDAP Server Host Name or IP Address: ldap
LDAP Server Port: 389
LDAP Encryption: none
LDAP Authentication: simple
LDAP Administrator Username: uid=admin,ou=people,dc=example,dc=com
LDAP Administrator Password: CHANGE_ME
LDAP Distinguished Name (DN): dc=example,dc=com
LDAP User Object Filter: (&(objectclass=person)(uid=%s))
LDAP Server is OpenLDAP?: yes
LDAP Group Object Filter: (&(objectclass=groupOfUniqueNames)(cn=%s))
LDAP Group Name: calibre_web
Note: create a group in LDAP and add to it the users that will have access to your Calibre-Web instance
LDAP Group Members Field: uniqueMember
LDAP Member User Filter Detection: Custom Filter
LDAP Member User Filter: (&(objectclass=person)(uid=%s))
Note: lowercase the word “person” until this bug is fixed