Meet standalone ldap config
-
Hi kopano team,
I am trying to set up Meet as a standalone app for testing and authenticating against our Samba4-AD.
Login works, but no contacts are listed.
When I search in the contact field, I get an error in syslog:
Apr 27 11:27:27 kopanodeb01 kopano-kapid[13581]: level=debug msg="access denied" error="Missing required scope (:0x10e)" url="/api/gc/v1/users?$top=100&$skip=0&$search=OTHERUSER"
I tried different settings for ldap_* but with no success. How to define the correct scope=sub?
konnectd.cfg
identity_manager = ldap
#identity_manager = kc
ldap_uri = ldap://192.168.0.1:389
#bind user + bindpw
ldap_basedn = "OU=MYUSEROU,DC=LAN,DC=LOCAL"
ldap_scope = sub
#ldap_login_attribute = mail
#ldap_login_attribute = uid
ldap_login_attribute = sAMAccountName
#ldap_uuid_attribute = uidNumber # or any other unique identifier for your users
ldap_uuid_attribute = uidNumber
#ldap_filter = (objectClass=inetOrgPerson) # or (objectCategory=Person) for ADC
ldap_filter = (objectClass=Person)
thanks for any help!
-
@segro said in Meet standalone ldap config:
Missing required scope (:0x10e)
@segro you are most likely missing the “kopano/gc” scope in Konnect’s scopes.yaml file. That scope is required to access groupware data, and if Konnect uses the LDAP backend it needs to be told explicitly about that scope via its configuration.
---
scopes:
  kopano/gc:
    description: "Access Kopano Groupware"
Konnect uses a white list approach for scopes and only allows a default set of scopes (based on the configured identity manager), plus an extra set of scopes from a yaml configuration.
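The whitelist check described above, as an added example that is not part of the original post and is not Konnect's code: it reads the extra scopes from a scopes file and splits a client's requested scopes into allowed and not allowed. The default scope set, the sample request and the function names are assumptions made for illustration; the sample file content is constructed from the files shown in this thread.

```python
# Added illustration; not Konnect source code.
# Assumption: default scopes for the LDAP identity manager (the thread does not list them).
ASSUMED_LDAP_DEFAULTS = {"openid", "profile", "email"}

# Constructed sample: the scopes file posted in this thread, without kopano/gc.
SCOPES_BEFORE = """\
---
scopes:
  kopano/kwm:
    description: "Access Kopano Meet"
  kopano/kvs:
    description: "Access Kopano Key Value Store"
  kopano/pubs:
    description: "Access Kopano Pub/Sub"
"""
# The same file with the entry suggested in the reply appended.
SCOPES_AFTER = SCOPES_BEFORE + '  kopano/gc:\n    description: "Access Kopano Groupware"\n'

def extra_scopes(yaml_text):
    """Names directly under the top-level 'scopes:' key (simple block layout only)."""
    names, in_scopes, child_indent = set(), False, None
    for raw in yaml_text.splitlines():
        line = raw.rstrip()
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        indent = len(line) - len(stripped)
        if indent == 0:
            in_scopes = stripped == "scopes:"
            child_indent = None
        elif in_scopes:
            if child_indent is None:
                child_indent = indent  # indentation of the first scope entry
            if indent == child_indent and ":" in stripped:
                names.add(stripped.split(":", 1)[0].strip("'\" "))
    return names

def check_request(requested, yaml_text, defaults=ASSUMED_LDAP_DEFAULTS):
    """Split requested scopes into (allowed, not_allowed) under the whitelist."""
    allowed = set(defaults) | extra_scopes(yaml_text)
    return ([s for s in requested if s in allowed],
            [s for s in requested if s not in allowed])

if __name__ == "__main__":
    request = ["openid", "kopano/kwm", "kopano/gc"]  # hypothetical client request
    print(check_request(request, SCOPES_BEFORE))
    print(check_request(request, SCOPES_AFTER))
```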
-
@longsleep
thank you, but what should that scope look like for a standalone ldap? When I just copy your GC (groupware core?) scope, meet tries to connect to a local kopano-server, which is not present / disabled.
kopanodeb01 kopano-grapi[10552]: [error ] HrLogon server "file:///var/run/kopano/server.sock" user "CN=myusername,...
my yaml file: “/etc/kopano/konnectd-identifier-scopes.yaml”
# This file contains additional scopes for Konnect. All of the scopes listed
# here are made available to clients upon request if not limited by other means.
---
scopes:
  kopano/kwm:
    description: "Access Kopano Meet"
  kopano/kvs:
    description: "Access Kopano Key Value Store"
  kopano/pubs:
    description: "Access Kopano Pub/Sub"
-
@segro said in Meet standalone ldap config:
When I just copy your GC (groupware core?) scope, meet tries to connect to a local kopano-server, which is not present / disabled.
That is expected. If you want to use Meet without Kopano Groupware server you must tell GRAPI to use a different backend (there is an LDAP backend there too for this purpose).
-
@longsleep
hi,
kopano-grapi is not very well documented, the grapi.cfg template in /usr/share/kopano doesn't contain any ldap settings.
https://stash.kopano.io/projects/KC/repos/grapi/browse
here are just ENV Variables for docker but no grapi config…
frustrating! Can you please give me an ldap config example?
or documentation links? The official documentation for meet doesn't have any hints here…
-
Hi @segro,
a working example configuration can be found at https://github.com/Kopano-dev/kopano-docker/tree/master/examples/meet