LDAP authentication - Kozea/Radicale GitHub Wiki

Enable LDAP Authentication

The first step to enable LDAP authentication is the installation of the corresponding Python module. Even though the python-ldap module is supported, we recommend using python-ldap3, as further development is based only on this module.

Configure LDAP Authentication

After installing the Python LDAP module you have to enable and configure it in the [auth] section of the Radicale configuration file. Please note that anonymous bind is not supported: you have to provide an LDAP account with read rights to the user accounts. At the moment only SUBTREE searches are implemented.

The following parameters are available. No default values are provided, which means you have to set all of them:

  • type = ldap
  • ldap_uri The URI of the LDAP server: ldap|ldaps://hostname|ip[:port]
  • ldap_base The base DN under which the users are searched for.
  • ldap_reader_dn The DN of the LDAP account with read rights to the subtree below ldap_base.
  • ldap_secret The password of the ldap_reader_dn account.
  • ldap_filter The LDAP filter used to find the DN of the user who logs in. This filter must contain a Python format string with placeholder(s) for the login, for example: (&(objectClass=person)(cn={0}))

Using LDAP group membership of users

There is an additional parameter, ldap_load_groups. When it is set to True, the memberOf LDAP attributes of the user are evaluated and can be used for access rights management and for access to the group calendars. Group calendars are not created automatically; you have to create them on demand. After the next access to the server the new calendar is visible to all members of the group. Here is a script that creates a group calendar with a random color.

#!/bin/bash
# create-group-calendar.sh
# Copyright (c) 2024 Peter Varkoly Nürnberg, Germany.  All rights reserved.
# Script to create a group calendar for Radicale
#
if (( $# != 2 ))
then
        echo "Usage: $0 'group name' 'Calendar Description'"
        exit 1
fi

name=$1
description=$2
# The collection directory is the base64 encoding of the group name
# (-w0 disables line wrapping, which would otherwise break long names)
base64name=$( echo -n "${name}" | base64 -w0 )
# Three random bytes as hex, lowercased below, used as the calendar color
color="$(head -c3 </dev/urandom | xxd -p -u )"
collection="/var/lib/radicale/collections/collection-root/GROUPS/${base64name}"

mkdir -p "${collection}/.Radicale.cache/sync-token"
# Variables are quoted so that names and descriptions containing spaces or glob characters stay intact
echo '{"C:calendar-description": "'"${description}"'", "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO", "D:displayname": "'"${name}"'", "ICAL:calendar-color": "#'"${color,,}"'ff", "ICAL:calendar-order": "2", "tag": "VCALENDAR"}' > "${collection}/.Radicale.props"

chown -R radicale "${collection}/"

You can also use the group membership for managing rights. For example, you want to give everyone read access to the group calendars of which they are a member, and write access to the members of the group administrators. You can achieve this with the following rules:

[calendarsWriter]
groups: administrators
collection: GROUPS/[^/]+
permissions: rw

[calendarsReader]
user: .+
collection: GROUPS/[^/]+
permissions: r

Important: Members of the group administrators only have write access to the group calendars of which they are members.
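To make the pieces above concrete, here is an added Python example (not Radicale's own code) that fills the {0} placeholder of ldap_filter with an escaped login, derives group names from memberOf values, maps them to the GROUPS/<base64> collection path the script above creates, and checks access the way the rules are described. The escape helper, can_read, can_write and the sample memberOf values are assumptions constructed for this example.

```python
import base64
import re
from typing import Iterable

# Values mirroring the page's example [auth] section (constructed for this example).
LDAP_FILTER = "(&(objectClass=person)(uid={0}))"
LC_USERNAME = True

# RFC 4515 escaping for a value substituted into a filter, so a login such as
# 'a)(uid=*' stays a literal and cannot change the filter's meaning (assumed helper).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str) -> str:
    """Apply lc_username, then fill the {0} placeholder with the escaped login."""
    if LC_USERNAME:
        login = login.lower()
    return LDAP_FILTER.format(escape_filter_value(login))


def groups_from_member_of(member_of: Iterable[str]) -> list:
    """Group names are the leading cn of each memberOf DN,
    e.g. cn=administrators,ou=groups,dc=example,dc=tld -> administrators."""
    names = []
    for dn in member_of:
        match = re.match(r"cn=([^,]+)", dn, re.IGNORECASE)
        if match:
            names.append(match.group(1))
    return names


def group_collection_path(group: str) -> str:
    """Path used by create-group-calendar.sh: GROUPS/<base64 of the group name>."""
    return "GROUPS/" + base64.b64encode(group.encode("utf-8")).decode("ascii")


def can_read(user_groups: Iterable[str], collection: str) -> bool:
    """Read access to every group calendar of which the user is a member."""
    return collection in {group_collection_path(g) for g in user_groups}


def can_write(user_groups: Iterable[str], collection: str) -> bool:
    """Write access only for administrators, and only to calendars of their own groups."""
    return "administrators" in set(user_groups) and can_read(user_groups, collection)
```

Note that the standard base64 alphabet contains "/", so a group whose encoded name happens to include that character would not match the collection pattern GROUPS/[^/]+ used in the rules.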

Examples

Configuration

[auth]
type = ldap
ldap_uri = ldap://localhost:3890
ldap_base = dc=example,dc=tld
ldap_reader_dn = uid=radicale,ou=people,dc=example,dc=tld
ldap_secret = SECRET
ldap_filter = (&(objectClass=person)(uid={0}))
lc_username = True