Groupware Client Configuration
Configuring clients to connect to iscape.
Very much a work in progress, but we have to start somewhere.
Creating the user
smbldap-useradd -a -m user-name
(or use the web interface)
After creating the user, connect to their home directory from their own computer. Retrieve the client certificate from the home directory and import it into Thunderbird and Mozilla.
The user's home directory contains a Samba Recycle Bin. Create a shortcut named "Recycle Bin" in the home directory, pointing to \\<server>\<home directory>\.recycle, and give it a wastebasket icon.
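For reference, an added example (not this server's configuration) of the Samba share settings that produce the .recycle directory the shortcut points at. The vfs_recycle module and its options are standard Samba; the [homes] share layout is assumed.

```ini
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    ; assumed: an ordinary [homes] share; only the recycle settings matter here
    vfs objects = recycle
    ; deleted files are moved into .recycle inside the share instead of being unlinked
    recycle:repository = .recycle
    ; keep the original directory layout under .recycle
    recycle:keeptree = yes
    ; keep several copies when the same path is deleted more than once
    recycle:versions = yes
    ; never recycle temporary files
    recycle:exclude = *.tmp,~$*
```

Users see .recycle as an ordinary folder, so the shortcut in the home directory is just a convenience; the directory is created by Samba on first delete.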
Managing Groups
Security
Apart from SMB and CUPS on the local network, all communication with the server is encrypted using SSL and requires an appropriate client certificate to be presented by the client application.
When a new user is created, the groupware server generates a client certificate and password and puts them in the user's home directory.
For a user on the local network it is easy enough to connect to the groupware server and copy the client certificate and password to secure storage on the user's machine. Once they have been copied, delete the certificate and password from the home directory on the server.
For remote users a secure mechanism must be used to get the client certificate and password to them.
Another option applies where remote users already hold client certificates issued by another Certificate Authority. If that CA's certificate is added to the list of trusted CAs on the groupware server, such users can access the groupware server by presenting their pre-existing client certificate, provided its common name (CN) matches their groupware user name. Note that the server then trusts that CA to vouch for any CN it issues, so only add CAs whose issuance policy you trust.
Alternatively the generated client certificate and password can be sent to the remote user by e-mail, encrypted to their key with something like GPG.
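The trusted-CA and CN-matching rule above is worth seeing end to end, since the CN is only meaningful once the certificate has been validated against the trusted list. The following is an added example, not the groupware server's own code: the CA names, the users.txt stand-in for the LDAP user directory, and every key and certificate are constructed here with openssl so that it runs offline.

```shell
#!/bin/sh
# Added example: mapping a client certificate to a groupware user name.
# Not the groupware server's own code; CA names, the users.txt stand-in
# for the user directory, and all keys/certificates are constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# mk_ca NAME FILEBASE: a self-signed CA certificate and key.
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# mk_client CAFILEBASE CN FILEBASE: a client certificate issued by that CA.
mk_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$3.pem" 2>/dev/null
}

mk_ca "Groupware CA" groupware-ca   # the CA the server issues user certs from
mk_ca "Partner CA"   partner-ca     # another organisation's CA we choose to trust
mk_ca "Rogue CA"     rogue-ca       # a CA nobody added to the trusted list

# The groupware server's list of trusted CAs: its own plus the partner's.
cat groupware-ca.pem partner-ca.pem > trusted-cas.pem

mk_client partner-ca   alice   alice-partner   # remote user, pre-existing cert
mk_client rogue-ca     alice   alice-rogue     # same CN, untrusted issuer
mk_client groupware-ca mallory mallory         # trusted issuer, no such user

# Constructed stand-in for the user directory (one user name per line).
printf 'alice\nbob\n' > users.txt

# cert_user CERT: prints the CN if CERT chains to a trusted CA; otherwise
# prints nothing and returns 1. The CN is only read after the chain check,
# because anyone can mint a certificate carrying any CN.
cert_user() {
    openssl verify -CAfile trusted-cas.pem "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# authorize CERT: prints the groupware user name the certificate maps to,
# or "denied" (exit status 1) if the chain check or the user lookup fails.
authorize() {
    cn=$(cert_user "$1") || { echo denied; return 1; }
    if [ -n "$cn" ] && grep -qxF -- "$cn" users.txt; then
        echo "$cn"
    else
        echo denied
        return 1
    fi
}

for c in alice-partner alice-rogue mallory; do
    printf '%-14s -> %s\n' "$c" "$(authorize "$c.pem" || true)"
done
```

Only alice-partner is accepted: alice-rogue carries the right CN but does not chain to a trusted CA, and mallory chains correctly but names no groupware user. A real deployment performs the same two checks in the TLS layer and the application's user lookup rather than in a script, but the order (chain first, CN second) is the point.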
File Sharing
SMB
DAV
How far you get with DAV is platform-dependent. Where client DAV implementations support client certificates, the certificate storage mechanism usually varies from one application to another. Since the security of these mechanisms cannot be controlled, only the server-generated client certificate should be used for DAV, never a certificate the user also relies on elsewhere.
Linux
It looks like Gnome-VFS does not yet support the use of client certificates (http://www.mail-archive.com/gnome-vfs-list@gnome.org/msg00697.html).
davfs2 provides a filesystem-level mapping that allows a DAV server to be mounted as a Linux filesystem. Great, except that it maintains a local cache of files from the server - we need to find a way to keep that cache on encrypted storage. Client certificate support is available in davfs2's CVS.
Mac OS X
Goliath supports client-cert secured DAV.
Windows XP
Double-click on the certificate to import it into the Windows certificate store. First visit the home folder in IE (to check that you can access it and that IE is happy with the server's certificate), then go to File > Open, type in the home folder's URL, and make sure to tick "Open as Web Folder".
Shared folders
Access like any other DAV share.
Set up IMAP account in the usual way.
Address books
To set up LDAP in Thunderbird:
- Go to "Address Book", set up a new LDAP directory. Leave the bind DN empty, set the base DN to o=civicrm. And of course, use SSL.
- Now you should be able to search in the LDAP directory. The first time you do this, you will need to permanently accept the certificate.
- You cannot browse the directory in Thunderbird, only search it, so don't worry if nothing shows up immediately.
- To enable autocompletion, go to the config editor and set ldap_2.autoComplete.directoryServer to ldap_2.servers.Whatever where "Whatever" is what you called the LDAP directory.
Calendar sharing
TODO
Contact management
TODO
