(>= 3.3.0)
-The URI to the ldap server
+URI to the LDAP server. Mandatory for auth type
+ldap.
Default: ldap://localhost
(>= 3.3.0)
-LDAP base DN of the ldap server. This parameter must be provided if -auth type is ldap.
-Default:
+Base DN of the LDAP server. Mandatory for auth type
+ldap.
Default: (unset)
(>= 3.3.0)
-The DN of a ldap user with read access to get the user accounts. This -parameter must be provided if auth type is ldap.
-Default:
+DN of a LDAP user with read access users and - if defined - groups.
+Mandatory for auth type ldap.
Default: (unset)
(>= 3.3.0)
-The password of the ldap_reader_dn. Either this parameter or
-ldap_secret_file must be provided if auth type is ldap.
Default:
+Password of ldap_reader_dn. Mandatory for auth type
+ldap unless ldap_secret_file is given.
Default: (unset)
(>= 3.3.0)
-Path of the file containing the password of the ldap_reader_dn.
-Either this parameter or ldap_secret must be provided if
-auth type is ldap.
Default:
+Path to the file containing the password of
+ldap_reader_dn. Mandatory for auth type ldap
+unless ldap_secret is given.
Default: (unset)
(>= 3.3.0)
-The search filter to find the user DN to authenticate by the -username. User '{0}' as placeholder for the user name.
+Filter to search for the LDAP entry of the user to authenticate. It +must contain '{0}' as placeholder for the login name.
Default: (cn={0})
(>= 3.4.0)
-The LDAP attribute whose value shall be used as the user name after -successful authentication
-Default: not set, i.e. the login name given is used directly.
-(>= 3.4.0)
-The LDAP attribute to read the group memberships from in the -authenticated user's LDAP entry.
-If set, load the LDAP group memberships from the attribute given -These memberships can be used later on to define rights. This also gives -you access to the group calendars, if they exist.
-Use 'memberOf' if you want to load groups on Active Directory and -alikes, 'groupMembership' on Novell eDirectory, ...
-Default: (unset)
+LDAP attribute whose value shall be used as the username after +successful authentication.
+If set, you can use flexible logins in ldap_filter and
+still have consolidated usernames, e.g. to allow login in using mail
+addresses as an alternative to cn, simply set
ldap_filter = (&(objectclass=inetOrgPerson)(|(cn={0})(mail={0})))
+ldap_user_attribute = cnEven for simple filter setups, it is recommended to set it in order +to get usernames exactly as they are stored in LDAP and to avoid +inconsistencies in the upper-/lower-case spelling of the login +names.
+Default: (unset, in which case the login name is directly used as the +username)
(>= 3.3.0)
-Use ssl on the ldap connection (soon to be deprecated, use -ldap_security instead)
+Use ssl on the LDAP connection. Deprecated, use
+ldap_security instead**!**
(>= 3.5.2)
-Use encryption on the ldap connection. none, tls, starttls
-Default: none
+Use encryption on the LDAP connection. One of none,
+tls, starttls.
Default: none
(>= 3.3.0)
-The certificate verification mode. Works for tls and starttls. NONE, -OPTIONAL or REQUIRED
-Default: REQUIRED
+Certificate verification mode for tls and starttls. One of
+NONE, OPTIONAL, REQUIRED.
Default: REQUIRED
(>= 3.3.0)
-The path to the CA file in pem format which is used to certificate -the server certificate
-Default:
+Path to the CA file in PEM format which is used to certify the server +certificate
+Default: (unset)
+(>= 3.4.0)
+LDAP attribute in the authenticated user's LDAP entry to read the +group memberships from.
+E.g. memberOf to get groups on Active Directory and
+alikes, groupMembership on Novell eDirectory, ...
If set, get the user's LDAP groups from the attribute given.
+For DN-valued attributes, the value of the RDN is used to determine +the group names. The implementation also supports non-DN-valued +attributes: their values are taken directly.
+The user's group names can be used later on to define rights. They +also give you access to the group calendars, if those exist.
+/GROUPS/ with the
+base64-encoded group name as the calendar folder name.Default: (unset)
+(>= 3.5.6)
+Attribute in the group entries to read the group's members from.
+E.g. member for groups with objectclass
+groupOfNames.
Using ldap_group_members_attribute,
+ldap_group_base and ldap_group_filter is an
+alternative approach to getting the user's groups. Instead of reading
+them from ldap_groups_attribute in the user's entry, an
+additional query is performed to seach for those groups beneath
+ldap_group_base, that have the user's DN in their
+ldap_group_members_attribute and additionally fulfil
+ldap_group_filter.
As with DN-valued ldap_groups_attribute, the value of
+the RDN is used to determine the group names.
Default: (unset)
+(>= 3.5.6)
+Base DN to search for groups. Only necessary if
+ldap_group_members_attribute is set, and if the base DN for
+groups differs from ldap_base.
Default: (unset, in which case ldap_base is used as
+fallback)
(>= 3.5.6)
+Search filter to search for groups having the user DN found as
+member. Only necessary ldap_group_members_attribute is set,
+and you want the groups returned to be restricted instead of all groups
+the user's DN is in.
Default: (unset)
(>= 3.5.1)
-Add modifyTimestamp and createTimestamp to the exclusion list of -internal ldap3 client so that these schema attributes are not checked. -This is needed at least for Authentik LDAP server as not providing these -both attributes.
-Default: false
+Quirks for Authentik LDAP server, which violates the LDAP RFCs: add +modifyTimestamp and createTimestamp to the exclusion list of internal +ldap3 client so that these schema attributes are not checked.
+Default: false
Сonvert username to lowercase, must be true for case-insensitive auth providers like ldap, kerberos
Default: False
Note: cannot be enabled together with uc_username
Notes:
+lc_username and uc_username are mutually
+exclusiveldap the use of
+ldap_user_attribute is preferredСonvert username to uppercase, must be true for case-insensitive auth providers like ldap, kerberos
Default: False
Note: cannot be enabled together with lc_username
Notes:
+uc_username and lc_username are mutually
+exclusiveldap the use of
+ldap_user_attribute is preferredIn this section additional HTTP headers that are sent to clients can be specified.
An example to relax the same-origin policy:
-Access-Control-Allow-Origin = *Access-Control-Allow-Origin = *To create a new calendar run something like:
-$ curl -u user -X MKCOL 'http://localhost:5232/user/calendar' --data \
-'<?xml version="1.0" encoding="UTF-8" ?>
-<create xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:I="http://apple.com/ns/ical/">
- <set>
- <prop>
- <resourcetype>
- <collection />
- <C:calendar />
- </resourcetype>
- <C:supported-calendar-component-set>
- <C:comp name="VEVENT" />
- <C:comp name="VJOURNAL" />
- <C:comp name="VTODO" />
- </C:supported-calendar-component-set>
- <displayname>Calendar</displayname>
- <C:calendar-description>Example calendar</C:calendar-description>
- <I:calendar-color>#ff0000ff</I:calendar-color>
- </prop>
- </set>
-</create>'To create a new address book run something like:
-$ curl -u user -X MKCOL 'http://localhost:5232/user/addressbook' --data \
+$ curl -u user -X MKCOL 'http://localhost:5232/user/calendar' --data \
'<?xml version="1.0" encoding="UTF-8" ?>
-<create xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav">
+<create xmlns="DAV:" xmlns:C="urn:ietf:params:xml:ns:caldav" xmlns:I="http://apple.com/ns/ical/">
<set>
<prop>
<resourcetype>
<collection />
- <CR:addressbook />
+ <C:calendar />
</resourcetype>
- <displayname>Address book</displayname>
- <CR:addressbook-description>Example address book</CR:addressbook-description>
- </prop>
- </set>
-</create>'
+ <C:supported-calendar-component-set>
+ <C:comp name="VEVENT" />
+ <C:comp name="VJOURNAL" />
+ <C:comp name="VTODO" />
+ </C:supported-calendar-component-set>
+ <displayname>Calendar</displayname>
+ <C:calendar-description>Example calendar</C:calendar-description>
+ <I:calendar-color>#ff0000ff</I:calendar-color>
+ </prop>
+ </set>
+</create>'To create a new address book run something like:
+$ curl -u user -X MKCOL 'http://localhost:5232/user/addressbook' --data \
+'<?xml version="1.0" encoding="UTF-8" ?>
+<create xmlns="DAV:" xmlns:CR="urn:ietf:params:xml:ns:carddav">
+ <set>
+ <prop>
+ <resourcetype>
+ <collection />
+ <CR:addressbook />
+ </resourcetype>
+ <displayname>Address book</displayname>
+ <CR:addressbook-description>Example address book</CR:addressbook-description>
+ </prop>
+ </set>
+</create>'The collection /USERNAME will be created automatically,
when the user authenticates to Radicale for the first time. Clients with
automatic discovery of collections will only show calendars and address
books that are direct children of the path /USERNAME/.
Delete the collections by running something like:
-curl -u user -X DELETE 'http://localhost:5232/user/calendar'curl -u user -X DELETE 'http://localhost:5232/user/calendar'Note: requires config/option
permit_delete_collection = True
An example rights file:
-# Allow reading root collection for authenticated users
-[root]
-user: .+
-collection:
-permissions: R
-
-# Allow reading and writing principal collection (same as username)
-[principal]
-user: .+
-collection: {user}
-permissions: RW
-
-# Allow reading and writing calendars and address books that are direct
-# children of the principal collection
-[calendars]
-user: .+
-collection: {user}/[^/]+
-permissions: rw# Allow reading root collection for authenticated users
+[root]
+user: .+
+collection:
+permissions: R
+
+# Allow reading and writing principal collection (same as username)
+[principal]
+user: .+
+collection: {user}
+permissions: RW
+
+# Allow reading and writing calendars and address books that are direct
+# children of the principal collection
+[calendars]
+user: .+
+collection: {user}/[^/]+
+permissions: rwThe titles of the sections are ignored (but must be unique). The keys
user and collection contain regular
expressions, that are matched against the username and the path of the
@@ -2023,10 +2084,10 @@ system. The storage is locked with exclusive access while the
Use the flock utility.
-# Exclusive
-$ flock --exclusive /path/to/storage/.Radicale.lock COMMAND
-# Shared
-$ flock --shared /path/to/storage/.Radicale.lock COMMAND# Exclusive
+$ flock --exclusive /path/to/storage/.Radicale.lock COMMAND
+# Shared
+$ flock --shared /path/to/storage/.Radicale.lock COMMAND.Radicale.props with the following content in the
folder:
-{"tag": "VCALENDAR"}{"tag": "VCALENDAR"}The calendar is now available at the URL path
/user/calendar. For address books the file must
contain:
{"tag": "VADDRESSBOOK"}{"tag": "VADDRESSBOOK"}Calendar and address book collections must not have any child collections. Clients with automatic discovery of collections will only show calendars and address books that are direct children of the path @@ -2185,49 +2246,49 @@ password.
modules is Distutils. For a minimal setup create the filesetup.py with the
following content in an empty folder:
-#!/usr/bin/env python3
-
-from distutils.core import setup
-
-setup(name="radicale_static_password_auth",
- packages=["radicale_static_password_auth"])#!/usr/bin/env python3
+
+from distutils.core import setup
+
+setup(name="radicale_static_password_auth",
+ packages=["radicale_static_password_auth"])In the same folder create the sub-folder
radicale_static_password_auth. The folder must have the
same name as specified in packages above.
Create the file __init__.py in the
radicale_static_password_auth folder with the following
content:
from radicale.auth import BaseAuth
-from radicale.log import logger
-
-PLUGIN_CONFIG_SCHEMA = {"auth": {
- "password": {"value": "", "type": str}}}
-
-
-class Auth(BaseAuth):
- def __init__(self, configuration):
- super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA))
-
- def _login(self, login, password):
- # Get password from configuration option
- static_password = self.configuration.get("auth", "password")
- # Check authentication
- logger.info("Login attempt by %r with password %r",
- login, password)
- if password == static_password:
- return login
- return ""from radicale.auth import BaseAuth
+from radicale.log import logger
+
+PLUGIN_CONFIG_SCHEMA = {"auth": {
+ "password": {"value": "", "type": str}}}
+
+
+class Auth(BaseAuth):
+ def __init__(self, configuration):
+ super().__init__(configuration.copy(PLUGIN_CONFIG_SCHEMA))
+
+ def _login(self, login, password):
+ # Get password from configuration option
+ static_password = self.configuration.get("auth", "password")
+ # Check authentication
+ logger.info("Login attempt by %r with password %r",
+ login, password)
+ if password == static_password:
+ return login
+ return ""Install the python module by running the following command in the
same folder as setup.py:
python3 -m pip install .python3 -m pip install .To make use this great creation in Radicale, set the configuration
option type in the auth section to
radicale_static_password_auth:
[auth]
-type = radicale_static_password_auth
-password = secret[auth]
+type = radicale_static_password_auth
+password = secretYou can uninstall the module with:
-python3 -m pip uninstall radicale_static_password_authpython3 -m pip uninstall radicale_static_password_authRadicale is available on PyPI. To install, just type as superuser:
-python3 -m pip install --upgrade radicalepython3 -m pip install --upgrade radicaleIf you want the development version of Radicale, take a look at the git repository on GitHub, or install it directly with:
-python3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gzpython3 -m pip install --upgrade https://github.com/Kozea/Radicale/archive/master.tar.gzYou can also download the content of the repository as an archive.
Radicale is available as a Docker
image for platforms linux/amd64 and
linux/arm64. To install the latest version, run:
docker pull ghcr.io/kozea/radicale:latestdocker pull ghcr.io/kozea/radicale:latestAn example docker-compose.yml and detailed instructions
will soon be updated.