Install Kolab and integrate it with FreeIPA

Oct 4, 2018 · 4 min read

Here is written steps for install Kolab Groupware server and integrate it with FreeIPA server.

Most of actions requires basic understanding in LDAP mechanism.
FreeIPA should be already installed before preparing Kolab installation.
We will connect only users from the existing tree (which provided by FreeIPA), and we will create new tree for the rest Kolab resources, like mail groups, shared mailboxes, etc.

In the end, we will can authenticate them, edit their parameters via kolab-webadmin, and manage other resources.

For make LDAP editing easier, I suggest you using Apache Directory Studio, this software provides the nice LDAP-browser interface, it allows you to edit any parameters without any difficults.

On Kolab server

Setup Kolab:

Export Kolab config:

Save Kolab schema:

On FreeIPA server

Create users:

  • kolab-svc
  • kolab-admin-svc
  • cyrus-svc

Add kolab-admin-svc to admin group.

Make sure that cyrus-svc have no any mail address.

Import Kolab schema:

Import Kolab config:

Open LDAP browser and add those aci to cn=kolab,cn=config:

On Kolab server

Configure LDAP connection to our FreeIPA server:

Set our kolab-admin-svc, cyrus-svc and cyrus-svc users:

Confgure LDAP paths:

And change uniquieid value to ipauniqueid:

Let’s check the changed parameters in /etc/kolab/kolab.conf:

Now go to kolab-webadmin and create Organization Units:

Open LDAP browser and add those aci to ou=kolab,dc=example,dc=org

Setup IMAP:

Setup MTA:

Now we will install latest pykolab from git, and patch it for FreeIPA:

Wipe imported users database

Update systemd unit for kolabd and wallace, then restart them:

Configure LDAP server for roundcube addressbook:

Now we can exclude users which ends with -svc from our addressbook:

Update /etc/roundcubemail/

Disable kolab’s dirsrv, we don’t need it anymore:

Configure objectClasses and attributes

On FreeIPA server

Go to IPA server → Configuration → objectClass by default for users


  • kolabInetOrgPerson
  • mailRecipient

Open LDAP browser, and add missing objectClasses to the current users (except service users).

Go to IPA server → Role-Based Access Control → Permissions → System: Read User Addressbook Attributes


  • alias

On Kolab server

Login as cn=Directory Manager into kolab-webadmin GUI

Go to Settings → Objcet type: User → Mail-enabled POSIX User

On Propertes tab, Object class (add missing):

  • inetorgperson
  • inetuser
  • ipaobject
  • ipaSshGroupOfPubKeys
  • ipasshuser
  • kolabinetorgperson
  • krbprincipalaux
  • krbticketpolicyaux
  • mailrecipient
  • mepOriginEntry
  • organizationalperson
  • person
  • posixaccount
  • top

On Attributes tab:

  • ou (update)
    Field type: text
    Value: Generated (read-only)
    Click Save
  • ipaUniqueID (add new)
    Field type: text
    Value: Generated (read-only)
    Click Save
  • uid (update)
    Field type: text
    Value: Noraml
    Click Save
  • displayName (update)
    Field type: text
    Value: Noraml
    Click Save

Click Submit button.

Update kolab-webadmin for use nsuniqueid instead ipauniqueid, it’s needed for allow editing Kolab created resources, sharedfoulders and etc.

That’s all.
Now you might continue Kolab configuration as usual Kolab installation.

Next steps

Secure all Kolab Services

Configure nginx and php-fpm:

Configure DKIM

Configure catchall

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade