Installing Horde 5 and configuring it for Active Directory and Dovecot

I have been using Horde for quite some time as my webmail solution. Unfortunately the update from Horde 4 to Horde 5 always produced some issues on my system, so I decided to do a fresh install. My old Horde was a very simple setup: it used the IMAP authentication of IMP to authenticate users against my Active Directory. While this certainly works, this time around I wanted to configure Horde to authenticate against my Active Directory directly. Additionally I wanted to use my Active Directory as the global address book for Horde.

Preparing the Server

Before I could start installing a new Horde, I had to uninstall the old one. The easiest way to do that is using this command from the horde wiki:

pear uninstall `pear list -c horde | tail -n +4 | awk '{ print "horde/"$1 }'`
mv horde horde_bk

After getting rid of my old Horde installation, I moved the old horde folder aside. I figured it might be a good idea to still have those config files around if I need to look something up.
With all the uninstalling out of the way, I could start a fresh installation of Horde 5. Since I had a Horde server running before, I was sure my server met all of Horde's requirements. If you need to look them up, the Horde wiki is a good place to do that. The basic requirements are PHP, a database (MySQL in my case) and a working mail server with IMAP or POP3 support.

Preparing the Database

First order of business was getting a new MySQL database ready for Horde. Horde creates its database tables later in the installation, so all it needs prepared is an empty database and a user to connect to it. I logged onto my MySQL server and prepared this with the following two commands in the MySQL console:

CREATE database horde;
GRANT ALL ON horde.* TO 'horde'@'hostip' IDENTIFIED BY 'password';

The GRANT command creates a new user that is allowed to connect from the host 'hostip' with the password 'password'. I use IP addresses to specify the hosts allowed to connect, but DNS names should work fine as well; either way, keep the host part specific rather than '%' and choose a strong password, since this account gets full rights on the horde schema (Horde needs them to create and later migrate its tables). The database should use utf-8 as its charset; if your MySQL does not do that by default, you can change it with "ALTER DATABASE horde charset=utf8;". The next task was the actual installation of Horde.

Installing Horde

For that I logged back onto my web server and ran the following four commands:

pear install horde/horde_role
pear run-scripts horde/horde_role
pear install -a -B horde/webmail
webmail-install

When you run the horde_role script, you will be asked for an installation directory. This should be a directory served by your web server, for instance "/var/www/webmail".
The last command starts a small script that does the basic configuration of Horde by asking a bunch of questions. In the next segment I list all the questions, the answers I typed in (after the colon) and my comments (on the line below). Note that the script also tells you all possible answers.

  • 1st Question: What database backend should we use: mysql
    Other options are false, mysqli, pgsql and sqlite
  • 2nd Question: Request persistent connections: 0
    1=Yes and 0=No. If you don’t have a good reason to turn them on leave the default of 0.
  • 3rd Question: Username to connect to the database as: horde
    The user created together with the MySQL database above.
  • 4th Question: Password to connect with: password
    The password used to identify the MySQL user.
  • 5th Question: How should we connect to the database: tcp
    Since my database runs on a different server I chose tcp. If your database runs on the same server as Horde, you should use Unix sockets by typing 'unix'.
  • 6th Question: Database server/host: mysqlserver.yourdomain.com
    The FQDN or IP Address of the MySQL server.
  • 7th Question: Port the DB is running on, if non-standard: press Enter
    The standard Port 3306 will be used if you just press Enter. If your MySQL server listens on a different port, you need to specify that port here.
  • 8th Question Database name to use: horde
    The name of the Database that was created earlier
  • 9th Question: Internally used charset: press Enter
    The standard is utf-8. This setting should match the charset of the database to avoid errors.
  • 10th Question: use SSL to connect to the server: 0
    1=Yes and 0=No. I switched it off because I am the only user on my local network and accept the additional risk of an unencrypted database connection. In most cases this should be on though.
  • 11th Question: Certification Authority to use for SSL connections: press Enter
    I pressed Enter because I do not use SSL connections; you have to specify a CA here if you plan to use them. Note that browser connections are still handled via SSL because Horde is part of my Apache SSL configuration.
  • 12th Question: Split reads to a different server?: press Enter
    The options are false (disabled) and true (enabled), false being the default. I do not have multiple Horde servers and I am nowhere near the load for which that option would be needed.
  • 13th Question: Specify an existing mail user who you want to give administrator permissions (optional): hordeadmin
    The username of the user that can access the admin panel in horde.

Basic Authentication via IMAP

My fresh Horde install wanted to authenticate against a mail server by default, so I copied back my old backend configuration. It is recommended that you do not change the original backends.php file in the imp/config directory; instead copy it to backends.local.php and make your changes there. I disabled the default IMAP backend and enabled the secure-imap backend, for which the file already contains an example. With my changes to enable it, the configuration for the secure IMAP backend looks like this:

// Switch off the plain IMAP backend that is enabled by default.
$servers['imap']['disabled'] = true;

$servers['secure-imap'] = array(
    // Disabled by default
    'disabled' => false,
    'name' => 'yourdomain.com',
    'hostspec' => 'mail.yourdomain.com',
    // Log in to IMAP with the Horde credentials. 'full' is a quoted string
    // (a bare "full" is an undefined constant); it passes the complete Horde
    // username, while true would strip anything after an '@'.
    'hordeauth' => 'full',
    'protocol' => 'imap',
    'port' => 993,
    'secure' => 'ssl',
    'maildomain' => 'yourdomain.com',
    // 'smtphost' => 'mail.yourdomain.com',
    // 'smtpport' => 25,
    'acl' => true,
    'cache' => false,
);

Testing the Installation

Now would be a good time to test your installation by opening test.php in a browser. If you installed Horde in the location webmail without SSL, the address is "http://yourdomain.com/webmail/test.php".
Before you can do this, you have to enable the script in the Horde configuration: log into Horde as the admin user, go to Administration -> Configuration, click horde in the list of applications, deselect "$conf[testdisable]" under PHP Settings and click Generate Horde Configuration.
If you cannot log in or hit some other error, you can also enable the test script on the command line by editing config.php in the config directory of your Horde installation: look for the line "$conf['testdisable'] = true;" (close to the beginning of the file) and change true to false. Once you are done testing, set it back to true: test.php lists the PHP version, loaded modules and other details of the server that you do not want to hand to everyone who can reach the URL.

Configuring the Active Directory Authentication

With the IMP backend in place, Horde is functional, and since my mail server authenticates against my Active Directory it is actually usable at this point. But I wanted Horde to authenticate against my Active Directory on its own.
The LDAP configuration can be done as Horde administrator from the web interface. Start by going to the Horde administrator panel, click Horde and then the LDAP tab to set up an LDAP backend for Horde. Here you have to decide whether you want to do some user management with Horde or simply use LDAP for authentication.
I chose to go with the management path:
[Screenshot: Horde5 LDAP backend configuration]
The user you configure as binddn should have the right to create and edit users and groups in your Active Directory. If you select a user without those privileges, authentication will still work, but you will not be able to create or change users from within Horde; if you only want authentication, a read-only bind account is the safer choice. As you can see, the fields are pretty standard for LDAP authentication, which is a good thing because the Horde documentation for this seems to me a little outdated.
[Screenshot: Horde5 Authentication Options]

Like the LDAP settings, most of these settings are fairly straightforward, but I did encounter a problem with one option. Unlike any other LDAP authentication I have used so far, you cannot specify the Base DN as "DC=yourdomain,DC=com". This causes a fatal error when trying to log in; you need to specify at least one OU (or a CN container such as the default "CN=Users") as well. After I changed this setting to a form it can work with, like "OU=users,DC=yourdomain,DC=com", everything worked as it should. Unfortunately I could not find this mentioned anywhere in the Horde wiki. A likely explanation: a subtree search rooted at the domain naming context makes Active Directory return referrals for the DomainDnsZones, ForestDnsZones and Configuration partitions, and PHP's LDAP client chases them by default, which fails; the Turba address book example later in this post sets 'referrals' => 0 for the same reason, and rooting the search one level down avoids the referrals altogether.
As said in the picture, the LDAP filter can be used to restrict access to only certain users in your directory. In my case that is only users that are classified as persons and are members of the group webmail. So my filter ends up as follows (the objectClass=Person in the screenshot is still from testing; it works, but it is not optimal):

(&(objectClass=user)(objectCategory=person)(memberOf=cn=webmail,ou=groups,dc=yourdomain,dc=com))

Depending on how many users you have and how often they change, it might also be a good idea to add further restrictions. One very useful addition is excluding deactivated user accounts, which the bitwise-AND matching rule 1.2.840.113556.1.4.803 does by testing the ACCOUNTDISABLE bit (value 2) of userAccountControl:

(&(objectClass=user)(objectCategory=person)(memberOf=cn=webmail,ou=groups,dc=yourdomain,dc=com)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

More useful Active Directory LDAP Filter options can be found in the Microsoft Technet wiki.
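The two filters above decide who gets a Horde login, so it is worth checking what they admit before pointing Horde at the directory. The following is an added example, not code from this post or from Horde: a small Python evaluator for the subset of LDAP filter syntax these filters use (and/or/not, equality, presence and the bitwise matching rules), run against constructed entries that stand in for an enabled user, a user outside the group, a disabled user, a computer account and a contact. The entries, the group DN and the account names are made up for the example; against a real domain you would run the same filters with ldapsearch or PHP's ldap_search instead.

```python
"""Added example (not part of the original post or of Horde): evaluate the two
Active Directory filters from the post against constructed entries. The parser
covers only what the filters need; RFC 4515 value escaping is not handled."""

UF_ACCOUNTDISABLE = 0x2                   # userAccountControl bit the second filter tests
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
BIT_OR_RULE = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR
WEBMAIL_GROUP = "cn=webmail,ou=groups,dc=yourdomain,dc=com"   # group DN from the post

# The two filters as they appear in the post.
FILTER_WEBMAIL = ("(&(objectClass=user)(objectCategory=person)"
                  "(memberOf=" + WEBMAIL_GROUP + "))")
FILTER_WEBMAIL_ENABLED = ("(&(objectClass=user)(objectCategory=person)"
                          "(memberOf=" + WEBMAIL_GROUP + ")"
                          "(!(userAccountControl:" + BIT_AND_RULE + ":=2)))")


def parse(filter_str):
    """Parse a filter into ('&'|'|'|'!', [children]), ('eq', attr, value) or
    ('ext', attr, rule_oid, value); raises ValueError on malformed input."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(filter_str) or filter_str[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, filter_str))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = filter_str[pos:pos + 1]
        if op in ("&", "|"):
            pos += 1
            kids = []
            while pos < len(filter_str) and filter_str[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            expect(")")
            return ("!", [kid])
        end = filter_str.index(")", pos)            # ValueError if unterminated
        attr, _, value = filter_str[pos:end].partition("=")
        pos = end + 1
        if attr.endswith(":"):                       # attr:OID:=value extensible match
            attr, _, rule = attr[:-1].partition(":")
            return ("ext", attr.lower(), rule, value)
        return ("eq", attr.lower(), value)

    tree = node()
    if pos != len(filter_str):
        raise ValueError("trailing characters after filter: %r" % filter_str[pos:])
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against a dict of lower-cased attribute name ->
    list of string values. AD compares case-insensitively, as done here."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    if kind == "eq":
        _, attr, value = tree
        values = entry.get(attr, [])
        if value == "*":                             # presence test
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    _, attr, rule, value = tree
    bits = int(value)
    if rule == BIT_AND_RULE:                         # all bits of value set
        return any(int(v) & bits == bits for v in entry.get(attr, []))
    if rule == BIT_OR_RULE:                          # any bit of value set
        return any(int(v) & bits for v in entry.get(attr, []))
    raise ValueError("unsupported matching rule " + rule)


def entry(sam, classes, category, groups=(), uac=512):
    """Constructed AD-like entry. AD stores objectCategory as a schema DN but
    accepts its RDN value ("person", "computer") in filters; only that is kept."""
    return {"samaccountname": [sam], "objectclass": list(classes),
            "objectcategory": [category], "memberof": list(groups),
            "useraccountcontrol": [str(uac)]}


USER_CLASSES = ("top", "person", "organizationalPerson", "user")
CONTACT_CLASSES = ("top", "person", "organizationalPerson", "contact")

# Constructed sample directory; 512 = NORMAL_ACCOUNT, 4096 = WORKSTATION_TRUST_ACCOUNT.
ENTRIES = [
    entry("alice", USER_CLASSES, "person", [WEBMAIL_GROUP]),                  # enabled, in group
    entry("bob", USER_CLASSES, "person"),                                     # not in the group
    entry("carol", USER_CLASSES, "person", [WEBMAIL_GROUP], 512 | UF_ACCOUNTDISABLE),  # disabled
    entry("mailhost$", USER_CLASSES + ("computer",), "computer", [WEBMAIL_GROUP], 4096),
    entry("vendor", CONTACT_CLASSES, "person", [WEBMAIL_GROUP]),              # contact, no login
]


def allowed_logins(filter_str, entries=ENTRIES):
    """sAMAccountNames the filter admits, sorted."""
    tree = parse(filter_str)
    return sorted(e["samaccountname"][0] for e in entries if matches(tree, e))


if __name__ == "__main__":
    for label, f in (("group members", FILTER_WEBMAIL),
                     ("group members, enabled", FILTER_WEBMAIL_ENABLED)):
        print("%-24s %s" % (label + ":", ", ".join(allowed_logins(f))))
```

Run as a script it prints the accounts each filter admits: the computer account is rejected by objectCategory=person even though computer objects carry the user object class, the contact by objectClass=user, and the disabled user only by the second filter. One caveat for real directories: memberOf does not list a user's primary group, so users whose primary group is the webmail group would need a different test.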
As a warning I should mention that I did not find any documentation (mostly because I did not look further than the Horde wiki page I was on at the time) on which object classes a new user in Active Directory needs. So I am not entirely sure what to fill in there, and I doubt it is a good idea to create new users from the Horde web interface with the settings in the screenshot.

Making sure Horde can send E-Mails

Now that the authentication worked, I still had to make some general configuration changes, but I did not encounter any problems there. The important settings are:
[Screenshot: Horde5 SMTP configuration]
Since Horde is used as a webmailer, it has to be able to send e-mails. To enable this, go to the Mailer tab of the Horde configuration and fill in the details of your mail server.

Enabling Horde's Cache

[Screenshot: Horde5 Cache configuration]
Navigate to the Cache System tab of the Horde configuration and enable CSS caching, JavaScript caching and theme caching to ensure better performance for Horde.

Allow Horde to show HTML E-Mails in the web frontend

Next I wanted to enable the display of HTML mails in the web interface. This is disabled by default because it is somewhat of a security risk: rendered HTML can load remote images that reveal when a mail was opened and can disguise the real target of a link. The additional convenience is worth the risk for me though. First I went into the folder horde -> imp -> config and copied the file "mime-drivers.php" to "mime-drivers.local.php". Then I opened the new file in an editor and changed the line "'inline' => false" to "'inline' => true" in the html section, leaving 'phishing_check' => true and the 'limit_inline_size' cap in place. The section looks like this now:

    /* HTML driver settings */
    'html' => array(
        /* NOTE: Inline HTML display is turned OFF by default. */
        'inline' => true,
        'handles' => array(
            'text/html'
        ),
        'icons' => array(
            'default' => 'html.png'
        ),

        'limit_inline_size' => 1048576,

        /* Check for phishing exploits? */
        'phishing_check' => true
    ),

Enabling Horde's Alarm System

Now I had to enable the alarms. This was a fairly easy process. The following command created a crontab for my www-data user and opened it for editing:

crontab -u www-data -e

I used the editor to add the cron job by appending the following lines to the end of the file:

#Horde Alarms
*/5 * * * * /usr/bin/horde-alarms

Setting up ActiveSync

Finally it was time to enable some advanced functionality. One of my main reasons for originally choosing Horde was the ActiveSync support. ActiveSync is the functionality used by Microsoft Exchange Servers to Synchronise E-Mails, Contacts and Calendar Data to mobile devices. While I personally use IMAP for receiving my E-Mails from my Server and owncloud to sync my calendar and contacts, I still believe ActiveSync is a nice feature to have.
To get ActiveSync working, you need an alias for /Microsoft-Server-ActiveSync in your web server that points to Horde's rpc.php. I still had that from my previous Horde installation, but you can create the alias by adding the following lines to the configuration of Horde's virtual host in Apache (put it in the HTTPS virtual host only: ActiveSync clients send the username and password with HTTP Basic authentication on every request):

# Enable Active Sync for Horde
Alias /Microsoft-Server-ActiveSync /var/www/webmail/rpc.php

After creating the alias you should reload the Apache configuration. Now all that was left was enabling ActiveSync in the Horde configuration:
[Screenshot: Horde5 ActiveSync configuration]

Using the Active Directory as Global Address Book in Horde

Finally I wanted my users to have a Global Address Book, much like the one you would have with a Microsoft Exchange Server. Horde has the functionality for this prepared, but it is not activated by default.
In order to activate it, go into the horde->turba->config directory on your horde server. Once there copy the file “backends.php” to “backends.local.php” and edit the new file. I listed the relevant part and what it should look like below:

/**
 * A local address book in an LDAP directory. This implements a public
 * (shared) address book.
 *
 * To store distribution lists in the LDAP directory, you'll need to include
 * horde.schema from Horde in your LDAP configuration.
 *
 * To store freebusy information in the LDAP directory, you'll need to include
 * rfc2739.schema from Horde in your LDAP configuration.
 */
$cfgSources['localldap'] = array(
    // Disabled by default
    'disabled' => false,
    'title' => _("yourdomain.com Global Addresses"),
    'type' => 'ldap',
    'params' => array(
        'server' => 'ad.yourdomain.com',
        'port' => 389,
        'tls' => false,
        'root' => 'ou=users,dc=yourdomain,dc=com',
        'bind_dn' => 'YOURDOMAIN\systemuser',
        // For Active Directory:
        // 'bind_dn' => 'username@example.com',
        'bind_password' => 'password',
        'sizelimit' => 0,
        // For Active Directory:
        // 'sizelimit' => 0,
        'dn' => array('cn'),
        'objectclass' => array('organizationalPerson',
                               'user',
                               'group',
                               'contact'),
                               // Add 'turbaContact' to this array if using
                               // 'turbaType' attribute below, and 'calEntry'
                               // if using 'freebusyUrl'.
        // For Active Directory:
        // 'objectclass' => array('organizationalPerson',
        //                        'user',
        //                        'group',
        //                        'contact'),
        'scope' => 'sub',
        // For Active Directory:
        // 'scope' => 'sub',
        'charset' => 'utf-8',
        // Consult the LDAP schema to verify that all required attributes for
        // an entry are set and add them if needed.
        'checkrequired' => false,
        // Value used to fill in missing required attributes.
        'checkrequired_string' => ' ',
        // Check LDAP schema for valid syntax. If this is false an address
        // field is assumed to have postalAddress syntax; otherwise the schema
        // is consulted for the syntax to use.
        'checksyntax' => false,
        'version' => 3,

        // For Active Directory you probably want to also set the following
        // parameters:
        'deref' => LDAP_DEREF_ALWAYS,
        'filter' => '&(SAMAccountName=*)(mail=*)',
        'referrals' => 0,
    ),
    'map' => array(
        '__key' => 'dn',

        // Remove this mapping if using Active Directory server:
        //'__uid' => 'uid',

        // From horde.schema.  Make sure you have 'turbaContact' objectClass
        // included above:
        // '__type' => 'turbaType',
        // '__members' => 'turbaMembers',

        //'name' => 'cn',
        'name' => 'displayname',
        'email' => 'mail',
        'homePhone' => 'homephone',
        'workPhone' => 'telephonenumber',
        // Non-AD attribute; the Active Directory mapping of 'cellPhone' to
        // 'mobile' further down is the one that applies (a repeated key in a
        // PHP array keeps only the last value).
        //'cellPhone' => 'mobiletelephonenumber',
        'homeAddress' => 'homepostaladdress',

        // From rfc2739.schema:
        // 'freebusyUrl' => 'calFBURL',

        // For Active Directory servers:
        //'name' => 'displayname',
        'title' => 'title',
        'cellPhone' => 'mobile',
        'department' => 'department',
        'company' => 'company',
    ),
    'search' => array(
        'name',
        'email',
        'homePhone',
        'workPhone',
        'cellPhone',
        'homeAddress'
    ),
    'strict' => array(
        'dn', 'uid'
    ),
    'approximate' => array(
        'cn',
    ),
    // For Active Directory servers:
    // 'approximate' => array(
    //     'displayname',
    //     'samaccountname',
    // ),
    'export' => true,
    'browse' => true,
);

Basically you just have to set the 'disabled' parameter to false and fill in the details of your Active Directory. The one thing to watch is the root, because the example given in the file will not work: just like with the authentication, Horde needs a root of "ou=something,dc=yourdomain,dc=com"; with the "dc=yourdomain,dc=com" form from the example file, the address book will not work. The bind account only needs read access to the directory. Note also that with 'tls' => false on port 389 the bind password and every directory query cross the network in clear text; unless the domain controller is on the same host, set 'tls' => true (STARTTLS) and point 'server' at a name that matches the domain controller's certificate.
And since you are using Active Directory, you will have to comment in or replace the settings with their Active Directory variants wherever the file tells you to.

With all that done Horde was ready to use. If you have any questions about this leave a comment or contact me via E-Mail.

27 thoughts on “Installing Horde 5 and configuring it for Active Directory and Dovecot”

  1. Excellent page ~ it has helped me install Horde Groupware. This is working but, there are still two problems:
    I am trying to configure it, but I get the following errors: "SQL DB is out of date" and "missing configuration".

    Update all configurations and Update all DB schemas has no effect.

    1. Sorry, I have never encountered that particular problem. The only thing I can think of is:
      Check that you can connect to the Database from the horde webserver with the settings you used in the horde config.

  2. Very good document, thanks!!!!
    I'm trying to configure Horde LDAP auth with samba4's Active Directory.
    Everything works without errors, but I am not able to find users from Horde and the authentication does not work.
    Can you help me to solve my problem?

      1. hello,
        I’ve tried:
        ou = users, dc = sambadomain, dc = com
        and I also tried
        ou = users, dc = sambadomain, dc = local
        but does not work
        can you help me?
        Thank you!

        1. If your domain is sambadomain.local then use dc=sambadomain,dc=local.
          Also, the correct denomination according to MS is
          cn=users,dc=yourdomain,dc=local
          Using ou worked in my setup, so I never changed it when I heard about it. But it might be the problem for you.

          Another problem could be the filter if it is too restrictive.

          Also this setup doesn’t allow you to log in with your E-Mail Address

          1. Hello,
            my filter is (objectclass = *)

            If I do not insert the cn=Users I get an error when I try to authenticate.

            In Horde -> Administration -> Horde -> users are not able to perform searches: always 0 results

            They are not even able to login to horde.
            What kind of log should I use?
            SAMBADOMAIN\USER
            or
            user@sambadomain.local
            and I need a real mail address?
            sorry but I did not understand this
            Thanks for your help!!!

  3. If you set the username property to sAMAccountName like in the HowTo, you need to enter the Username without the domain.
    If your Domainlogin is “SAMBADOMAIN\USER” then you need to use “USER” as your horde login.

  4. Hi, good tutorial. Do you know anything about setting up Pop3 support with horde? It seems that the horde documentation is lacking on that end. I did setup the horde Frame and Horde Imp environment.
    Pop3 service is running as I tested it with telnet localhost 110.

    But somehow the horde webmail environment doesn’t recognize the Pop3 backend, which is enabled in the backends.local.php. I disabled all IMAP support in the file. But the test.php file output gives “POP3 server denied authentication”. I must be missing something simple, but I can’t seem to find what.

      1. From /horde/imp/config/backends.local.php

        // POP3 server
        $servers['pop'] = array(
            // Disabled by default
            'disabled' => false,
            'name' => 'POP3 Server',
            'hostspec' => 'localhost',
            'hordeauth' => false,
            'protocol' => 'pop3',
            'port' => 110,
            // Default to secure TLS authentication by default (see RFC 2595 [4]).
            'secure' => false,
            'cache' => false,
        );

        So for testing purposes I haven’t enabled TLS yet. The host is localhost, because Sendmail and Popper is running on the same machine. I’ll turn on TLS if I get this “simple” setup to work. And I disabled the following IMAP configuration.

        // IMAP server
        $servers['imap'] = array(
            // ENABLED by default; will connect to IMAP port on local server
            'disabled' => true,
            'name' => 'IMAP Server',
            'hostspec' => 'localhost',
            'hordeauth' => false,
            'protocol' => 'imap',
            'port' => 143,
            // Plaintext logins are disabled by default on IMAP servers (see RFC 3501
            // [6.2.3]), so TLS is the only guaranteed authentication available by
            // default.
            'secure' => 'tls',
        );

        Tnx in advance for taking a look at my issue! 🙂

  5. Ok, this looks as if you are using the POP3 backend for Horde authentication, or you enter an additional name/password combo for mail access.

    If your Horde already uses LDAP/Active Directory for authentication and you want to query your mails with those credentials, you need to set "hordeauth" to true or full.

  6. hello,
    I installed everything and I did some testing.
    everything is working properly, authentication, address etc.etc.
    I still have a problem: the webmail when I compose a new message and click “send” I get this error:

    “The configuration database is missing”

    Can you help me please?
    Thank you!

  7. Try to generate new settings for imp.
    Log in with your Horde Admin.
    Go to Administration -> Configuration.
    Select imp and then check all the settings. When everything looks ok click on “Generate Mail Configuration”
    Make sure that there are no configuration Error Messages in the configuration page.

        1. this is my log:

          [imp] The database configuration is missing. [pid XXX on line 179 of “/var/www/horde/turba/lib/Driver/Favourites.php”]

    1. If you haven't set up with one domain and changed to another, this shouldn't be a problem.
      But a quick Google search found that there can be a bug when you change the domain of a Horde configuration that leads to the IMP database not being found.

        1. If it's only a test VM, that's probably the easiest solution. You could also connect to your Horde database and poke around in everything concerning IMP. But I can't be of much help there, as I have never done that so far.

  8. The cron job for the alerts will go wrong if the environment variables within cron are incomplete. I had to set SHELL and PATH globally in the crontab as defined within a terminal. Call "env" from a job and within a terminal and you will see what I mean.
