#54 LDAP support

Reporter MattJ
Owner MattJ
Created
Updated
Stars ★ (1)
Tags
  • Status-Accepted
  • Type-Enhancement
  • Priority-Medium
  • Milestone-0.12
  1. MattJ on

    Add support for LDAP as an authentication mechanism. It should also be possible for users to query the LDAP server through [http://www.xmpp.org/extensions/xep-0055.html XEP-0055] or some such.

  2. marc.seeger on

    Using lualdap ( http://www.keplerproject.org/lualdap/ ) one could assert a simple bind like this:

      lualdap.open_simple("ldap1.mi.hdm-stuttgart.de", "uid=username,ou=userlist,dc=somedc,dc=de", "password")

    This would allow prosody if the supplied credentials are valid. Sadly, I am not fluent in Lua and don't really have the time at the moment :(

  3. marc.seeger on

    Possible in the current trunk version thanks to Cyrus SASL ( --> http://blog.marc-seeger.de/2009/12/30/Setting_up_prosody_to_authenticate_against_LDAP )

  4. MattJ on

    I'm uncertain yet whether this is enough to satisfy everyone, or whether we should still add native support. Native support would allow integrating vCards with LDAP I guess, so it's probably still desirable.

  5. matthewshoran on

    Native LDAP support would be a huge win. In addition to populating vCards from LDAP (I'm having problems getting vCards to work with SASL authenticated users, but that's another issue), authentication configuration would be simplified. Also, allowing multiple forms of authentication, e.g. LDAP users and a local user database, is something that drew me to Prosody in the first place. I've implemented this by using both auxprop with sasldb and saslauthd, but the configuration is not pretty. Also, I'd love to not have to install Cyrus SASL on my systems.

  6. MattJ on

    There is a mod_auth_ldap in prosody-modules that is compatible with trunk/0.8. It requires LuaLDAP and best of all hasn't been tested... volunteers welcome :) http://code.google.com/p/prosody-modules/wiki/mod_auth_ldap The new storage API in trunk/0.8 should also allow for a full LDAP storage backend to be written.

  7. stefan.j.hepp on

    Hello, I have written a mod_auth_ldap version, based on the one posted above, which works for me with prosody 0.8 RC1 (module is attached). It uses ldap_bind to test the user password instead of a plaintext lookup, and allows you to add an additional filter. It still assumes your username is stored in 'uid', but this should be easy to change. It does a lookup to find the DN, so it does not depend on the username being in the DN, but requires two binds per login (should be easy to change in the code to use only one bind if the DN can be constructed from the username, but it requires a bit more code to make a single configurable module which supports both methods). To use it, place the following in your prosody.cfg.lua:

      ldap_server = "servername";
      ldap_base = "ou=People,dc=example,dc=org";
      ldap_rootdn = "<admindn>"; -- optional
      ldap_password = "<adminpw>"; -- optional
      ldap_filter = "(authorizedService=jabber)"; -- optional
      -- don't forget this one!
      authentication = "ldap";

    Attachments
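The two-bind login check described in the comment above (and the single simple bind from comment 2), written out as an added example. This is not the attached module nor Prosody's own mod_auth_ldap; it assumes the LuaLDAP API (lualdap.open_simple, conn:search, conn:close), reuses the configuration names from the comment (ldap_server, ldap_base, ldap_rootdn, ldap_password, ldap_filter), and adds one assumed key, ldap_tls. The server name, service DN and passwords are placeholders. Two points the comment does not spell out are handled here: the username is escaped before it is spliced into the search filter (RFC 4515), so a crafted JID local part cannot rewrite the filter, and an empty password is rejected up front, because most directories treat a bind with an empty password as an anonymous bind that succeeds.

```lua
-- Added example, not Prosody's mod_auth_ldap. Assumes LuaLDAP is installed.
local lualdap = require "lualdap";

-- Config keys as in the comment; values are placeholders.
local config = {
    ldap_server   = "ldap.example.org";                          -- placeholder
    ldap_base     = "ou=People,dc=example,dc=org";
    ldap_rootdn   = "cn=prosody,ou=Services,dc=example,dc=org";  -- optional, placeholder
    ldap_password = "SERVICE-PASSWORD-PLACEHOLDER";              -- optional
    ldap_filter   = "(authorizedService=jabber)";                -- optional extra filter
    ldap_tls      = true;  -- assumption: ask LuaLDAP for STARTTLS so credentials are not sent in clear
};

-- RFC 4515 escaping for values embedded in a search filter: ( ) * \ and NUL
-- become \XX hex escapes, so a username like "*)(uid=*" stays a literal value.
local function escape_filter_value(s)
    return (s:gsub("[%(%)%*\\%z]", function(c)
        return string.format("\\%02x", c:byte());
    end));
end

-- First bind: as the service account (or anonymously if ldap_rootdn is nil),
-- to resolve uid -> DN. Returns the DN, or nil and a reason.
local function find_user_dn(username)
    local conn, err = lualdap.open_simple(config.ldap_server, config.ldap_rootdn,
        config.ldap_password, config.ldap_tls);
    if not conn then
        return nil, "directory unavailable: " .. tostring(err);
    end

    local filter = "(uid=" .. escape_filter_value(username) .. ")";
    if config.ldap_filter then
        -- AND the administrator's filter in, e.g. to restrict to authorized users
        filter = "(&" .. filter .. config.ldap_filter .. ")";
    end

    local dn;
    for entry_dn in conn:search{ base = config.ldap_base, scope = "subtree",
                                  filter = filter, attrs = { "uid" } } do
        if dn then
            -- Two entries share the uid: refuse rather than pick one at random.
            conn:close();
            return nil, "multiple directory entries match " .. username;
        end
        dn = entry_dn;
    end
    conn:close();
    return dn;  -- nil when nothing matched (unknown user or filtered out)
end

-- Second bind: as the user's own DN with the supplied password. The directory
-- verifies the password, so Prosody never needs to read password hashes.
local function test_password(username, password)
    if not password or password == "" then
        return false, "empty password would be an anonymous bind";
    end
    local dn, err = find_user_dn(username);
    if not dn then
        return false, err or "no such user";
    end
    local conn = lualdap.open_simple(config.ldap_server, dn, password, config.ldap_tls);
    if not conn then
        return false, "bind as " .. dn .. " failed";
    end
    conn:close();
    return true;
end

return { test_password = test_password, escape_filter_value = escape_filter_value };
```

The single-bind variant from comment 2 is the second half of test_password alone, with the DN built from the username; it needs the same care, since a username containing commas or equals signs would then be altering the DN instead of the filter. Keeping the lookup-then-bind shape lets the ldap_filter restrict who may log in without encoding that rule into the DN layout.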
  8. MattJ on

    This thread will also be of interest to people following this issue: https://groups.google.com/d/topic/prosody-dev/ZwGQjeTdUu4/discussion

  9. marclaporte on

    Another example: http://www.fyzix.net/index.php?title=Installing_and_configuring_Prosody_%28XMPP_Jabber_server%29%2Bldap

  10. MattJ on

    I'm hoping to be able to merge one of our LDAP plugins for 0.10. Which, I'm not sure yet. We need to decide if they can be merged, or properly document their differences. Feedback welcome.

    Changes
    • tags Milestone-1.0 Milestone-0.10
  11. marclaporte on

    Some more relevant links:
    https://wiki.debian.org/InstallingProsody#Cyrus_SASL_with_LDAP
    http://blog.tolik.org/2011/11/howto-ubuntu-1004-lts-prosody-09-sasl.html

  12. marclaporte on

    More:
    http://code.google.com/p/prosody-modules/wiki/mod_srvinjection
    http://code.google.com/p/prosody-modules/wiki/mod_storage_ldap
    http://code.google.com/p/prosody-modules/wiki/mod_auth_ldap
    http://code.google.com/p/prosody-modules/wiki/mod_auth_ldap2

  13. MattJ on

    Pushing this to a future release so as to not block 0.10. The modules are available already, in any case. They just won't be shipped with Prosody.

    Changes
    • tags Milestone-0.11
  14. MattJ on

    Pushing to new milestone. As I wrote in my previous comment, LDAP modules already exist in prosody-modules. Some feedback on those from people who are actively using them would be good.

    Changes
    • tags Milestone-0.12
  15. Branko Majic on

    After having a short chat with Zash on the Prosody channel, I thought to leave a couple of comments since I have faced some LDAP-related issues on Debian after upgrading to 0.11.0. Currently I am using the mod_auth_ldap module, and it has worked pretty fine in the releases prior to 0.11.0. This is both on Debian 8 Jessie and Debian 9 Stretch. However, one good thing to try to keep in mind would be that Debian at the moment (even in unstable) does not have Lua LDAP bindings for Lua 5.2, only for Lua 5.1. And this broke my Prosody set-up during the upgrade to 0.11.0. The Debian bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814218 gives some pretty good information about relevant issues (namely the maintenance of the Lua LDAP package seems a bit flaky).

    Related to the module itself, I have a couple of items as feedback:

    - Currently only password-based authentication is supported. It might be nice to be able to support other types of authentication, like TLS (client) certificates etc. SASL has been mentioned on chat in general.

    - If you want to have a filter that grants XMPP access to a specific group of users, you must use some form of meta-attribute at the moment (e.g. the memberOf attribute via OpenLDAP's memberof overlay). In many cases it might make more sense to introduce a group-based filter instead (e.g. specifying a groupOfNames or groupOfUniqueNames entry in the LDAP directory). In such a case it could be useful to have the ability to recurse the groups as well (can be costly, though, and I think only AD has some kind of built-in support for doing it server-side).
