#54 LDAP support

Reporter MattJ
Owner MattJ
Stars ★★★★★ (13)
  • Status-Accepted
  • Milestone-0.12
  • Type-Enhancement
  • Priority-Medium
  1. MattJ on

    Add support for LDAP as an authentication mechanism. It should also be possible for users to query the LDAP server through [http://www.xmpp.org/extensions/xep-0055.html XEP-0055] or some such.

  2. marc.seeger on

    Using lualdap ( http://www.keplerproject.org/lualdap/ ) one could assert a simple bind like this:

        lualdap.open_simple("ldap1.mi.hdm-stuttgart.de", "uid=username,ou=userlist,dc=somedc,dc=de", "password")

    This would allow prosody if the supplied credentials are valid. Sadly, I am not fluent in Lua and don't really have the time at the moment :(

  3. marc.seeger on

    Possible in the current trunk version thanks to Cyrus SASL ( --> http://blog.marc-seeger.de/2009/12/30/Setting_up_prosody_to_authenticate_against_LDAP )

  4. MattJ on

    I'm uncertain yet whether this is enough to satisfy everyone, or whether we should still add native support. Native support would allow integrating vCards with LDAP, I guess, so it's probably still desirable.

  5. matthewshoran on

    Native LDAP support would be a huge win. In addition to populating vCards from LDAP (I'm having problems getting vCards to work with SASL authenticated users, but that's another issue), authentication configuration would be simplified. Also, allowing multiple forms of authentication, e.g. LDAP users and a local user database, is something that drew me to Prosody in the first place. I've implemented this by using both auxprop with sasldb and saslauthd, but the configuration is not pretty. Also, I'd love to not have to install Cyrus SASL on my systems.

  6. MattJ on

    There is a mod_auth_ldap in prosody-modules that is compatible with trunk/0.8. It requires LuaLDAP and best of all hasn't been tested... volunteers welcome :) http://code.google.com/p/prosody-modules/wiki/mod_auth_ldap The new storage API in trunk/0.8 should also allow for a full LDAP storage backend to be written.

  7. stefan.j.hepp on

    Hello, I have written a mod_auth_ldap version, based on the one posted above, which works for me with prosody 0.8 RC1 (module is attached). It uses ldap_bind to test the user password instead of a plaintext lookup, and allows you to add an additional filter. It still assumes your username is stored in 'uid', but this should be easy to change. It does a lookup to find the DN, so it does not depend on the username to be in the DN, but requires two binds per login (should be easy to change in the code to use only one bind if the DN can be constructed from the username, but it requires a bit more code to make a single configurable module which supports both methods). To use it, place the following in your prosody.cfg.lua:

        ldap_server = "servername";
        ldap_base = "ou=People,dc=example,dc=org";
        ldap_rootdn = "<admindn>"; -- optional
        ldap_password = "<adminpw>"; -- optional
        ldap_filter = "(authorizedService=jabber)"; -- optional
        -- don't forget this one!
        authentication = "ldap";
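
The lookup-then-bind flow described in comment 7, as an added Lua example that is not part of the thread or of the posted module: it escapes the username before it goes into the search filter and refuses empty passwords. `escape_filter`, `user_filter`, `test_password` and the in-memory `stub_open` directory are hypothetical names; pass `lualdap.open_simple` as `open` to use it against a real server.

```lua
-- Added example, not the posted module. Settings mirror the sample config above.
local cfg = {
  server = "servername", base = "ou=People,dc=example,dc=org",
  rootdn = nil, password = nil,           -- optional lookup account (nil = anonymous)
  filter = "(authorizedService=jabber)",  -- optional extra filter
}

-- Escape a value for use inside an LDAP search filter (RFC 4515).
local function escape_filter(value)
  return (value:gsub("[%*%(%)\\%c]", function(c) return ("\\%02x"):format(c:byte()) end))
end

local function user_filter(username)
  local f = "(uid=" .. escape_filter(username) .. ")"
  return cfg.filter and ("(&" .. f .. cfg.filter .. ")") or f
end

-- `open` has the shape of lualdap.open_simple(host, dn, password) -> conn | nil, err
local function test_password(open, username, password)
  -- An empty password makes bind 2 an unauthenticated bind, which many servers accept.
  if not password or password == "" then return nil, "empty password" end
  local lookup, err = open(cfg.server, cfg.rootdn, cfg.password)  -- bind 1: find the DN
  if not lookup then return nil, err end
  local dn, count = nil, 0
  for found in lookup:search{ base = cfg.base, scope = "subtree",
                              filter = user_filter(username), attrs = { "uid" } } do
    dn, count = found, count + 1
  end
  lookup:close()
  if count ~= 1 then return nil, "no unique match" end
  local user, bind_err = open(cfg.server, dn, password)           -- bind 2: test password
  if not user then return nil, bind_err end
  user:close()
  return true
end

-- Constructed in-memory stand-in for the directory so the flow runs without a server.
local people = { ["uid=alice,ou=People,dc=example,dc=org"] = "s3cret" }
local function stub_open(_, dn, pw)
  if dn and people[dn] ~= pw then return nil, "invalid credentials" end
  return { close = function() end, search = function(_, q)
    local hit = "uid=" .. q.filter:match("%(uid=([^%)]*)%)") .. "," .. q.base
    local sent = false
    return function() if people[hit] and not sent then sent = true; return hit end end
  end }
end
print(user_filter("*)(uid=*"))                      -- metacharacters arrive escaped
print(test_password(stub_open, "alice", "s3cret"))  -- unique DN found, bind accepted
print(test_password(stub_open, "alice", ""))        -- rejected before any bind
print(test_password(stub_open, "*", "s3cret"))      -- wildcard is a literal, no match
```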

  8. MattJ on

    This thread will also be of interest to people following this issue: https://groups.google.com/d/topic/prosody-dev/ZwGQjeTdUu4/discussion

  9. marclaporte on

    Another example: http://www.fyzix.net/index.php?title=Installing_and_configuring_Prosody_%28XMPP_Jabber_server%29%2Bldap

  10. MattJ on

    I'm hoping to be able to merge one of our LDAP plugins for 0.10. Which, I'm not sure yet. We need to decide if they can be merged, or properly document their differences. Feedback welcome.

    • tags Milestone-1.0 Milestone-0.10
  11. marclaporte on

    Some more relevant links:
    https://wiki.debian.org/InstallingProsody#Cyrus_SASL_with_LDAP
    http://blog.tolik.org/2011/11/howto-ubuntu-1004-lts-prosody-09-sasl.html

  12. marclaporte on

    More:
    http://code.google.com/p/prosody-modules/wiki/mod_srvinjection
    http://code.google.com/p/prosody-modules/wiki/mod_storage_ldap
    http://code.google.com/p/prosody-modules/wiki/mod_auth_ldap
    http://code.google.com/p/prosody-modules/wiki/mod_auth_ldap2

  13. MattJ on

    Pushing this to a future release so as to not block 0.10. The modules are available already, in any case. They just won't be shipped with Prosody.

    • tags Milestone-0.11
  14. MattJ on

    Pushing to new milestone. As I wrote in my previous comment, LDAP modules already exist in prosody-modules. Some feedback on those from people who are actively using them would be good.

    • tags Milestone-0.12
