#summary LDAP authentication module
#labels Stage-Alpha,Type-Auth

_*Note:* A modified version of this module is available, but is not yet committed here. The plan is to merge them; for more info see [http://groups.google.com/group/prosody-dev/browse_thread/thread/282e876116ae4177/906121492495ad35#906121492495ad35 this thread]._

= Introduction =

This is a Prosody authentication plugin which uses LDAP as the backend.

= Dependencies =

This module depends on [http://www.keplerproject.org/lualdap/ LuaLDAP] for connecting to an LDAP server.

= Configuration =

Copy the module to the Prosody modules/plugins directory.

In Prosody's configuration file, under the desired host section, add:
{{{
authentication = "ldap"
ldap_base = "ou=people,dc=example,dc=com"
}}}

LDAP options are:
|| *Name* || *Description* || *Default value* ||
|| ldap_server || Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") || "localhost" ||
|| ldap_rootdn || Distinguished name the module binds as when searching for user entries (and, in "getpasswd" mode, when reading their passwords) || "" (anonymous bind) ||
|| ldap_password || Password for ldap_rootdn || "" ||
|| ldap_filter || Search filter used to find the user's entry, with $user and $host substituted by the username and hostname of the JID being authenticated || "(uid=$user)" ||
|| ldap_scope || Search scope: "onelevel", "base" or "subtree" || "onelevel" ||
|| ldap_tls || Enable TLS (StartTLS) on the LDAP connection (true or false). The non-standard LDAPS protocol (TLS on a separate port) is not supported. || false ||
|| ldap_base || Base DN under which user accounts are searched || required ||
|| ldap_mode || How passwords are validated: "bind" or "getpasswd" (see Modes below) || "bind" ||
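
The ldap_filter row says that $user and $host are substituted into the search filter, but the page does not say whether the values are escaped first. XMPP usernames may legitimately contain `*`, `(`, `)` and `\` (nodeprep does not forbid them), and these are LDAP filter metacharacters, so a safe substitution has to escape them as RFC 4515 requires; check that the module version you deploy does so. The following pure-Lua function is an added example of such a substitution, not code from mod_auth_ldap or LuaLDAP; the function names are ours, the first template is the module's default filter, and the `o` attribute in the last call is a placeholder for whatever attribute a directory would use to scope accounts by virtual host.

```lua
-- Added example, not part of mod_auth_ldap: safe $user/$host substitution
-- for a filter template such as the ldap_filter option. Plain Lua 5.1+.

-- RFC 4515 section 3: inside an assertion value, NUL, '(', ')', '*' and '\'
-- must be written as a backslash followed by two hex digits.
local function escape_filter_value(value)
    return (value:gsub("[%z()*\\]", function(c)
        return string.format("\\%02x", string.byte(c))
    end))
end

-- Replace $user and $host in the template with escaped values.
-- Any other $name is left as it is (gsub keeps the match when the
-- table lookup returns nil).
local function build_filter(template, user, host)
    local vars = {
        user = escape_filter_value(user),
        host = escape_filter_value(host),
    }
    return (template:gsub("%$(%a+)", vars))
end

-- Ordinary login: the result is the filter one would write by hand.
print(build_filter("(uid=$user)", "alice", "example.com"))

-- A username made of metacharacters stays one assertion value; the
-- characters cannot change the structure of the filter.
print(build_filter("(uid=$user)", "*)(objectClass=*", "example.com"))

-- $host is escaped the same way, for filters that scope by virtual host
-- (the "o" attribute here is only a placeholder).
print(build_filter("(&(uid=$user)(o=$host))", "bob", "example.com"))
```

Run it with a stand-alone Lua interpreter. In the second call every `*`, `)` and `(` in the username comes out as `\2a`, `\29` and `\28`, so the directory server compares the literal string rather than evaluating a wildcard or an injected sub-filter.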

*Note:* lua-ldap reads from /etc/ldap/ldap.conf and other files like ~prosody/.ldaprc if they exist. Users wanting to use a particular TLS root certificate can specify it in the normal way using TLS_CACERT in the OpenLDAP config file.

= Modes =

The "getpasswd" mode requires that the module can read users' passwords from LDAP in plain text (using the ldap_rootdn credentials) and feeds them into Prosody's own authentication system. This enables challenge-response mechanisms such as SCRAM, which need the plain text password on the server side, but it does not work for all deployments: a directory that stores only password hashes, or that denies read access to the password attribute, cannot be used this way.

The "bind" mode performs an LDAP bind as the user's own entry with the password the client supplied. It does not require plain text access to passwords, but it limits clients to the PLAIN authentication mechanism, since Prosody must receive the password unchanged in order to bind with it. Make sure client connections are encrypted, and enable ldap_tls unless the LDAP server runs on the same machine, so the password is not exposed on either hop.

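As an added example (not taken from the module's documentation), here is a complete host section that sets every option from the table above and chooses a mode; the hostnames, DNs and service password are placeholders. The comments put the weaker choice next to the one to prefer: with ldap_tls = false a remote directory receives the service bind, and in "bind" mode every user's password, in cleartext.

```lua
-- Added example, not the module's own documentation. Hostnames, DNs and
-- the service password are placeholders; change them for your directory.
VirtualHost "example.com"
    authentication = "ldap"

    -- Directory server. The default "localhost" is only right when LDAP
    -- runs on the same machine as Prosody.
    ldap_server = "ldap.example.com"

    -- Weaker: ldap_tls = false sends the service bind and, in "bind" mode,
    -- every user's password to ldap.example.com in cleartext.
    -- ldap_tls = false
    ldap_tls = true   -- StartTLS; LDAPS on a separate port is not supported

    -- Where user entries live and how to find the entry for a JID.
    -- $user is replaced by the username of the JID being authenticated.
    ldap_base = "ou=people,dc=example,dc=com"
    ldap_scope = "onelevel"
    ldap_filter = "(&(objectClass=inetOrgPerson)(uid=$user))"

    -- Service account used for the search. Weaker: leaving ldap_rootdn
    -- empty means an anonymous bind, which only works if the directory
    -- allows anonymous search under ldap_base. Keep this config file
    -- readable by the prosody user only, since the password is in it.
    -- ldap_rootdn = ""
    ldap_rootdn = "cn=prosody,ou=services,dc=example,dc=com"
    ldap_password = "change-me"

    -- "bind" verifies the password by binding as the entry found above and
    -- limits clients to SASL PLAIN. "getpasswd" instead reads the plain
    -- text password with the service account and hands it to Prosody's
    -- SASL implementation, so the service account needs read access to
    -- the password attribute.
    ldap_mode = "bind"
```

Drop the section into prosody.cfg.lua in place of the two-line snippet shown under Configuration; options not listed keep the defaults from the table.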
= Compatibility =

|| 0.8 and above || should work ||