mod_auth_ldap/README.markdown
changeset 1807 4d73a1a6ba68
parent 1786 29f3d6b7ad16
child 1826 ce2ca509a88c
1806:0ab737feada6 1807:4d73a1a6ba68
       
     1 ---
       
     2 labels:
       
     3 - 'Stage-Alpha'
       
     4 - 'Type-Auth'
       
     5 summary: LDAP authentication module
       
     6 ...
       
     7 
       
     8 ***Note:** A modified version of this module is available, but is not
       
     9 yet committed here. The plan is to merge them, for more info see [this
       
    10 thread](http://groups.google.com/group/prosody-dev/browse_thread/thread/282e876116ae4177/906121492495ad35#906121492495ad35).*
       
    11 
       
    12 Introduction
       
    13 ============
       
    14 
       
    15 This is a Prosody authentication plugin which uses LDAP as the backend.
       
    16 
       
    17 Dependecies
       
    18 ===========
       
    19 
       
    20 This module depends on [LuaLDAP](http://www.keplerproject.org/lualdap/)
       
    21 for connecting to an LDAP server.
       
    22 
       
    23 Configuration
       
    24 =============
       
    25 
       
    26 Copy the module to the prosody modules/plugins directory.
       
    27 
       
    28 In Prosody's configuration file, under the desired host section, add:
       
    29 
       
    30         authentication = "ldap"
       
    31         ldap_base = "ou=people,dc=example,dc=com"
       
    32 
       
    33 LDAP options are:
       
    34 
       
    35   Name             Description                                                                                                            Default value
       
    36   ---------------- ---------------------------------------------------------------------------------------------------------------------- ------------------
       
    37   ldap\_server     Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389")                         "localhost"
       
    38   ldap\_rootdn     The distinguished name to auth against                                                                                 "" (anonymous)
       
    39   ldap\_password   Password for rootdn                                                                                                    ""
       
    40   ldap\_filter     Search filter, with \$user and $host substituded for user- and hostname | "(uid=$user)"                                
       
    41   ldap\_scope      Search scope. other values: "base" and "subtree"                                                                       "onelevel"
       
    42   ldap\_tls        Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported.   false
       
    43   ldap\_base       LDAP base directory which stores user accounts                                                                         This is required
       
    44   ldap\_mode       How passwords are validated.                                                                                           "bind"
       
    45 
       
    46 **Note:** lua-ldap reads from /etc/ldap/ldap.conf and other files like
       
    47 \~prosody/.ldaprc if they exist. Users wanting to use a particular TLS
       
    48 root certificate can specify it in the normal way using TLS\_CACERT in
       
    49 the OpenLDAP config file.
       
    50 
       
    51 Modes
       
    52 =====
       
    53 
       
    54 The "getpasswd" mode requires plain text access to passwords in LDAP and
       
    55 feeds them into Prosodys authentication system. This enables more secure
       
    56 authentication mechanisms but does not work for all deployments.
       
    57 
       
    58 The "bind" performs an LDAP bind, does not require plain text access to
       
    59 passwords but limits you to the PLAIN authentication mechanism.
       
    60 
       
    61 Compatibility
       
    62 =============
       
    63 
       
    64   --------------- -------------
       
    65   0.8 and above   should work
       
    66   --------------- -------------
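Review bot: the `ldap_filter` row (line 40 of the new file) is malformed. A stray `|` sits before the default, so `"(uid=$user)"` lands in the description column and the default column is empty. Only the first of `$user` and `$host` is backslash-escaped, and "substituded" should be "substituted". Suggest dropping the pipe and aligning the default under "Default value" like the other rows. The same row should also say whether `$user` is escaped before it is substituted into the search filter, since the value comes from the connecting client and the README does not say either way. On the defaults: `ldap_tls` is `false` and `ldap_mode` is `"bind"`, which the Modes section describes as limited to PLAIN, so the README should state that when `ldap_server` is not the local host, the user's password and `ldap_password` cross the network unencrypted unless `ldap_tls = true` is set. Smaller points: the heading at line 17 reads "Dependecies", line 55 has "Prosodys" without an apostrophe, line 58 says `The "bind" performs` without the word "mode", and the note at line 8 opens with `***Note:**` but closes with a single `*`, so the emphasis markers look unbalanced.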