---
labels:
- 'Stage-Alpha'
- 'Type-Auth'
summary: LDAP authentication module
...

***Note:** A modified version of this module is available, but is not
yet committed here. The plan is to merge them; for more info see [this
thread](http://groups.google.com/group/prosody-dev/browse_thread/thread/282e876116ae4177/906121492495ad35#906121492495ad35).*

Introduction
============

This is a Prosody authentication plugin which uses LDAP as the backend.

Dependencies
============

This module depends on [LuaLDAP](http://www.keplerproject.org/lualdap/)
for connecting to an LDAP server.

Configuration
=============

Copy the module to the prosody modules/plugins directory.

In Prosody's configuration file, under the desired host section, add:

    authentication = "ldap"
    ldap_base = "ou=people,dc=example,dc=com"

LDAP options are:

  Name             Description                                                                                                            Default value
  ---------------- ---------------------------------------------------------------------------------------------------------------------- ------------------
  ldap\_server     Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389")                         "localhost"
  ldap\_rootdn     The distinguished name to auth against                                                                                 "" (anonymous)
  ldap\_password   Password for rootdn                                                                                                    ""
  ldap\_filter     Search filter, with \$user and $host substituted for user- and hostname                                                "(uid=$user)"
  ldap\_scope      Search scope. Other values: "base" and "subtree"                                                                       "onelevel"
  ldap\_tls        Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported.   false
  ldap\_base       LDAP base directory which stores user accounts                                                                         This is required
  ldap\_mode       How passwords are validated: "bind" or "getpasswd" (see Modes)                                                         "bind"

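How the `$user` and `$host` placeholders in `ldap_filter` expand into a search filter, as an added sketch (not the module's own code) that first escapes RFC 4515 special characters in the substituted values. The function names, the sample filter template and the inputs are assumptions made for illustration.

```lua
-- Added illustration, not mod_auth_ldap's source. Function names are hypothetical.

-- RFC 4515: inside a filter assertion value, "*", "(", ")", "\" and NUL must be
-- written as a backslash plus two hex digits. %c also covers the other control
-- bytes, which is permitted (any octet may be escaped this way).
local function escape_filter_value(value)
	return (value:gsub("[%c%*%(%)\\]", function (c)
		return string.format("\\%02x", c:byte())
	end))
end

-- Expand $user and $host in an ldap_filter template. A table is used as the
-- gsub replacement so a "%" in a value is never read as a capture reference,
-- and unknown placeholders are left untouched.
local function build_filter(template, username, host)
	local values = {
		user = escape_filter_value(username),
		host = escape_filter_value(host),
	}
	return (template:gsub("%$(%a+)", values))
end

-- Constructed sample inputs; the "o" attribute in the second template is an
-- arbitrary choice, not something the module requires.
print(build_filter("(uid=$user)", "alice", "example.com"))
print(build_filter("(&(uid=$user)(o=$host))", "alice", "example.com"))
-- A value containing filter metacharacters stays a literal inside the uid assertion.
print(build_filter("(uid=$user)", "al*ce(test)", "example.com"))
```
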
**Note:** lua-ldap reads from /etc/ldap/ldap.conf and other files like
\~prosody/.ldaprc if they exist. Users wanting to use a particular TLS
root certificate can specify it in the normal way using TLS\_CACERT in
the OpenLDAP config file.

Modes
=====

The "getpasswd" mode requires plain text access to passwords in LDAP and
feeds them into Prosody's authentication system. This enables more secure
authentication mechanisms but does not work for all deployments.

The "bind" mode performs an LDAP bind. It does not require plain text
access to passwords, but limits you to the PLAIN authentication mechanism.

Compatibility
=============

  --------------- -------------
  0.8 and above   should work
  --------------- -------------