author | Kim Alvefur <zash@zash.se> |
Wed, 03 Mar 2021 11:43:38 +0100 | |
changeset 4494 | cf2bdb2aaa57 |
parent 3958 | 7a2998e48545 |
child 4721 | f4f07891c4cc |
permissions | -rw-r--r-- |
---
labels:
- 'Stage-Alpha'
- 'Type-Auth'
summary: LDAP authentication module
...

Introduction
============

This is a Prosody authentication plugin which uses LDAP as the backend.

Dependencies
============

This module depends on [LuaLDAP](https://github.com/lualdap/lualdap)
for connecting to an LDAP server.

Configuration
=============

Copy the module to the Prosody modules/plugins directory.

In Prosody's configuration file, under the desired host section, add:

``` {.lua}
authentication = "ldap"
ldap_base = "ou=people,dc=example,dc=com"
```

Further LDAP options are:

| Name | Description | Default value |
|------|-------------|---------------|
| ldap\_base | LDAP base directory which stores user accounts | **Required field** |
| ldap\_server | Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") | `"localhost"` |
| ldap\_rootdn | The distinguished name to auth against | `""` (anonymous) |
| ldap\_password | Password for rootdn | `""` |
| ldap\_filter | Search filter, with `$user` and `$host` substituted for user- and hostname | `"(uid=$user)"` |
| ldap\_scope | Search scope. Other values: "base" and "onelevel" | `"subtree"` |
| ldap\_tls | Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. | `false` |
| ldap\_mode | How passwords are validated. | `"bind"` |
| ldap\_admin\_filter | Search filter to match admins, works like ldap\_filter | |

**Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like
`~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS
root certificate can specify it in the normal way using TLS\_CACERT in
the OpenLDAP config file.

Modes
=====

The `"getpasswd"` mode requires plain text access to passwords in LDAP
and feeds them into Prosody's authentication system. This enables more
secure authentication mechanisms but does not work for all deployments.

The `"bind"` mode performs an LDAP bind, does not require plain text
access to passwords but limits you to the PLAIN authentication
mechanism.

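A host section that combines the options and modes described above, as an added example that is not part of the module's own README. The host name, server names, service-account DN, password placeholder, object class and admin group are constructed values; the `memberOf` attribute assumes the directory maintains it.

```lua
VirtualHost "example.com"
    authentication = "ldap"

    -- Required: the directory subtree that stores user accounts.
    ldap_base = "ou=people,dc=example,dc=com"

    -- Space-separated list of servers; an entry may carry a port number.
    ldap_server = "ldap1.example.com ldap2.example.com:389"

    -- The default is false, which leaves the LDAP connection unencrypted.
    -- In "bind" mode every login presents the user's password to the
    -- directory, so StartTLS is enabled here.
    -- The CA certificate used to verify the server is not set in this file:
    -- it comes from TLS_CACERT in the OpenLDAP config file.
    ldap_tls = true

    -- The defaults ("" / "") mean an anonymous bind. A dedicated account
    -- lets the directory restrict what this service may read.
    ldap_rootdn = "cn=prosody,ou=services,dc=example,dc=com"
    ldap_password = "CHANGE-ME" -- placeholder, constructed value

    -- $user and $host are replaced with the user- and hostname of the
    -- account being looked up. The extra objectClass clause narrows the
    -- match to person entries.
    ldap_filter = "(&(uid=$user)(objectClass=inetOrgPerson))"

    -- Accounts sit directly under ldap_base in this layout, so the search
    -- does not need the default "subtree" scope.
    ldap_scope = "onelevel"

    -- "bind" keeps plain text passwords out of Prosody's reach, at the cost
    -- of limiting clients to the PLAIN mechanism.
    ldap_mode = "bind"

    -- Works like ldap_filter; entries it matches are treated as admins.
    ldap_admin_filter = "(&(uid=$user)(memberOf=cn=xmpp-admins,ou=groups,dc=example,dc=com))"
```
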
Compatibility
=============

Works with 0.8 and later.