---
labels:
- 'Stage-Alpha'
- 'Type-Auth'
summary: LDAP authentication module
...
Introduction
============
This is a Prosody authentication plugin which uses LDAP as the backend.
Dependecies
===========
This module depends on [LuaLDAP](http://www.keplerproject.org/lualdap/)
for connecting to an LDAP server.
Configuration
=============
Copy the module to the prosody modules/plugins directory.
In Prosody's configuration file, under the desired host section, add:
``` {.lua}
authentication = "ldap"
ldap_base = "ou=people,dc=example,dc=com"
```
Further LDAP options are:
Name Description Default value
--------------------- ---------------------------------------------------------------------------------------------------------------------- --------------------
ldap\_base LDAP base directory which stores user accounts **Required field**
ldap\_server Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") `"localhost"`
ldap\_rootdn The distinguished name to auth against `""` (anonymous)
ldap\_password Password for rootdn `""`
ldap\_filter Search filter, with `$user` and `$host` substituted for user- and hostname `"(uid=$user)"`
ldap\_scope Search scope. other values: "base" and "onelevel" `"subtree"`
ldap\_tls Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. `false`
ldap\_mode How passwords are validated. `"bind"`
ldap\_admin\_filter Search filter to match admins, works like ldap\_filter
**Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like
`~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS
root certificate can specify it in the normal way using TLS\_CACERT in
the OpenLDAP config file.
Modes
=====
The `"getpasswd"` mode requires plain text access to passwords in LDAP
and feeds them into Prosodys authentication system. This enables more
secure authentication mechanisms but does not work for all deployments.
The `"bind"` mode performs an LDAP bind, does not require plain text
access to passwords but limits you to the PLAIN authentication
mechanism.
Compatibility
=============
Works with 0.8 and later.