Installing Prosody v0.8 (Jabber Server) with LDAP Authentication

 local new_sasl = require "util.sasl".new; local nodeprep = require "util.encodings".stringprep.nodeprep; local log = require "util.logger".init("auth_ldap"); local ldap_server = module:get_option("ldap_server") or "localhost"; local ldap_rootdn = module:get_option("ldap_rootdn") or ""; local ldap_password = module:get_option("ldap_password") or ""; local ldap_tls = module:get_option("ldap_tls"); local ldap_base = assert(module:get_option("ldap_base"), "ldap_base is a required option for ldap"); local ldap_scope = module:get_option("ldap_scope") or "onelevel"; local ldap_filter = module:get_option("ldap_filter") or ""; local lualdap = require "lualdap"; local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); module.unload = function() ld:close(); end local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end local function find_userdn(username) local iter, err = ld:search { base = ldap_base; -- we need to set scope here, else ldap-search may fail (silently!!) scope = ldap_scope; filter = "(&(uid="..ldap_filter_escape(username)..")"..ldap_filter..")"; } if not iter then module:log("error", "LDAP usersearch failed (%s): %s", username, err); return false; end for dn, attribs in iter do return dn; end return false; end local provider = { name = "ldap" }; function provider.test_password(username, password) local userdn = find_userdn(username); if not userdn then return false; end local ldu = lualdap.open_simple(ldap_server, userdn, password, ldap_tls); if not ldu then return false; end ldu:close(); return true; end function provider.user_exists(username) return find_userdn(username); end function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end function provider.get_sasl_handler() local realm = module:get_option("sasl_realm") or module.host; local testpass_authentication_profile = { plain_test = function(sasl, username, password, realm) local prepped_username = nodeprep(username); if not prepped_username then log("debug", "NODEprep failed on username: %s", username); return "", nil; end return provider.test_password(prepped_username, password), true; end }; return new_sasl(realm, testpass_authentication_profile); end module:add_item("auth-provider", provider); 

 -- Prosody XMPP Server Configuration -- -- Information on configuring Prosody can be found on our -- website at http://prosody.im/doc/configure -- -- Tip: You can check that the syntax of this file is correct -- when you have finished by running: luac -p prosody.cfg.lua -- If there are any errors, it will let you know what and where -- they are, otherwise it will keep quiet. -- ---------- Server-wide settings ---------- -- Settings in this section apply to the whole server and are the default settings -- for any virtual hosts -- This is a (by default, empty) list of accounts that are admins -- for the server. Note that you must create the accounts separately -- (see http://prosody.im/doc/creating_accounts for info) -- Example: admins = { "user1@example.com", "user2@example.net" } admins = { } -- Enable use of libevent for better performance under high load -- For more information see: http://prosody.im/doc/libevent use_libevent = false; -- This is the list of modules Prosody will load on startup. -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. -- Documentation on modules can be found at: http://prosody.im/doc/modules modules_enabled = { -- Generally required "roster"; -- Allow users to have a roster. Recommended ;) "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. "tls"; -- Add support for secure TLS on c2s/s2s connections "dialback"; -- s2s dialback support "disco"; -- Service discovery -- Not essential, but recommended "private"; -- Private XML storage (for room bookmarks, etc.) "vcard"; -- Allow users to set vCards --"privacy"; -- Support privacy lists --"compression"; -- Stream compression -- Nice to have "legacyauth"; -- Legacy authentication. Only used by some old clients and bots. "version"; -- Replies to server version requests "uptime"; -- Report how long server has been running "time"; -- Let others know the time here on this server "ping"; -- Replies to XMPP pings with pongs "pep"; -- Enables users to publish their mood, activity, playing music and more "register"; -- Allow users to register on this server using a client and change passwords "adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client -- Admin interfaces "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 -- Other specific functionality "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" --"httpserver"; -- Serve static files from a directory over HTTP --"groups"; -- Shared roster support --"announce"; -- Send announcement to all online users --"welcome"; -- Welcome users who register accounts --"watchregistrations"; -- Alert admins of registrations --"motd"; -- Send a message to users when they log in }; -- These modules are auto-loaded, should you -- (for some mad reason) want to disable -- them then uncomment them below modules_disabled = { -- "presence"; -- Route user/contact status information -- "message"; -- Route messages -- "iq"; -- Route info queries -- "offline"; -- Store offline messages }; -- Disable account creation by default, for security -- For more information see http://prosody.im/doc/creating_accounts allow_registration = false; -- These are the SSL/TLS-related settings. If you don't want -- to use SSL/TLS, you may comment or remove this ssl = { key = "/etc/prosody/certs/localhost.key"; certificate = "/etc/prosody/certs/localhost.cert"; } -- Only allow encrypted streams? Encryption is already used when -- available. These options will cause Prosody to deny connections that -- are not encrypted. Note that some servers do not support s2s -- encryption or have it disabled, including gmail.com and Google Apps -- domains. c2s_require_encryption = true --s2s_require_encryption = false -- Select the authentication backend to use. The 'internal' providers -- use Prosody's configured data storage to store the authentication data. -- To allow Prosody to offer secure authentication mechanisms to clients, the -- default provider stores passwords in plaintext. If you do not trust your -- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed -- for information about using the hashed backend. --authentication = "internal_plain" authentication = "ldap"; ldap_server = "localhost"; ldap_base = "ou=users,dc=example,dc=com"; ldap_rootdn = "cn=manager,dc=example,dc=com"; ldap_password = "password"; --ldap_filter = "(authorizedService=jabber)"; -- optional Include '/etc/prosody/prosody-posix-ldap.cfg.lua' -- Select the storage backend to use. By default Prosody uses flat files -- in its configured data directory, but it also supports more backends -- through modules. An "sql" backend is included by default, but requires -- additional dependencies. See http://prosody.im/doc/storage for more info. --storage = "sql" -- Default is "internal" -- For the "sql" backend, you can uncomment *one* of the below to configure: --sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename. --sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } --sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } -- Logging configuration -- For advanced logging see http://prosody.im/doc/logging -- Hint: If you create a new log file or rename them, don't forget -- to update the logrotate config at /etc/logrotate.d/prosody log = { -- Log all error messages to prosody.err error = "/var/log/prosody/prosody.err"; -- Log everything of level "info" and higher (that is, all except "debug" messages) -- to prosody.log info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging --"*syslog"; -- Uncomment this for logging to syslog } -- Pidfile, used by prosodyctl and the init.d script pidfile = "/var/run/prosody/prosody.pid"; ----------- Virtual hosts ----------- -- You need to add a VirtualHost entry for each domain you wish Prosody to serve. -- Settings under each VirtualHost entry apply *only* to that host. VirtualHost "localhost" VirtualHost "example.com" -- enabled = false -- Remove this line to enable this host -- Assign this host a certificate for TLS, otherwise it would use the one -- set in the global section (if any). -- Note that old-style SSL on port 5223 only supports one certificate, and will always -- use the global one. ssl = { key = "/etc/prosody/certs/localhost.key"; certificate = "/etc/prosody/certs/localhost.cert"; } ------ Components ------ -- You can specify components to add hosts that provide special services, -- like multi-user conferences, and transports. -- For more information on components, see http://prosody.im/doc/components ---Set up a MUC (multi-user chat) room server on conference.example.com: --Component "conference.example.com" "muc" -- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: --Component "proxy.example.com" "proxy65" ---Set up an external component (default component port is 5347) -- -- External components allow adding various services, such as gateways/ -- transports to other networks like ICQ, MSN and Yahoo. For more info -- see: http://prosody.im/doc/components#adding_an_external_component -- --Component "gateway.example.com" -- component_secret = "password" 

 -- Use Include 'prosody-posix-ldap.cfg.lua' from prosody.cfg.lua to include this file authentication = 'ldap' -- Indicate that we want to use LDAP for authentication --storage = 'ldap' -- Indicate that we want to use LDAP for roster/vcard storage storage = { roster = "ldap"; vcard = "ldap"; } ldap = { hostname = 'localhost', -- LDAP server location bind_dn = 'cn=manager,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported) bind_password = 'password', -- Bind password (optional if anonymous bind is supported) user = { basedn = 'ou=users,dc=example,dc=com', -- The base DN where user records can be found filter = 'objectClass=posixAccount', -- Filter expression to find user records under basedn usernamefield = 'uid', -- The field that contains the user's ID (this will be the username portion of the JID) namefield = 'cn', -- The field that contains the user's full name (this will be the alias found in the roster) }, groups = { basedn = 'ou=groups,dc=example,dc=com', -- The base DN where group records can be found memberfield = 'memberUid', -- The field that contains user ID records for this group (each member must have a corresponding entry under the user basedn with the same value in usernamefield) namefield = 'cn', -- The field that contains the group's name (used for matching groups in LDAP to group definitions below) { name = 'First Group', -- The group name that will be seen in users' rosters cn = 'first_group', -- This field's key *must* match ldap.groups.namefield! It's the name of the LDAP group this definition represents admin = false, -- (Optional) A boolean flag that indicates whether members of this group should be considered administrators. }, { name = 'Second Group', cn = 'second_group', admin = true, }, }, vcard_format = { displayname = 'cn', -- Consult the vCard configuration section in the README nickname = 'uid', }, } 

 # Installation directories # System's libraries directory (where binary libraries are installed) LUA_LIBDIR= /usr/lib/lua/5.1 # Lua includes directory LUA_INC= /usr/include/lua5.1 # OpenLDAP includes directory OPENLDAP_INC= /usr/include # OpenLDAP library (an optional directory can be specified with -L<dir>) OPENLDAP_LIB= -lldap # OS dependent LIB_OPTION= -shared #for Linux #LIB_OPTION= -bundle -undefined dynamic_lookup #for MacOS X # Lua version number (first and second digits of target version) LUA_VERSION_NUM= 500 LIBNAME= $T.so.$V COMPAT_DIR= ../compat-5.1r5 # Compilation parameters WARN= -O2 -Wall -fPIC -W -Waggregate-return -Wcast-align -Wmissing-prototypes -Wnested-externs -Wshadow -Wwrite-strings -ansi INCS= -I$(LUA_INC) -I$(OPENLDAP_INC) -I$(COMPAT_DIR) CFLAGS= $(WARN) $(INCS) CC= gcc # $Id: config,v 1.5 2006/07/24 01:42:06 tomas Exp $ 

 # $Id: Makefile,v 1.30 2007/03/13 22:07:33 godinho Exp $ T= lualdap V= 1.1.0 CONFIG= ./config include $(CONFIG) ifeq "$(LUA_VERSION_NUM)" "500" COMPAT_O= $(COMPAT_DIR)/compat-5.1.o endif OBJS= src/lualdap.o $(COMPAT_O) src/$(LIBNAME): $(OBJS) export MACOSX_DEPLOYMENT_TARGET="10.3"; $(CC) $(CFLAGS) $(LIB_OPTION) -o src/$(LIBNAME) $(OBJS) $(OPENLDAP_LIB) $(COMPAT_DIR)/compat-5.1.o: $(COMPAT_DIR)/compat-5.1.c $(CC) -c $(CFLAGS) -o $@ $(COMPAT_DIR)/compat-5.1.c install: src/$(LIBNAME) mkdir -p $(LUA_LIBDIR) cp src/$(LIBNAME) $(LUA_LIBDIR) cd $(LUA_LIBDIR); ln -f -s $(LIBNAME) $T.so clean: rm -f $(OBJS) src/$(LIBNAME)