In the note on ejabberd with authorization via LDAP, I described the main points of setting up an ejabberd server and connecting it to LDAP. Unfortunately, the standard LDAP authentication module turned out not to be enough for us. However, ejabberd allows external programs, including your own, to be used for authentication.
So. Last time I stopped at this configuration:
{auth_method, ldap}.                              % authentication method: LDAP
{ldap_servers, ["ldap.company.local"]}.           % address of the LDAP server
{ldap_port, 389}.                                 % its port
{ldap_base, "ou=people,dc=company,dc=local"}.     % base DN of the user accounts
Now every user with an LDAP account can use our server. That does not quite suit me: I want to give this opportunity only to employees. All employees are in our employees group (cn=employees,ou=groups,dc=company,dc=local).
At first glance the goal can be reached with the ldap_filter parameter. But only at first glance: in all the examples I found (and I went through quite a few), the filter relies on the memberOf attribute of the account object, or something equivalent in meaning. Unfortunately, our directory (based on OpenLDAP) had no such attribute: stock OpenLDAP does not maintain memberOf unless the memberof overlay is configured, so membership is recorded only on the group entry itself.
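For comparison, this is what the ldap_filter approach from those examples looks like when written out for this directory. It is an added illustration, not the author's working configuration: the server and base DN values are the ones from the configuration above, the group DN is the employees group named above, and the attribute name memberOf is assumed. It only works when the directory actually populates memberOf on account entries, which stock OpenLDAP does not do without the memberof overlay, which is exactly why it could not be used here.

```erlang
%% ejabberd.cfg (ejabberd 2.x syntax). Added example, not the page's own config.
{auth_method, ldap}.
{ldap_servers, ["ldap.company.local"]}.
{ldap_port, 389}.
{ldap_base, "ou=people,dc=company,dc=local"}.
%% Restrict the account search to entries that list the employees group in
%% memberOf. Requires the directory to maintain that attribute (in OpenLDAP:
%% the memberof overlay); without it the filter matches nobody.
{ldap_filter, "(memberOf=cn=employees,ou=groups,dc=company,dc=local)"}.
```

Before relying on a filter like this, check with ldapsearch that an account entry actually returns a memberOf attribute; if the search comes back empty, the attribute is not being maintained and every login will be rejected.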
After a few hours of studying LDAP filter guides and the capabilities of ejabberd, I decided to try my own authentication program.
Connecting an external program
This is done very simply:
{auth_method, external}.
{extauth_program, "/path/to/program/program_name"}.
Here /path/to/program/program_name is the path to the authentication program. ejabberd starts it itself and talks to it over the program's standard input and output, so the file must be executable by the user ejabberd runs as.
How the program works
Everything is very simple. The program runs in an infinite loop, reading requests from standard input and writing results to standard output.
Each request and each response is preceded by two bytes containing the length of the request/response, as a 16-bit unsigned integer in network (big-endian) byte order.
Requests look like this:
- auth:User:Server:Password (check credentials)
- isuser:User:Server (check whether the user exists)
- setpass:User:Server:Password (set a new password for the user)
In response, the program sends 1 if the request succeeded and 0 if it failed: a two-byte length (always 2) followed by the two-byte result. Two things to keep in mind: the password arrives in clear text, and it may itself contain colons, so split the request on ':' only as many times as the request type has fields and treat the remainder as the password. Read exact byte counts rather than lines, since neither the length bytes nor the body are newline-terminated.
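To make the framing concrete, here is an added example in Python; it is not the author's code and not part of the original page. It implements the request/response protocol described above, with an in-memory dictionary standing in for the LDAP lookup. DIRECTORY, REQUIRED_GROUP and the accounts in it are constructed for the demonstration; the framing (two-byte big-endian length, then the body; responses as length 2 followed by 1 or 0) and the three request types follow the description above, and a password containing colons is handled.

```python
import hmac
import io
import struct
import sys
from typing import Optional

# Constructed stand-in for the LDAP directory: which accounts exist, their
# passwords and their group memberships. In a real program this is an LDAP
# bind plus a membership lookup, not a dictionary.
DIRECTORY = {
    ("alice", "company.local"): {"password": "s3cr:et", "groups": {"employees", "admins"}},
    ("bob", "company.local"): {"password": "guest", "groups": {"contractors"}},
}
REQUIRED_GROUP = "employees"


def handle_request(request: str) -> bool:
    """Decide one request; only members of REQUIRED_GROUP are accepted."""
    op, _, rest = request.partition(":")
    if op == "auth":
        # auth:User:Server:Password. The password is the last field and may
        # itself contain ':', so split at most twice and keep the remainder.
        parts = rest.split(":", 2)
        if len(parts) != 3:
            return False
        user, server, password = parts
        entry = DIRECTORY.get((user, server))
        if entry is None:
            return False
        if not hmac.compare_digest(entry["password"].encode(), password.encode()):
            return False
        return REQUIRED_GROUP in entry["groups"]
    if op == "isuser":
        parts = rest.split(":", 1)
        if len(parts) != 2:
            return False
        entry = DIRECTORY.get((parts[0], parts[1]))
        return entry is not None and REQUIRED_GROUP in entry["groups"]
    # setpass and anything unknown: refuse.
    return False


def read_frame(stream) -> Optional[bytes]:
    """Read one length-prefixed frame; return None on EOF or a short read."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (length,) = struct.unpack(">H", header)
    body = stream.read(length)
    if len(body) < length:
        return None
    return body


def encode_request(request: str) -> bytes:
    """Frame a request the way ejabberd sends it (used here to build test input)."""
    data = request.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def encode_response(ok: bool) -> bytes:
    """Two-byte length (always 2) followed by the two-byte result 1/0."""
    return struct.pack(">HH", 2, 1 if ok else 0)


def serve(stdin, stdout) -> int:
    """Answer frames until EOF; returns the number of requests handled."""
    handled = 0
    while True:
        frame = read_frame(stdin)
        if frame is None:  # ejabberd closed the pipe: exit instead of spinning
            return handled
        ok = handle_request(frame.decode("utf-8", errors="replace"))
        stdout.write(encode_response(ok))
        stdout.flush()
        handled += 1


def process(raw: bytes) -> bytes:
    """Run serve() over an in-memory byte stream and return everything it wrote."""
    out = io.BytesIO()
    serve(io.BytesIO(raw), out)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

Installed as extauth_program, the script answers frames on stdin until ejabberd closes the pipe. auth succeeds only when the password matches and the account is in the employees group, which is the same membership check the PHP program below performs against LDAP; isuser applies the same group restriction so that non-employees are reported as unknown rather than as existing users who cannot log in.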
Simple example
Here is a simple example of an external authentication program in PHP. PHP was used because we already had a ready-made PHP library for working with our LDAP server.
#!/usr/local/bin/php
<?php
// ldap3w.php is our in-house LDAP library; LDAPConnection, getAccount()
// and membership() come from it.
require 'ldap3w.php';
$ldap = new LDAPConnection();
while (true) {
    // Two-byte big-endian length prefix. fread() reads an exact byte count;
    // fgets() would stop early if a length byte happened to be 0x0A.
    $header = fread(STDIN, 2);
    if ($header === false || strlen($header) < 2) {
        break;  // ejabberd closed the pipe: exit instead of spinning
    }
    $length = unpack('n', $header)[1];
    if ($length > 0) {
        $result = false;
        $account = false;
        // Limit the split to 4 parts so a password containing ':' stays intact.
        $data = explode(':', fread(STDIN, $length), 4);
        switch ($data[0]) {
            case 'auth':
                // auth:User:Server:Password -> check the password against LDAP
                if (count($data) === 4) {
                    $account = $ldap->getAccount($data[1], $data[3]);
                }
                break;
            case 'isuser':
                // isuser:User:Server -> only look the account up
                if (count($data) >= 3) {
                    $account = $ldap->getAccount($data[1]);
                }
                break;
            // setpass and anything else are not supported and answer 0
        }
        // Only members of the employees group are let in
        if ($account) {
            $groups = $account->membership();
            $result = in_array('employees', $groups, true);
        }
        // Response: two-byte length (2) followed by the two-byte result (1 or 0)
        fwrite(STDOUT, pack('nn', 2, intval($result)));
        fflush(STDOUT);
    }
}