annotate mod_auth_ldap/README.markdown @ 4876:0f5f2d4475b9
mod_http_xep227: Add support for import via APIs rather than direct store manipulation
In particular this transitions PEP nodes and data to be imported via mod_pep's
APIs, fixing issues with importing at runtime while PEP data may already be
live in RAM.
Next obvious candidate for this approach is rosters, so clients get immediate
roster pushes and other special handling (such as emitting subscribes to reach
the desired subscription state).
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 18 Jan 2022 17:01:18 +0000 |
parents | f4f07891c4cc |
children |
---
labels:
- 'Stage-Merged'
- 'Type-Auth'
summary: LDAP authentication module
...

Introduction
============

This is a Prosody authentication plugin which uses LDAP as the backend.

Dependencies
============

This module depends on [LuaLDAP](https://github.com/lualdap/lualdap)
for connecting to an LDAP server.

Configuration
=============

Copy the module to the prosody modules/plugins directory.

In Prosody's configuration file, under the desired host section, add:

``` {.lua}
authentication = "ldap"
ldap_base = "ou=people,dc=example,dc=com"
```

Further LDAP options are:

| Name | Description | Default value |
|---|---|---|
| ldap\_base | LDAP base directory which stores user accounts | **Required field** |
| ldap\_server | Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") | `"localhost"` |
| ldap\_rootdn | The distinguished name to auth against | `""` (anonymous) |
| ldap\_password | Password for rootdn | `""` |
| ldap\_filter | Search filter, with `$user` and `$host` substituted for user- and hostname | `"(uid=$user)"` |
| ldap\_scope | Search scope. Other values: "base" and "onelevel" | `"subtree"` |
| ldap\_tls | Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. | `false` |
| ldap\_mode | How passwords are validated. | `"bind"` |
| ldap\_admin\_filter | Search filter to match admins, works like ldap\_filter | |

**Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like
`~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS
root certificate can specify it in the normal way using TLS\_CACERT in
the OpenLDAP config file.

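The `$user` and `$host` substitution in `ldap_filter` places client-supplied text inside an LDAP search filter, so those values need RFC 4515 escaping before they are inserted. The following Lua is an added example, not mod_auth_ldap's own code; `ldap_filter_escape` and `build_filter` are hypothetical names and the inputs are constructed.

```lua
-- Added example, not mod_auth_ldap's code; all function names are hypothetical.

-- RFC 4515: "*", "(", ")", "\" and NUL must be written as \XX (two hex digits)
-- inside a filter value. Escaping the other control bytes as well is harmless.
local function ldap_filter_escape(value)
	return (value:gsub("[%c%*%(%)\\]", function(c)
		return ("\\%02x"):format(c:byte())
	end))
end

-- Fill a template such as the default "(uid=$user)". Only $user and $host are
-- known; any other $name in the template is left untouched.
local function build_filter(template, user, host)
	local values = {
		user = ldap_filter_escape(user),
		host = ldap_filter_escape(host),
	}
	return (template:gsub("%$(%a+)", function(name)
		return values[name]
	end))
end

-- Constructed sample template and inputs.
local template = "(&(uid=$user)(mail=*@$host))"

-- An ordinary username passes through unchanged.
assert(build_filter(template, "alice", "example.com")
	== "(&(uid=alice)(mail=*@example.com))")

-- Filter metacharacters in the username are hex-escaped, so the whole value
-- stays inside the uid assertion and the filter structure is unchanged.
assert(build_filter(template, "bob*(x)", "example.com")
	== "(&(uid=bob\\2a\\28x\\29)(mail=*@example.com))")

print(build_filter(template, "bob*(x)", "example.com"))
```
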
Modes
=====

The `"getpasswd"` mode requires plain text access to passwords in LDAP
and feeds them into Prosody's authentication system. This enables more
secure authentication mechanisms but does not work for all deployments.

The `"bind"` mode performs an LDAP bind, does not require plain text
access to passwords but limits you to the PLAIN authentication
mechanism.

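A host section that combines the options and modes described above, with the weaker defaults noted beside each setting. This is an added example rather than the project's own configuration; the hostnames, DNs, password placeholder and the `memberOf`-based admin filter are assumptions about the directory.

```lua
-- Added example; every hostname, DN and the password are constructed placeholders.
VirtualHost "example.com"
	authentication = "ldap"

	-- Required: subtree that holds the user entries.
	ldap_base = "ou=people,dc=example,dc=com"

	-- Space-separated list; a port may be given per server.
	ldap_server = "ldap1.example.com ldap2.example.com:8389"

	-- Default is false. In "bind" mode each user's password is sent to the
	-- LDAP server, so without StartTLS it crosses the network unencrypted.
	-- The CA to trust is taken from TLS_CACERT in the OpenLDAP config file.
	ldap_tls = true

	-- Default is "" (anonymous). A dedicated read-only account lets the
	-- directory refuse anonymous searches.
	ldap_rootdn = "cn=prosody,ou=services,dc=example,dc=com"
	ldap_password = "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"

	-- Default is "(uid=$user)". The extra clause limits logins to one object class.
	ldap_filter = "(&(uid=$user)(objectClass=inetOrgPerson))"

	-- Default is "subtree"; "onelevel" only looks directly under ldap_base.
	ldap_scope = "onelevel"

	-- "bind" (the default) needs no readable passwords in LDAP but limits
	-- clients to PLAIN; "getpasswd" needs plain text passwords in LDAP.
	ldap_mode = "bind"

	-- Assumes the directory maintains memberOf and has this group.
	ldap_admin_filter = "(&(uid=$user)(memberOf=cn=xmpp-admins,ou=groups,dc=example,dc=com))"
```
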
Compatibility
=============

Works with 0.8 and later.