|
1782
|
1 #summary LDAP authentication module |
|
|
2 #labels Stage-Alpha,Type-Auth |
|
|
3 |
|
|
4 _*Note:* A modified version of this module is available, but is not yet committed here. The plan is to merge them, for more info see [http://groups.google.com/group/prosody-dev/browse_thread/thread/282e876116ae4177/906121492495ad35#906121492495ad35 this thread]._ |
|
|
5 |
|
|
6 = Introduction = |
|
|
7 |
|
|
8 This is a Prosody authentication plugin which uses LDAP as the backend. |
|
|
9 |
|
|
10 = Dependecies = |
|
|
11 |
|
|
12 This module depends on [http://www.keplerproject.org/lualdap/ LuaLDAP] for connecting to an LDAP server. |
|
|
13 |
|
|
14 = Configuration = |
|
|
15 |
|
|
16 Copy the module to the prosody modules/plugins directory. |
|
|
17 |
|
|
18 In Prosody's configuration file, under the desired host section, add: |
|
|
19 {{{ |
|
|
20 authentication = "ldap" |
|
|
21 ldap_base = "ou=people,dc=example,dc=com" |
|
|
22 }}} |
|
|
23 |
|
|
24 LDAP options are: |
|
|
25 || *Name* || *Description* || *Default value* || |
|
|
26 || ldap_server || Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") || "localhost" || |
|
|
27 || ldap_rootdn || The distinguished name to auth against || "" (anonymous) || |
|
|
28 || ldap_password || Password for rootdn || "" || |
|
|
29 || ldap_filter || Search filter, with $user and $host substituded for user- and hostname || "(uid=$user)" || |
|
|
30 || ldap_scope || Search scope. other values: "base" and "subtree" || "onelevel" || |
|
|
31 || ldap_tls || Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. || false || |
|
|
32 || ldap_base || LDAP base directory which stores user accounts || This is required || |
|
|
33 || ldap_mode || How passwords are validated. || "bind" || |
|
|
34 |
|
|
35 *Note:* lua-ldap reads from /etc/ldap/ldap.conf and other files like |
|
|
36 ~prosody/.ldaprc if they exist. Users wanting to use a particular TLS |
|
|
37 root certificate can specify it in the normal way using TLS_CACERT in |
|
|
38 the OpenLDAP config file. |
|
|
39 |
|
|
40 = Modes = |
|
|
41 |
|
|
42 The "getpasswd" mode requires plain text access to passwords in LDAP and |
|
|
43 feeds them into Prosodys authentication system. This enables more secure |
|
|
44 authentication mechanisms but does not work for all deployments. |
|
|
45 |
|
|
46 The "bind" performs an LDAP bind, does not require plain text access to |
|
|
47 passwords but limits you to the PLAIN authentication mechanism. |
|
|
48 |
|
|
49 = Compatibility = |
|
|
50 |
|
|
51 || 0.8 and above || should work || |
