Mercurial > prosody-modules
annotate mod_auth_ldap/README.markdown @ 5643:73c3d5bfce3e
mod_http_oauth2: Allow 'login_hint' as a substitute for OIDC 'select_account' prompt
If the OIDC 'prompt' parameter does not contain the 'select_account'
then it wants us to skip account selection, which means we have to
figure which account to authenticate somehow. One way could be have
this stored in a cookie from a previous successful login. Another way
would be to have the account passed as a hint, which is what we add
here.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 09 Sep 2023 21:42:24 +0200 |
parents | f4f07891c4cc |
children |
rev | line source |
---|---|
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
1 --- |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
2 labels: |
4717
f4f07891c4cc
mod_auth_ldap: Mark as Merged into Prosody
Kim Alvefur <zash@zash.se>
parents:
3954
diff
changeset
|
3 - 'Stage-Merged' |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
4 - 'Type-Auth' |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
5 summary: LDAP authentication module |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
6 ... |
1782 | 7 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
8 Introduction |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
9 ============ |
1782 | 10 |
11 This is a Prosody authentication plugin which uses LDAP as the backend. | |
12 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
13 Dependecies |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
14 =========== |
1782 | 15 |
3954
7a2998e48545
mod_auth_ldap: Fix broken link to LuaLDAP
Kim Alvefur <zash@zash.se>
parents:
3326
diff
changeset
|
16 This module depends on [LuaLDAP](https://github.com/lualdap/lualdap) |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
17 for connecting to an LDAP server. |
1782 | 18 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
19 Configuration |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
20 ============= |
1782 | 21 |
22 Copy the module to the prosody modules/plugins directory. | |
23 | |
24 In Prosody's configuration file, under the desired host section, add: | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
25 |
1823
50d3383a2e08
mod_auth_ldap/README: Minor tweaks
Kim Alvefur <zash@zash.se>
parents:
1822
diff
changeset
|
26 ``` {.lua} |
50d3383a2e08
mod_auth_ldap/README: Minor tweaks
Kim Alvefur <zash@zash.se>
parents:
1822
diff
changeset
|
27 authentication = "ldap" |
50d3383a2e08
mod_auth_ldap/README: Minor tweaks
Kim Alvefur <zash@zash.se>
parents:
1822
diff
changeset
|
28 ldap_base = "ou=people,dc=example,dc=com" |
50d3383a2e08
mod_auth_ldap/README: Minor tweaks
Kim Alvefur <zash@zash.se>
parents:
1822
diff
changeset
|
29 ``` |
1782 | 30 |
1823
50d3383a2e08
mod_auth_ldap/README: Minor tweaks
Kim Alvefur <zash@zash.se>
parents:
1822
diff
changeset
|
31 Further LDAP options are: |
1782 | 32 |
3326
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
33 Name Description Default value |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
34 --------------------- ---------------------------------------------------------------------------------------------------------------------- -------------------- |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
35 ldap\_base LDAP base directory which stores user accounts **Required field** |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
36 ldap\_server Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") `"localhost"` |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
37 ldap\_rootdn The distinguished name to auth against `""` (anonymous) |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
38 ldap\_password Password for rootdn `""` |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
39 ldap\_filter Search filter, with `$user` and `$host` substituted for user- and hostname `"(uid=$user)"` |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
40 ldap\_scope Search scope. other values: "base" and "onelevel" `"subtree"` |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
41 ldap\_tls Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. `false` |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
42 ldap\_mode How passwords are validated. `"bind"` |
5e0193a27c53
mod_auth_ldap: Correct name of admin option (thanks pep.)
Kim Alvefur <zash@zash.se>
parents:
3325
diff
changeset
|
43 ldap\_admin\_filter Search filter to match admins, works like ldap\_filter |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
44 |
1824
8435e1766054
mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
Kim Alvefur <zash@zash.se>
parents:
1823
diff
changeset
|
45 **Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like |
1823
50d3383a2e08
mod_auth_ldap/README: Minor tweaks
Kim Alvefur <zash@zash.se>
parents:
1822
diff
changeset
|
46 `~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
47 root certificate can specify it in the normal way using TLS\_CACERT in |
1782 | 48 the OpenLDAP config file. |
49 | |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
50 Modes |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
51 ===== |
1782 | 52 |
1824
8435e1766054
mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
Kim Alvefur <zash@zash.se>
parents:
1823
diff
changeset
|
53 The `"getpasswd"` mode requires plain text access to passwords in LDAP |
8435e1766054
mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
Kim Alvefur <zash@zash.se>
parents:
1823
diff
changeset
|
54 and feeds them into Prosodys authentication system. This enables more |
8435e1766054
mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
Kim Alvefur <zash@zash.se>
parents:
1823
diff
changeset
|
55 secure authentication mechanisms but does not work for all deployments. |
1782 | 56 |
1824
8435e1766054
mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
Kim Alvefur <zash@zash.se>
parents:
1823
diff
changeset
|
57 The `"bind"` mode performs an LDAP bind, does not require plain text |
8435e1766054
mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
Kim Alvefur <zash@zash.se>
parents:
1823
diff
changeset
|
58 access to passwords but limits you to the PLAIN authentication |
8435e1766054
mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
Kim Alvefur <zash@zash.se>
parents:
1823
diff
changeset
|
59 mechanism. |
1782 | 60 |
1803
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
61 Compatibility |
4d73a1a6ba68
Convert all wiki pages to Markdown
Kim Alvefur <zash@zash.se>
parents:
1782
diff
changeset
|
62 ============= |
1782 | 63 |
1823
50d3383a2e08
mod_auth_ldap/README: Minor tweaks
Kim Alvefur <zash@zash.se>
parents:
1822
diff
changeset
|
64 Works with 0.8 and later. |