Mercurial > prosody-modules
annotate mod_lib_ldap/README.md @ 1268:854a3933cfcd
mod_muc_log_http: URL-encode room names. This allows special characters in room names to work. Ideally this escaping shouldn’t be done in the user visible content, but the module’s template system doesn’t currently allow that.
| author | Waqas Hussain <waqas20@gmail.com> |
|---|---|
| date | Sat, 04 Jan 2014 16:50:57 -0500 |
| parents | 0b72b8fe4591 |
| children | 9da03e45c6be |
| rev | line source |
|---|---|
| 809 | 1 # LDAP plugin suite for Prosody |
| 2 | |
| 3 The LDAP plugin suite includes an authentication plugin (mod\_auth\_ldap2) and storage plugin | |
| 4 (mod\_storage\_ldap) to query against an LDAP server. It also provides a plugin library (mod\_lib\_ldap) | |
| 5 for accessing an LDAP server to make writing other LDAP-based plugins easier in the future. | |
| 6 | |
| 7 # LDAP Authentication | |
| 8 | |
| 9 **NOTE**: LDAP authentication currently only works with plaintext auth! If this isn't ok | |
| 10 with you, don't use it! (Or better yet, fix it =) ) | |
| 11 | |
| 12 With that note in mind, you need to set 'allow\_unencrypted\_plain\_auth' to true in your configuration if | |
| 13 you want to use LDAP authentication. | |
| 14 | |
|
862
675945ea2ed6
Change hoelzro's mod_auth_ldap to mod_auth_ldap2
Rob Hoelz <rob@hoelz.ro>
parents:
809
diff
changeset
|
15 To enable LDAP authentication, set 'authentication' to 'ldap2' in your configuration file. |
| 809 | 16 See also http://prosody.im/doc/authentication. |
| 17 | |
| 18 # LDAP Storage | |
| 19 | |
| 20 LDAP storage is currently read-only, and it only supports rosters and vCards. | |
| 21 | |
| 22 To enable LDAP storage, set 'storage' to 'ldap' in your configuration file. | |
| 23 See also http://prosody.im/doc/storage. | |
| 24 | |
| 25 # LDAP Configuration | |
| 26 | |
| 27 All of the LDAP-specific configuration for the plugin set goes into an 'ldap' section | |
| 28 in the configuration. You must set the 'hostname' field in the 'ldap' section to | |
| 29 your LDAP server's location (a custom port is also accepted, so I guess it's not strictly | |
| 30 a hostname). The 'bind\_dn' and 'bind\_password' are optional if you want to bind as | |
| 31 a specific DN. There should be an example configuration included with this README, so | |
| 32 feel free to consult that. | |
| 33 | |
| 34 ## The user section | |
| 35 | |
| 36 The user section must contain the following keys: | |
| 37 | |
| 38 * basedn - The base DN against which to base your LDAP queries for users. | |
| 39 * filter - An LDAP filter expression that matches users. | |
| 40 * usernamefield - The name of the attribute in an LDAP entry that contains the username. | |
| 41 * namefield - The name of the attribute in an LDAP entry that contains the user's real name. | |
| 42 | |
| 43 ## The groups section | |
| 44 | |
| 45 The LDAP plugin suite has support for grouping (ala mod\_groups), which can be enabled via the groups | |
| 46 section in the ldap section of the configuration file. Currently, you must have at least one group. | |
| 47 The groups section must contain the following keys: | |
| 48 | |
| 49 * basedn - The base DN against which to base your LDAP queries for groups. | |
| 50 * memberfield - The name of the attribute in an LDAP entry that contains a list of a group's members. The contents of this field | |
| 51 must match usernamefield in the user section. | |
| 52 * namefield - The name of the attribute in an LDAP entry that contains the group's name. | |
| 53 | |
| 54 The groups section must contain at least one entry in its array section. Each entry must be a table, with the following keys: | |
| 55 | |
| 56 * name - The name of the group that will be presented in the roster. | |
| 57 * $namefield (whatever namefield is set to is the name) - An attribute pair to match this group against. | |
| 58 * admin (optional) - whether or not this group's members are admins. | |
| 59 | |
| 60 ## The vcard\_format section | |
| 61 | |
| 62 The vcard\_format section is used to generate a vCard given an LDAP entry. See http://xmpp.org/extensions/xep-0054.html for | |
| 63 more information. The JABBERID field is automatically populated. | |
| 64 | |
| 65 The key/value pairs in this table fall into three categories: | |
| 66 | |
| 67 ### Simple pairs | |
| 68 | |
| 69 Some values in the vcard\_format table are simple key-value pairs, where the key corresponds to a vCard | |
| 70 entry, and the value corresponds to the attribute name in the LDAP entry for the user. The fields that | |
| 71 be configured this way are: | |
| 72 | |
| 73 * displayname - corresponds to FN | |
| 74 * nickname - corresponds to NICKNAME | |
| 75 * birthday - corresponds to BDAY | |
| 76 * mailer - corresponds to MAILER | |
| 77 * timezone - corresponds to TZ | |
| 78 * title - corresponds to TITLE | |
| 79 * role - corresponds to ROLE | |
| 80 * note - corresponds to NOTE | |
| 81 * rev - corresponds to REV | |
| 82 * sortstring - corresponds to SORT-STRING | |
| 83 * uid - corresponds to UID | |
| 84 * url - corresponds to URL | |
| 85 * description - corresponds to DESC | |
| 86 | |
| 87 ### Single-level fields | |
| 88 | |
| 89 These pairs have a table as their values, and the table itself has a series of key value pairs that are translated | |
| 90 similarly to simple pairs. The fields that are configured this way are: | |
| 91 | |
| 92 * name - corresponds to N | |
| 93 * family - corresponds to FAMILY | |
| 94 * given - corresponds toGIVEN | |
| 95 * middle - corresponds toMIDDLE | |
| 96 * prefix - corresponds toPREFIX | |
| 97 * suffix - corresponds toSUFFIX | |
| 98 * photo - corresponds to PHOTO | |
| 99 * type - corresponds to TYPE | |
| 100 * binval - corresponds to BINVAL | |
| 101 * extval - corresponds to EXTVAL | |
| 102 * geo - corresponds to GEO | |
| 103 * lat - corresponds to LAT | |
| 104 * lon - corresponds to LON | |
| 105 * logo - corresponds to LOGO | |
| 106 * type - corresponds to TYPE | |
| 107 * binval - corresponds to BINVAL | |
| 108 * extval - corresponds to EXTVAL | |
| 109 * org - corresponds to ORG | |
| 110 * orgname - corresponds to ORGNAME | |
| 111 * orgunit - corresponds to ORGUNIT | |
| 112 * sound - corresponds to SOUND | |
| 113 * phonetic - corresponds to PHONETIC | |
| 114 * binval - corresponds to BINVAL | |
| 115 * extval - corresponds to EXTVAL | |
| 116 * key - corresponds to KEY | |
| 117 * type - corresponds to TYPE | |
| 118 * cred - corresponds to CRED | |
| 119 | |
| 120 ### Multi-level fields | |
| 121 | |
| 122 These pairs have a table as their values, and each table itself has tables as its values. The nested tables have | |
| 123 the same key-value pairs you're used to, the only difference being that values may have a boolean as their type, which | |
| 124 converts them into an empty XML tag. I recommend looking at the example configuration for clarification. | |
| 125 | |
| 126 * address - ADR | |
| 127 * telephone - TEL | |
| 128 * email - EMAIL | |
| 129 | |
| 130 ### Unsupported vCard fields | |
| 131 | |
| 132 * LABEL | |
| 133 * AGENT | |
| 134 * CATEGORIES | |
| 135 * PRODID | |
| 136 * CLASS | |
| 137 | |
| 138 ### Example Configuration | |
| 139 | |
| 140 You can find an example configuration in the dev directory underneath the | |
| 141 directory that this file is located in. | |
| 142 | |
| 143 # Missing Features | |
| 144 | |
| 145 This set of plugins is missing a few features, some of which are really just ideas: | |
| 146 | |
| 147 * Implement non-plaintext authentication. | |
| 148 * Use proper LDAP binding (LuaLDAP must be patched with http://prosody.im/patches/lualdap.patch, though) | |
| 149 * Non-hardcoded LDAP groups (derive groups from LDAP queries) | |
| 150 * LDAP-based MUCs (like a private MUC per group, or something) | |
| 151 * This suite of plugins was developed with a POSIX-style setup in mind; YMMV. Patches to work with other setups are welcome! | |
| 1224 | 152 * Add ability for users to change their vCard/passwords/etc from within Prosody |