Mercurial > prosody-modules
diff mod_lib_ldap/README.md @ 809:1d51c5e38faa
Add LDAP plugin suite
author | rob@hoelz.ro |
---|---|
date | Sun, 02 Sep 2012 15:35:50 +0200 (2012-09-02) |
parents | |
children | 675945ea2ed6 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_lib_ldap/README.md Sun Sep 02 15:35:50 2012 +0200 @@ -0,0 +1,151 @@ +# LDAP plugin suite for Prosody + +The LDAP plugin suite includes an authentication plugin (mod\_auth\_ldap2) and storage plugin +(mod\_storage\_ldap) to query against an LDAP server. It also provides a plugin library (mod\_lib\_ldap) +for accessing an LDAP server to make writing other LDAP-based plugins easier in the future. + +# LDAP Authentication + +**NOTE**: LDAP authentication currently only works with plaintext auth! If this isn't ok +with you, don't use it! (Or better yet, fix it =) ) + +With that note in mind, you need to set 'allow\_unencrypted\_plain\_auth' to true in your configuration if +you want to use LDAP authentication. + +To enable LDAP authentication, set 'authentication' to 'ldap' in your configuration file. +See also http://prosody.im/doc/authentication. + +# LDAP Storage + +LDAP storage is currently read-only, and it only supports rosters and vCards. + +To enable LDAP storage, set 'storage' to 'ldap' in your configuration file. +See also http://prosody.im/doc/storage. + +# LDAP Configuration + +All of the LDAP-specific configuration for the plugin set goes into an 'ldap' section +in the configuration. You must set the 'hostname' field in the 'ldap' section to +your LDAP server's location (a custom port is also accepted, so I guess it's not strictly +a hostname). The 'bind\_dn' and 'bind\_password' are optional if you want to bind as +a specific DN. There should be an example configuration included with this README, so +feel free to consult that. + +## The user section + +The user section must contain the following keys: + + * basedn - The base DN against which to base your LDAP queries for users. + * filter - An LDAP filter expression that matches users. + * usernamefield - The name of the attribute in an LDAP entry that contains the username. + * namefield - The name of the attribute in an LDAP entry that contains the user's real name. + +## The groups section + +The LDAP plugin suite has support for grouping (ala mod\_groups), which can be enabled via the groups +section in the ldap section of the configuration file. Currently, you must have at least one group. +The groups section must contain the following keys: + + * basedn - The base DN against which to base your LDAP queries for groups. + * memberfield - The name of the attribute in an LDAP entry that contains a list of a group's members. The contents of this field + must match usernamefield in the user section. + * namefield - The name of the attribute in an LDAP entry that contains the group's name. + +The groups section must contain at least one entry in its array section. Each entry must be a table, with the following keys: + + * name - The name of the group that will be presented in the roster. + * $namefield (whatever namefield is set to is the name) - An attribute pair to match this group against. + * admin (optional) - whether or not this group's members are admins. + +## The vcard\_format section + +The vcard\_format section is used to generate a vCard given an LDAP entry. See http://xmpp.org/extensions/xep-0054.html for +more information. The JABBERID field is automatically populated. + +The key/value pairs in this table fall into three categories: + +### Simple pairs + +Some values in the vcard\_format table are simple key-value pairs, where the key corresponds to a vCard +entry, and the value corresponds to the attribute name in the LDAP entry for the user. The fields that +be configured this way are: + + * displayname - corresponds to FN + * nickname - corresponds to NICKNAME + * birthday - corresponds to BDAY + * mailer - corresponds to MAILER + * timezone - corresponds to TZ + * title - corresponds to TITLE + * role - corresponds to ROLE + * note - corresponds to NOTE + * rev - corresponds to REV + * sortstring - corresponds to SORT-STRING + * uid - corresponds to UID + * url - corresponds to URL + * description - corresponds to DESC + +### Single-level fields + +These pairs have a table as their values, and the table itself has a series of key value pairs that are translated +similarly to simple pairs. The fields that are configured this way are: + + * name - corresponds to N + * family - corresponds to FAMILY + * given - corresponds toGIVEN + * middle - corresponds toMIDDLE + * prefix - corresponds toPREFIX + * suffix - corresponds toSUFFIX + * photo - corresponds to PHOTO + * type - corresponds to TYPE + * binval - corresponds to BINVAL + * extval - corresponds to EXTVAL + * geo - corresponds to GEO + * lat - corresponds to LAT + * lon - corresponds to LON + * logo - corresponds to LOGO + * type - corresponds to TYPE + * binval - corresponds to BINVAL + * extval - corresponds to EXTVAL + * org - corresponds to ORG + * orgname - corresponds to ORGNAME + * orgunit - corresponds to ORGUNIT + * sound - corresponds to SOUND + * phonetic - corresponds to PHONETIC + * binval - corresponds to BINVAL + * extval - corresponds to EXTVAL + * key - corresponds to KEY + * type - corresponds to TYPE + * cred - corresponds to CRED + +### Multi-level fields + +These pairs have a table as their values, and each table itself has tables as its values. The nested tables have +the same key-value pairs you're used to, the only difference being that values may have a boolean as their type, which +converts them into an empty XML tag. I recommend looking at the example configuration for clarification. + + * address - ADR + * telephone - TEL + * email - EMAIL + +### Unsupported vCard fields + + * LABEL + * AGENT + * CATEGORIES + * PRODID + * CLASS + +### Example Configuration + +You can find an example configuration in the dev directory underneath the +directory that this file is located in. + +# Missing Features + +This set of plugins is missing a few features, some of which are really just ideas: + + * Implement non-plaintext authentication. + * Use proper LDAP binding (LuaLDAP must be patched with http://prosody.im/patches/lualdap.patch, though) + * Non-hardcoded LDAP groups (derive groups from LDAP queries) + * LDAP-based MUCs (like a private MUC per group, or something) + * This suite of plugins was developed with a POSIX-style setup in mind; YMMV. Patches to work with other setups are welcome!