Mercurial > prosody-modules
view mod_auth_ldap/README.markdown @ 1843:032b209bb8ff
mod_tls_policy/README: Reflow and strip trailing whitespace (pandoc thougt it meant explicit line breaks)
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 12 Sep 2015 21:04:43 +0200 |
parents | 8435e1766054 |
children | 6d7699eda594 |
line wrap: on
line source
--- labels: - 'Stage-Alpha' - 'Type-Auth' summary: LDAP authentication module ... Introduction ============ This is a Prosody authentication plugin which uses LDAP as the backend. Dependecies =========== This module depends on [LuaLDAP](http://www.keplerproject.org/lualdap/) for connecting to an LDAP server. Configuration ============= Copy the module to the prosody modules/plugins directory. In Prosody's configuration file, under the desired host section, add: ``` {.lua} authentication = "ldap" ldap_base = "ou=people,dc=example,dc=com" ``` Further LDAP options are: Name Description Default value ---------------- ---------------------------------------------------------------------------------------------------------------------- -------------------- ldap\_base LDAP base directory which stores user accounts **Required field** ldap\_server Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") `"localhost"` ldap\_rootdn The distinguished name to auth against `"" (anonymous)` ldap\_password Password for rootdn `""` ldap\_filter Search filter, with `$user` and `$host` substituded for user- and hostname `"(uid=$user)"` ldap\_scope Search scope. other values: "base" and "subtree" `"onelevel"` ldap\_tls Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. `false` ldap\_mode How passwords are validated. `"bind"` **Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like `~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS root certificate can specify it in the normal way using TLS\_CACERT in the OpenLDAP config file. Modes ===== The `"getpasswd"` mode requires plain text access to passwords in LDAP and feeds them into Prosodys authentication system. This enables more secure authentication mechanisms but does not work for all deployments. The `"bind"` mode performs an LDAP bind, does not require plain text access to passwords but limits you to the PLAIN authentication mechanism. Compatibility ============= Works with 0.8 and later.