view mod_auth_ldap/README.markdown @ 1824:8435e1766054

mod_auth_ldap/README: Fix missing word and more markdown syntax tweaks
author Kim Alvefur <>
date Thu, 03 Sep 2015 03:22:31 +0200
parents 50d3383a2e08
children 6d7699eda594
line wrap: on
line source

- 'Stage-Alpha'
- 'Type-Auth'
summary: LDAP authentication module


This is a Prosody authentication plugin which uses LDAP as the backend.


This module depends on [LuaLDAP](
for connecting to an LDAP server.


Copy the module to the prosody modules/plugins directory.

In Prosody's configuration file, under the desired host section, add:

``` {.lua}
authentication = "ldap"
ldap_base = "ou=people,dc=example,dc=com"

Further LDAP options are:

  Name             Description                                                                                                            Default value
  ---------------- ---------------------------------------------------------------------------------------------------------------------- --------------------
  ldap\_base       LDAP base directory which stores user accounts                                                                         **Required field**
  ldap\_server     Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389")                         `"localhost"`
  ldap\_rootdn     The distinguished name to auth against                                                                                 `"" (anonymous)`
  ldap\_password   Password for rootdn                                                                                                    `""`
  ldap\_filter     Search filter, with `$user` and `$host` substituded for user- and hostname                                             `"(uid=$user)"`
  ldap\_scope      Search scope. other values: "base" and "subtree"                                                                       `"onelevel"`
  ldap\_tls        Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported.   `false`
  ldap\_mode       How passwords are validated.                                                                                           `"bind"`

**Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like
`~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS
root certificate can specify it in the normal way using TLS\_CACERT in
the OpenLDAP config file.


The `"getpasswd"` mode requires plain text access to passwords in LDAP
and feeds them into Prosodys authentication system. This enables more
secure authentication mechanisms but does not work for all deployments.

The `"bind"` mode performs an LDAP bind, does not require plain text
access to passwords but limits you to the PLAIN authentication


Works with 0.8 and later.