Mercurial > prosody-modules
view mod_auth_ldap/README.markdown @ 4381:a1256e376dca
mod_invites_register_api: reroute register call
The token from the URI was not used anyway. In addition, we now
return the resulting JID because it’s the only way to be sure.
author | Jonas Schäfer <jonas@wielicki.name> |
---|---|
date | Mon, 25 Jan 2021 16:55:39 +0100 |
parents | 7a2998e48545 |
children | f4f07891c4cc |
line wrap: on
line source
--- labels: - 'Stage-Alpha' - 'Type-Auth' summary: LDAP authentication module ... Introduction ============ This is a Prosody authentication plugin which uses LDAP as the backend. Dependecies =========== This module depends on [LuaLDAP](https://github.com/lualdap/lualdap) for connecting to an LDAP server. Configuration ============= Copy the module to the prosody modules/plugins directory. In Prosody's configuration file, under the desired host section, add: ``` {.lua} authentication = "ldap" ldap_base = "ou=people,dc=example,dc=com" ``` Further LDAP options are: Name Description Default value --------------------- ---------------------------------------------------------------------------------------------------------------------- -------------------- ldap\_base LDAP base directory which stores user accounts **Required field** ldap\_server Space-separated list of hostnames or IPs, optionally with port numbers (e.g. "localhost:8389") `"localhost"` ldap\_rootdn The distinguished name to auth against `""` (anonymous) ldap\_password Password for rootdn `""` ldap\_filter Search filter, with `$user` and `$host` substituted for user- and hostname `"(uid=$user)"` ldap\_scope Search scope. other values: "base" and "onelevel" `"subtree"` ldap\_tls Enable TLS (StartTLS) to connect to LDAP (can be true or false). The non-standard 'LDAPS' protocol is not supported. `false` ldap\_mode How passwords are validated. `"bind"` ldap\_admin\_filter Search filter to match admins, works like ldap\_filter **Note:** lua-ldap reads from `/etc/ldap/ldap.conf` and other files like `~prosody/.ldaprc` if they exist. Users wanting to use a particular TLS root certificate can specify it in the normal way using TLS\_CACERT in the OpenLDAP config file. Modes ===== The `"getpasswd"` mode requires plain text access to passwords in LDAP and feeds them into Prosodys authentication system. This enables more secure authentication mechanisms but does not work for all deployments. The `"bind"` mode performs an LDAP bind, does not require plain text access to passwords but limits you to the PLAIN authentication mechanism. Compatibility ============= Works with 0.8 and later.