affects 671015 + prosody
thanks

Hi Enrico!

On Thu, 26 Apr 2012 20:07:26 +0200, Enrico Tassi wrote:
> On Thu, Apr 26, 2012 at 06:26:01PM +0200, Luca Capello wrote:
>> * Package name : lua-ldap
>
> On another topic, thanks to lua-cyrussasl I think prosody is already
> able to use LDAP: http://prosody.im/doc/cyrus_sasl
>
> But I guess the module you mentioned is simpler/better.

I see two "problems" in this case:

1) it seems that Prosody only supports authentication against Cyrus
   SASL. If you have Dovecot, however, you can use its SASL
   implementation for external services, for example for Postfix (as I
   do on the server where I want to install Prosody):

     <http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL>

2) at a first glance it seems that the Cyrus SASL LDAP filtering, while
   complete, is quite difficult to set up and does not resemble any
   ldapsearch's filter.

I anyway tried to configure Prosody LDAP authentication via SASL (tested
with empathy_3.2.2-1+b3, gajim_0.15-1 and pidgin_2.10.2-1 on an
up-to-date squeeze), following the instructions at the following links
(I Cc:ed the author of the last one):

  <http://prosody.im/doc/cyrus_sasl>
  <http://blog.marc-seeger.de/2009/12/30/setting-up-prosody-to-authenticate-against-ldap/>
  <https://wiki.koumbit.net/ProsodyConfiguration>

=====
root@debian:~# apt-get install prosody
[at least!]

root@debian:~# apt-get install sasl2-bin
[the Cyrus SASL authentication daemon]

root@debian:~# cat /etc/default/saslauthd
START=yes
MECHANISMS="ldap"

root@debian:~# cat /etc/saslauthd.conf
# see also #671015 for the available options
ldap_servers: ldap://ldap.example.com
ldap_search_base: ou=people,dc=example,dc=com
ldap_scope: one
ldap_auth_method: bind
ldap_bind_dn: cn=admin,dc=example,dc=com
ldap_bind_pw: PASSWOD
# uid=NAME.SURNAME, while mail=n...@example.com
ldap_filter: mail=%u

root@debian:~# testsaslauthd -u MAIL -p PASSWORD
0: OK "Success."

root@debian:~# apt-get install libsasl2-modules-ldap
[let local servers use Cyrus SASL LDAP authentication]

root@debian:~# apt-get install liblua5.1-sec1
[Prosody SASL requires TLS]

root@debian:~# apt-get install liblua5.1-cyrussasl0
[let Prosody authenticate against Cyrus SASL]

root@debian:~# cat /etc/prosody/prosody.cfg.lua
sasl_backend = "cyrus"
cyrus_application_name = "prosody"

root@debian:~# cat /etc/sasl/prosody.conf
# see also #465569 for /etc/sasl2 (from sasl2-bin >= 2.1.24~rc1.dfsg1-1)
pwcheck_method: saslauthd
mech_list: plain

root@debian:~# adduser prosody sasl
[let Prosody access the Cyrus SASL socket]
Adding user `prosody' to group `sasl' ...
Adding user prosody to group sasl
Done.

root@debian:~# service prosody restart
Restarting Prosody XMPP Server: prosody.
--8<---------------cut here---------------end--------------->8---

At this point authentication will not work, because Prosody passes
'NAME' and not 'MAIL' (thus 'n...@example.com'), so you need a better
LDAP "filter":

--8<---------------cut here---------------start------------->8---
root@debian:~# vi /etc/saslauthd.conf
ldap_filter: mail=%u@%d

root@debian:~# testsaslauthd -r DOMAIN -u MAIL -p PASSWORD
0: OK "Success."

root@debian:~# service prosody restart
Restarting Prosody XMPP Server: prosody.

root@debian:~# cat /var/log/auth.log
[errors, but authentication works]
Apr 28 20:12:20 jabber prosody[2527]: auxpropfunc error invalid parameter supplied
Apr 28 20:12:20 jabber prosody[2527]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
--8<---------------cut here---------------end--------------->8---

I also tested that with prosody_0.8 via the backport package at (soon to
be uploaded to squeeze-backports, see #631265):

  <http://people.debian.org/~gismo/tmp/prosody/>

There are no changes needed for Cyrus SASL, but only for Prosody:

--8<---------------cut here---------------start------------->8---
root@debian:~# cat /etc/prosody/prosody.cfg.lua
authentication = "cyrus"

-- <http://prosody.im/doc/cyrus_sasl>
-- The service name to pass to Cyrus SASL.
--cyrus_service_name = "xmpp"

-- The realm to pass to Cyrus SASL, the virtual host the user is signing into
-- if not specified.
--cyrus_service_realm = (auto)

-- If true then Prosody requires user accounts to exist in Prosody, even if
-- successfully authenticated via SASL
--cyrus_require_provisioning = false

-- The application name to pass to Cyrus SASL. Determines the Cyrus SASL
-- configuration file name.
--cyrus_application_name = "prosody"
--8<---------------cut here---------------end--------------->8---

Thx, bye,
Gismo / Luca
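As an added example (not code from this bug report, Prosody or saslauthd), here is a small Python model of how saslauthd expands the ldap_filter template for one login, showing why `mail=%u` only matches when the application passes the full address and why `mail=%u@%d` is needed once Prosody passes the bare user name and the XMPP host as the realm. The token semantics (%u, %d, %r, %%) and the RFC 4515 escaping of substituted values are my reading of the saslauthd LDAP documentation, stated as assumptions in the code.

```python
import re

# Added example, not code from the bug report, Prosody or saslauthd: a model
# of how saslauthd expands ldap_filter for one login. Assumed token semantics
# (my reading of the saslauthd LDAP documentation):
#   %u  user name exactly as the application passed it
#   %r  realm as passed by the application
#   %d  domain part of %u if it contains '@', otherwise the realm
#   %%  a literal percent sign
# Substituted values are escaped per RFC 4515, so a user name containing
# '*', '(' or ')' cannot change the meaning of the search filter.


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves in filter assertion values."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def expand_filter(template: str, user: str, realm: str) -> str:
    """Expand %u, %d, %r and %% in a saslauthd-style ldap_filter template."""
    _, _, domain_part = user.partition("@")
    tokens = {"u": user, "d": domain_part or realm, "r": realm}

    def substitute(match: "re.Match") -> str:
        key = match.group(1)
        if key == "%":
            return "%"
        if key in tokens:
            return escape_filter_value(tokens[key])
        return match.group(0)  # unknown token: leave it untouched

    return re.sub(r"%(.)", substitute, template)


def prosody_login_filters(name: str, host: str) -> dict:
    """Filters saslauthd would search with for a Prosody login of name@host.

    Prosody passes the bare user name as %u and the XMPP host as the realm,
    which is why the two templates from the report behave differently.
    """
    return {
        "mail=%u": expand_filter("mail=%u", name, host),
        "mail=%u@%d": expand_filter("mail=%u@%d", name, host),
    }


if __name__ == "__main__":
    for template, result in prosody_login_filters("name", "example.com").items():
        print(f"{template:12} -> {result}")
```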