Feature #841

Updated by Daniel Curtis over 7 years ago

This is a guide on how to set up LDAP authentication for Prosody users. The LDAP server used here is OpenLDAP on FreeBSD -9- 10, but the Prosody side should work with any LDAP server. 

 h2. Prepare the Environment 

 * Install a couple of dependencies: 
 <pre> 
 pkg install lua52-lualdap mercurial portmaster 
 </pre> 

 * Update the ports tree: 
 <pre> 
 portsnap fetch extract 
 </pre> 

 * Set make.conf to use Lua 5.1 as the default version while building ports: 
 <pre> 
 echo "DEFAULT_VERSIONS+= lua=5.1" >> /etc/make.conf 
 </pre> 

 * Install lualdap: 
 <pre> 
 portmaster net/lualdap 
 </pre> 

 h3. Install Prosody Modules 

 * Clone the prosody-module repo using mercurial: 
 <pre> 
 cd /usr/local/etc/prosody 
 hg clone https://hg.prosody.im/prosody-modules/ prosody-modules 
 </pre> 

 * Edit the prosody config: 
 <pre> 
 vi /usr/local/etc/prosody/prosody.cfg.lua 
 </pre> 
 #* And add the prosody-modules path to the plugin_paths definition: 
 <pre> 
 plugin_paths = { "/usr/local/lib/prosody/modules", "/usr/local/etc/prosody/prosody-modules" } 
 </pre> 

 * Restart prosody: 
 <pre> 
 service prosody restart 
 </pre> 

 h2. Populate the LDAP Server 

 * Create the People Organizational Unit ldif file: 
 <pre> 
 vi ~/people-ou.ldif 
 </pre> 
 #* And add the following: 
 <pre> 
 dn: ou=People,dc=example,dc=com 
 objectclass: organizationalUnit 
 ou: People 
 </pre> 

 * Import the People OU file into the server: 
 <pre> 
 ldapadd -D "cn=Manager,dc=example,dc=com" -W -f ~/people-ou.ldif 
 </pre> 

 * Create the bob user ldif file: 
 <pre> 
 vi ~/bob.ldif 
 </pre> 
 #* And add the following: 
 <pre> 
 dn: cn=Bob Guy,ou=People,dc=example,dc=com 
 cn: Bob Guy 
 givenname: Bob 
 initials: BG 
 mail: bob@example.com 
 objectclass: inetOrgPerson 
 objectclass: organizationalPerson 
 objectclass: person 
 sn: Guy 
 uid: bob 
 userpassword: {MD5}X03MO1qnZdYdgyfeuILPmQ== 
 </pre> 
 #* *NOTE*: The password for bob is *password*. 

 h2. Setup LDAP Authentication 

 * Edit the LDAP client config: 
 <pre> 
 vi /usr/local/etc/openldap/ldap.conf 
 </pre> 
 #* And adjust the following values: 
 <pre> 
 BASE     dc=example,dc=com 
 URI      ldap://ldap.example.com 
 </pre> 

 * Edit the prosody config: 
 <pre> 
 vi /usr/local/etc/prosody/prosody.cfg.lua 
 </pre> 
 #* And add the following values to the VirtualHost block: 
 <pre> 
 VirtualHost "example.com" 
	 enabled = true 

	 authentication = "ldap" 
	 ldap_base = "ou=People,dc=example,dc=com" 
	 ldap_server = "ldap.example.com" 
	 ldap_rootdn = "cn=Manager,dc=example,dc=com" 
	 ldap_password = "SuperSecretPassword" 
	 -- mod_auth_ldap expands $user (and $host) in the filter template 
	 ldap_filter = "(mail=$user@example.com)" 

	 ssl = { 
		 key = "/usr/local/etc/ssl/prosody.example.com.key"; 
		 certificate = "/usr/local/etc/ssl/prosody.example.com.crt"; 
	 } 
 </pre> 
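An added Python check, not part of this guide or of mod_auth_ldap itself, showing what search filter the directory receives when a login name is substituted into the ldap_filter template above, and why the substituted value must be escaped. It assumes mod_auth_ldap's $user placeholder and re-implements the escaping step in Python; the BOB entry is a constructed in-memory copy of bob.ldif so it runs without an LDAP server.

```python
import re

# Entry from bob.ldif in this guide, copied here as a constructed in-memory
# directory so the example runs without an LDAP server.
BOB = {"uid": "bob", "cn": "Bob Guy", "mail": "bob@example.com"}

# Filter template as in the VirtualHost block above, using the $user
# placeholder that mod_auth_ldap expands (assumption: the module also
# escapes the login name before substitution; this re-implements that).
FILTER_TEMPLATE = "(mail=$user@example.com)"


def ldap_filter_escape(s: str) -> str:
    """Escape RFC 4515 filter metacharacters as \\xx hex sequences."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), s)


def build_filter(template: str, user: str, host: str) -> str:
    """Expand $user (escaped) and $host in the template."""
    subs = {"user": ldap_filter_escape(user), "host": host}
    return re.sub(r"\$(\w+)", lambda m: subs.get(m.group(1), m.group(0)), template)


def value_pattern(value: str) -> str:
    """Regex for a filter assertion value: a raw '*' is a wildcard,
    a '\\xx' escape is the literal character, anything else is literal."""
    out = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+", value):
        if tok == "*":
            out.append(".*")
        elif tok.startswith("\\"):
            out.append(re.escape(chr(int(tok[1:], 16))))
        else:
            out.append(re.escape(tok))
    return "".join(out)


def matches(filter_str: str, entry: dict) -> bool:
    """Evaluate one (attr=value) filter against an entry as a directory would."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError("only a single (attr=value) filter is supported")
    attr, value = m.group(1), m.group(2)
    return re.fullmatch(value_pattern(value), entry.get(attr, ""), re.I) is not None


if __name__ == "__main__":
    # "bob" matches his own entry; a name made of metacharacters is escaped
    # to a literal and matches nothing, instead of acting as a wildcard.
    for user in ("bob", "*"):
        f = build_filter(FILTER_TEMPLATE, user, "example.com")
        print(user, f, matches(f, BOB))
```

Compare with a plain string replacement of $user (no escaping): a login name of "*" would then expand to (mail=*@example.com) and match every mailbox in the OU, which is the case the escaping step exists to prevent.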

 h2. Resources 

 * https://modules.prosody.im/mod_auth_ldap.html 
 * https://blogs.mafia-server.net/nur-bahnhof/2013/12/prosody-authentification-ldapactivedirectory/
