
Bug#670549: ITP: lua-ldap -- LDAP library for the Lua language
affects 671015 + prosody
thanks

Hi Enrico!

On Thu, 26 Apr 2012 20:07:26 +0200, Enrico Tassi wrote:
> On Thu, Apr 26, 2012 at 06:26:01PM +0200, Luca Capello wrote:
>> * Package name    : lua-ldap
>
> On another topic, thanks to lua-cyrussasl I think prosody is already
> able to use LDAP: http://prosody.im/doc/cyrus_sasl
>
> But I guess the module you mentioned is simpler/better.

I see two "problems" in this case:

1) it seems that Prosody only supports authentication against Cyrus
   SASL.  If you have Dovecot, however, you can use its SASL
   implementation for external services, for example for Postfix (as I
   do on the server where I want to install Prosody):

     <http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL>

2) at a first glance it seems that the Cyrus SASL LDAP filtering, while
   complete, is quite difficult to set up and does not resemble any
   ldapsearch's filter.

I anyway tried to configure Prosody LDAP authentication via SASL (tested
with empathy_3.2.2-1+b3, gajim_0.15-1 and pidgin_2.10.2-1 on an
up-to-date squeeze), following the instructions at the following links
(I Cc:ed the author of the last one):

  <http://prosody.im/doc/cyrus_sasl>
  <http://blog.marc-seeger.de/2009/12/30/setting-up-prosody-to-authenticate-against-ldap/>
  <https://wiki.koumbit.net/ProsodyConfiguration>

--8<---------------cut here---------------start------------->8---
root@debian:~# apt-get install prosody
[at least!]
root@debian:~# apt-get install sasl2-bin
[the Cyrus SASL authentication daemon]
root@debian:~# cat /etc/default/saslauthd
START=yes
MECHANISMS="ldap"
root@debian:~# cat /etc/saslauthd.conf
# see also #671015 for the available options
ldap_servers: ldap://ldap.example.com
ldap_search_base: ou=people,dc=example,dc=com
ldap_scope: one
ldap_auth_method: bind
ldap_bind_dn: cn=admin,dc=example,dc=com
ldap_bind_pw: PASSWORD
# uid=NAME.SURNAME, while mail=NAME@example.com
ldap_filter: mail=%u
root@debian:~# testsaslauthd -u MAIL -p PASSWORD
0: OK "Success."

root@debian:~# apt-get install libsasl2-modules-ldap
[let local servers use Cyrus SASL LDAP authentication]

root@debian:~# apt-get install liblua5.1-sec1
[Prosody SASL requires TLS]

root@debian:~# apt-get install liblua5.1-cyrussasl0
[let Prosody authenticate against Cyrus SASL]
root@debian:~# cat /etc/prosody/prosody.cfg.lua
sasl_backend = "cyrus"
cyrus_application_name = "prosody"
root@debian:~# cat /etc/sasl/prosody.conf
# see also #465569 for /etc/sasl2 (from sasl2-bin >= 2.1.24~rc1.dfsg1-1)
pwcheck_method: saslauthd
mech_list: plain
root@debian:~# adduser prosody sasl
[let Prosody access the Cyrus SASL socket]
Adding user `prosody' to group `sasl' ...
Adding user prosody to group sasl
Done.
root@debian:~# service prosody restart
Restarting Prosody XMPP Server: prosody.
--8<---------------cut here---------------end--------------->8---

At this point authentication will not work, because Prosody passes
'NAME' and not 'MAIL' (thus 'NAME@example.com'), so you need a better
LDAP "filter":

--8<---------------cut here---------------start------------->8---
root@debian:~# vi /etc/saslauthd.conf
ldap_filter: mail=%u@%d
root@debian:~# testsaslauthd -r DOMAIN -u MAIL -p PASSWORD
0: OK "Success."
root@debian:~# service prosody restart
Restarting Prosody XMPP Server: prosody.
root@debian:~# cat /var/log/auth.log
[errors, but authentication works]
Apr 28 20:12:20 jabber prosody[2527]: auxpropfunc error invalid parameter supplied
Apr 28 20:12:20 jabber prosody[2527]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
--8<---------------cut here---------------end--------------->8---

I also tested that with prosody_0.8 via the backport package at (soon to
be uploaded to squeeze-backports, see #631265):

  <http://people.debian.org/~gismo/tmp/prosody/>

There are no changes needed for Cyrus SASL, but only for Prosody:

--8<---------------cut here---------------start------------->8---
root@debian:~# cat /etc/prosody/prosody.cfg.lua
authentication = "cyrus"
-- <http://prosody.im/doc/cyrus_sasl>
-- The service name to pass to Cyrus SASL.
--cyrus_service_name = "xmpp"
-- The realm to pass to Cyrus SASL, the virtual host the user is signing into
-- if not specified.
--cyrus_service_realm = (auto)
-- If true then Prosody requires user accounts to exist in Prosody, even if
-- successfully authenticated via SASL
--cyrus_require_provisioning = false
-- The application name to pass to Cyrus SASL. Determines the Cyrus SASL
-- configuration file name.
--cyrus_application_name = "prosody"
--8<---------------cut here---------------end--------------->8---

Thx, bye,
Gismo / Luca
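As an added illustration (my own code, not Prosody's, saslauthd's or lua-ldap's): a small model of the ldap_filter substitution from the session above, run against a constructed two-entry directory. It shows why "mail=%u" finds nothing when Prosody hands over only the localpart while "mail=%u@%d" matches, and it RFC 4515-escapes the substituted values, which is this example's own precaution and not a claim about what saslauthd does internally.

```python
import re

# Constructed sample of what ou=people,dc=example,dc=com might hold;
# mirrors the post's remark that uid=NAME.SURNAME while mail=NAME@example.com.
DIRECTORY = [
    {"uid": "name.surname", "mail": "name@example.com"},
    {"uid": "other.person", "mail": "other@example.com"},
]

# RFC 4515 escapes for characters that would otherwise change a filter.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str, realm: str, escape: bool = True) -> str:
    """Substitute %u (user) and %d (realm) in an ldap_filter template.

    The placeholders are the ones used in the saslauthd.conf lines of the
    post; escaping the values first is this example's own precaution
    (an assumption about good practice, not a claim about saslauthd).
    """
    if escape:
        user, realm = escape_filter_value(user), escape_filter_value(realm)
    return template.replace("%u", user).replace("%d", realm)


def _value_to_regex(value: str) -> str:
    """Toy filter-value evaluator: an unescaped '*' is a wildcard, a '\\xx'
    escape stands for one literal character, everything else is literal."""
    parts = []
    for tok in re.split(r"(\\[0-9a-fA-F]{2}|\*)", value):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return "".join(parts)


def search(filt: str) -> list:
    """Evaluate one 'attr=value' equality/substring filter against DIRECTORY."""
    attr, _, value = filt.strip("()").partition("=")
    pattern = re.compile(_value_to_regex(value))
    return [e for e in DIRECTORY if pattern.fullmatch(e.get(attr, ""))]
```

Calling search(expand_filter("mail=%u", "name", "example.com")) returns nothing, which is the failure the post describes; with the "mail=%u@%d" template and realm "example.com" the first entry is found.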
