
Bug#670549: ITP: lua-ldap -- LDAP library for the Lua language



Hi there!

On Wed, 02 May 2012 21:18:57 +0200, Luca Capello wrote:
> On Thu, 26 Apr 2012 20:07:26 +0200, Enrico Tassi wrote:
>> On Thu, Apr 26, 2012 at 06:26:01PM +0200, Luca Capello wrote:
>>> * Package name    : lua-ldap
>>
>> On another topic, thanks to lua-cyrussasl I think prosody is already
>> able to use LDAP: http://prosody.im/doc/cyrus_sasl
>>
>> But I guess the module you mentioned is simpler/better.
[...]
> I anyway tried to configure Prosody LDAP authentication via SASL (tested
> with empathy_3.2.2-1+b3, gajim_0.15-1 and pidgin_2.10.2-1 on an
> up-to-date squeeze), following the instructions at the following links
> (I Cc:ed the author of the last one):
>
>   <http://prosody.im/doc/cyrus_sasl>
>   <http://blog.marc-seeger.de/2009/12/30/setting-up-prosody-to-authenticate-against-ldap/>
>   <https://wiki.koumbit.net/ProsodyConfiguration>

Here is the configuration for prosody_0.8 and mod_auth_ldap at:

  <http://code.google.com/p/prosody-modules/wiki/mod_auth_ldap>

--8<---------------cut here---------------start------------->8---
root@debian:~# apt-get install prosody
[at least!]
root@debian:~# apt-get install liblua5.1-sec1
[Prosody SASL requires TLS]
root@debian:~# cat /etc/prosody/prosody.cfg.lua
authentication = "ldap"
ldap_server = "ldap.example.com"
ldap_rootdn = "cn=admin,dc=example,dc=com"
ldap_bind_pw = "PASSWORD"
ldap_base = "ou=people,dc=example,dc=com"
root@debian:~# service prosody restart
Restarting Prosody XMPP Server: prosody.
--8<---------------cut here---------------end--------------->8---

Your JID will be 'LDAP_UID@example.com': ATM there is no way to
configure that with the mod_auth_ldap.lua version in prosody-modules.
However, as Stefan Hepp found out, ldap-search will silently fail
without ldap_scope, so I backported Stefan's "patch":

  <https://groups.google.com/group/prosody-dev/browse_thread/thread/282e876116ae4177/906121492495ad35>

The attached hg patch is enough for mod_auth_ldap.lua to authenticate
using LDAP_UID and no TLS: lua-ldap does work (even on squeeze), so I
uploaded it.  With this email I am also stopping providing feedback
about Prosody and LDAP, I will continue elsewhere :-)

Thx, bye,
Gismo / Luca

# HG changeset patch
# User Luca Capello <luca@pca.it>
# Date 1335992664 -7200
# Node ID 2d18d807eb8488b6c909a9ab8a48d1ab6505c4e9
# Parent  a826b61c8f3a555b28fba6147e47f72af4565017
mod_auth_ldap/mod_auth_ldap.lua: add ldap_scope

Without ldap_scope in provider.test_password(username, password), the
ldap-search silently fails.

This was taken from Stefan Hepp's improved mod_auth_ldap.lua.

diff -r a826b61c8f3a -r 2d18d807eb84 mod_auth_ldap/mod_auth_ldap.lua
--- a/mod_auth_ldap/mod_auth_ldap.lua	Mon Apr 30 17:25:09 2012 +0200
+++ b/mod_auth_ldap/mod_auth_ldap.lua	Wed May 02 23:04:24 2012 +0200
@@ -8,6 +8,7 @@
 local ldap_password = module:get_option("ldap_password") or "";
 local ldap_tls = module:get_option("ldap_tls");
 local ldap_base = assert(module:get_option("ldap_base"), "ldap_base is a required option for ldap");
+local ldap_scope = module:get_option("ldap_scope") or "onelevel";
 
 local lualdap = require "lualdap";
 local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls));
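Review bot: the new `ldap_scope` option on the added line is undocumented and its default silently changes which users can log in: "onelevel" only matches entries directly under `ldap_base`, so deployments with users in sub-OUs below `ou=people` will see authentication fail until they set `ldap_scope = "subtree"`. Please add a short comment next to the `get_option` call listing the accepted values ("base", "onelevel", "subtree") and mention the option and its default in the module documentation, alongside the other options read here (`ldap_password`, `ldap_tls`, `ldap_base`).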
@@ -26,6 +27,9 @@
 	return do_query({
 		base = ldap_base;
 		filter = "(&(uid="..ldap_filter_escape(username)..")(userPassword="..ldap_filter_escape(password)..")(accountStatus=active))";
+		-- <https://groups.google.com/group/prosody-dev/browse_thread/thread/282e876116ae4177/906121492495ad35>
+		-- we need to set scope here, else ldap-search may fail (silently!!)
+		scope = ldap_scope;
 	});
 end
 function provider.user_exists(username)
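Review bot: the scope is passed only to the query in `provider.test_password`, but the commit message describes a silent failure of ldap-search in general, and `provider.user_exists` directly below this hunk presumably issues its own `do_query`; unless every caller passes `scope = ldap_scope`, the same silent failure remains there. Consider applying the default inside `do_query` (for example `scope = params.scope or ldap_scope`) so that no query can omit it. The inline comment should also state the option name and its default rather than only linking the mailing-list thread, and a note in the module docs would help operators: the filter `(userPassword=...)` checks the password by searching with the `ldap_rootdn` credentials, which only works when that DN is allowed to read `userPassword` and the stored value is comparable to the cleartext, so a failed login caused by a hashed attribute or an ACL looks identical to a wrong password.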
