prosody: add LDAP authentication via SASL mechanism
This commit is contained in:
parent
0db4b7dce9
commit
2e3576f6ca
20
README.md
20
README.md
|
@ -130,8 +130,26 @@ Variable | Description | Example
|
|||
--- | --- | ---
|
||||
`ENABLE_AUTH` | Enable authentication | 1
|
||||
`ENABLE_GUESTS` | Enable guest access | 1
|
||||
`ENABLE_LDAP_AUTH` | Enable authentication via LDAP. Depends on `ENABLE_AUTH` | 1
|
||||
|
||||
Users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
|
||||
Variables that might be configured if the `ENABLE_LDAP_AUTH` is set:
|
||||
|
||||
Variable | Description | Example
|
||||
--- | --- | ---
|
||||
`LDAP_URL` | URL for ldap connection | ldaps://ldap.domain.com/
|
||||
`LDAP_BASE` | LDAP base DN. Can be empty. | DC=example,DC=domain,DC=com
|
||||
`LDAP_BINDDN` | LDAP user DN. Do not specify this parameter for the anonymous bind. | CN=binduser,OU=users,DC=example,DC=domain,DC=com
|
||||
`LDAP_BINDPW` | LDAP user password. Do not specify this parameter for the anonymous bind. | LdapUserPassw0rd
|
||||
`LDAP_FILTER` | LDAP filter. | (sAMAccountName=%u)
|
||||
`LDAP_AUTH_METHOD` | LDAP authentication method. | bind
|
||||
`LDAP_VERSION` | LDAP protocol version | 3
|
||||
`LDAP_USE_TLS` | Enable LDAP TLS | 1
|
||||
`LDAP_TLS_CIPHERS` | Set TLS ciphers list to allow | SECURE256:SECURE128
|
||||
`LDAP_TLS_CHECK_PEER` | Require and verify LDAP server certificate | 1
|
||||
`LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
|
||||
`LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs
|
||||
|
||||
Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
|
||||
In order to do that, first execute a shell in the corresponding container:
|
||||
|
||||
``docker-compose exec prosody /bin/bash``
|
||||
|
|
|
@ -39,6 +39,19 @@ services:
|
|||
environment:
|
||||
- ENABLE_AUTH
|
||||
- ENABLE_GUESTS
|
||||
- ENABLE_LDAP_AUTH
|
||||
- LDAP_URL
|
||||
- LDAP_BASE
|
||||
- LDAP_BINDDN
|
||||
- LDAP_BINDPW
|
||||
- LDAP_FILTER
|
||||
- LDAP_AUTH_METHOD
|
||||
- LDAP_VERSION
|
||||
- LDAP_USE_TLS
|
||||
- LDAP_TLS_CIPHERS
|
||||
- LDAP_TLS_CHECK_PEER
|
||||
- LDAP_TLS_CACERT_FILE
|
||||
- LDAP_TLS_CACERT_DIR
|
||||
- XMPP_DOMAIN
|
||||
- XMPP_AUTH_DOMAIN
|
||||
- XMPP_GUEST_DOMAIN
|
||||
|
|
48
env.example
48
env.example
|
@ -81,6 +81,54 @@ TZ=Europe/Amsterdam
|
|||
# Advanced configuration options (you generally don't need to change these)
|
||||
#
|
||||
|
||||
# Enable LDAP authentication in prosody via SASL mechanism.
|
||||
# Note: turn on ENABLE_AUTH for get it work.
|
||||
#ENABLE_LDAP_AUTH=1
|
||||
|
||||
###################### LDAP settings ############################
|
||||
# for detail information please see Cyrus SASL saslauthd.conf man page
|
||||
|
||||
# LDAP url for connection.
|
||||
#LDAP_URL=ldaps://ldap.domain.com/
|
||||
|
||||
# LDAP base DN. Can be empty
|
||||
#LDAP_BASE=DC=example,DC=domain,DC=com
|
||||
|
||||
# LDAP user DN. Do not specify this parameter for the anonymous bind.
|
||||
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
|
||||
|
||||
# LDAP user password. Do not specify this parameter for the anonymous bind.
|
||||
#LDAP_BINDPW=LdapUserPassw0rd
|
||||
|
||||
# LDAP filter. Tokens example:
|
||||
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
|
||||
# %s - %s is replaced by the complete service string.
|
||||
# %r - %r is replaced by the complete realm string.
|
||||
#LDAP_FILTER=(sAMAccountName=%u)
|
||||
|
||||
# LDAP authentication method
|
||||
#LDAP_AUTH_METHOD=bind
|
||||
|
||||
# LDAP version
|
||||
#LDAP_VERSION=3
|
||||
|
||||
# LDAP TLS using
|
||||
#LDAP_USE_TLS=1
|
||||
|
||||
# List of SSL/TLS ciphers to allow.
|
||||
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
|
||||
|
||||
# Require and verify server certificate
|
||||
#LDAP_TLS_CHECK_PEER=1
|
||||
|
||||
# Path to CA cert file. Used when server sertificate verify is enabled.
|
||||
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
# Path to CA certs directory. Used when server sertificate verify is enabled.
|
||||
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
|
||||
|
||||
#################################################################
|
||||
|
||||
# Internal XMPP domain.
|
||||
XMPP_DOMAIN=meet.jitsi
|
||||
|
||||
|
|
|
@ -7,18 +7,31 @@ ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6
|
|||
RUN sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua
|
||||
|
||||
RUN \
|
||||
apt-dpkg-wrap apt-get update && \
|
||||
apt-dpkg-wrap apt-get install -y lua5.2 liblua5.2-dev libssl1.0-dev lua-basexx luarocks gcc git && \
|
||||
apt-dpkg-wrap apt-get install -t stretch-backports -y prosody && \
|
||||
rm -rf /etc/prosody
|
||||
|
||||
RUN \
|
||||
luarocks install lua-cjson 2.1.0-1 && \
|
||||
luarocks install luajwtjitsi
|
||||
|
||||
RUN \
|
||||
apt-dpkg-wrap apt-get remove -y liblua5.2-dev libssl1.0-dev gcc git && \
|
||||
apt-cleanup
|
||||
apt-dpkg-wrap apt-get update \
|
||||
&& apt-dpkg-wrap apt-get install -t stretch-backports -y \
|
||||
prosody \
|
||||
liblua5.2-dev \
|
||||
sasl2-bin \
|
||||
libsasl2-modules-ldap \
|
||||
libsasl2-dev \
|
||||
libssl1.0-dev \
|
||||
lua-basexx \
|
||||
lua-ldap \
|
||||
luarocks \
|
||||
git \
|
||||
gcc \
|
||||
&& luarocks install cyrussasl 1.1.0-1 \
|
||||
&& luarocks install lua-cjson 2.1.0-1 \
|
||||
&& luarocks install luajwtjitsi 1.3-7 \
|
||||
&& apt-dpkg-wrap apt-get remove -t stretch-backports -y \
|
||||
git \
|
||||
gcc \
|
||||
luarocks \
|
||||
libsasl2-dev \
|
||||
libssl1.0-dev \
|
||||
liblua5.2-dev \
|
||||
&& apt-cleanup \
|
||||
&& rm -rf /etc/prosody
|
||||
|
||||
COPY rootfs/ /
|
||||
|
||||
|
|
|
@ -12,14 +12,18 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU
|
|||
|
||||
VirtualHost "{{ .Env.XMPP_DOMAIN }}"
|
||||
{{ if .Env.ENABLE_AUTH | default "0" | toBool }}
|
||||
{{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
|
||||
{{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
|
||||
authentication = "token"
|
||||
app_id = "{{ .Env.JWT_APP_ID }}"
|
||||
app_secret = "{{ .Env.JWT_APP_SECRET }}"
|
||||
allow_empty_token = false
|
||||
{{ else }}
|
||||
{{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
|
||||
authentication = "cyrus"
|
||||
cyrus_application_name = "xmpp"
|
||||
allow_unencrypted_plain_auth = true
|
||||
{{ else }}
|
||||
authentication = "internal_plain"
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ else }}
|
||||
authentication = "anonymous"
|
||||
{{ end }}
|
||||
|
@ -34,6 +38,9 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
|
|||
{{ if .Env.XMPP_MODULES }}
|
||||
"{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
|
||||
{{ end }}
|
||||
{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
|
||||
"auth_cyrus";
|
||||
{{end}}
|
||||
}
|
||||
|
||||
c2s_require_encryption = false
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
|
||||
ldap_servers: {{ .Env.LDAP_URL }}
|
||||
ldap_search_base: {{ .Env.LDAP_BASE }}
|
||||
ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
|
||||
ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
|
||||
ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
|
||||
ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
|
||||
ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
|
||||
{{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
|
||||
ldap_tls_key: /config/certs/{{ .Env.XMPP_DOMAIN }}.key
|
||||
ldap_tls_cert: /config/certs/{{ .Env.XMPP_DOMAIN }}.crt
|
||||
{{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
|
||||
ldap_tls_check_peer: yes
|
||||
ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
|
||||
ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
|
||||
{{ end }}
|
||||
{{ if .Env.LDAP_TLS_CIPHERS }}
|
||||
ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
|
@ -1,5 +1,16 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
|
||||
if [[ ! -f /config/saslauthd.conf ]]; then
|
||||
cp /defaults/saslauthd.conf /config/
|
||||
fi
|
||||
|
||||
if [[ ! -f /etc/saslauthd.conf ]]; then
|
||||
tpl /config/saslauthd.conf > /etc/saslauthd.conf
|
||||
mkdir -pm777 /var/run/saslauthd
|
||||
adduser prosody sasl
|
||||
echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"
|
||||
fi
|
||||
|
||||
PROSODY_CFG="/config/prosody.cfg.lua"
|
||||
|
||||
if [[ ! -d /config/data ]]; then
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
pwcheck_method: saslauthd
|
||||
mech_list: PLAIN
|
|
@ -0,0 +1,2 @@
|
|||
#!/usr/bin/with-contenv bash
|
||||
exec s6-setuidgid root saslauthd -a ldap -O /etc/saslauthd.conf -c -m /var/run/saslauthd -n 5 -d
|
Loading…
Reference in New Issue