datenspuren/jitsi-deployment
datenspuren
/
jitsi-deployment
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

prosody: add LDAP authentication via SASL mechanism

This commit is contained in:
netaskd 2019-03-13 20:10:40 +03:00 committed by Saúl Ibarra Corretgé
parent 0db4b7dce9
commit 2e3576f6ca
9 changed files with 151 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -130,8 +130,26 @@ Variable | Description | Example
--- | --- | ---
`ENABLE_AUTH` | Enable authentication | 1
`ENABLE_GUESTS` | Enable guest access | 1
`ENABLE_LDAP_AUTH` | Enable authentication via LDAP. Depends on `ENABLE_AUTH` | 1
Users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
Variables that might be configured if the `ENABLE_LDAP_AUTH` is set:
Variable | Description | Example
--- | --- | ---
`LDAP_URL` | URL for ldap connection | ldaps://ldap.domain.com/
`LDAP_BASE` | LDAP base DN. Can be empty. | DC=example,DC=domain,DC=com
`LDAP_BINDDN` | LDAP user DN. Do not specify this parameter for the anonymous bind. | CN=binduser,OU=users,DC=example,DC=domain,DC=com
`LDAP_BINDPW` | LDAP user password. Do not specify this parameter for the anonymous bind. | LdapUserPassw0rd
`LDAP_FILTER` | LDAP filter. | (sAMAccountName=%u)
`LDAP_AUTH_METHOD` | LDAP authentication method. | bind
`LDAP_VERSION` | LDAP protocol version | 3
`LDAP_USE_TLS` | Enable LDAP TLS | 1
`LDAP_TLS_CIPHERS` | Set TLS ciphers list to allow | SECURE256:SECURE128
`LDAP_TLS_CHECK_PEER` | Require and verify LDAP server certificate | 1
`LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
`LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs
Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
In order to do that, first execute a shell in the corresponding container:
``docker-compose exec prosody /bin/bash``

13
docker-compose.yml
View File

@ -39,6 +39,19 @@ services:
environment:
- ENABLE_AUTH
- ENABLE_GUESTS
- ENABLE_LDAP_AUTH
- LDAP_URL
- LDAP_BASE
- LDAP_BINDDN
- LDAP_BINDPW
- LDAP_FILTER
- LDAP_AUTH_METHOD
- LDAP_VERSION
- LDAP_USE_TLS
- LDAP_TLS_CIPHERS
- LDAP_TLS_CHECK_PEER
- LDAP_TLS_CACERT_FILE
- LDAP_TLS_CACERT_DIR
- XMPP_DOMAIN
- XMPP_AUTH_DOMAIN
- XMPP_GUEST_DOMAIN

48
env.example
View File

@ -81,6 +81,54 @@ TZ=Europe/Amsterdam
# Advanced configuration options (you generally don't need to change these)
#
# Enable LDAP authentication in prosody via SASL mechanism.
# Note: turn on ENABLE_AUTH for get it work.
#ENABLE_LDAP_AUTH=1
###################### LDAP settings ############################
# for detail information please see Cyrus SASL saslauthd.conf man page
# LDAP url for connection.
#LDAP_URL=ldaps://ldap.domain.com/
# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# LDAP user DN. Do not specify this parameter for the anonymous bind.
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# LDAP user password. Do not specify this parameter for the anonymous bind.
#LDAP_BINDPW=LdapUserPassw0rd
# LDAP filter. Tokens example:
# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
# %s - %s is replaced by the complete service string.
# %r - %r is replaced by the complete realm string.
#LDAP_FILTER=(sAMAccountName=%u)
# LDAP authentication method
#LDAP_AUTH_METHOD=bind
# LDAP version
#LDAP_VERSION=3
# LDAP TLS using
#LDAP_USE_TLS=1
# List of SSL/TLS ciphers to allow.
#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
# Require and verify server certificate
#LDAP_TLS_CHECK_PEER=1
# Path to CA cert file. Used when server sertificate verify is enabled.
#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
# Path to CA certs directory. Used when server sertificate verify is enabled.
#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
#################################################################
# Internal XMPP domain.
XMPP_DOMAIN=meet.jitsi

37
prosody/Dockerfile
View File

@ -7,18 +7,31 @@ ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6
RUN sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua
RUN \
apt-dpkg-wrap apt-get update && \
apt-dpkg-wrap apt-get install -y lua5.2 liblua5.2-dev libssl1.0-dev lua-basexx luarocks gcc git && \
apt-dpkg-wrap apt-get install -t stretch-backports -y prosody && \
rm -rf /etc/prosody
RUN \
luarocks install lua-cjson 2.1.0-1 && \
luarocks install luajwtjitsi
RUN \
apt-dpkg-wrap apt-get remove -y liblua5.2-dev libssl1.0-dev gcc git && \
apt-cleanup
apt-dpkg-wrap apt-get update \
&& apt-dpkg-wrap apt-get install -t stretch-backports -y \
prosody \
liblua5.2-dev \
sasl2-bin \
libsasl2-modules-ldap \
libsasl2-dev \
libssl1.0-dev \
lua-basexx \
lua-ldap \
luarocks \
git \
gcc \
&& luarocks install cyrussasl 1.1.0-1 \
&& luarocks install lua-cjson 2.1.0-1 \
&& luarocks install luajwtjitsi 1.3-7 \
&& apt-dpkg-wrap apt-get remove -t stretch-backports -y \
git \
gcc \
luarocks \
libsasl2-dev \
libssl1.0-dev \
liblua5.2-dev \
&& apt-cleanup \
&& rm -rf /etc/prosody
COPY rootfs/ /

13
prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
View File

@ -12,14 +12,18 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU
VirtualHost "{{ .Env.XMPP_DOMAIN }}"
{{ if .Env.ENABLE_AUTH | default "0" | toBool }}
{{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
{{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
authentication = "token"
app_id = "{{ .Env.JWT_APP_ID }}"
app_secret = "{{ .Env.JWT_APP_SECRET }}"
allow_empty_token = false
{{ else }}
{{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
authentication = "cyrus"
cyrus_application_name = "xmpp"
allow_unencrypted_plain_auth = true
{{ else }}
authentication = "internal_plain"
{{ end }}
{{ end }}
{{ else }}
authentication = "anonymous"
{{ end }}
@ -34,6 +38,9 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
{{ if .Env.XMPP_MODULES }}
"{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
{{ end }}
{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
"auth_cyrus";
{{end}}
}
c2s_require_encryption = false

21
prosody/rootfs/defaults/saslauthd.conf Normal file
View File

@ -0,0 +1,21 @@
{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
ldap_servers: {{ .Env.LDAP_URL }}
ldap_search_base: {{ .Env.LDAP_BASE }}
ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
{{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
ldap_tls_key: /config/certs/{{ .Env.XMPP_DOMAIN }}.key
ldap_tls_cert: /config/certs/{{ .Env.XMPP_DOMAIN }}.crt
{{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
ldap_tls_check_peer: yes
ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
{{ end }}
{{ if .Env.LDAP_TLS_CIPHERS }}
ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
{{ end }}
{{ end }}
{{ end }}

11
prosody/rootfs/etc/cont-init.d/10-config
View File

@ -1,5 +1,16 @@
#!/usr/bin/with-contenv bash
if [[ ! -f /config/saslauthd.conf ]]; then
cp /defaults/saslauthd.conf /config/
fi
if [[ ! -f /etc/saslauthd.conf ]]; then
tpl /config/saslauthd.conf > /etc/saslauthd.conf
mkdir -pm777 /var/run/saslauthd
adduser prosody sasl
echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"
fi
PROSODY_CFG="/config/prosody.cfg.lua"
if [[ ! -d /config/data ]]; then

2
prosody/rootfs/etc/sasl/xmpp.conf Normal file
View File

@ -0,0 +1,2 @@
pwcheck_method: saslauthd
mech_list: PLAIN

2
prosody/rootfs/etc/services.d/10-saslauthd/run Normal file
View File

@ -0,0 +1,2 @@
#!/usr/bin/with-contenv bash
exec s6-setuidgid root saslauthd -a ldap -O /etc/saslauthd.conf -c -m /var/run/saslauthd -n 5 -d