Prosody jabber and ldap
I've often been searching for a nice, simple Jabber server. Today I was strolling around the internet a bit and stumbled upon Prosody. Looking through the docs I noticed I should be able to get it to authenticate against an LDAP server. So let's give it a shot!
I've tested on Debian Squeeze using the version supplied in the standard repositories, version 0.7. I noticed the newer versions have a different configuration for LDAP authentication.
Installing Prosody
First install Prosody and SASL on a clean system:
apt-get install prosody liblua5.1-cyrussasl0 libsasl2-modules-ldap libsasl2-2 libsasl2-modules sasl2-bin
Get SASL to operate properly. By default it authenticates against PAM.
Change this entry in /etc/default/saslauthd:
START=yes
Test authentication against a user on your system:
testsaslauthd -u someuser -p somepass
0: OK "Success."
Now let's see if we can get SASL to talk to an LDAP server. Of course you don't do this if you only need PAM authentication.
Change this entry in /etc/default/saslauthd:
MECHANISMS="ldap"
Create /etc/saslauthd.conf:
ldap_servers: ldap://ldap.example.com:389/
ldap_search_base: ou=people,dc=example,dc=com
Read the LDAP_SASLAUTHD document that ships with saslauthd (google it) for more information on the configuration parameters.
Restart SASL and run the test again, this time for a user in your LDAP tree:
/etc/init.d/saslauthd restart
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
testsaslauthd -u someldapuser -p hispassword
0: OK "Success."
Right, that seems to go well. Let's have a look at Prosody. By default it enables a 'localhost' host. Open /etc/prosody/conf.d/localhost.cfg.lua and edit it as follows to enable LDAP login on localhost. (Leave localhost as is if you are testing on a local system. In my case I have set up a domain with the SRV records needed for Jabber, but that's a different story.)
/etc/prosody/conf.d/localhost.cfg.lua:
-- Section for localhost
-- This allows clients to connect to localhost. No harm in it.
VirtualHost "localhost"
    sasl_backend = "cyrus" -- 0.7
    anonymous_login = false
    allow_unencrypted_plain_auth = false
    cyrus_application_name = "xmpp"
    c2s_require_encryption = true
Prosody runs as the prosody user by default. This user needs access to the SASL directory and socket, which is accomplished by adding the user to the sasl group:
usermod -a -G sasl prosody
Restart Prosody and test whether your Jabber client can log in. I'm using Telepathy on Ubuntu and it seems to work. Finally a simple Jabber setup with an LDAP backend :)
Oh, and of course we need to add valid certificates to the setup!
I've had some trouble getting SASL to work. In order to fix it I added the file /etc/sasl/xmpp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN
Real domain setup
Create the file /etc/prosody/conf.avail/yourdomain.com.cfg.lua and enter the following:
VirtualHost "yourdomain.com"
    enabled = true -- Prosody's shipped example has false here; true enables this host
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/yourdomain.com.key";
        certificate = "/etc/prosody/certs/yourdomain.com.crt";
    }
    sasl_backend = "cyrus" -- 0.7
    anonymous_login = false
    allow_unencrypted_plain_auth = false
    cyrus_application_name = "xmpp"
    c2s_require_encryption = true
Create a symbolic link to the config file so Prosody picks it up:
cd /etc/prosody/conf.d
ln -s ../conf.avail/yourdomain.com.cfg.lua yourdomain.com.cfg.lua
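As an added example (not part of the original post), the following script checks the settings the setup above depends on before you restart Prosody: the saslauthd defaults, the hardening lines in a VirtualHost config, and whether the saslauthd-to-LDAP connection is protected. The file paths are the ones used in the post; the sample config files it writes are constructed so it runs offline, and the ldap_start_tls check assumes you want to protect the bind password that saslauthd sends to the LDAP server.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the
# saslauthd + LDAP + Prosody settings the post relies on. Paths are the post's;
# the sample config files written below are constructed so the script runs offline.

# Value of a Lua "key = value" line, minus any trailing "-- comment" and quotes.
lua_setting() {  # $1 = cfg.lua, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*--.*$//; s/^"//; s/";*$//' | head -n 1
}

# Value of a saslauthd.conf "key: value" line.
sasl_setting() {  # $1 = saslauthd.conf, $2 = key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# 0 when a VirtualHost forces TLS, refuses PLAIN over clear text and uses Cyrus SASL.
check_host_cfg() {  # $1 = cfg.lua
    [ "$(lua_setting "$1" c2s_require_encryption)" = true ] || { echo "$1: c2s_require_encryption must be true"; return 1; }
    [ "$(lua_setting "$1" allow_unencrypted_plain_auth)" = false ] || { echo "$1: allow_unencrypted_plain_auth must be false"; return 1; }
    [ "$(lua_setting "$1" sasl_backend)" = cyrus ] || { echo "$1: sasl_backend must be \"cyrus\""; return 1; }
}

# 0 when the saslauthd -> LDAP bind is protected: ldaps://, or ldap:// plus
# "ldap_start_tls: yes". Otherwise every user's password crosses the wire in clear.
check_ldap_transport() {  # $1 = saslauthd.conf
    case "$(sasl_setting "$1" ldap_servers)" in
        ldaps://*) return 0 ;;
        ldap://*)  [ "$(sasl_setting "$1" ldap_start_tls)" = yes ] && return 0
                   echo "$1: ldap:// without ldap_start_tls: yes"; return 1 ;;
        *)         echo "$1: no ldap_servers entry"; return 1 ;;
    esac
}

# 0 when /etc/default/saslauthd starts the daemon with the ldap mechanism.
check_saslauthd_defaults() {  # $1 = /etc/default/saslauthd
    grep -qx 'START=yes' "$1" && grep -qx 'MECHANISMS="ldap"' "$1"
}

# Constructed samples mirroring the post's /etc/prosody/conf.d/localhost.cfg.lua,
# /etc/saslauthd.conf and /etc/default/saslauthd, plus a StartTLS variant.
tmp=$(mktemp -d)
printf 'VirtualHost "localhost"\n    sasl_backend = "cyrus" -- 0.7\n    allow_unencrypted_plain_auth = false\n    c2s_require_encryption = true\n' >"$tmp/localhost.cfg.lua"
printf 'ldap_servers: ldap://ldap.example.com:389/\nldap_search_base: ou=people,dc=example,dc=com\n' >"$tmp/saslauthd.conf"
printf 'ldap_servers: ldap://ldap.example.com:389/\nldap_start_tls: yes\n' >"$tmp/saslauthd-tls.conf"
printf 'START=yes\nMECHANISMS="ldap"\n' >"$tmp/default-saslauthd"
check_host_cfg "$tmp/localhost.cfg.lua" && echo "localhost.cfg.lua: ok"
check_saslauthd_defaults "$tmp/default-saslauthd" && echo "default/saslauthd: ok"
check_ldap_transport "$tmp/saslauthd.conf" || echo "(the post's saslauthd.conf is flagged)"
check_ldap_transport "$tmp/saslauthd-tls.conf" && echo "saslauthd-tls.conf: ok"
```

Point the functions at the real files (/etc/prosody/conf.d/localhost.cfg.lua, /etc/saslauthd.conf, /etc/default/saslauthd) to check a live box; a non-zero exit names the offending setting.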