From 491bed37a836502fdab31991b43cb0503161304d Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Sun, 25 Sep 2022 13:34:09 +0100
Subject: [PATCH] prosody: Move from IMAP to LDAP for authentication

Users in the `prosody_user` and `prosody_admin` groups will be granted access to Prosody (as regular users and administrators, respectively), making this a more flexible solution compared to IMAP.
---
 service/prosody/Containerfile | 2 +-
 service/prosody/container/config/prosody.cfg.lua | 14 +++++++-------
 .../prosody/container/config/virtualhost.cfg.lua | 3 +--
 service/prosody/prosody.env.template | 5 +++--
 service/prosody/systemd/prosody.service | 4 ++--
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/service/prosody/Containerfile b/service/prosody/Containerfile
index 40f076e..ab17558 100644
--- a/service/prosody/Containerfile
+++ b/service/prosody/Containerfile
@@ -13,7 +13,7 @@ RUN echo "deb https://packages.prosody.im/debian bullseye main" > /etc/apt/sourc
 echo "deb-src https://packages.prosody.im/debian bullseye main" >> /etc/apt/sources.list.d/prosody.list && \
 curl -o - https://prosody.im/files/prosody-debian-packages.key | apt-key add - && \
 apt-get update -y && apt-get install -y --no-install-recommends \
- lua5.2 lua-dbi-sqlite3 lua-zlib lua-sec lua-luaossl lua-bitop lua-unbound prosody=${VERSION}*
+ lua5.2 lua-dbi-sqlite3 lua-zlib lua-sec lua-luaossl lua-bitop lua-unbound lua-ldap prosody=${VERSION}*
 
 RUN mkdir -p /usr/lib/prosody/community-modules && \
 hg clone --rev ${MODULES_VERSION} https://hg.prosody.im/prosody-modules /usr/lib/prosody/community-modules
diff --git a/service/prosody/container/config/prosody.cfg.lua b/service/prosody/container/config/prosody.cfg.lua
index d46ec50..e8a990b 100644
--- a/service/prosody/container/config/prosody.cfg.lua
+++ b/service/prosody/container/config/prosody.cfg.lua
@@ -156,13 +156,13 @@ conversejs_options = {
 view_mode = "fullscreen";
 }
 
--- Configuration for IMAP authentication.
-imap_auth_host = os.getenv("PROSODY_IMAP_AUTH_HOST") or "localhost"
-imap_auth_port = os.getenv("PROSODY_IMAP_AUTH_PORT") or 993
-auth_imap_ssl = {
- mode = "client",
- protocol = "tlsv1_2"
-}
+-- Configuration for LDAP authentication.
+ldap_server = os.getenv("PROSODY_AUTH_LDAP_HOST") or "localhost"
+ldap_base = "ou=people,dc=ldap,dc=local"
+ldap_rootdn = "uid=" .. (os.getenv("PROSODY_AUTH_LDAP_BIND_UID") or "admin") .. ",ou=people,dc=ldap,dc=local"
+ldap_password = os.getenv("PROSODY_AUTH_LDAP_BIND_PASSWORD") or ""
+ldap_filter = "(&(memberof=cn=prosody_user,ou=groups,dc=ldap,dc=local)(|(uid=$user)(mail=$user@$host)))"
+ldap_admin_filter = "(memberof=cn=prosody_admin,ou=groups,dc=ldap,dc=local)"
 
 -- Configuration for TURN/STUN.
 turn_external_host = os.getenv("PROSODY_TURN_HOST") or "localhost"
diff --git a/service/prosody/container/config/virtualhost.cfg.lua b/service/prosody/container/config/virtualhost.cfg.lua
index 8c09cba..95bb6bd 100644
--- a/service/prosody/container/config/virtualhost.cfg.lua
+++ b/service/prosody/container/config/virtualhost.cfg.lua
@@ -11,8 +11,7 @@ local host_external = os.getenv("PROSODY_HOST_EXTERNAL") or "external.localhost"
 VirtualHost(host_base)
 http_host = host_external
 http_external_url = "https://" .. host_external .. "/"
- authentication = "imap"
- auth_append_host = true
+ authentication = "ldap"
 http_paths = {
 conversejs = "/web"
 }
diff --git a/service/prosody/prosody.env.template b/service/prosody/prosody.env.template
index 709b81a..760197f 100644
--- a/service/prosody/prosody.env.template
+++ b/service/prosody/prosody.env.template
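Review bot: The new `ldap_password` line falls back to an empty string when PROSODY_AUTH_LDAP_BIND_PASSWORD is unset, which turns the rootdn bind into an unauthenticated bind (RFC 4513 §5.1.2) that a directory may silently accept as anonymous, so a missing secret degrades into confusing lookup failures rather than a clear startup error; prefer `ldap_password = assert(os.getenv("PROSODY_AUTH_LDAP_BIND_PASSWORD"), "PROSODY_AUTH_LDAP_BIND_PASSWORD must be set")`. The IMAP block being removed pinned TLS 1.2 for the auth backend, whereas the replacement configures no transport security at all, so the bind password and every user password verified through this path presumably travel in the clear to `ldap_server`; if the auth module in use supports it, add `ldap_tls = true` (or point `ldap_server` at an LDAPS endpoint), and otherwise record in the comment why plaintext is acceptable here. The `dc=ldap,dc=local` suffix is repeated in four literals while the host is taken from the environment; hoisting it into a single `local ldap_suffix = "dc=ldap,dc=local"` would keep the base, rootdn and both group DNs from drifting apart. Whether `$user` is escaped before substitution into `ldap_filter` depends on the module, so it is worth confirming that a username containing `)` or `*` cannot alter the filter.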
@@ -3,8 +3,9 @@ PROSODY_HOST=${PROSODY_HOST}
 PROSODY_HOST_EXTERNAL=${PROSODY_HOST_EXTERNAL}
 
 # Authentication options.
-PROSODY_IMAP_AUTH_HOST=dovecot
-PROSODY_IMAP_AUTH_PORT=993
+PROSODY_AUTH_LDAP_HOST=lldap:3890
+PROSODY_AUTH_LDAP_BIND_UID=${LLDAP_ADMIN_USERNAME}
+PROSODY_AUTH_LDAP_BIND_PASSWORD=${LLDAP_ADMIN_PASSWORD}
 
 # TURN server options.
 PROSODY_TURN_HOST=${COTURN_REALM}
diff --git a/service/prosody/systemd/prosody.service b/service/prosody/systemd/prosody.service
index bf0229c..5774ec4 100644
--- a/service/prosody/systemd/prosody.service
+++ b/service/prosody/systemd/prosody.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Prosody XMPP server
-Wants=container-build@%N.service container-volume@%N.service dovecot.service grafana-dashboard@prosody.service
-After=container-build@%N.service container-volume@%N.service dovecot.service grafana-dashboard@prosody.service
+Wants=container-build@%N.service container-volume@%N.service lldap.service grafana-dashboard@prosody.service
+After=container-build@%N.service container-volume@%N.service lldap.service grafana-dashboard@prosody.service
 
 [Service]
 Type=notify
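Review bot: The new `PROSODY_AUTH_LDAP_BIND_UID`/`PROSODY_AUTH_LDAP_BIND_PASSWORD` lines hand the directory administrator's credentials (`LLDAP_ADMIN_USERNAME`/`LLDAP_ADMIN_PASSWORD`) to the Prosody container, which only needs to search `ou=people` and read group membership; a compromise of Prosody, or of this env file, then yields full write access to every account in the directory. Provision a dedicated read-only bind account for Prosody and reference its own secrets here instead, e.g. `PROSODY_AUTH_LDAP_BIND_UID=${PROSODY_LDAP_BIND_USERNAME}` and `PROSODY_AUTH_LDAP_BIND_PASSWORD=${PROSODY_LDAP_BIND_PASSWORD}`. `lldap:3890` appears to be LLDAP's plaintext LDAP port, so unless the container network is trusted end-to-end this should target the LDAPS listener, which the Dovecot configuration it replaces did via port 993. A comment such as `# LDAP bind account: needs search on ou=people and read of memberof only` above the block would tell the next operator what privileges to grant.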