prosody: Move from IMAP to LDAP for authentication

Users in the `prosody_user` and `prosody_admin` groups will be granted access to Prosody (as regular users and administrators, respectively), making this a more flexible solution compared to IMAP.
2024-09-21 13:40:45 +00:00 · 2022-09-25 13:34:09 +01:00 · 2022-09-25 13:34:09 +01:00 · 491bed37a8
commit 491bed37a8
parent 4740570100
5 changed files with 14 additions and 14 deletions
--- a/service/prosody/Containerfile
+++ b/service/prosody/Containerfile
@ -13,7 +13,7 @@ RUN echo "deb https://packages.prosody.im/debian bullseye main" > /etc/apt/sourc
    echo "deb-src https://packages.prosody.im/debian bullseye main" >> /etc/apt/sources.list.d/prosody.list && \
    curl -o - https://prosody.im/files/prosody-debian-packages.key | apt-key add - && \
    apt-get update -y && apt-get install -y --no-install-recommends \
-    lua5.2 lua-dbi-sqlite3 lua-zlib lua-sec lua-luaossl lua-bitop lua-unbound prosody=${VERSION}*
+    lua5.2 lua-dbi-sqlite3 lua-zlib lua-sec lua-luaossl lua-bitop lua-unbound lua-ldap prosody=${VERSION}*
 RUN mkdir -p /usr/lib/prosody/community-modules && \
    hg clone --rev ${MODULES_VERSION} https://hg.prosody.im/prosody-modules /usr/lib/prosody/community-modules
--- a/service/prosody/container/config/prosody.cfg.lua
+++ b/service/prosody/container/config/prosody.cfg.lua
@ -156,13 +156,13 @@ conversejs_options = {
    view_mode = "fullscreen";
 }
-- Configuration for IMAP authentication.
+-- Configuration for LDAP authentication.
-imap_auth_host = os.getenv("PROSODY_IMAP_AUTH_HOST") or "localhost"
+ldap_server       = os.getenv("PROSODY_AUTH_LDAP_HOST") or "localhost"
-imap_auth_port = os.getenv("PROSODY_IMAP_AUTH_PORT") or 993
+ldap_base         = "ou=people,dc=ldap,dc=local"
-auth_imap_ssl = {
+ldap_rootdn       = "uid=" .. (os.getenv("PROSODY_AUTH_LDAP_BIND_UID") or "admin") .. ",ou=people,dc=ldap,dc=local"
-    mode = "client",
+ldap_password     = os.getenv("PROSODY_AUTH_LDAP_BIND_PASSWORD") or ""
-    protocol = "tlsv1_2"
+ldap_filter       = "(&(memberof=cn=prosody_user,ou=groups,dc=ldap,dc=local)(|(uid=$user)(mail=$user@$host)))"
-}
+ldap_admin_filter = "(memberof=cn=prosody_admin,ou=groups,dc=ldap,dc=local)"
 -- Configuration for TURN/STUN.
 turn_external_host   = os.getenv("PROSODY_TURN_HOST") or "localhost"
--- a/service/prosody/container/config/virtualhost.cfg.lua
+++ b/service/prosody/container/config/virtualhost.cfg.lua
@ -11,8 +11,7 @@ local host_external = os.getenv("PROSODY_HOST_EXTERNAL") or "external.localhost"
 VirtualHost(host_base)
  http_host         = host_external
  http_external_url = "https://" .. host_external .. "/"
-  authentication    = "imap"
+  authentication    = "ldap"
  auth_append_host  = true
  http_paths = {
    conversejs = "/web"
  }
--- a/service/prosody/prosody.env.template
+++ b/service/prosody/prosody.env.template
@ -3,8 +3,9 @@ PROSODY_HOST=${PROSODY_HOST}
 PROSODY_HOST_EXTERNAL=${PROSODY_HOST_EXTERNAL}
 # Authentication options.
-PROSODY_IMAP_AUTH_HOST=dovecot
+PROSODY_AUTH_LDAP_HOST=lldap:3890
-PROSODY_IMAP_AUTH_PORT=993
+PROSODY_AUTH_LDAP_BIND_UID=${LLDAP_ADMIN_USERNAME}
 PROSODY_AUTH_LDAP_BIND_PASSWORD=${LLDAP_ADMIN_PASSWORD}
 # TURN server options.
 PROSODY_TURN_HOST=${COTURN_REALM}
--- a/service/prosody/systemd/prosody.service
+++ b/service/prosody/systemd/prosody.service
@ -1,7 +1,7 @@
 [Unit]
 Description=Prosody XMPP server
-Wants=container-build@%N.service container-volume@%N.service dovecot.service grafana-dashboard@prosody.service
+Wants=container-build@%N.service container-volume@%N.service lldap.service grafana-dashboard@prosody.service
-After=container-build@%N.service container-volume@%N.service dovecot.service grafana-dashboard@prosody.service
+After=container-build@%N.service container-volume@%N.service lldap.service grafana-dashboard@prosody.service
 [Service]
 Type=notify