mod_lib_ldap

LDAP plugin suite for Prosody

The LDAP plugin suite includes an authentication plugin (mod_auth_ldap2) and storage plugin (mod_storage_ldap) to query against an LDAP server. It also provides a plugin library (mod_lib_ldap) for accessing an LDAP server to make writing other LDAP-based plugins easier in the future.

LDAP Authentication

NOTE: LDAP authentication currently only works with plaintext auth (the PLAIN mechanism, as opposed to DIGEST-MD5 or SCRAM): the plugin needs the user's cleartext password so it can check it against the directory, and the challenge-response mechanisms never hand the server one. If this isn't OK with you, don't use it (or, better yet, fix it).

With that note in mind: PLAIN sends the password in the clear over the XMPP stream, so Prosody refuses it on unencrypted connections unless you set 'allow_unencrypted_plain_auth' to true in your configuration. If you need to allow (XMPP) clients to connect to your server without TLS and still want to use this module, that is the setting you would have to change. You almost certainly don't want to do this, though, because it exposes every user's directory password to anyone on the network path; requiring TLS for clients is the sane alternative.

To enable LDAP authentication, set ‘authentication’ to ‘ldap2’ in your configuration file. See also http://prosody.im/doc/authentication.

LDAP Storage

LDAP storage is currently read-only, and it only supports rosters and vCards.

To enable LDAP storage, set ‘storage’ to ‘ldap’ in your configuration file. See also http://prosody.im/doc/storage.

LDAP Configuration

All of the LDAP-specific configuration for the plugin set goes into an 'ldap' section in the configuration. You must set the 'hostname' field in the 'ldap' section to your LDAP server's location (a custom port is also accepted, so it is not strictly a hostname). 'bind_dn' and 'bind_password' are optional and are used if you want the plugins to bind as a specific DN rather than anonymously. Because 'bind_password' sits in the configuration file in the clear, give it a dedicated read-only directory account and keep the file readable only by the user Prosody runs as. There should be an example configuration included with this README, so feel free to consult that.

The user section

The user section must contain the following keys:

The groups section

The LDAP plugin suite has support for grouping (along the lines of mod_groups), which can be enabled via the groups section in the ldap section of the configuration file. Currently, you must have at least one group. The groups section must contain the following keys:

The groups section must contain at least one entry in its array section. Each entry must be a table, with the following keys:

The vcard_format section

The vcard_format section is used to generate a vCard given an LDAP entry. See http://xmpp.org/extensions/xep-0054.html for more information. The JABBERID field is automatically populated.

The key/value pairs in this table fall into three categories:

Simple pairs

Some values in the vcard_format table are simple key-value pairs, where the key corresponds to a vCard entry and the value is the name of the attribute in the user's LDAP entry that supplies it. The fields that can be configured this way are:

Single-level fields

These pairs have a table as their value, and that table is itself a series of key-value pairs that are translated in the same way as simple pairs (each key becomes a child element, filled from the named LDAP attribute). The fields that are configured this way are:

Multi-level fields

These pairs have a table as their value, and each of that table's values is itself a table. The nested tables hold the same key-value pairs as above, the only difference being that a value may also be the boolean true, which produces an empty XML tag instead of one filled from an attribute. I recommend looking at the example configuration for clarification.

For example, to get something like this in your vCard:

<TEL>
  <WORK />
  <VOICE />
  <NUMBER>555-555-5555</NUMBER>
</TEL>

Your configuration for telephone will probably look something like this:

telephone = {
  work = {
    voice = true,
    number = 'telephoneNumber',
  },
}
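To make the three categories (simple pairs, single-level fields, multi-level fields) and the telephone example concrete, here is an illustrative Lua script that applies such a vcard_format table to one LDAP entry and prints the resulting vCard. It is an added example written for this README, not code from mod_storage_ldap, and it does not use the Prosody or LDAP APIs at all; it runs stand-alone with a plain Lua 5.x interpreter. The element name TEL comes from the example above; the names for nickname, name, email and address are assumptions taken from XEP-0054, and the LDAP entry is a constructed sample.

```lua
-- Illustrative vcard_format -> vCard renderer (added example; not mod_storage_ldap's code).
-- Rules implemented, as described in this README:
--   simple pair        key = "ldapAttr"             -> <KEY>value</KEY>
--   single-level field key = { sub = "ldapAttr" }   -> <KEY><SUB>value</SUB></KEY>
--   multi-level field  key = { kind = { ... } }     -> one <KEY> per kind, holding <KIND /> plus the pairs
--   boolean true                                    -> empty element, e.g. <VOICE />

-- vcard_format key -> vCard element. TEL is from the README's example;
-- the others are assumptions taken from XEP-0054 element names.
local ELEMENT = { telephone = "TEL", name = "N", nickname = "NICKNAME", email = "EMAIL", address = "ADR" }

local function escape(s)  -- directory values are untrusted input to the XML stanza
    return (tostring(s):gsub("[&<>]", { ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;" }))
end

local function sorted_keys(t)  -- pairs() order is undefined; sort for stable output
    local keys = {}
    for k in pairs(t) do keys[#keys + 1] = k end
    table.sort(keys)
    return keys
end

-- Emit the leaf pairs of one table at the given indent.
local function render_pairs(spec, entry, out, indent)
    for _, key in ipairs(sorted_keys(spec)) do
        local tag, attr = key:upper(), spec[key]
        if attr == true then
            out[#out + 1] = indent .. "<" .. tag .. " />"
        elseif entry[attr] ~= nil then  -- attribute absent from the entry: leave the element out
            out[#out + 1] = indent .. "<" .. tag .. ">" .. escape(entry[attr]) .. "</" .. tag .. ">"
        end
    end
end

local function build_vcard(vcard_format, entry, jid)
    local out = { "<vCard xmlns='vcard-temp'>",
                  "  <JABBERID>" .. escape(jid) .. "</JABBERID>" }  -- filled in automatically, per the README
    for _, key in ipairs(sorted_keys(vcard_format)) do
        local tag, spec = ELEMENT[key] or key:upper(), vcard_format[key]
        if type(spec) == "string" then                       -- simple pair
            if entry[spec] ~= nil then
                out[#out + 1] = "  <" .. tag .. ">" .. escape(entry[spec]) .. "</" .. tag .. ">"
            end
        else
            local multi = false                              -- any nested table => multi-level field
            for _, v in pairs(spec) do if type(v) == "table" then multi = true end end
            if multi then
                for _, kind in ipairs(sorted_keys(spec)) do  -- one element per kind (work, home, ...)
                    out[#out + 1] = "  <" .. tag .. ">"
                    out[#out + 1] = "    <" .. kind:upper() .. " />"
                    render_pairs(spec[kind], entry, out, "    ")
                    out[#out + 1] = "  </" .. tag .. ">"
                end
            else                                             -- single-level field
                out[#out + 1] = "  <" .. tag .. ">"
                render_pairs(spec, entry, out, "    ")
                out[#out + 1] = "  </" .. tag .. ">"
            end
        end
    end
    out[#out + 1] = "</vCard>"
    return table.concat(out, "\n")
end

-- Constructed sample: a vcard_format table and one LDAP entry (attribute -> value).
local vcard_format = {
    nickname  = "displayName",                                        -- simple pair
    name      = { family = "sn", given = "givenName" },               -- single-level field
    telephone = { work = { voice = true, number = "telephoneNumber" } }, -- multi-level field
}
local entry = {
    displayName = "Alice <admin>",  -- deliberately contains XML metacharacters
    sn = "Example", givenName = "Alice", telephoneNumber = "555-555-5555",
}
print(build_vcard(vcard_format, entry, "alice@example.com"))
```

The telephone entry renders as a TEL element containing WORK, NUMBER and VOICE, i.e. the structure shown above (children are emitted in alphabetical order here, which the vCard consumers tolerate). Two details worth noticing: a vcard_format key whose attribute is missing from the entry simply produces no element, and every directory value is XML-escaped before it goes into the stanza, so a displayName containing angle brackets cannot inject markup into the vCard.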

Unsupported vCard fields

Example Configuration

You can find an example configuration in the dev directory underneath the directory that this file is located in.
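As an added illustration of how the pieces described above fit together in prosody.cfg.lua, here is a configuration fragment written for this README; it is not the project's dev/ example file. It contains only the keys this README documents: the host name, bind DN and service account are placeholders, the nickname and name keys under vcard_format are assumed from XEP-0054 (only telephone appears in the text above), and the required user and groups sections are left out because their keys are listed elsewhere, so copy those from the dev/ example.

```lua
-- Added example fragment of prosody.cfg.lua (not the project's own dev/ example).
-- Only keys documented in this README are shown; the user and groups sections
-- are required but omitted here: take them from the dev/ example configuration.

authentication = "ldap2"   -- mod_auth_ldap2
storage = "ldap"           -- mod_storage_ldap (read-only: rosters and vCards)

-- mod_auth_ldap2 can only use PLAIN, so make TLS mandatory for clients instead
-- of ever relaxing the PLAIN-over-cleartext rule. Both settings below are the
-- secure choice; allow_unencrypted_plain_auth is spelled out only to make the
-- point (false is its default).
c2s_require_encryption = true
allow_unencrypted_plain_auth = false

ldap = {
    hostname = "ldap.example.com",                        -- placeholder; a custom port is accepted here too
    bind_dn = "cn=prosody,ou=services,dc=example,dc=com", -- placeholder: a dedicated read-only service account
    bind_password = "change-me",                          -- stored in the clear: restrict this file to the prosody user

    -- user = { ... }    required; see "The user section"
    -- groups = { ... }  required; see "The groups section"

    vcard_format = {
        -- simple pair: vCard element filled from one LDAP attribute (key name assumed)
        nickname = "displayName",

        -- single-level field: nested pairs under one element (key name assumed)
        name = {
            family = "sn",
            given = "givenName",
        },

        -- multi-level field (the README's own example): true becomes an empty tag
        telephone = {
            work = {
                voice = true,
                number = "telephoneNumber",
            },
        },
    },
}
```

A quick check after deploying: a client that attempts PLAIN over an unencrypted connection should be refused, and `prosodyctl check config` should accept the file. Keep the bind account limited to read access on the user and group subtrees; the storage plugin is read-only, so nothing more is needed.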

Missing Features

This set of plugins is missing a few features, some of which are really just ideas:


Installation

With the plugin installer in Prosody 0.12 you can use:

sudo prosodyctl install --server=https://modules.prosody.im/rocks/ mod_lib_ldap

For earlier versions, see the documentation for installing 3rd party modules.