nur Bahnhof

Prosody with authentication against LDAP/Active Directory

Oluf Lorenzen

Hey, this post is really old.

It was published and/or last updated over 3 years ago. It may be very out of date, as the world, and I, may have changed a lot since I wrote it. I could have completely changed my mind about the below in the intervening time. I don't make a habit of revisiting old posts to update them. If I had, you would see the updated timestamp above, and likely a note about what I changed at the bottom of the article. That being said, if any views I've expressed here are particularly offensive or breach someone's privacy, please contact me.

I am using

You need several packages:

apt-get update ; apt-get install sasl2-bin libsasl2-modules-ldap lua-ldap lua-cyrussasl

and the following configuration files:

/etc/default/saslauthd

START=yes
MECHANISMS="ldap"
MECH_OPTIONS="/etc/saslauthd.conf"

/etc/saslauthd.conf

ldap_servers: ldap://ldap.example.com/
ldap_search_base: ou=foo,dc=example,dc=com

# account saslauthd binds with to look up the user (placeholder values)
ldap_bind_dn: ldap-user-for-binding
ldap_bind_pw: pw-for-that-user
ldap_use_sasl: no
# with ldap_auth_method: bind the user's own password is sent to the LDAP
# server; over plain ldap:// with ldap_start_tls: no it crosses the network
# unencrypted, so use ldaps:// or ldap_start_tls: yes outside a test setup
ldap_start_tls: no
ldap_auth_method: bind

# %u is replaced with the login name; sAMAccountName is the AD logon attribute
ldap_filter: (sAMAccountName=%u)

/etc/prosody/prosody.cfg.lua

authentication = "cyrus"
cyrus_service_name = "xmpp"

-- make sure TLS is configured properly; "x" and "y" are placeholders for the
-- real key and certificate paths
ssl = {
        key = "x";
        certificate = "y";

        options = { "no_sslv2", "no_sslv3" , "no_ticket", "no_compression" };
        -- @STRENGTH is a sort directive and belongs at the end of the list as
        -- its own token; a stray "!" after it makes OpenSSL reject the string
        ciphers = "HIGH:!DSS:!aNULL:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:@STRENGTH";
}

Add the system user 'prosody' to the 'sasl' group (the saslauthd socket in /var/run/saslauthd is only accessible to that group) and restart both services:

adduser prosody sasl ; service saslauthd restart ; service prosody restart

If logins fail, check /var/log/auth.log for saslauthd errors and have a look at the Prosody logs.
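The following checker is an added example and not part of the original post. It lints the two saslauthd files shown above for the settings this setup depends on (including the clear-text bind over plain ldap://), then verifies the runtime pieces Prosody needs and, via testsaslauthd from sasl2-bin, asks the running saslauthd to authenticate a login for the xmpp service, the same name as cyrus_service_name. The script name, the "testuser" login and the Debian socket path /var/run/saslauthd/mux are assumptions; the sample configuration files it writes for the demo are constructed from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from Prosody/Cyrus SASL.
#   sh check-prosody-sasl.sh demo         lint the sample configs from the post
#   sh check-prosody-sasl.sh lint         lint /etc/default/saslauthd and /etc/saslauthd.conf
#   sh check-prosody-sasl.sh test LOGIN   authenticate LOGIN for service xmpp through saslauthd
# Paths are Debian defaults; the script name and the "testuser" login are assumptions.

# conf_get FILE KEY: value of the first "KEY: value" line in a saslauthd.conf-style file.
conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# lint_saslauthd_default FILE: findings on stdout, returns 1 on any ERROR.
lint_saslauthd_default() {
    rc=0
    start=$(sed -n 's/^START=//p' "$1" | tr -d '"')
    mech=$(sed -n 's/^MECHANISMS=//p' "$1" | tr -d '"')
    [ "$start" = "yes" ] || { echo "ERROR: START=$start, saslauthd will not be started"; rc=1; }
    [ "$mech" = "ldap" ]  || { echo "ERROR: MECHANISMS=$mech, expected ldap"; rc=1; }
    return $rc
}

# lint_saslauthd_conf FILE: findings on stdout, returns 1 on any ERROR (WARN keeps 0).
lint_saslauthd_conf() {
    rc=0
    servers=$(conf_get "$1" ldap_servers)
    tls=$(conf_get "$1" ldap_start_tls)
    method=$(conf_get "$1" ldap_auth_method)
    filter=$(conf_get "$1" ldap_filter)
    [ -n "$servers" ] || { echo "ERROR: ldap_servers not set"; rc=1; }
    case "$filter" in
        "")        echo "ERROR: ldap_filter not set (e.g. (sAMAccountName=%u))"; rc=1 ;;
        *%u*|*%U*) ;;
        *)         echo "ERROR: ldap_filter '$filter' does not use %u, the search ignores the login name"; rc=1 ;;
    esac
    # With ldap_auth_method: bind the user's password is sent to the LDAP server
    # in a simple bind; over ldap:// without STARTTLS that is clear text.
    if [ "$method" = "bind" ] && [ "$tls" != "yes" ]; then
        case "$servers" in
            ldaps://*) ;;
            *) echo "WARN: ldap_auth_method=bind over $servers with ldap_start_tls=${tls:-unset}: passwords cross the network unencrypted" ;;
        esac
    fi
    return $rc
}

# check_runtime LOGIN: group membership and socket first, then a real
# authentication through saslauthd's socket with testsaslauthd (sasl2-bin).
check_runtime() {
    login="${1:-testuser}"
    id -nG prosody 2>/dev/null | tr ' ' '\n' | grep -qx sasl \
        || echo "WARN: user prosody is not in group sasl (run: adduser prosody sasl)"
    [ -S /var/run/saslauthd/mux ] \
        || echo "WARN: /var/run/saslauthd/mux is missing, is saslauthd running?"
    command -v testsaslauthd >/dev/null 2>&1 \
        || { echo "ERROR: testsaslauthd not found (apt-get install sasl2-bin)"; return 1; }
    printf 'Password for %s: ' "$login"
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo
    # -s must match cyrus_service_name in prosody.cfg.lua
    testsaslauthd -u "$login" -p "$pw" -s xmpp
}

# write_sample_configs DIR: the two files as shown in the post (constructed sample input).
write_sample_configs() {
    cat > "$1/saslauthd.default" <<'EOF'
START=yes
MECHANISMS="ldap"
MECH_OPTIONS="/etc/saslauthd.conf"
EOF
    cat > "$1/saslauthd.conf" <<'EOF'
ldap_servers: ldap://ldap.example.com/
ldap_search_base: ou=foo,dc=example,dc=com
ldap_bind_dn: ldap-user-for-binding
ldap_bind_pw: pw-for-that-user
ldap_use_sasl: no
ldap_start_tls: no
ldap_auth_method: bind
ldap_filter: (sAMAccountName=%u)
EOF
}

case "${1:-}" in
    demo) d=$(mktemp -d); write_sample_configs "$d"
          lint_saslauthd_default "$d/saslauthd.default"; lint_saslauthd_conf "$d/saslauthd.conf"
          rm -rf "$d" ;;
    lint) lint_saslauthd_default /etc/default/saslauthd && lint_saslauthd_conf /etc/saslauthd.conf ;;
    test) check_runtime "${2:-}" ;;
esac
```

Running `sh check-prosody-sasl.sh demo` on the post's own configuration prints only the clear-text warning, which is the one thing to change before pointing this at a production domain controller; `test` exercises the same socket path Prosody uses, so a failure there shows up in /var/log/auth.log independently of Prosody.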


#active directory #ad #debian #ldap #linux #prosody #xmpp
