prosody: add LDAP authentication via SASL mechanism

prosody/Dockerfile

@@ -7,18 +7,31 @@ ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6
 RUN sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua
 
 RUN \
-	apt-dpkg-wrap apt-get update && \
-	apt-dpkg-wrap apt-get install -y lua5.2 liblua5.2-dev libssl1.0-dev lua-basexx luarocks gcc git && \
-	apt-dpkg-wrap apt-get install -t stretch-backports -y prosody && \
-	rm -rf /etc/prosody
-
-RUN \
-	luarocks install lua-cjson 2.1.0-1 && \
-	luarocks install luajwtjitsi
-
-RUN \
-	apt-dpkg-wrap apt-get remove -y liblua5.2-dev libssl1.0-dev gcc git && \
-	apt-cleanup
+    apt-dpkg-wrap apt-get update \
+    && apt-dpkg-wrap apt-get install -t stretch-backports -y \
+      prosody \
+      liblua5.2-dev \
+      sasl2-bin \
+      libsasl2-modules-ldap \
+      libsasl2-dev \
+      libssl1.0-dev \
+      lua-basexx \
+      lua-ldap \
+      luarocks \
+      git \
+      gcc \
+    && luarocks install cyrussasl 1.1.0-1 \
+    && luarocks install lua-cjson 2.1.0-1 \
+    && luarocks install luajwtjitsi 1.3-7 \
+    && apt-dpkg-wrap apt-get remove -t stretch-backports -y \
+      git \
+      gcc \
+      luarocks \
+      libsasl2-dev \
+      libssl1.0-dev \
+      liblua5.2-dev \
+    && apt-cleanup \
+    && rm -rf /etc/prosody
 
 COPY rootfs/ /
 

prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

@@ -12,14 +12,18 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU
 
 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
 {{ if .Env.ENABLE_AUTH | default "0" | toBool }}
-    {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
+  {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
     authentication = "token"
     app_id = "{{ .Env.JWT_APP_ID }}"
     app_secret = "{{ .Env.JWT_APP_SECRET }}"
     allow_empty_token = false
-    {{ else }}
+  {{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+    authentication = "cyrus"
+    cyrus_application_name = "xmpp"
+    allow_unencrypted_plain_auth = true
+  {{ else }}
     authentication = "internal_plain"
-    {{ end }}
+  {{ end }}
 {{ else }}
     authentication = "anonymous"
 {{ end }}
@@ -34,6 +38,9 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
         {{ if .Env.XMPP_MODULES }}
         "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
         {{ end }}
+        {{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+        "auth_cyrus";
+        {{end}}
     }
 
     c2s_require_encryption = false

prosody/rootfs/defaults/saslauthd.conf

@@ -0,0 +1,21 @@
+{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+ldap_servers: {{ .Env.LDAP_URL }}
+ldap_search_base: {{ .Env.LDAP_BASE }}
+ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
+ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
+ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
+ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
+ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
+  {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
+ldap_tls_key: /config/certs/{{ .Env.XMPP_DOMAIN }}.key
+ldap_tls_cert: /config/certs/{{ .Env.XMPP_DOMAIN }}.crt
+    {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
+ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
+    {{ end }}
+    {{ if .Env.LDAP_TLS_CIPHERS }}
+ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
+    {{ end }}
+  {{ end }}
+{{ end }}

prosody/rootfs/etc/cont-init.d/10-config

@@ -1,5 +1,16 @@
 #!/usr/bin/with-contenv bash
 
+if [[ ! -f /config/saslauthd.conf ]]; then
+  cp /defaults/saslauthd.conf /config/
+fi
+
+if [[ ! -f /etc/saslauthd.conf ]]; then
+  tpl /config/saslauthd.conf > /etc/saslauthd.conf
+  mkdir -pm777 /var/run/saslauthd
+  adduser prosody sasl
+  echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"
+fi
+
 PROSODY_CFG="/config/prosody.cfg.lua"
 
 if [[ ! -d /config/data ]]; then

prosody/rootfs/etc/sasl/xmpp.conf

@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN

prosody/rootfs/etc/services.d/10-saslauthd/run

@@ -0,0 +1,2 @@
+#!/usr/bin/with-contenv bash
+exec s6-setuidgid root saslauthd -a ldap -O /etc/saslauthd.conf -c -m /var/run/saslauthd -n 5 -d