prosody: add LDAP authentication via SASL mechanism

2019-03-13 20:10:40 +03:00
parent 0db4b7dce9
commit 2e3576f6ca
9 changed files with 151 additions and 16 deletions
--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
@@ -12,14 +12,18 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU

 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
 {{ if .Env.ENABLE_AUTH | default "0" | toBool }}
-    {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
+  {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
    authentication = "token"
    app_id = "{{ .Env.JWT_APP_ID }}"
    app_secret = "{{ .Env.JWT_APP_SECRET }}"
    allow_empty_token = false
-    {{ else }}
+  {{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+    authentication = "cyrus"
+    cyrus_application_name = "xmpp"
+    allow_unencrypted_plain_auth = true
+  {{ else }}
    authentication = "internal_plain"
-    {{ end }}
+  {{ end }}
 {{ else }}
    authentication = "anonymous"
 {{ end }}
@@ -34,6 +38,9 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
        {{ if .Env.XMPP_MODULES }}
        "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
        {{ end }}
+        {{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+        "auth_cyrus";
+        {{end}}
    }

    c2s_require_encryption = false
--- a/prosody/rootfs/defaults/saslauthd.conf
+++ b/prosody/rootfs/defaults/saslauthd.conf
@@ -0,0 +1,21 @@
+{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+ldap_servers: {{ .Env.LDAP_URL }}
+ldap_search_base: {{ .Env.LDAP_BASE }}
+ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
+ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
+ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
+ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
+ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
+  {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
+ldap_tls_key: /config/certs/{{ .Env.XMPP_DOMAIN }}.key
+ldap_tls_cert: /config/certs/{{ .Env.XMPP_DOMAIN }}.crt
+    {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
+ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
+    {{ end }}
+    {{ if .Env.LDAP_TLS_CIPHERS }}
+ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
+    {{ end }}
+  {{ end }}
+{{ end }}