Setting Up Prosody to Authenticate Against LDAP
UPDATE: There is another guide that shows this setup on more current prosody version over here.
A few years ago, I set up a Jabber server at my university. It worked pretty fine in the beginning, but a lack of updates and a horrible java-overengineering led to the point where the server needed 400 MB of RAM and didn't even consider talking to LDAP anymore.
Since I had no intention of setting up openfire again, I decided to look for other tools.
There is ejabberd, but since I can barely read erlang, let alone write, I decided that I don't really want to deal with ejabberd :)
There also is Tigase, an open-source java based xmpp-server. Since I had bad experience setting up the whole java-enironment, I'd rather not try it again. There also is no support for authenticating against LDAP with Tigase at the time of writing.
The next contestant was Prosody. By simple looking at the website, you see the difference. Where as Tigase and ejabberd are basically a huge, ugly wall of text, prosody is a clean and simple lightweight design.
Prosody is written in Lua. While lua wasn't all thaaat slow to begin with (for a scripting language), since luajit came up, it is only arround 2 times slower than C, according to the benchmarks.
My problem with prosody in the past was the missing LDAP authentication feature. It wouldn't have been all that hard to implement it for somebody that actually knew lua, but I decided that I have other things to do at the moment. This is why this commit cought my eye:
first working version with Cyrus SASL support.
To quote from the ?official website?:
SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.
Cyrus SASL is a matching library. Here is a quote from its freshmeat page:
The Cyrus SASL library is a generic library for easy integration of secure network authentication to any client or server application. It supports authentication via standard plaintext methods as well as CRAM-MD5 and DIGEST-MD5 shared secret methods and KERBEROS_V4 and GSSAPI Kerberos methods. The SASL protocol framework is used by SMTP, IMAP, ACAP, LDAP, and other standard protocols.
Prosidy uses lua-cyrussasl (which basically can't be found using google) to communicate with the library.
Getting sasl to run and auth against LDAP
While I don't remember everything I installed, here are some packages that seem appropriate:
cyrus-sasl-2.1.22-5.el5
cyrus-sasl-plain-2.1.22-5.el5
cyrus-sasl-lib-2.1.22-5.el5
cyrus-sasl-devel-2.1.22-5.el5
cyrus-sasl-md5-2.1.22-5.el5
cyrus-sasl-ldap-2.1.22-5.el5
cyrus-sasl-ntlm-2.1.22-5.el5
This will also install programs such as "testsaslauthd", "sasl2-sample-client", "sasl2-sample-server", "sasl2-shared-mechlist" and "sasl2-static-mechlist". They are very useful to see if your configuration is actually ok.
Now, set up your /etc/saslauthd.conf:
# cat /etc/saslauthd.conf
ldap_servers: ldap://ldap1.example.org
ldap_search_base: ou=userlist,dc=example,dc=org
After this (and maybe a /etc/init.d/saslauthd restart), the testsaslauthd command should work:
# testsaslauthd -u existing_user -p thepassword
0: OK "Success."
# testsaslauthd -u blabla -p narf
0: NO "authentication failed"
This just set up the connection info for the saslauth daemon. To be able to auth against this, you'll need to set up a matching service.
This is basically just a config file that tells the cyrus-sasl library which service to auth against. For this, you'll have to set up your /usr/lib64/sasl2/xmpp.conf (or /etc/sasl2/xmpp.conf )
# cat /usr/lib64/sasl2/xmpp.conf
pwcheck_method: saslauthd
mech_list: PLAIN
This means that the service called "xmpp" (from the filename) only accepts plain passwords and uses the saslauth daemon to check them.
Check if this works by starting the sample server:
# sasl2-sample-server -s "xmpp" -m "PLAIN"
trying 10, 1, 6
trying 2, 1, 6
bind: Address already in use
and connect to it using the sample client (probably in another terminal session):
# sasl2-sample-client -s "xmpp" -m "PLAIN" localhost
receiving capability list... recv: {5}
PLAIN
PLAIN
please enter an authentication id:
please enter an authorization id: YOURUSERID
Password: YOURPASSWORD
send: {5}
PLAIN
send: {1}
Y
send: {22}
youruserid[0]youruserid[0]yourpassword
successful authentication
closing connection
So far so good. You've set up a proper saslauthd and configured a service called xmpp.
Now:
Getting Prosody
There are installers/packages available for Debian/Ubuntu, Windows, Arch Linux, FreeBSD and Windows. The problem is that, at the time of writing, the sasl support hasn't made it into a stable build yet. That's why I decided to go for the current development version. I simply checked out the git mirror of their official repository (didn't have hg installed):
git clone http://github.com/bjc/prosody.gitAs for other libraries, those are the ones:
liblua5.1, libssl (OpenSSL), libidn11
And the lua stuff you need (as far as I can remember):
lua-luasocket, lua-luasec, lua-expat, lua-cyrussasl (see above), lua-filesystem
You can get the them using your distributions package manager, luarocks (for the lua stuff) or download and compile them yourself.
After everything is installed, just do the usual:
./configure --ostype=linux <-- can be "debian" or "macosx" too
make
make installConfiguring Prosody
In my case, the config file was copied to "/usr/local/etc/prosody/prosody.cfg.lua". After you configured the usual stuff (hostname, TLS/SSL, admins, ...) you have to put in the config option for the cyrus support to use the proper service to auth against:
cyrus_service_name = "xmpp"Currently, there also is a problem that should be fixed within a couple of days: In the file /util/sasl_cyrus.lua, you have to edit line 34.
pcall(cyrussasl.server_init, "prosody")the "prosody" string has to have the name of your service (e.g. xmpp) for it to work.
This should allow prosody to authenticate against LDAP using cyrus-sasl.
Have fun :)
Update fresh from the prosody chatroom:
(11:35:35 PM) darkrain: One minor thing, is that with the release of 0.7, you'll need to put sasl_backend="cyrus" in the config file (11:35:41 PM) darkrain: and the default value of cyrus_service_name is "xmpp" (11:35:54 PM) darkrain: (and the pcall thing has been fixed) (11:36:01 PM) darkrain: s/One/three/