prosody/rootfs/defaults/saslauthd.conf: Append extended LDAP variables #1798

Open
wants to merge 4 commits into
base: master
40 changes: 39 additions & 1 deletion env.example
Expand Up @@ -132,26 +132,64 @@ TZ=UTC
#

# LDAP url for connection
#LDAP_URL=ldaps://ldap.domain.com/
# ldaps:// not compatible with LDAP_START_TLS
#LDAP_URL=ldap://ldap.domain.com

# LDAP base DN. Can be empty
#LDAP_BASE=DC=example,DC=domain,DC=com
# FreeIPA should be based at accounts
#LDAP_BASE=CN=accounts,DC=example,DC=domain,DC=com

# LDAP user DN. Do not specify this parameter for the anonymous bind
#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
# FreeIPA uses different scheme
#LDAP_BINDDN=UID=binduser,CN=users,CN=accounts,DC=example,DC=domain,DC=com

# LDAP user password. Do not specify this parameter for the anonymous bind
#LDAP_BINDPW=LdapUserPassw0rd

# Many LDAP providers may obfuscate tree information
# required for advanced filtering when using anonymous
# bind

# LDAP filter. Tokens example:
# %1-9 - if the input key is [email protected], then %1 is com, %2 is domain and %3 is mail
# %s - %s is replaced by the complete service string
# %r - %r is replaced by the complete realm string
# (&(filter1)(filter2)(...)) - require multiple filters to be true
# (|(filter1)(filter2)(...)) - require one filter to be true
# (!(filter1)) - require one or more filters to be false
#LDAP_FILTER=(sAMAccountName=%u)

# FreeIPA, other LDAP providers, use UID
#LDAP_FILTER=(UID=%u)
# FreeIPA group filtering
#LDAP_FILTER=(&(UID=%u)(memberOf=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com))

# LDAP authentication method
#LDAP_AUTH_METHOD=bind

# LDAP group member attribute
#LDAP_GROUP_ATTR=uniqueMember
# FreeIPA, other LDAP providers, use memberOf
#LDAP_GROUP_ATTR=memberOf

# LDAP group membership requirement
#LDAP_GROUP_DN=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com

# LDAP group match method
# filter implies LDAP_GROUP_FILTER. attr implies LDAP_GROUP_SEARCH_BASE
# ignored without LDAP_GROUP_DN
#LDAP_GROUP_MATCH_METHOD=filter

# LDAP group filter
# Respects tokens common to LDAP filtering
#LDAP_GROUP_FILTER=(CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com)

# LDAP group search base
# Defaults to LDAP_BASE
#LDAP_GROUP_SEARCH_BASE=CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com

# LDAP version
#LDAP_VERSION=3

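Review bot: The filter token help added with `LDAP_FILTER` describes `(!(filter1))` as "require one or more filters to be false", but the LDAP NOT operator takes exactly one operand, so the comment should read `# (!(filter1)) - require the single enclosed filter to be false; wrap several in (|...) or (&...) first`. The `LDAP_GROUP_FILTER` example `(CN=groupname,CN=groups,CN=accounts,DC=example,DC=domain,DC=com)` looks like a DN in parentheses rather than a search filter; if saslauthd expects a filter here, an attribute=value form such as `(memberOf=CN=groupname,...)` would be the clearer example, or the comment should say what form is expected. The `LDAP_GROUP_SEARCH_BASE` comment "Defaults to LDAP_BASE" is worth confirming against the template, which only emits `ldap_group_search_base` when the variable is set, so the fallback is saslauthd's own rather than anything this file configures.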
34 changes: 27 additions & 7 deletions prosody/rootfs/defaults/saslauthd.conf
Expand Up @@ -4,27 +4,47 @@

{{ if eq $PROSODY_AUTH_TYPE "ldap" }}
ldap_servers: {{ .Env.LDAP_URL }}

ldap_search_base: {{ .Env.LDAP_BASE }}
{{ if .Env.LDAP_BINDDN | default "" }}
ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
{{ end }}
ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}

ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}

{{ if .Env.LDAP_BINDDN }}
ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
ldap_bind_pw: {{ .Env.LDAP_BINDPW | default "MISSING PASSWORD" }}
{{ end }}

ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}

ldap_group_attr: {{ .Env.LDAP_GROUP_ATTR | default "uniqueMember" }}
{{ if .Env.LDAP_GROUP_DN }}
ldap_group_dn: {{ .Env.LDAP_GROUP_DN }}
ldap_group_match_method: {{ .Env.LDAP_GROUP_MATCH_METHOD | default "attr" }}
{{ end }}
{{ if .Env.LDAP_GROUP_SEARCH_BASE }}
ldap_group_search_base: {{ .Env.LDAP_GROUP_SEARCH_BASE | default .Env.LDAP_BASE }}
{{ end }}
{{ if .Env.LDAP_GROUP_FILTER }}
ldap_group_filter: {{ .Env.LDAP_GROUP_FILTER }}
{{ end }}

{{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
ldap_tls_key: /config/certs/{{ $XMPP_DOMAIN }}.key
ldap_tls_cert: /config/certs/{{ $XMPP_DOMAIN }}.crt

{{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
ldap_tls_check_peer: yes
ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
{{ end }}

{{ if .Env.LDAP_TLS_CIPHERS }}
ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
{{ end }}
{{ end }}
{{ end }}
{{ if .Env.LDAP_START_TLS | default "0" | toBool }}

{{ if .Env.LDAP_START_TLS | default "0" | toBool }}
ldap_start_tls: yes
{{ end }}
{{ end }}
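Review bot: `ldap_tls_check_peer: yes` and the CA settings are emitted only inside the `{{ if .Env.LDAP_USE_TLS ... }}` block, so a deployment that relies on an `ldaps://` URL or on `LDAP_START_TLS` without the client-certificate option can never enable server-certificate verification, and the `ldap_bind_pw` emitted above is sent to whatever endpoint answers; if I read the nesting correctly the fix is to close the `LDAP_USE_TLS` block right after `ldap_tls_cert` and make the `LDAP_TLS_CHECK_PEER` block its sibling, and it is worth considering `default "1"` for `LDAP_TLS_CHECK_PEER` so verification is opt-out rather than opt-in. `ldap_bind_pw: {{ .Env.LDAP_BINDPW | default "MISSING PASSWORD" }}` turns an unset password into a literal credential that will surface only as an LDAP invalid-credentials error in the saslauthd log; omitting the line or failing the render when `LDAP_BINDDN` is set without `LDAP_BINDPW` would make the misconfiguration visible at startup. Inside `{{ if .Env.LDAP_GROUP_SEARCH_BASE }}` the `| default .Env.LDAP_BASE` on `ldap_group_search_base` can never apply and should be dropped to match the documented intent, or the conditional removed so the fallback to `LDAP_BASE` actually takes effect.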