Установка Prosody v0.8 (Jabber-сервер) с аутентификацией из LDAP

local new_sasl = require "util.sasl".new; local nodeprep = require "util.encodings".stringprep.nodeprep; local log = require "util.logger".init("auth_ldap");  local ldap_server = module:get_option("ldap_server") or "localhost"; local ldap_rootdn = module:get_option("ldap_rootdn") or ""; local ldap_password = module:get_option("ldap_password") or ""; local ldap_tls = module:get_option("ldap_tls"); local ldap_base = assert(module:get_option("ldap_base"), "ldap_base is a required option for ldap"); local ldap_scope = module:get_option("ldap_scope") or "onelevel"; local ldap_filter = module:get_option("ldap_filter") or "";  local lualdap = require "lualdap"; local ld = assert(lualdap.open_simple(ldap_server, ldap_rootdn, ldap_password, ldap_tls)); module.unload = function() ld:close(); end  local function ldap_filter_escape(s) return (s:gsub("[\\*\\(\\)\\\\%z]", function(c) return ("\\%02x"):format(c:byte()) end)); end  local function find_userdn(username) 	local iter, err = ld:search { 		base = ldap_base; 		-- we need to set scope here, else ldap-search may fail (silently!!) 		scope = ldap_scope; 		filter = "(&(uid="..ldap_filter_escape(username)..")"..ldap_filter..")"; 	} 	if not iter then 	    module:log("error", "LDAP usersearch failed (%s): %s", username, err); 	    return false; 	end 	for dn, attribs in iter do 	   return dn; 	end 	return false; end  local provider = { name = "ldap" };  function provider.test_password(username, password) 	local userdn = find_userdn(username); 	if not userdn then return false; end 	 	local ldu = lualdap.open_simple(ldap_server, userdn, password, ldap_tls); 	if not ldu then return false; end  	ldu:close(); 	return true; end  function provider.user_exists(username) 	return find_userdn(username); end  function provider.get_password(username) return nil, "Passwords unavailable for LDAP."; end function provider.set_password(username, password) return nil, "Passwords unavailable for LDAP."; end function provider.create_user(username, password) return nil, "Account creation/modification not available with LDAP."; end  function provider.get_sasl_handler() 	local realm = module:get_option("sasl_realm") or module.host; 	local testpass_authentication_profile = { 		plain_test = function(sasl, username, password, realm) 			local prepped_username = nodeprep(username); 			if not prepped_username then 				log("debug", "NODEprep failed on username: %s", username); 				return "", nil; 			end 			return provider.test_password(prepped_username, password), true; 		end 	}; 	return new_sasl(realm, testpass_authentication_profile); end  module:add_item("auth-provider", provider); 

-- Prosody XMPP Server Configuration -- -- Information on configuring Prosody can be found on our -- website at http://prosody.im/doc/configure -- -- Tip: You can check that the syntax of this file is correct -- when you have finished by running: luac -p prosody.cfg.lua -- If there are any errors, it will let you know what and where -- they are, otherwise it will keep quiet. --  ---------- Server-wide settings ---------- -- Settings in this section apply to the whole server and are the default settings -- for any virtual hosts  -- This is a (by default, empty) list of accounts that are admins -- for the server. Note that you must create the accounts separately -- (see http://prosody.im/doc/creating_accounts for info) -- Example: admins = { "user1@example.com", "user2@example.net" } admins = { }  -- Enable use of libevent for better performance under high load -- For more information see: http://prosody.im/doc/libevent use_libevent = false;  -- This is the list of modules Prosody will load on startup. -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. -- Documentation on modules can be found at: http://prosody.im/doc/modules modules_enabled = {  	-- Generally required 		"roster"; -- Allow users to have a roster. Recommended ;) 		"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. 		"tls"; -- Add support for secure TLS on c2s/s2s connections 		"dialback"; -- s2s dialback support 		"disco"; -- Service discovery  	-- Not essential, but recommended 		"private"; -- Private XML storage (for room bookmarks, etc.) 		"vcard"; -- Allow users to set vCards 		--"privacy"; -- Support privacy lists 		--"compression"; -- Stream compression  	-- Nice to have 		"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. 		"version"; -- Replies to server version requests 		"uptime"; -- Report how long server has been running 		"time"; -- Let others know the time here on this server 		"ping"; -- Replies to XMPP pings with pongs 		"pep"; -- Enables users to publish their mood, activity, playing music and more 		"register"; -- Allow users to register on this server using a client and change passwords 		"adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client  	-- Admin interfaces 		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands 		--"admin_telnet"; -- Opens telnet console interface on localhost port 5582  	-- Other specific functionality 		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc. 		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" 		--"httpserver"; -- Serve static files from a directory over HTTP 		--"groups"; -- Shared roster support 		--"announce"; -- Send announcement to all online users 		--"welcome"; -- Welcome users who register accounts 		--"watchregistrations"; -- Alert admins of registrations 		--"motd"; -- Send a message to users when they log in };  -- These modules are auto-loaded, should you -- (for some mad reason) want to disable -- them then uncomment them below modules_disabled = { 	-- "presence"; -- Route user/contact status information 	-- "message"; -- Route messages 	-- "iq"; -- Route info queries 	-- "offline"; -- Store offline messages };  -- Disable account creation by default, for security -- For more information see http://prosody.im/doc/creating_accounts allow_registration = false;  -- These are the SSL/TLS-related settings. If you don't want -- to use SSL/TLS, you may comment or remove this ssl = { 	key = "/etc/prosody/certs/localhost.key"; 	certificate = "/etc/prosody/certs/localhost.cert"; }  -- Only allow encrypted streams? Encryption is already used when -- available. These options will cause Prosody to deny connections that -- are not encrypted. Note that some servers do not support s2s -- encryption or have it disabled, including gmail.com and Google Apps -- domains.  c2s_require_encryption = true --s2s_require_encryption = false  -- Select the authentication backend to use. The 'internal' providers -- use Prosody's configured data storage to store the authentication data. -- To allow Prosody to offer secure authentication mechanisms to clients, the -- default provider stores passwords in plaintext. If you do not trust your -- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed -- for information about using the hashed backend.  --authentication = "internal_plain" authentication = "ldap"; ldap_server = "localhost"; ldap_base = "ou=users,dc=example,dc=com"; ldap_rootdn = "cn=manager,dc=example,dc=com"; ldap_password = "password"; --ldap_filter = "(authorizedService=jabber)"; -- optional  Include '/etc/prosody/prosody-posix-ldap.cfg.lua'  -- Select the storage backend to use. By default Prosody uses flat files -- in its configured data directory, but it also supports more backends -- through modules. An "sql" backend is included by default, but requires -- additional dependencies. See http://prosody.im/doc/storage for more info.  --storage = "sql" -- Default is "internal"  -- For the "sql" backend, you can uncomment *one* of the below to configure: --sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename. --sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } --sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }  -- Logging configuration -- For advanced logging see http://prosody.im/doc/logging -- Hint: If you create a new log file or rename them, don't forget  -- to update the logrotate config at /etc/logrotate.d/prosody log = {         -- Log all error messages to prosody.err 	error = "/var/log/prosody/prosody.err";         -- Log everything of level "info" and higher (that is, all except "debug" messages)         -- to prosody.log         info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging         --"*syslog"; -- Uncomment this for logging to syslog }  -- Pidfile, used by prosodyctl and the init.d script pidfile = "/var/run/prosody/prosody.pid";  ----------- Virtual hosts ----------- -- You need to add a VirtualHost entry for each domain you wish Prosody to serve. -- Settings under each VirtualHost entry apply *only* to that host.  VirtualHost "localhost"  VirtualHost "example.com" 	-- enabled = false -- Remove this line to enable this host  	-- Assign this host a certificate for TLS, otherwise it would use the one 	-- set in the global section (if any). 	-- Note that old-style SSL on port 5223 only supports one certificate, and will always 	-- use the global one.         ssl = {                 key = "/etc/prosody/certs/localhost.key";                 certificate = "/etc/prosody/certs/localhost.cert";         }  ------ Components ------ -- You can specify components to add hosts that provide special services, -- like multi-user conferences, and transports. -- For more information on components, see http://prosody.im/doc/components  ---Set up a MUC (multi-user chat) room server on conference.example.com: --Component "conference.example.com" "muc"  -- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: --Component "proxy.example.com" "proxy65"  ---Set up an external component (default component port is 5347) -- -- External components allow adding various services, such as gateways/ -- transports to other networks like ICQ, MSN and Yahoo. For more info -- see: http://prosody.im/doc/components#adding_an_external_component -- --Component "gateway.example.com" --	component_secret = "password" 

-- Use Include 'prosody-posix-ldap.cfg.lua' from prosody.cfg.lua to include this file authentication = 'ldap' -- Indicate that we want to use LDAP for authentication --storage        = 'ldap' -- Indicate that we want to use LDAP for roster/vcard storage storage = {         roster = "ldap";         vcard = "ldap"; }  ldap = {    hostname      = 'localhost',                    -- LDAP server location     bind_dn       = 'cn=manager,dc=example,dc=com', -- Bind DN for LDAP authentication (optional if anonymous bind is supported)     bind_password = 'password',                      -- Bind password (optional if anonymous bind is supported)      user = {       basedn        = 'ou=users,dc=example,dc=com', -- The base DN where user records can be found       filter        = 'objectClass=posixAccount',   -- Filter expression to find user records under basedn       usernamefield = 'uid',                        -- The field that contains the user's ID (this will be the username portion of the JID)       namefield     = 'cn',                         -- The field that contains the user's full name (this will be the alias found in the roster)     },      groups = {       basedn      = 'ou=groups,dc=example,dc=com', -- The base DN where group records can be found       memberfield = 'memberUid',                   -- The field that contains user ID records for this group (each member must have a corresponding entry under the user basedn with the same value in usernamefield)       namefield   = 'cn',                          -- The field that contains the group's name (used for matching groups in LDAP to group definitions below)        {         name  = 'First Group', -- The group name that will be seen in users' rosters         cn    = 'first_group', -- This field's key *must* match ldap.groups.namefield! It's the name of the LDAP group this definition represents         admin = false,      -- (Optional) A boolean flag that indicates whether members of this group should be considered administrators.       },       {         name  = 'Second Group',         cn    = 'second_group',         admin = true,       },     },      vcard_format = {       displayname = 'cn', -- Consult the vCard configuration section in the README       nickname    = 'uid',     }, } 

# Installation directories # System's libraries directory (where binary libraries are installed) LUA_LIBDIR= /usr/lib/lua/5.1 # Lua includes directory LUA_INC= /usr/include/lua5.1 # OpenLDAP includes directory OPENLDAP_INC= /usr/include # OpenLDAP library (an optional directory can be specified with -L<dir>) OPENLDAP_LIB= -lldap  # OS dependent LIB_OPTION= -shared #for Linux #LIB_OPTION= -bundle -undefined dynamic_lookup #for MacOS X  # Lua version number (first and second digits of target version) LUA_VERSION_NUM= 500 LIBNAME= $T.so.$V COMPAT_DIR= ../compat-5.1r5  # Compilation parameters WARN= -O2 -Wall -fPIC -W -Waggregate-return -Wcast-align -Wmissing-prototypes -Wnested-externs -Wshadow -Wwrite-strings -ansi INCS= -I$(LUA_INC) -I$(OPENLDAP_INC) -I$(COMPAT_DIR) CFLAGS= $(WARN) $(INCS) CC= gcc  # $Id: config,v 1.5 2006/07/24 01:42:06 tomas Exp $

# $Id: Makefile,v 1.30 2007/03/13 22:07:33 godinho Exp $  T= lualdap V= 1.1.0 CONFIG= ./config  include $(CONFIG)  ifeq "$(LUA_VERSION_NUM)" "500" COMPAT_O= $(COMPAT_DIR)/compat-5.1.o endif  OBJS= src/lualdap.o $(COMPAT_O)   src/$(LIBNAME): $(OBJS)         export MACOSX_DEPLOYMENT_TARGET="10.3"; $(CC) $(CFLAGS) $(LIB_OPTION) -o src/$(LIBNAME) $(OBJS) $(OPENLDAP_LIB)  $(COMPAT_DIR)/compat-5.1.o: $(COMPAT_DIR)/compat-5.1.c         $(CC) -c $(CFLAGS) -o $@ $(COMPAT_DIR)/compat-5.1.c  install: src/$(LIBNAME)         mkdir -p $(LUA_LIBDIR)         cp src/$(LIBNAME) $(LUA_LIBDIR)         cd $(LUA_LIBDIR); ln -f -s $(LIBNAME) $T.so  clean:         rm -f $(OBJS) src/$(LIBNAME)