In order to use LDAP authentication support we need to install three additional modules: ldap2, ldap_storage and lib_ldap.
Download the latest versions of the extra modules (the 'mercurial' package must be installed on the system).
To update the modules to a newer version later, run:
Copy the required modules to the default modules directory (/usr/lib/prosody/modules):
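# Install the three LDAP modules into Prosody's module directory.
# /usr/lib/prosody/modules is a system directory, so this normally has to be
# run with root privileges. The `cd` is checked so that a missing or
# misnamed checkout cannot make the following `cp` lines act on the wrong
# paths; `--` keeps cp from treating any odd filename as an option.
modules_dir=/usr/lib/prosody/modules
cd prosody-modules || exit 1
cp -- mod_auth_ldap2/mod_auth_ldap2.lua "$modules_dir/mod_auth_ldap2.lua"
cp -- mod_storage_ldap/mod_storage_ldap.lua "$modules_dir/mod_storage_ldap.lua"
cp -r -- mod_storage_ldap/ldap/ "$modules_dir/"
cp -- mod_lib_ldap/ldap.lib.lua "$modules_dir/ldap.lib.lua"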
Create a new configuration file for LDAP authentication:
# This new file will hold the LDAP bind DN and bind password, so once it is
# written restrict it to the user Prosody runs as (owner that user, no
# world-read permission).
vim /etc/prosody/conf.d/ldap.cfg.lua
-- Authentication configuration --
-- Hand authentication over to mod_auth_ldap2 (one of the modules copied above).
authentication = "ldap2"

-- Settings read by the LDAP modules.
ldap = {
  -- Where to reach the directory server.
  hostname = "ldap.example.com";
  -- Left disabled here. Without TLS the simple bind below sends the bind
  -- password to the directory server unencrypted, so enable this if the
  -- directory supports it.
  --use_tls = true;
  -- Credentials Prosody binds with before looking up users. Both can be
  -- omitted when the directory allows anonymous binds.
  bind_dn = "uid=jabberd,ou=people,dc=example,dc=com";
  bind_password = "xxxxxxxxxxxxxxxxxxxx";
  -- How user entries are located: the search base, a filter (presumably
  -- narrowing which entries may log in; adjust to your schema) and the
  -- attribute holding the username.
  user = {
    basedn = "ou=people,dc=example,dc=com";
    filter = "(&(objectClass=User)(AccountActive=TRUE))";
    namefield = "cn";
  };
}
|
Then enable "ldap2" authentication for our "meet.example.com" vhost:
# Edit the existing per-host config for the Jitsi Meet vhost (the file is
# assumed to exist already from the Jitsi Meet installation).
vim /etc/prosody/conf.d/meet.example.com.cfg.lua
VirtualHost "meet.example.com"
  -- enabled = false -- Uncomment this line to disable the host
  -- Earlier choices kept for reference; the LDAP backend replaces them.
  --authentication = "anonymous"
  --authentication = "internal_plain"
  authentication = "ldap2"
  -- Per-host TLS material. Without this block the host falls back to the
  -- certificate configured in the global section (if any). Legacy SSL on
  -- port 5223 can only ever serve one certificate and always uses the
  -- global one.
  ssl = {
    certificate = "/etc/prosody/certs/meet.example.com.crt",
    key = "/etc/prosody/certs/meet.example.com.key",
  }
  -- The web client reaches Prosody over BOSH, so load it here (with pubsub).
  modules_enabled = {
    "bosh",
    "pubsub",
  }

VirtualHost "guest.meet.example.com"
  -- Unauthenticated guests are served from this host. No ssl block is given,
  -- so it uses the global certificate -- presumably one that also covers this
  -- name; verify, otherwise guests see certificate mismatches.
  authentication = "anonymous"
|
Lastly, activate "consider_bosh_secure = true" in the global section of the Prosody configuration; more information about this option is available
here.
# Main config; the options below sit in the global section and therefore
# apply to every VirtualHost.
vim /etc/prosody/prosody.cfg.lua
...
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
-- BOSH sessions that arrive through an HTTPS-terminating web server look
-- unencrypted to Prosody; consider_bosh_secure tells Prosody to treat them
-- as secure anyway. Only set this when BOSH really is served over HTTPS in
-- front of Prosody, otherwise LDAP credentials can cross the network in clear.
consider_bosh_secure = true
-- false here additionally lets ordinary (non-BOSH) clients authenticate over
-- plain, unencrypted connections. With consider_bosh_secure set, the web
-- client should presumably still work with this left at true -- verify
-- before relaxing it.
c2s_require_encryption = false
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- With false, remote servers are accepted without a valid, trusted
-- certificate. See the Prosody documentation on s2s_secure_auth.
s2s_secure_auth = false
...
|
Don't forget to add the guest domain to your Jitsi Meet config, see https://github.com/jitsi/jicofo
# Show the Jitsi Meet web config; the two domain entries below should
# correspond to the two VirtualHosts defined in Prosody.
cat /etc/jitsi/meet/meet.example.com-config.js
....
domain: 'meet.example.com',
anonymousdomain: 'guest.meet.example.com',
....
Restart Prosody and Jicofo:
# Restart Prosody first so the new modules/config are loaded; jicofo is only
# restarted if that succeeds (&&), so a failed Prosody restart stops here.
service prosody restart && service jicofo restart