To use LDAP authentication we need to install three extra community modules: mod_auth_ldap2, mod_storage_ldap and mod_lib_ldap (the shared LDAP helper library, ldap.lib.lua, that the first two depend on).
Download the latest versions of the extra modules from the prosody-modules Mercurial repository (the 'mercurial' package must be installed on the system). Note that these modules run inside the Prosody process with its privileges, so fetch the checkout over HTTPS and review the code before installing it.
To update the modules to a newer version later, run `hg pull -u` inside the checkout and repeat the copy step below.
Copy the required modules to the default modules directory (/usr/lib/prosody/modules on typical Debian/Ubuntu installs; if your Prosody uses a different `plugin_paths`, adjust the destination accordingly):
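# Install the LDAP modules from the prosody-modules checkout into Prosody's
# module directory. The copied files are loaded into the Prosody process with
# its privileges, so review the checkout before copying and leave the copies
# owned by root (not writable by the prosody user).
# Set PROSODY_MODULES_DIR if your Prosody uses a different plugin_paths.
modules_dir="${PROSODY_MODULES_DIR:-/usr/lib/prosody/modules}"

# Abort if the checkout is missing instead of copying from the wrong directory.
cd prosody-modules || exit 1
cp -- mod_auth_ldap2/mod_auth_ldap2.lua "${modules_dir}/mod_auth_ldap2.lua"
cp -- mod_storage_ldap/mod_storage_ldap.lua "${modules_dir}/mod_storage_ldap.lua"
# mod_storage_ldap ships a helper subdirectory that must sit next to the module.
cp -r -- mod_storage_ldap/ldap/ "${modules_dir}/"
cp -- mod_lib_ldap/ldap.lib.lua "${modules_dir}/ldap.lib.lua"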
Create a new configuration file for LDAP authentication. It will contain the bind password in plain text, so make it readable only by root and the user Prosody runs as (e.g. `chmod 640`, group `prosody`):
vim /etc/prosody/conf.d/ldap.cfg.lua
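-- Authentication configuration --
-- Loaded from /etc/prosody/conf.d/; the 'ldap' table is read by mod_auth_ldap2
-- (through ldap.lib.lua).
authentication = 'ldap2' -- Use mod_auth_ldap2 for authentication

ldap = {
hostname = 'ldap.example.com', -- LDAP server location
-- Talk to the directory over TLS. The bind password below and every user's
-- password are sent over this connection on each login, so without TLS they
-- cross the network in clear text. Only set this to false if the directory
-- offers no STARTTLS, and then keep the connection on a trusted network.
use_tls = true,
-- Service account used to search the directory. Both settings may be omitted
-- if the directory allows anonymous bind for the searches below.
bind_dn = 'uid=jabberd,ou=people,dc=example,dc=com',
-- Stored in plain text: keep this file readable only by root and the prosody user.
bind_password = 'xxxxxxxxxxxxxxxxxxxx',
user = {
basedn = 'ou=people,dc=example,dc=com', -- subtree that is searched for users
-- Only active accounts may log in; adjust both attributes to your schema.
filter = '(&(objectClass=User)(AccountActive=TRUE))',
-- Attribute that holds the XMPP username (JID localpart) -- verify against your directory.
namefield = 'cn',
},
}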
Then enable "ldap2" authentication on the "meet.example.com" virtual host, and add a separate virtual host with anonymous authentication for guests:
vim /etc/prosody/conf.d/meet.example.com.cfg.lua
-- Main Jitsi Meet host: users with LDAP accounts authenticate here.
VirtualHost "meet.example.com"
-- enabled = false -- Remove this line to enable this host
--authentication = "anonymous"
-- authentication = "internal_plain"
-- Use mod_auth_ldap2; it reads the 'ldap' table from conf.d/ldap.cfg.lua.
authentication = "ldap2"
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section ( if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
-- The private key must be readable by the prosody user and by nobody else.
ssl = {
key = "/etc/prosody/certs/meet.example.com.key" ;
certificate = "/etc/prosody/certs/meet.example.com.crt" ;
}
-- Jitsi Meet connects over BOSH (HTTP-bind); pubsub is enabled alongside it.
modules_enabled = {
"bosh" ;
"pubsub" ;
}
-- Guest host: anyone can connect here without credentials. NOTE(review): in
-- Jitsi's secure-domain setup guests are expected to only join rooms already
-- opened by an authenticated user on the main host -- confirm with your jicofo version.
VirtualHost "guest.meet.example.com"
authentication = "anonymous"
Last thing, set `consider_bosh_secure = true` in the global section of the Prosody configuration. This tells Prosody to treat BOSH sessions as encrypted, which LDAP authentication needs because it relies on the SASL PLAIN mechanism that Prosody only offers on sessions it considers secure. It is only safe when BOSH (port 5280) is reachable solely through the TLS-terminating reverse proxy, so keep that port firewalled from the outside.
vim /etc/prosody/prosody.cfg.lua
...
-- Treat every BOSH session as if it were encrypted. LDAP logins use SASL
-- PLAIN, which Prosody only offers on secure sessions, and BOSH itself is
-- plain HTTP. This is only safe when BOSH is reached exclusively through a
-- TLS-terminating reverse proxy; if port 5280 is exposed directly, directory
-- passwords would cross the network in clear text.
consider_bosh_secure = true
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
-- Left at false here -- NOTE(review): presumably so that the local Jitsi
-- components can still connect without TLS; confirm for your setup. With LDAP
-- this means a client on port 5222 may send its directory password without
-- STARTTLS, so restrict 5222 to localhost/the proxy if you cannot set it to true.
c2s_require_encryption = false
-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see the Prosody documentation on s2s security
-- (the URL in the stock config was truncated in this copy).
s2s_secure_auth = false
...
Don't forget to add the guest domain to your Jitsi Meet config (see https://github.com/jitsi/jicofo):
cat /etc/jitsi/meet/meet.example.com-config.js
....
domain:
'meet.example.com'
,
anonymousdomain:
'guest.meet.example.com'
,
....
Finally, restart Prosody and Jicofo (validating the configuration first, so a typo in the new LDAP config does not take the service down):
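# Check the configuration before restarting so a broken ldap.cfg.lua does not
# leave Prosody (and with it the whole conference service) down; stop at the
# first failing step.
prosodyctl check config && service prosody restart && service jicofo restart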