Use saslauth for prosody.
This commit is contained in:
parent
63b1ecd671
commit
3c9fa5cf2a
62
roles/prosody/files/default/saslauthd
Normal file
62
roles/prosody/files/default/saslauthd
Normal file
@ -0,0 +1,62 @@
|
||||
#
|
||||
# Settings for saslauthd daemon
|
||||
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
|
||||
#
|
||||
|
||||
# Should saslauthd run automatically on startup? (default: no)
|
||||
START=yes
|
||||
|
||||
# Description of this saslauthd instance. Recommended.
|
||||
# (suggestion: SASL Authentication Daemon)
|
||||
DESC="SASL Authentication Daemon"
|
||||
|
||||
# Short name of this saslauthd instance. Strongly recommended.
|
||||
# (suggestion: saslauthd)
|
||||
NAME="saslauthd"
|
||||
|
||||
# Which authentication mechanisms should saslauthd use? (default: pam)
|
||||
#
|
||||
# Available options in this Debian package:
|
||||
# getpwent -- use the getpwent() library function
|
||||
# kerberos5 -- use Kerberos 5
|
||||
# pam -- use PAM
|
||||
# rimap -- use a remote IMAP server
|
||||
# shadow -- use the local shadow password file
|
||||
# sasldb -- use the local sasldb database file
|
||||
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
|
||||
#
|
||||
# Only one option may be used at a time. See the saslauthd man page
|
||||
# for more information.
|
||||
#
|
||||
# Example: MECHANISMS="pam"
|
||||
MECHANISMS="ldap"
|
||||
|
||||
# Additional options for this mechanism. (default: none)
|
||||
# See the saslauthd man page for information about mech-specific options.
|
||||
MECH_OPTIONS=""
|
||||
|
||||
# How many saslauthd processes should we run? (default: 5)
|
||||
# A value of 0 will fork a new process for each connection.
|
||||
THREADS=5
|
||||
|
||||
# Other options (default: -c -m /var/run/saslauthd)
|
||||
# Note: You MUST specify the -m option or saslauthd won't run!
|
||||
#
|
||||
# WARNING: DO NOT SPECIFY THE -d OPTION.
|
||||
# The -d option will cause saslauthd to run in the foreground instead of as
|
||||
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
|
||||
# to run saslauthd in debug mode, please run it by hand to be safe.
|
||||
#
|
||||
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
|
||||
# See the saslauthd man page and the output of 'saslauthd -h' for general
|
||||
# information about these options.
|
||||
#
|
||||
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
|
||||
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
|
||||
#
|
||||
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
|
||||
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
|
||||
# then your Postfix is running in a chroot.
|
||||
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
|
||||
# running in a chroot.
|
||||
OPTIONS="-c -m /var/run/saslauthd"
|
2
roles/prosody/files/sasl/xmpp.conf
Normal file
2
roles/prosody/files/sasl/xmpp.conf
Normal file
@ -0,0 +1,2 @@
|
||||
pwcheck_method: saslauthd
|
||||
mech_list: PLAIN
|
@ -1,4 +1,7 @@
|
||||
---
|
||||
|
||||
- name: Restart saslauthd
|
||||
service: name=saslauthd state=restarted
|
||||
|
||||
- name: Restart prosody
|
||||
service: name=prosody state=restarted
|
||||
|
@ -1,22 +1,38 @@
|
||||
---
|
||||
|
||||
- name: Install prosody
|
||||
apt: name=prosody state=present
|
||||
tags: prosody
|
||||
- name: Install dependencies
|
||||
apt: name={{ item }} state=present
|
||||
with_items:
|
||||
- prosody
|
||||
- lua-cyrussasl
|
||||
- libsasl2-modules-ldap
|
||||
- sasl2-bin
|
||||
|
||||
- name: Enable backports
|
||||
apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
|
||||
tags: prosody
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/prosody/certs/{{ prosody_domain }}.key -out /etc/prosody/certs/{{ prosody_domain }}.crt -days 730 -subj "/CN={{ prosody_domain }}" creates=/etc/prosody/certs/{{ prosody_domain }}.crt
|
||||
|
||||
- name: Install prosody-modules
|
||||
apt: name=prosody-modules default_release=jessie-backports state=present
|
||||
tags: prosody
|
||||
- name: Ensure prosody is in sasl group
|
||||
user: name=prosody groups=sasl
|
||||
|
||||
- name: Ensure sasl configuration directory exists
|
||||
file: path=/etc/sasl/ state=directory
|
||||
|
||||
- name: Configure sasl
|
||||
copy: src={{ item }} dest=/etc/{{ item }}
|
||||
with_items:
|
||||
- default/saslauthd
|
||||
- sasl/xmpp.conf
|
||||
|
||||
- name: Configure sasl
|
||||
template: src=saslauthd.conf.j2 dest=/etc/saslauthd.conf
|
||||
notify: Restart saslauthd
|
||||
|
||||
- name: Configure prosody
|
||||
template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua
|
||||
notify: Restart prosody
|
||||
tags: prosody
|
||||
|
||||
- name: Start saslauthd
|
||||
service: name=saslauthd state=started enabled=yes
|
||||
|
||||
- name: Start prosody
|
||||
service: name=prosody state=started enabled=yes
|
||||
tags: prosody
|
||||
|
@ -130,7 +130,7 @@ s2s_secure_auth = false
|
||||
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
|
||||
-- for information about using the hashed backend.
|
||||
|
||||
authentication = "ldap2"
|
||||
authentication = "internal_plain"
|
||||
|
||||
-- Select the storage backend to use. By default Prosody uses flat files
|
||||
-- in its configured data directory, but it also supports more backends
|
||||
@ -159,24 +159,16 @@ log = {
|
||||
{ levels = { "error" }; to = "syslog"; };
|
||||
}
|
||||
|
||||
------ LDAP ------
|
||||
-- Settings for mod_lib_ldap and mod_auth_ldap2
|
||||
ldap = {
|
||||
hostname = '{{ ldap_host }}',
|
||||
user = {
|
||||
basedn = '{{ ldap_base }}',
|
||||
filter = '(objectClass=posixAccount)',
|
||||
usernamefield = 'uid',
|
||||
namefield = 'cn'
|
||||
}
|
||||
}
|
||||
|
||||
----------- Virtual hosts -----------
|
||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||
|
||||
VirtualHost "{{ prosody_domain }}"
|
||||
|
||||
authentication = "cyrus"
|
||||
cyrus_application_name = "xmpp"
|
||||
cyrus_service_name = "xmpp"
|
||||
|
||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||
-- set in the global section (if any).
|
||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||
|
4
roles/prosody/templates/saslauthd.conf.j2
Normal file
4
roles/prosody/templates/saslauthd.conf.j2
Normal file
@ -0,0 +1,4 @@
|
||||
ldap_servers: {{ ldap_uri }}
|
||||
ldap_search_base: {{ ldap_base }}
|
||||
ldap_bind_dn: {{ ldap_binddn }}
|
||||
ldap_password: {{ ldap_bindpw }}
|
Loading…
Reference in New Issue
Block a user