Use saslauth for prosody.

roles/prosody/files/default/saslauthd

@@ -0,0 +1,62 @@
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent  -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam       -- use PAM
+# rimap     -- use a remote IMAP server
+# shadow    -- use the local shadow password file
+# sasldb    -- use the local sasldb database file
+# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="ldap"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
+OPTIONS="-c -m /var/run/saslauthd"

roles/prosody/files/sasl/xmpp.conf

@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN

roles/prosody/handlers/main.yml

@@ -1,4 +1,7 @@
 ---
 
+- name: Restart saslauthd
+  service: name=saslauthd state=restarted
+
 - name: Restart prosody
   service: name=prosody state=restarted

roles/prosody/tasks/main.yml

@@ -1,22 +1,38 @@
 ---
 
-- name: Install prosody
-  apt: name=prosody state=present
-  tags: prosody
+- name: Install dependencies
+  apt: name={{ item }} state=present
+  with_items:
+  - prosody
+  - lua-cyrussasl
+  - libsasl2-modules-ldap
+  - sasl2-bin
 
-- name: Enable backports
-  apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
-  tags: prosody
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/prosody/certs/{{ prosody_domain }}.key -out /etc/prosody/certs/{{ prosody_domain }}.crt -days 730 -subj "/CN={{ prosody_domain }}" creates=/etc/prosody/certs/{{ prosody_domain }}.crt
 
-- name: Install prosody-modules
-  apt: name=prosody-modules default_release=jessie-backports state=present
-  tags: prosody
+- name: Ensure prosody is in sasl group
+  user: name=prosody groups=sasl
+
+- name: Ensure sasl configuration directory exists
+  file: path=/etc/sasl/ state=directory
+
+- name: Configure sasl
+  copy: src={{ item }} dest=/etc/{{ item }}
+  with_items:
+  - default/saslauthd
+  - sasl/xmpp.conf
+
+- name: Configure sasl
+  template: src=saslauthd.conf.j2 dest=/etc/saslauthd.conf
+  notify: Restart saslauthd
 
 - name: Configure prosody
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua
   notify: Restart prosody
-  tags: prosody
+
+- name: Start saslauthd
+  service: name=saslauthd state=started enabled=yes
 
 - name: Start prosody
   service: name=prosody state=started enabled=yes
-  tags: prosody

roles/prosody/templates/prosody.cfg.lua.j2

@@ -130,7 +130,7 @@ s2s_secure_auth = false
 -- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
 -- for information about using the hashed backend.
 
-authentication = "ldap2"
+authentication = "internal_plain"
 
 -- Select the storage backend to use. By default Prosody uses flat files
 -- in its configured data directory, but it also supports more backends
@@ -159,24 +159,16 @@ log = {
 	{ levels = { "error" }; to = "syslog";  };
 }
 
------- LDAP ------
--- Settings for mod_lib_ldap and mod_auth_ldap2
-ldap = {
-	hostname = '{{ ldap_host }}',
-	user = {
-		basedn = '{{ ldap_base }}',
-		filter = '(objectClass=posixAccount)',
-		usernamefield = 'uid',
-		namefield = 'cn'
-	}
-}
-
 ----------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
 -- Settings under each VirtualHost entry apply *only* to that host.
 
 VirtualHost "{{ prosody_domain }}"
 
+	authentication = "cyrus"
+	cyrus_application_name = "xmpp"
+	cyrus_service_name = "xmpp"
+
 	-- Assign this host a certificate for TLS, otherwise it would use the one
 	-- set in the global section (if any).
 	-- Note that old-style SSL on port 5223 only supports one certificate, and will always

roles/prosody/templates/saslauthd.conf.j2

@@ -0,0 +1,4 @@
+ldap_servers: {{ ldap_uri }}
+ldap_search_base: {{ ldap_base }}
+ldap_bind_dn: {{ ldap_binddn }}
+ldap_password: {{ ldap_bindpw }}