Use saslauth for prosody.
This commit is contained in:
parent
63b1ecd671
commit
3c9fa5cf2a
62
roles/prosody/files/default/saslauthd
Normal file
62
roles/prosody/files/default/saslauthd
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
#
|
||||||
|
# Settings for saslauthd daemon
|
||||||
|
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
|
||||||
|
#
|
||||||
|
|
||||||
|
# Should saslauthd run automatically on startup? (default: no)
|
||||||
|
START=yes
|
||||||
|
|
||||||
|
# Description of this saslauthd instance. Recommended.
|
||||||
|
# (suggestion: SASL Authentication Daemon)
|
||||||
|
DESC="SASL Authentication Daemon"
|
||||||
|
|
||||||
|
# Short name of this saslauthd instance. Strongly recommended.
|
||||||
|
# (suggestion: saslauthd)
|
||||||
|
NAME="saslauthd"
|
||||||
|
|
||||||
|
# Which authentication mechanisms should saslauthd use? (default: pam)
|
||||||
|
#
|
||||||
|
# Available options in this Debian package:
|
||||||
|
# getpwent -- use the getpwent() library function
|
||||||
|
# kerberos5 -- use Kerberos 5
|
||||||
|
# pam -- use PAM
|
||||||
|
# rimap -- use a remote IMAP server
|
||||||
|
# shadow -- use the local shadow password file
|
||||||
|
# sasldb -- use the local sasldb database file
|
||||||
|
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
|
||||||
|
#
|
||||||
|
# Only one option may be used at a time. See the saslauthd man page
|
||||||
|
# for more information.
|
||||||
|
#
|
||||||
|
# Example: MECHANISMS="pam"
|
||||||
|
MECHANISMS="ldap"
|
||||||
|
|
||||||
|
# Additional options for this mechanism. (default: none)
|
||||||
|
# See the saslauthd man page for information about mech-specific options.
|
||||||
|
MECH_OPTIONS=""
|
||||||
|
|
||||||
|
# How many saslauthd processes should we run? (default: 5)
|
||||||
|
# A value of 0 will fork a new process for each connection.
|
||||||
|
THREADS=5
|
||||||
|
|
||||||
|
# Other options (default: -c -m /var/run/saslauthd)
|
||||||
|
# Note: You MUST specify the -m option or saslauthd won't run!
|
||||||
|
#
|
||||||
|
# WARNING: DO NOT SPECIFY THE -d OPTION.
|
||||||
|
# The -d option will cause saslauthd to run in the foreground instead of as
|
||||||
|
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
|
||||||
|
# to run saslauthd in debug mode, please run it by hand to be safe.
|
||||||
|
#
|
||||||
|
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
|
||||||
|
# See the saslauthd man page and the output of 'saslauthd -h' for general
|
||||||
|
# information about these options.
|
||||||
|
#
|
||||||
|
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
|
||||||
|
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
|
||||||
|
#
|
||||||
|
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
|
||||||
|
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
|
||||||
|
# then your Postfix is running in a chroot.
|
||||||
|
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
|
||||||
|
# running in a chroot.
|
||||||
|
OPTIONS="-c -m /var/run/saslauthd"
|
2
roles/prosody/files/sasl/xmpp.conf
Normal file
2
roles/prosody/files/sasl/xmpp.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
pwcheck_method: saslauthd
|
||||||
|
mech_list: PLAIN
|
@ -1,4 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Restart saslauthd
|
||||||
|
service: name=saslauthd state=restarted
|
||||||
|
|
||||||
- name: Restart prosody
|
- name: Restart prosody
|
||||||
service: name=prosody state=restarted
|
service: name=prosody state=restarted
|
||||||
|
@ -1,22 +1,38 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
- name: Install prosody
|
- name: Install dependencies
|
||||||
apt: name=prosody state=present
|
apt: name={{ item }} state=present
|
||||||
tags: prosody
|
with_items:
|
||||||
|
- prosody
|
||||||
|
- lua-cyrussasl
|
||||||
|
- libsasl2-modules-ldap
|
||||||
|
- sasl2-bin
|
||||||
|
|
||||||
- name: Enable backports
|
- name: Ensure certificates are available
|
||||||
apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/prosody/certs/{{ prosody_domain }}.key -out /etc/prosody/certs/{{ prosody_domain }}.crt -days 730 -subj "/CN={{ prosody_domain }}" creates=/etc/prosody/certs/{{ prosody_domain }}.crt
|
||||||
tags: prosody
|
|
||||||
|
|
||||||
- name: Install prosody-modules
|
- name: Ensure prosody is in sasl group
|
||||||
apt: name=prosody-modules default_release=jessie-backports state=present
|
user: name=prosody groups=sasl
|
||||||
tags: prosody
|
|
||||||
|
- name: Ensure sasl configuration directory exists
|
||||||
|
file: path=/etc/sasl/ state=directory
|
||||||
|
|
||||||
|
- name: Configure sasl
|
||||||
|
copy: src={{ item }} dest=/etc/{{ item }}
|
||||||
|
with_items:
|
||||||
|
- default/saslauthd
|
||||||
|
- sasl/xmpp.conf
|
||||||
|
|
||||||
|
- name: Configure sasl
|
||||||
|
template: src=saslauthd.conf.j2 dest=/etc/saslauthd.conf
|
||||||
|
notify: Restart saslauthd
|
||||||
|
|
||||||
- name: Configure prosody
|
- name: Configure prosody
|
||||||
template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua
|
template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua
|
||||||
notify: Restart prosody
|
notify: Restart prosody
|
||||||
tags: prosody
|
|
||||||
|
- name: Start saslauthd
|
||||||
|
service: name=saslauthd state=started enabled=yes
|
||||||
|
|
||||||
- name: Start prosody
|
- name: Start prosody
|
||||||
service: name=prosody state=started enabled=yes
|
service: name=prosody state=started enabled=yes
|
||||||
tags: prosody
|
|
||||||
|
@ -130,7 +130,7 @@ s2s_secure_auth = false
|
|||||||
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
|
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
|
||||||
-- for information about using the hashed backend.
|
-- for information about using the hashed backend.
|
||||||
|
|
||||||
authentication = "ldap2"
|
authentication = "internal_plain"
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
-- in its configured data directory, but it also supports more backends
|
-- in its configured data directory, but it also supports more backends
|
||||||
@ -159,24 +159,16 @@ log = {
|
|||||||
{ levels = { "error" }; to = "syslog"; };
|
{ levels = { "error" }; to = "syslog"; };
|
||||||
}
|
}
|
||||||
|
|
||||||
------ LDAP ------
|
|
||||||
-- Settings for mod_lib_ldap and mod_auth_ldap2
|
|
||||||
ldap = {
|
|
||||||
hostname = '{{ ldap_host }}',
|
|
||||||
user = {
|
|
||||||
basedn = '{{ ldap_base }}',
|
|
||||||
filter = '(objectClass=posixAccount)',
|
|
||||||
usernamefield = 'uid',
|
|
||||||
namefield = 'cn'
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
----------- Virtual hosts -----------
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
VirtualHost "{{ prosody_domain }}"
|
VirtualHost "{{ prosody_domain }}"
|
||||||
|
|
||||||
|
authentication = "cyrus"
|
||||||
|
cyrus_application_name = "xmpp"
|
||||||
|
cyrus_service_name = "xmpp"
|
||||||
|
|
||||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
-- Assign this host a certificate for TLS, otherwise it would use the one
|
||||||
-- set in the global section (if any).
|
-- set in the global section (if any).
|
||||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
||||||
|
4
roles/prosody/templates/saslauthd.conf.j2
Normal file
4
roles/prosody/templates/saslauthd.conf.j2
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
ldap_servers: {{ ldap_uri }}
|
||||||
|
ldap_search_base: {{ ldap_base }}
|
||||||
|
ldap_bind_dn: {{ ldap_binddn }}
|
||||||
|
ldap_password: {{ ldap_bindpw }}
|
Loading…
Reference in New Issue
Block a user