From 3c9fa5cf2a3941f5ec6f56d2f9aa761d918023ef Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Fri, 8 Apr 2016 09:07:06 +0200
Subject: [PATCH] Use saslauth for prosody.

---
 roles/prosody/files/default/saslauthd | 62 ++++++++++++++++++++++
 roles/prosody/files/sasl/xmpp.conf | 2 +
 roles/prosody/handlers/main.yml | 3 ++
 roles/prosody/tasks/main.yml | 38 +++++++++----
 roles/prosody/templates/prosody.cfg.lua.j2 | 18 ++-----
 roles/prosody/templates/saslauthd.conf.j2 | 4 ++
 6 files changed, 103 insertions(+), 24 deletions(-)
 create mode 100644 roles/prosody/files/default/saslauthd
 create mode 100644 roles/prosody/files/sasl/xmpp.conf
 create mode 100644 roles/prosody/templates/saslauthd.conf.j2

diff --git a/roles/prosody/files/default/saslauthd b/roles/prosody/files/default/saslauthd
new file mode 100644
index 0000000..250c772
--- /dev/null
+++ b/roles/prosody/files/default/saslauthd
@@ -0,0 +1,62 @@
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam -- use PAM
+# rimap -- use a remote IMAP server
+# shadow -- use the local shadow password file
+# sasldb -- use the local sasldb database file
+# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="ldap"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
+OPTIONS="-c -m /var/run/saslauthd"
diff --git a/roles/prosody/files/sasl/xmpp.conf b/roles/prosody/files/sasl/xmpp.conf
new file mode 100644
index 0000000..c91a0c7
--- /dev/null
+++ b/roles/prosody/files/sasl/xmpp.conf
@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN
diff --git a/roles/prosody/handlers/main.yml b/roles/prosody/handlers/main.yml
index 880304c..08cb4f8 100644
--- a/roles/prosody/handlers/main.yml
+++ b/roles/prosody/handlers/main.yml
@@ -1,4 +1,7 @@
 ---
+- name: Restart saslauthd
+  service: name=saslauthd state=restarted
+
 - name: Restart prosody
   service: name=prosody state=restarted
diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml
index 4e239e4..aea5ab8 100644
--- a/roles/prosody/tasks/main.yml
+++ b/roles/prosody/tasks/main.yml
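Review bot: `OPTIONS="-c -m /var/run/saslauthd"` keeps saslauthd's credential cache on, so a password that verified once keeps authenticating from the cache until its entry expires, even after it was changed or the account was disabled in LDAP; for a directory-backed deployment that delays revocation by the cache lifetime. If the cache is wanted for load reasons, bound it with `-t` (seconds), e.g. `OPTIONS="-c -t 300 -m /var/run/saslauthd"`; otherwise drop `-c`. The surrounding comment block still only talks about Postfix, so a one-line note such as `# Used by prosody (mod_auth_cyrus) through /var/run/saslauthd/mux; prosody must be in the sasl group` would tell the next reader why this file lives in the prosody role.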
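Review bot: `mech_list: PLAIN` is the only mechanism saslauthd can verify (it needs the cleartext password to bind against LDAP), which means every login hands the password to the server in the clear inside the XMPP stream; that is acceptable only if Prosody never offers PLAIN on an unencrypted c2s connection. This file cannot enforce that, so confirm the global Prosody config (outside this diff) sets `c2s_require_encryption = true` and does not enable `allow_unencrypted_plain_auth`, if the installed Prosody version has that option. A comment recording the dependency would help: `# PLAIN is required by saslauthd (cleartext password); Prosody must only offer it over TLS`.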
@@ -1,22 +1,38 @@
 ---
-- name: Install prosody
-  apt: name=prosody state=present
-  tags: prosody
+- name: Install dependencies
+  apt: name={{ item }} state=present
+  with_items:
+    - prosody
+    - lua-cyrussasl
+    - libsasl2-modules-ldap
+    - sasl2-bin
-- name: Enable backports
-  apt_repository: repo='deb http://httpredir.debian.org/debian jessie-backports main' state=present
-  tags: prosody
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/prosody/certs/{{ prosody_domain }}.key -out /etc/prosody/certs/{{ prosody_domain }}.crt -days 730 -subj "/CN={{ prosody_domain }}" creates=/etc/prosody/certs/{{ prosody_domain }}.crt
-- name: Install prosody-modules
-  apt: name=prosody-modules default_release=jessie-backports state=present
-  tags: prosody
+- name: Ensure prosody is in sasl group
+  user: name=prosody groups=sasl
+
+- name: Ensure sasl configuration directory exists
+  file: path=/etc/sasl/ state=directory
+
+- name: Configure sasl
+  copy: src={{ item }} dest=/etc/{{ item }}
+  with_items:
+    - default/saslauthd
+    - sasl/xmpp.conf
+
+- name: Configure sasl
+  template: src=saslauthd.conf.j2 dest=/etc/saslauthd.conf
+  notify: Restart saslauthd
 - name: Configure prosody
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua
   notify: Restart prosody
-  tags: prosody
+
+- name: Start saslauthd
+  service: name=saslauthd state=started enabled=yes
 - name: Start prosody
   service: name=prosody state=started enabled=yes
-  tags: prosody
diff --git a/roles/prosody/templates/prosody.cfg.lua.j2 b/roles/prosody/templates/prosody.cfg.lua.j2
index 135bba1..4e43d26 100644
--- a/roles/prosody/templates/prosody.cfg.lua.j2
+++ b/roles/prosody/templates/prosody.cfg.lua.j2
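Review bot: The `template: src=saslauthd.conf.j2 dest=/etc/saslauthd.conf` task writes the LDAP bind password (`ldap_password` in that template) with Ansible's default mode, which normally means a world-readable 0644 from the umask; saslauthd reads the file as root on Debian, so it should be `template: src=saslauthd.conf.j2 dest=/etc/saslauthd.conf owner=root group=root mode=0600`. The private key produced by the openssl `command` task has the same gap: nothing sets its owner or mode, and the prosody user must be able to read it, so follow it with a `file:` task on `/etc/prosody/certs/{{ prosody_domain }}.key` setting `owner=root group=prosody mode=0640`. Two smaller points: the `copy:` task for `default/saslauthd` and `sasl/xmpp.conf` carries no `notify: Restart saslauthd`, so a later change to MECHANISMS or OPTIONS will not take effect until something else restarts the daemon, and `user: name=prosody groups=sasl` replaces the user's supplementary groups rather than adding one, so `user: name=prosody groups=sasl append=yes` is the safer form. The two tasks both named "Configure sasl" should also get distinct names so play output is readable.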
@@ -130,7 +130,7 @@ s2s_secure_auth = false
 -- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
 -- for information about using the hashed backend.
-authentication = "ldap2"
+authentication = "internal_plain"
 -- Select the storage backend to use. By default Prosody uses flat files
 -- in its configured data directory, but it also supports more backends
@@ -159,24 +159,16 @@ log = {
 { levels = { "error" }; to = "syslog"; };
 }
------- LDAP ------
--- Settings for mod_lib_ldap and mod_auth_ldap2
-ldap = {
-    hostname = '{{ ldap_host }}',
-    user = {
-        basedn = '{{ ldap_base }}',
-        filter = '(objectClass=posixAccount)',
-        usernamefield = 'uid',
-        namefield = 'cn'
-    }
-}
-
 ----------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
 -- Settings under each VirtualHost entry apply *only* to that host.
 VirtualHost "{{ prosody_domain }}"
+    authentication = "cyrus"
+    cyrus_application_name = "xmpp"
+    cyrus_service_name = "xmpp"
+
 -- Assign this host a certificate for TLS, otherwise it would use the one
 -- set in the global section (if any).
 -- Note that old-style SSL on port 5223 only supports one certificate, and will always
diff --git a/roles/prosody/templates/saslauthd.conf.j2 b/roles/prosody/templates/saslauthd.conf.j2
new file mode 100644
index 0000000..386387a
--- /dev/null
+++ b/roles/prosody/templates/saslauthd.conf.j2
@@ -0,0 +1,4 @@
+ldap_servers: {{ ldap_uri }}
+ldap_search_base: {{ ldap_base }}
+ldap_bind_dn: {{ ldap_binddn }}
+ldap_password: {{ ldap_bindpw }}
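Review bot: The global default moves from `ldap2` to `internal_plain`, a backend that stores passwords in cleartext in Prosody's data directory; since `cyrus` is only set on the single VirtualHost in the next hunk, any VirtualHost or component added later without its own `authentication` line would silently fall back to local plaintext accounts. Unless that is intended, make the global default the same backend, `authentication = "cyrus"`, or at least `internal_hashed`, and say why in a comment: `-- Global fallback only; the production backend is set per VirtualHost below`.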
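Review bot: `cyrus_application_name = "xmpp"` is the name libsasl2 uses to find the `xmpp.conf` that the tasks copy to `/etc/sasl/`, but the directory libsasl2 searches is build-dependent (on Debian it is commonly documented as `/etc/sasl2/` plus the library's plugin directory), so confirm the copied file is actually picked up; if it is not, the `pwcheck_method`/`mech_list` settings in it are not in effect. A comment on these three lines would spare the next reader the lookup: `-- Cyrus SASL app name; settings come from /etc/sasl/xmpp.conf (saslauthd, PLAIN only)`.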
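Review bot: saslauthd verifies a login by binding to LDAP with the user's cleartext password, so unless `{{ ldap_uri }}` is an `ldaps://` URI every login crosses the network unencrypted; when the URI is plain `ldap://`, add `ldap_start_tls: yes` together with `ldap_tls_cacert_file: /path/to/ca.pem`, or document that the variable must be `ldaps://`. `ldap_bind_dn`/`ldap_password` are a service credential that lands on disk in `/etc/saslauthd.conf`, so `ldap_bindpw` belongs in Ansible Vault and the task writing this template should restrict the file mode. No `ldap_filter` is set, so saslauthd's default user lookup applies, whereas the removed `ldap2` block restricted logins with `filter = '(objectClass=posixAccount)'`; setting it explicitly, e.g. `ldap_filter: (&(uid=%u)(objectClass=posixAccount))`, keeps the account scope deliberate.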