Software /
code /
prosody-modules
Diff
mod_auth_cyrus/README.md @ 4710:099dcdb732b1
mod_auth_cyrus: Import from Prosody rev 8f1e7fd55e7b
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 17 Oct 2021 17:08:07 +0200 |
child | 4926:b8366e31c829 |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_auth_cyrus/README.md Sun Oct 17 17:08:07 2021 +0200 @@ -0,0 +1,125 @@ +--- +title: Cyrus SASL +rockspec: + build: + modules: + util.sasl_cyrus: sasl_cyrus.lua +--- + +# Introduction + +XMPP uses a standard authentication protocol called 'SASL' to validate +client credentials. Prosody has a built-in SASL library, and uses this +by default to validate credentials against Prosody's internal account +store. + +Alternatively Prosody supports using Cyrus SASL, an external SASL +provider which can validate user-supplied credentials against other +sources, such as PAM, LDAP, SQL and more. It also allows the use of +GSSAPI for single-sign-on services. + +# Usage + +## lua-cyrussasl + +To allow Prosody to access Cyrus SASL you need to install lua-cyrussasl. +Information on how to do that on most platforms can be found on our +[dependencies page](/doc/depends). Those running Debian/Ubuntu can +simply: + +``` {.code} + sudo apt-get install lua-cyrussasl +``` + +On Redhat/CentOS, the [EPEL +repository](https://fedoraproject.org/wiki/EPEL) needs to be enabled, +after which you can install the package: + +``` {.code} + sudo yum install lua-cyrussasl +``` + +## Configuration + +Enable the cyrus backend by adding the following line to your config +file: + +``` {.code .lua} + authentication = "cyrus" + cyrus_service_name = "xmpp" -- Optional, defaults to "xmpp" +``` + +Configuring Cyrus SASL itself is currently beyond the scope of this +documentation. If you feel you could contribute a simple how-to, or know +the link of a good one to add below then [let us know](/discuss) +[:smile:]{.icon} + +Prosody's Cyrus SASL-related options: + + Option Default Description + ---------------------------- --------- -------------------------------------------------------------------------------------------------------------- + cyrus_service_name xmpp The service name to pass to Cyrus SASL. + cyrus_service_realm (auto) The realm to pass to Cyrus SASL, the virtual host the user is signing into if not specified. + cyrus_require_provisioning false If true then Prosody requires user accounts to exist in Prosody, even if successfully authenticated via SASL + cyrus_application_name prosody The application name to pass to Cyrus SASL. Determines the Cyrus SASL configuration file name. + cyrus_server_fqdn hostname passed to Cyrus + +## Troubleshooting + +### Permissions + +One of the most common issues is Prosody being unable to access the +saslauthd socket (this is obviously only an issue if you are using the +saslauthd daemon), used to communicate with the authentication daemon. +An example error caused by this would be: + +``` {.code} + Got SASL error condition -1: Password verification failed +``` + +This can be confirmed by trying testsaslauthd as root and then as the +user prosody runs as (typically 'prosody'); the former should succeed +and the latter should fail. + +The solution is to make sure that prosody can access the socket +(typically in /var/run/saslauthd/) by adding the 'prosody' user to the +'sasl' group (or otherwise ensuring that the prosody user has filesystem +permissions to access the socket). + +### Cyrus SASL Configuration file {#cyrus_sasl_configuration_file} + +Cyrus SASL needs a configuration file in order to know where to look for +user credentials. For Prosody, the file will be named prosody.conf by +default. Its location varies by OS and distribution; refer to the table +below or your local system documentation for where it should go. + + Location Platforms + ------------ ------------------- + /etc/sasl Debian and Ubuntu + /etc/sasl2 Arch, RHEL/CentOS + +The contents of the configuration file depend on what you want to +authenticate against. If you want to authenticate against local +accounts, you'll want to set up saslauthd (the configuration of +saslauthd varies from system to system), and your prosody.conf will look +like this: + +``` {.code} +pwcheck_method: saslauthd +mech_list: PLAIN +``` + +If using saslauthd, you must specify only PLAIN in the mech_list, as it +only supports plaintext authentication methods. + +## Other references {#other_references} + +- [Setting up Prosody to authenticate against LDAP (blog + post)](http://blog.marc-seeger.de/2009/12/30/setting-up-prosody-to-authenticate-against-ldap/) + - This post uses xmpp.conf, but the name is now prosody.conf (see + cyrus_application_name above) +- [Surviving Cyrus SASL + (PDF)](http://www.arschkrebs.de/slides/surviving_cyrus_sasl-handout.pdf) + [(view)](http://docs.google.com/viewer?url=http%3A%2F%2Fwww.arschkrebs.de%2Fslides%2Fsurviving_cyrus_sasl-handout.pdf) +- [Cyrus SASL error + codes](http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsasl/include/sasl.h#186)