From 2e3576f6ca7bce87c294bea97a75e77223fd1ed5 Mon Sep 17 00:00:00 2001
From: netaskd
Date: Wed, 13 Mar 2019 20:10:40 +0300
Subject: [PATCH] prosody: add LDAP authentication via SASL mechanism
---
 README.md | 20 +++++++-
 docker-compose.yml | 13 +++++
 env.example | 48 +++++++++++++++++++
 prosody/Dockerfile | 37 +++++++++-----
 .../rootfs/defaults/conf.d/jitsi-meet.cfg.lua | 13 +++--
 prosody/rootfs/defaults/saslauthd.conf | 21 ++++++++
 prosody/rootfs/etc/cont-init.d/10-config | 11 +++++
 prosody/rootfs/etc/sasl/xmpp.conf | 2 +
 .../rootfs/etc/services.d/10-saslauthd/run | 2 +
 9 files changed, 151 insertions(+), 16 deletions(-)
 create mode 100644 prosody/rootfs/defaults/saslauthd.conf
 create mode 100644 prosody/rootfs/etc/sasl/xmpp.conf
 create mode 100644 prosody/rootfs/etc/services.d/10-saslauthd/run
diff --git a/README.md b/README.md
index b031f6b..ecd5b2f 100644
--- a/README.md
+++ b/README.md
@@ -130,8 +130,26 @@ Variable | Description | Example
 --- | --- | ---
 `ENABLE_AUTH` | Enable authentication | 1
 `ENABLE_GUESTS` | Enable guest access | 1
+`ENABLE_LDAP_AUTH` | Enable authentication via LDAP. Depends on `ENABLE_AUTH` | 1
-Users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
+Variables that might be configured if the `ENABLE_LDAP_AUTH` is set:
+
+Variable | Description | Example
+--- | --- | ---
+`LDAP_URL` | URL for ldap connection | ldaps://ldap.domain.com/
+`LDAP_BASE` | LDAP base DN. Can be empty. | DC=example,DC=domain,DC=com
+`LDAP_BINDDN` | LDAP user DN. Do not specify this parameter for the anonymous bind. | CN=binduser,OU=users,DC=example,DC=domain,DC=com
+`LDAP_BINDPW` | LDAP user password. Do not specify this parameter for the anonymous bind. | LdapUserPassw0rd
+`LDAP_FILTER` | LDAP filter. | (sAMAccountName=%u)
+`LDAP_AUTH_METHOD` | LDAP authentication method. | bind
+`LDAP_VERSION` | LDAP protocol version | 3
+`LDAP_USE_TLS` | Enable LDAP TLS | 1
+`LDAP_TLS_CIPHERS` | Set TLS ciphers list to allow | SECURE256:SECURE128
+`LDAP_TLS_CHECK_PEER` | Require and verify LDAP server certificate | 1
+`LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
+`LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs
+
+Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
 In order to do that, first execute a shell in the corresponding container:
 ``docker-compose exec prosody /bin/bash``
diff --git a/docker-compose.yml b/docker-compose.yml
index 1483fa4..3b63a1d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,6 +39,19 @@ services:
 environment:
 - ENABLE_AUTH
 - ENABLE_GUESTS
+ - ENABLE_LDAP_AUTH
+ - LDAP_URL
+ - LDAP_BASE
+ - LDAP_BINDDN
+ - LDAP_BINDPW
+ - LDAP_FILTER
+ - LDAP_AUTH_METHOD
+ - LDAP_VERSION
+ - LDAP_USE_TLS
+ - LDAP_TLS_CIPHERS
+ - LDAP_TLS_CHECK_PEER
+ - LDAP_TLS_CACERT_FILE
+ - LDAP_TLS_CACERT_DIR
 - XMPP_DOMAIN
 - XMPP_AUTH_DOMAIN
 - XMPP_GUEST_DOMAIN
diff --git a/env.example b/env.example
index 726f771..759ae08 100644
--- a/env.example
+++ b/env.example
@@ -81,6 +81,54 @@ TZ=Europe/Amsterdam
 # Advanced configuration options (you generally don't need to change these)
 #
+# Enable LDAP authentication in prosody via SASL mechanism.
+# Note: turn on ENABLE_AUTH for get it work.
+#ENABLE_LDAP_AUTH=1
+
+###################### LDAP settings ############################
+# for detail information please see Cyrus SASL saslauthd.conf man page
+
+# LDAP url for connection.
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
+# %s - %s is replaced by the complete service string.
+# %r - %r is replaced by the complete realm string.
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow.
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+#################################################################
+
 # Internal XMPP domain.
 XMPP_DOMAIN=meet.jitsi
diff --git a/prosody/Dockerfile b/prosody/Dockerfile
index c0551ea..0fa8d5a 100644
--- a/prosody/Dockerfile
+++ b/prosody/Dockerfile
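Review bot: The `# Require and verify server certificate` comment above `#LDAP_TLS_CHECK_PEER=1` does not say what happens when the variable stays unset; the saslauthd.conf template in this patch defaults it to `0`, so an operator who copies this file unchanged gets an LDAP connection whose server certificate is never verified. Suggest `# Require and verify the LDAP server certificate (verification is OFF unless this is set to 1).` The `# LDAP user password` comment could likewise point out that `LDAP_BINDPW` ends up in a plain-text `.env` and in the container environment, so a read-only bind account with minimal directory rights is the appropriate choice.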
@@ -7,18 +7,31 @@ ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6
 RUN sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua
 RUN \
- apt-dpkg-wrap apt-get update && \
- apt-dpkg-wrap apt-get install -y lua5.2 liblua5.2-dev libssl1.0-dev lua-basexx luarocks gcc git && \
- apt-dpkg-wrap apt-get install -t stretch-backports -y prosody && \
- rm -rf /etc/prosody
-
-RUN \
- luarocks install lua-cjson 2.1.0-1 && \
- luarocks install luajwtjitsi
-
-RUN \
- apt-dpkg-wrap apt-get remove -y liblua5.2-dev libssl1.0-dev gcc git && \
- apt-cleanup
+ apt-dpkg-wrap apt-get update \
+ && apt-dpkg-wrap apt-get install -t stretch-backports -y \
+ prosody \
+ liblua5.2-dev \
+ sasl2-bin \
+ libsasl2-modules-ldap \
+ libsasl2-dev \
+ libssl1.0-dev \
+ lua-basexx \
+ lua-ldap \
+ luarocks \
+ git \
+ gcc \
+ && luarocks install cyrussasl 1.1.0-1 \
+ && luarocks install lua-cjson 2.1.0-1 \
+ && luarocks install luajwtjitsi 1.3-7 \
+ && apt-dpkg-wrap apt-get remove -t stretch-backports -y \
+ git \
+ gcc \
+ luarocks \
+ libsasl2-dev \
+ libssl1.0-dev \
+ liblua5.2-dev \
+ && apt-cleanup \
+ && rm -rf /etc/prosody
 COPY rootfs/ /
diff --git a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
index 8d4002e..a8f64eb 100644
--- a/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
+++ b/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
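Review bot: The `apt-get remove` at the end of the RUN only removes the six packages it names, not what they pulled in; gcc, git and luarocks bring transitive dependencies (binutils, cpp, perl and friends, for example) that stay in the final image and widen its attack surface, so `apt-get remove --auto-remove -y ...` (or an `apt-get autoremove -y` step after it) would be the tighter form, unless `apt-cleanup` already does this. `-t stretch-backports` on a `remove` has no effect and can be dropped. `lua-ldap` is installed but nothing else in the patch references it — the `cyrus` backend goes through the `cyrussasl` rock and saslauthd — so it looks unused; if it is meant for a future `mod_auth_ldap` path, a one-line comment saying so would save the next reader the question.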
@@ -12,14 +12,18 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU
 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
 {{ if .Env.ENABLE_AUTH | default "0" | toBool }}
- {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
+ {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
 authentication = "token"
 app_id = "{{ .Env.JWT_APP_ID }}"
 app_secret = "{{ .Env.JWT_APP_SECRET }}"
 allow_empty_token = false
- {{ else }}
+ {{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+ authentication = "cyrus"
+ cyrus_application_name = "xmpp"
+ allow_unencrypted_plain_auth = true
+ {{ else }}
 authentication = "internal_plain"
- {{ end }}
+ {{ end }}
 {{ else }}
 authentication = "anonymous"
 {{ end }}
@@ -34,6 +38,9 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
 {{ if .Env.XMPP_MODULES }}
 "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
 {{ end }}
+ {{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+ "auth_cyrus";
+ {{end}}
 }
 c2s_require_encryption = false
diff --git a/prosody/rootfs/defaults/saslauthd.conf b/prosody/rootfs/defaults/saslauthd.conf
new file mode 100644
index 0000000..16450ad
--- /dev/null
+++ b/prosody/rootfs/defaults/saslauthd.conf
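Review bot: `allow_unencrypted_plain_auth = true` in the new LDAP branch, combined with the existing `c2s_require_encryption = false` visible as context in the second hunk, lets real directory passwords be sent as SASL PLAIN over an unencrypted client connection; Prosody's default for this option is false, and the credentials at stake here are LDAP accounts rather than Prosody-local ones. If the reason is that BOSH sessions terminated by the TLS-fronting web container are not seen as secure by Prosody, `consider_bosh_secure = true` is the narrower knob (worth confirming against the mod_bosh documentation for the Prosody version in use); otherwise the trade-off should at least be called out in README so operators do not expose the c2s/BOSH ports in the clear. The precedence is also implicit: when both `JWT_ENABLE_TOKEN_AUTH` and `ENABLE_LDAP_AUTH` are set, token auth wins silently, which a one-line template comment such as `-- token auth takes precedence over LDAP when both are enabled` would make visible. Minor style: `{{end}}` in the modules block differs from the `{{ end }}` spacing used everywhere else in the file.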
@@ -0,0 +1,21 @@
+{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+ldap_servers: {{ .Env.LDAP_URL }}
+ldap_search_base: {{ .Env.LDAP_BASE }}
+ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
+ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
+ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
+ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
+ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
+ {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
+ldap_tls_key: /config/certs/{{ .Env.XMPP_DOMAIN }}.key
+ldap_tls_cert: /config/certs/{{ .Env.XMPP_DOMAIN }}.crt
+ {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
+ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
+ {{ end }}
+ {{ if .Env.LDAP_TLS_CIPHERS }}
+ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
+ {{ end }}
+ {{ end }}
+{{ end }}
diff --git a/prosody/rootfs/etc/cont-init.d/10-config b/prosody/rootfs/etc/cont-init.d/10-config
index 01b4925..2578f18 100644
--- a/prosody/rootfs/etc/cont-init.d/10-config
+++ b/prosody/rootfs/etc/cont-init.d/10-config
@@ -1,5 +1,16 @@
 #!/usr/bin/with-contenv bash
+if [[ ! -f /config/saslauthd.conf ]]; then
+ cp /defaults/saslauthd.conf /config/
+fi
+
+if [[ ! -f /etc/saslauthd.conf ]]; then
+ tpl /config/saslauthd.conf > /etc/saslauthd.conf
+ mkdir -pm777 /var/run/saslauthd
+ adduser prosody sasl
+ echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"
+fi
+
 PROSODY_CFG="/config/prosody.cfg.lua"
 if [[ ! -d /config/data ]]; then
diff --git a/prosody/rootfs/etc/sasl/xmpp.conf b/prosody/rootfs/etc/sasl/xmpp.conf
new file mode 100644
index 0000000..c91a0c7
--- /dev/null
+++ b/prosody/rootfs/etc/sasl/xmpp.conf
@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN
diff --git a/prosody/rootfs/etc/services.d/10-saslauthd/run b/prosody/rootfs/etc/services.d/10-saslauthd/run
new file mode 100644
index 0000000..75199bb
--- /dev/null
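Review bot: `LDAP_USE_TLS=1` only emits the `ldap_tls_*` options; the template never writes `ldap_start_tls: yes`, so with a plain `ldap://` URL the bind DN, bind password and every user password still reach the directory unencrypted and the client-certificate and CA options are silently unused. Either emit `ldap_start_tls: yes` inside that block when the URL is not `ldaps://` (StartTLS must not be combined with an `ldaps://` URL), or document that `LDAP_USE_TLS` assumes an `ldaps://` URL. Peer verification defaults off (`LDAP_TLS_CHECK_PEER | default "0"`), so the safe configuration is opt-in; defaulting it to `"1"`, given the CA paths already have defaults, would make an unverified TLS connection the explicit choice rather than the silent one. `ldap_tls_key`/`ldap_tls_cert` present the XMPP domain's server certificate as an LDAP client certificate, which only makes sense for directories doing mutual TLS, so gating those two lines on their own variable would be cleaner.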
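Review bot: `tpl /config/saslauthd.conf > /etc/saslauthd.conf` writes the rendered `ldap_bind_pw` with the process's default umask, so the LDAP bind password is typically readable by every user in the container; since saslauthd runs as root per the new service `run`, `( umask 077; tpl /config/saslauthd.conf > /etc/saslauthd.conf )` keeps it root-only at no cost. The unconditional `echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"` tells every libldap client in the container to accept an invalid or missing server certificate, which works against the template's `ldap_tls_check_peer`; make it conditional on `LDAP_TLS_CHECK_PEER` being unset, or drop it and rely on the template's `ldap_tls_cacert_*` lines. `mkdir -pm777 /var/run/saslauthd` makes the mux socket directory world-writable, whereas the `adduser prosody sasl` right below it is exactly what lets prosody reach a `root:sasl` mode-710 directory (the packaged default), so `mkdir -p /var/run/saslauthd && chown root:sasl /var/run/saslauthd && chmod 710 /var/run/saslauthd` should suffice — worth verifying against the permissions saslauthd gives the socket itself. The whole block also runs when `ENABLE_LDAP_AUTH` is unset (the template then renders an empty file), which is harmless but means the `adduser` and the ldap.conf edit happen on every LDAP-less deployment as well.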
+++ b/prosody/rootfs/etc/services.d/10-saslauthd/run
@@ -0,0 +1,2 @@
+#!/usr/bin/with-contenv bash
+exec s6-setuidgid root saslauthd -a ldap -O /etc/saslauthd.conf -c -m /var/run/saslauthd -n 5 -d
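Review bot: `saslauthd -a ldap` is started unconditionally, even when `ENABLE_LDAP_AUTH` is unset and Prosody is using `internal_plain`, `token` or `anonymous`, so an LDAP authenticator with an empty `/etc/saslauthd.conf` sits on the mux socket for no reason. One option is to have `10-config` create `/etc/services.d/10-saslauthd/down` when LDAP auth is off so s6 never starts the service; another is to guard here with `if [[ "${ENABLE_LDAP_AUTH:-0}" != "1" ]]; then exec sleep infinity; fi` (matching however the templates' `toBool` reads the value). `-c` enables saslauthd's credential cache with its default entry lifetime of 28800 seconds, so a password change or account disablement in the directory keeps working for up to eight hours; add `-t` with a short lifetime or drop `-c` if the directory can take the extra binds. `-d` keeps the daemon in the foreground, which is what s6 needs, but it also turns on saslauthd's debug output, so a comment such as `# -d: stay in the foreground for s6 (also enables debug logging)` would stop someone removing it as a leftover.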