
prosody: add LDAP authentication via SASL mechanism

netaskd 6 سال پیش
والد
کامیت
2e3576f6ca

+ 19 - 1
README.md

@@ -130,8 +130,26 @@ Variable | Description | Example
 --- | --- | ---
 `ENABLE_AUTH` | Enable authentication | 1
 `ENABLE_GUESTS` | Enable guest access | 1
+`ENABLE_LDAP_AUTH` | Enable authentication via LDAP. Depends on `ENABLE_AUTH` | 1
 
-Users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
+Variables that might be configured if the `ENABLE_LDAP_AUTH` is set:
+
+Variable | Description | Example
+--- | --- | ---
+`LDAP_URL` | URL for ldap connection | ldaps://ldap.domain.com/
+`LDAP_BASE` | LDAP base DN. Can be empty. | DC=example,DC=domain,DC=com
+`LDAP_BINDDN` | LDAP user DN. Do not specify this parameter for the anonymous bind. | CN=binduser,OU=users,DC=example,DC=domain,DC=com
+`LDAP_BINDPW` | LDAP user password. Do not specify this parameter for the anonymous bind. | LdapUserPassw0rd
+`LDAP_FILTER` | LDAP filter. | (sAMAccountName=%u)
+`LDAP_AUTH_METHOD` | LDAP authentication method. | bind
+`LDAP_VERSION` | LDAP protocol version | 3
+`LDAP_USE_TLS` | Enable LDAP TLS | 1
+`LDAP_TLS_CIPHERS` | Set TLS ciphers list to allow | SECURE256:SECURE128
+`LDAP_TLS_CHECK_PEER` | Require and verify LDAP server certificate | 1
+`LDAP_TLS_CACERT_FILE` | Path to CA cert file. Used when server sertificate verify is enabled | /etc/ssl/certs/ca-certificates.crt
+`LDAP_TLS_CACERT_DIR` | Path to CA certs directory. Used when server sertificate verify is enabled. | /etc/ssl/certs
+
+Internal users must be created with the ``prosodyctl`` utility in the ``prosody`` container.
 In order to do that, first execute a shell in the corresponding container:
 
 ``docker-compose exec prosody /bin/bash``

+ 13 - 0
docker-compose.yml

@@ -39,6 +39,19 @@ services:
         environment:
             - ENABLE_AUTH
             - ENABLE_GUESTS
+            - ENABLE_LDAP_AUTH
+            - LDAP_URL
+            - LDAP_BASE
+            - LDAP_BINDDN
+            - LDAP_BINDPW
+            - LDAP_FILTER
+            - LDAP_AUTH_METHOD
+            - LDAP_VERSION
+            - LDAP_USE_TLS
+            - LDAP_TLS_CIPHERS
+            - LDAP_TLS_CHECK_PEER
+            - LDAP_TLS_CACERT_FILE
+            - LDAP_TLS_CACERT_DIR
             - XMPP_DOMAIN
             - XMPP_AUTH_DOMAIN
             - XMPP_GUEST_DOMAIN

+ 48 - 0
env.example

@@ -81,6 +81,54 @@ TZ=Europe/Amsterdam
 # Advanced configuration options (you generally don't need to change these)
 #
 
+# Enable LDAP authentication in prosody via SASL mechanism.
+# Note: turn on ENABLE_AUTH for get it work.
+#ENABLE_LDAP_AUTH=1
+
+###################### LDAP settings ############################
+# for detail information please see Cyrus SASL saslauthd.conf man page
+
+# LDAP url for connection.
+#LDAP_URL=ldaps://ldap.domain.com/
+
+# LDAP base DN. Can be empty
+#LDAP_BASE=DC=example,DC=domain,DC=com
+
+# LDAP user DN. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDDN=CN=binduser,OU=users,DC=example,DC=domain,DC=com
+
+# LDAP user password. Do not specify this parameter for the anonymous bind.
+#LDAP_BINDPW=LdapUserPassw0rd
+
+# LDAP filter. Tokens example:
+# %1-9 - if the input key is user@mail.domain.com, then %1 is com, %2 is domain and %3 is mail.
+# %s - %s is replaced by the complete service string.
+# %r - %r is replaced by the complete realm string.
+#LDAP_FILTER=(sAMAccountName=%u)
+
+# LDAP authentication method
+#LDAP_AUTH_METHOD=bind
+
+# LDAP version
+#LDAP_VERSION=3
+
+# LDAP TLS using
+#LDAP_USE_TLS=1
+
+# List of SSL/TLS ciphers to allow.
+#LDAP_TLS_CIPHERS=SECURE256:SECURE128:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
+
+# Require and verify server certificate
+#LDAP_TLS_CHECK_PEER=1
+
+# Path to CA cert file. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_FILE=/etc/ssl/certs/ca-certificates.crt
+
+# Path to CA certs directory. Used when server sertificate verify is enabled.
+#LDAP_TLS_CACERT_DIR=/etc/ssl/certs
+
+#################################################################
+
 # Internal XMPP domain.
 XMPP_DOMAIN=meet.jitsi
 
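Review bot: The `LDAP_FILTER` comment lists `%1-9`, `%s` and `%r` but not `%u`, the token the example value itself relies on; add a line `# %u - replaced by the user name being authenticated.` The `ENABLE_LDAP_AUTH` note reads better as `# Note: ENABLE_AUTH must also be set for this to take effect.` Since the rendered saslauthd.conf only turns on `ldap_tls_check_peer` when `LDAP_TLS_CHECK_PEER` is set, leaving it commented out means the LDAP server certificate is not verified, and the comment above it should state that rather than just "Require and verify server certificate".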

+ 25 - 12
prosody/Dockerfile

@@ -7,18 +7,31 @@ ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6
 RUN sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua
 
 RUN \
-	apt-dpkg-wrap apt-get update && \
-	apt-dpkg-wrap apt-get install -y lua5.2 liblua5.2-dev libssl1.0-dev lua-basexx luarocks gcc git && \
-	apt-dpkg-wrap apt-get install -t stretch-backports -y prosody && \
-	rm -rf /etc/prosody
-
-RUN \
-	luarocks install lua-cjson 2.1.0-1 && \
-	luarocks install luajwtjitsi
-
-RUN \
-	apt-dpkg-wrap apt-get remove -y liblua5.2-dev libssl1.0-dev gcc git && \
-	apt-cleanup
+    apt-dpkg-wrap apt-get update \
+    && apt-dpkg-wrap apt-get install -t stretch-backports -y \
+      prosody \
+      liblua5.2-dev \
+      sasl2-bin \
+      libsasl2-modules-ldap \
+      libsasl2-dev \
+      libssl1.0-dev \
+      lua-basexx \
+      lua-ldap \
+      luarocks \
+      git \
+      gcc \
+    && luarocks install cyrussasl 1.1.0-1 \
+    && luarocks install lua-cjson 2.1.0-1 \
+    && luarocks install luajwtjitsi 1.3-7 \
+    && apt-dpkg-wrap apt-get remove -t stretch-backports -y \
+      git \
+      gcc \
+      luarocks \
+      libsasl2-dev \
+      libssl1.0-dev \
+      liblua5.2-dev \
+    && apt-cleanup \
+    && rm -rf /etc/prosody
 
 COPY rootfs/ /
 
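Review bot: `lua-ldap` is added to the runtime package list, but nothing in this commit uses it — the Prosody side authenticates through `authentication = "cyrus"` on the `cyrussasl` rock and saslauthd, not `mod_auth_ldap`; unless a file outside this diff needs it, drop it from the install list. `apt-get remove` without `--auto-remove` keeps whatever `gcc`, `git`, `luarocks` and the `-dev` packages pulled in transitively, unless `apt-cleanup` (not visible here) takes care of that. `-t stretch-backports` has no effect on a `remove` and can go from that line.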

+ 10 - 3
prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

@@ -12,14 +12,18 @@ asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AU
 
 VirtualHost "{{ .Env.XMPP_DOMAIN }}"
 {{ if .Env.ENABLE_AUTH | default "0" | toBool }}
-    {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
+  {{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
     authentication = "token"
     app_id = "{{ .Env.JWT_APP_ID }}"
     app_secret = "{{ .Env.JWT_APP_SECRET }}"
     allow_empty_token = false
-    {{ else }}
+  {{ else if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+    authentication = "cyrus"
+    cyrus_application_name = "xmpp"
+    allow_unencrypted_plain_auth = true
+  {{ else }}
     authentication = "internal_plain"
-    {{ end }}
+  {{ end }}
 {{ else }}
     authentication = "anonymous"
 {{ end }}
@@ -34,6 +38,9 @@ VirtualHost "{{ .Env.XMPP_DOMAIN }}"
         {{ if .Env.XMPP_MODULES }}
         "{{ join "\";\n\"" (splitList "," .Env.XMPP_MODULES) }}";
         {{ end }}
+        {{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+        "auth_cyrus";
+        {{end}}
     }
 
     c2s_require_encryption = false
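Review bot: The LDAP branch sets `allow_unencrypted_plain_auth = true` while the host keeps `c2s_require_encryption = false` (context line below), so a client that does not negotiate TLS sends its directory password in the clear on the c2s port; since saslauthd only offers PLAIN (`mech_list: PLAIN` in xmpp.conf), that applies to every LDAP login. If the c2s port is reachable only inside the compose network this may be acceptable, but it should be stated next to the setting; otherwise prefer `c2s_require_encryption = true` in this branch and drop `allow_unencrypted_plain_auth`. Prosody normally loads `mod_auth_<provider>` from the `authentication` value, so the second hunk's explicit `"auth_cyrus";` in `modules_enabled` looks redundant — worth confirming before keeping it. Minor: `{{end}}` in that hunk should be `{{ end }}` like the rest of the template.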

+ 21 - 0
prosody/rootfs/defaults/saslauthd.conf

@@ -0,0 +1,21 @@
+{{ if .Env.ENABLE_LDAP_AUTH | default "0" | toBool }}
+ldap_servers: {{ .Env.LDAP_URL }}
+ldap_search_base: {{ .Env.LDAP_BASE }}
+ldap_bind_dn: {{ .Env.LDAP_BINDDN }}
+ldap_bind_pw: {{ .Env.LDAP_BINDPW }}
+ldap_filter: {{ .Env.LDAP_FILTER | default "uid=%u" }}
+ldap_version: {{ .Env.LDAP_VERSION | default "3" }}
+ldap_auth_method: {{ .Env.LDAP_AUTH_METHOD | default "bind" }}
+  {{ if .Env.LDAP_USE_TLS | default "0" | toBool }}
+ldap_tls_key: /config/certs/{{ .Env.XMPP_DOMAIN }}.key
+ldap_tls_cert: /config/certs/{{ .Env.XMPP_DOMAIN }}.crt
+    {{ if .Env.LDAP_TLS_CHECK_PEER | default "0" | toBool }}
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: {{ .Env.LDAP_TLS_CACERT_FILE | default "/etc/ssl/certs/ca-certificates.crt" }}
+ldap_tls_cacert_dir: {{ .Env.LDAP_TLS_CACERT_DIR | default "/etc/ssl/certs" }}
+    {{ end }}
+    {{ if .Env.LDAP_TLS_CIPHERS }}
+ldap_tls_ciphers: {{ .Env.LDAP_TLS_CIPHERS }}
+    {{ end }}
+  {{ end }}
+{{ end }}
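Review bot: `LDAP_USE_TLS` never emits `ldap_start_tls: yes`, so with an `ldap://` URL the flag only configures a client key/cert and no encryption is negotiated; only an `ldaps://` URL actually gets TLS. Add `ldap_start_tls: yes` inside the `LDAP_USE_TLS` block (START_TLS is for plain `ldap://` connections, so it should be skipped when `LDAP_URL` is `ldaps://`). Certificate verification is also off unless `LDAP_TLS_CHECK_PEER` is set, which leaves the bind password and every user's credentials exposed to an interposed server by default; `{{ if .Env.LDAP_TLS_CHECK_PEER | default "1" | toBool }}` would make verification opt-out rather than opt-in. `ldap_tls_key`/`ldap_tls_cert` are saslauthd's client-certificate options, yet they point at the XMPP domain's server certificate; if those files are absent or not intended for client auth the connection may fail, so consider emitting them only when explicitly configured.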

+ 11 - 0
prosody/rootfs/etc/cont-init.d/10-config

@@ -1,5 +1,16 @@
 #!/usr/bin/with-contenv bash
 
+if [[ ! -f /config/saslauthd.conf ]]; then
+  cp /defaults/saslauthd.conf /config/
+fi
+
+if [[ ! -f /etc/saslauthd.conf ]]; then
+  tpl /config/saslauthd.conf > /etc/saslauthd.conf
+  mkdir -pm777 /var/run/saslauthd
+  adduser prosody sasl
+  echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"
+fi
+
 PROSODY_CFG="/config/prosody.cfg.lua"
 
 if [[ ! -d /config/data ]]; then
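Review bot: `tpl /config/saslauthd.conf > /etc/saslauthd.conf` writes the LDAP bind password into a file created with the default umask, typically world-readable, and `mkdir -pm777 /var/run/saslauthd` makes the mux socket directory world-writable even though `adduser prosody sasl` already gives prosody access through the group; root:sasl with mode 710 is enough for the socket. The unconditional `echo >> /etc/ldap/ldap.conf "TLS_REQCERT allow"` also disables certificate validation for any libldap client in the container that does not set its own require-cert option, regardless of `LDAP_TLS_CHECK_PEER`. Restrict the file modes and gate the ldap.conf line on verification being off, as below; the `install -g sasl` line relies on the same `sasl` group the existing `adduser` already assumes.
```shell
if [[ ! -f /etc/saslauthd.conf ]]; then
  (umask 077; tpl /config/saslauthd.conf > /etc/saslauthd.conf)
  install -d -m 710 -o root -g sasl /var/run/saslauthd
  adduser prosody sasl
  if [[ "${LDAP_TLS_CHECK_PEER:-0}" != "1" ]]; then
    echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf
  fi
fi
```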

+ 2 - 0
prosody/rootfs/etc/sasl/xmpp.conf

@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN

+ 2 - 0
prosody/rootfs/etc/services.d/10-saslauthd/run

@@ -0,0 +1,2 @@
+#!/usr/bin/with-contenv bash
+exec s6-setuidgid root saslauthd -a ldap -O /etc/saslauthd.conf -c -m /var/run/saslauthd -n 5 -d
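Review bot: `-d` appears to be what keeps saslauthd in the foreground for s6, but per its man page it is a debug mode that also writes every authentication attempt (user names, lookup results) to stderr and thus to the container log; say so in a comment, e.g. `# -d: stay in foreground for s6; note it also enables debug output`. `s6-setuidgid root` is a no-op because the service already runs as root and can be dropped. The service starts unconditionally, so with `ENABLE_LDAP_AUTH` unset saslauthd still runs `-a ldap` against an empty `/etc/saslauthd.conf`; 10-config could `touch /etc/services.d/10-saslauthd/down` in that case so s6 leaves it stopped.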