Discussion:
[prosody-dev] Debug mod_storage_ldap ?
Vincent Van Houtte
2016-05-06 19:02:04 UTC
Hello,

First off: a big thank you for creating Prosody - I have been using it for
some months now (in a 'lightweight configuration') and it is rock solid.
That is why I wanted to implement it for our local service club, hoping
that the more advanced features would also be easily configurable - but I
seem to have failed with mod_storage_ldap:

I have:
1. Commented out mod_groups
2. Downloaded ldap.lib.lua and ldap/vcard.lua
3. Configured the ldap-section of my Virtualhost:
plugin_paths = { "/usr/lib/prosody/modules/", "/etc/prosody/modules/" };
--groups_file = "/etc/prosody/sharedgroups.txt";

VirtualHost "domain"
    enabled = true;
    storage = "ldap"
    debug = true;

    modules_enabled = {
        "csi";
        "carbons";
        -- "cloud_notify";
        "smacks";
        "lastactivity";
        "offline";
        "http";
        "http_upload";
        "pubsub";
        "pubsub_feeds";
        "storage_ldap";
    }

    ldap = {
        hostname = '127.0.0.1',
        bind_dn = 'uid=uname,ou=people,dc=domain,dc=be',
        bind_password = 'secret',
        use_tls = true,

        user = {
            usernamefield = 'uid',
            basedn = 'ou=people,dc=domain,dc=be',
            filter = 'objectClass=posixAccount',
            namefield = 'displayName',
        },

        groups = {
            memberfield = 'member',
            namefield = 'cn',
            basedn = 'ou=groups,dc=domain,dc=be',

            {
                name = 'Leden',
                cn = 'leden',
                admin = false,
            },
            {
                name = 'Beheerders',
                cn = 'beheerders',
                admin = true,
            },
        },

        vcard_format = {
            displayname = 'cn',
            nickname = 'displayName',
            title = 'title',
            telephone = {
                {
                    work = 'telephoneNumber',
                }
            },
            address = {
                work = {
                    street = 'street',
                    locality = 'l',
                    ctry = 'c',
                },
            },
            email = {
                internet = {
                    userid = 'mail',
                },
            },
        },
    }

    ssl = {
        key = "/etc/letsencrypt/live/<domain>/privkey.pem";
        certificate = "/etc/letsencrypt/live/<domain>/fullchain.pem";
    }

4. Edited the mod_storage_ldap.lua because I am using rfc2307bis in our
LDAP dir (PosixAccount combined with GroupOfNames):
----------------------------------------
-- Roster Storage Implementation --
----------------------------------------

--inserted
function vvhsplit(source, delimiters)
    local elements = {}
    local pattern = '([^'..delimiters..']+)'
    string.gsub(source, pattern, function(value) elements[#elements + 1] = value; end);
    return elements
end
--end inserted

function adapters.roster:get(username)
    local ld = ldap.getconnection();
    local contacts = {};

    --inserted
    local memberelements = vvhsplit(params.groups.memberfield, ",=");
    local memberfield = memberelements[1];

    -- local memberfield = params.groups.memberfield;
    --end inserted

5. Restarted Prosody with debug logging

Result: the client does not show any LDAP contacts, while I don't receive
any error in the server logs.
Note: the SharedGroups.txt is generated from the LDAP server with the
following PHP script, which I have adapted and which is working perfectly:
#!/usr/bin/php
<?php
/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014 Adam M. Mohr, booshire.com
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

// FYI - This script makes a lot of assumptions about your openLDAP structure being fairly default.
// You may need to update some of this to fit your individual needs. Use ldapsearch -LLL to get a
// basic dump of your schema output to verify if things are not working correctly.
// Make sure you have php-ldap installed!

//LDAP Connection Settings
$ldap_host = "127.0.0.1";               //LDAP host IP to query
$ldap_port = "389";                     //Port for LDAP queries, default is 389
$base_dn = "dc=domain,dc=be";
$use_start_tls = TRUE;
$binddn = "uid=uname,ou=people,dc=domain,dc=be";
$bindpw = "secret";
$domain = "domain";                     //domain to append to users when writing data, should equal the
$groupMemberAttribute = "member";       //this changes per LDAP instance, usually member or memberUid
$groupFilterAttribute = "PosixGroup";   //this is the filter for the group type, PosixGroup is default for openLdap
$userFilterAttribute = "PosixAccount";  //this is the filter for the user type, PosixAccount is default for openLdap, or inetPerson
$userNameAttribute = "uid";             //this is the username attribute, usually is uid but can also be cn I believe
$userAttribute = "uid";

//LDAP connection and binding strings
$connect = ldap_connect($ldap_host, $ldap_port);
if (!$connect) {
    die("Cannot connect to LDAP server\n"); // no handle yet, so there is no ldap_error() to show
}
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3); //may need to change this but v3 is default now
if (TRUE == $use_start_tls) {
    // Stop here if STARTTLS fails; otherwise the bind below would send $bindpw in the clear.
    ldap_start_tls($connect) or die("Cannot start TLS: " . ldap_error($connect));
}
$bind = ldap_bind($connect, $binddn, $bindpw) or die("Cannot bind to {$base_dn} LDAP" . ldap_error($connect));

//LDAP Group search settings
$groupFilter = "(&(objectClass={$groupFilterAttribute})(cn=*))";
$groupAttributes = array('cn', $groupMemberAttribute);
$groupSearch = ldap_search($connect, $base_dn, $groupFilter, $groupAttributes) or die("Unable to search {$base_dn}" . ldap_error($connect));
$groupData = ldap_get_entries($connect, $groupSearch) or die("Unable to get LDAP entries" . ldap_error($connect));

// ldap_get_entries() lowercases attribute names, so look the configured attribute up the same way
$memberKey = strtolower($groupMemberAttribute);

//LDAP USER search settings
foreach ($groupData as $group) {
    if (!isset($group[$memberKey])) {
        continue;
    } else {
        echo "\n[+{$group['cn']['0']}]\n";
        $userSearch = ldap_read($connect, "{$group['dn']}", "(objectclass=*)", array($groupMemberAttribute));
        $sr = ldap_get_entries($connect, $userSearch);
        foreach ($sr[0][$memberKey] as $key) {
            if (is_numeric($key)) { // the 'count' element, not a member DN
                continue;
            }
            $memberSearch = ldap_read($connect, "{$key}", "(objectclass=*)", array("uid", "displayname"));
            $srm = ldap_get_entries($connect, $memberSearch);
            foreach ($srm as $keym) {
                if (!isset($keym['uid'][0])) {
                    continue;
                }
                $name = isset($keym['displayname'][0]) ? $keym['displayname'][0] : $keym['uid'][0];
                echo $keym['uid'][0] . "@{$domain}={$name}\n";
            }
        }
    }
}

// print_r($groupData);
?>


Thank you!
Kr,
Vincent
--
You received this message because you are subscribed to the Google Groups "prosody-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prosody-dev+***@googlegroups.com.
To post to this group, send email to prosody-***@googlegroups.com.
Visit this group at https://groups.google.com/group/prosody-dev.
For more options, visit https://groups.google.com/d/optout.
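The rfc2307bis point in the post above (groupOfNames, with member holding full DNs instead of the bare usernames a memberUid attribute holds), worked through as an added example. This is not Prosody's mod_storage_ldap code and not the PHP script from the post; it is a stand-alone Python sketch over a constructed directory, and it assumes that the username is the uid RDN of each member DN and that user entries live in the ou=people subtree. It shows the two things a DN-valued member attribute forces on you: a bare username never equals a member value, so membership has to be tested against the RDN pulled out of the DN (with RFC 4514 escapes handled, so an escaped comma or a hex-escaped UTF-8 byte does not break the split), and a member DN has to be checked to be a user entry before it is turned into a JID, because a groupOfNames may just as well list a service account or a nested group. The output uses the groups_file format the PHP script prints.

```python
# Added example for this thread (not Prosody's mod_storage_ldap, not the PHP
# script above): rfc2307bis groups (groupOfNames, member = full DN) resolved
# to usernames and mod_groups lines. Directory data is constructed; attribute
# keys are lowercase as PHP's ldap_get_entries() returns them.
import re

def split_dn(dn):
    """Split a DN into RDNs, honouring RFC 4514 backslash escapes."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf, i = buf + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            parts, buf, i = parts + [buf.strip()], "", i + 1
        else:
            buf, i = buf + dn[i], i + 1
    return parts + [buf.strip()]

def unescape_value(value):
    """Decode '\\,' -> ',' and hex pairs such as '\\c3\\bc' (UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode()
            i += 2
        else:
            out += value[i].encode()
            i += 1
    return out.decode()

def normalize_dn(dn):
    """Comparison form: lowercase, no whitespace around commas."""
    return ",".join(p.lower() for p in split_dn(dn))

def username_from_member(member_dn, user_basedn, usernamefield="uid"):
    """Username for a member DN, or None if the entry is not a user: it must sit
    in the user_basedn subtree and its RDN attribute must be usernamefield.
    Service accounts, nested groups and foreign subtrees are refused, not minted
    into JIDs."""
    if not normalize_dn(member_dn).endswith("," + normalize_dn(user_basedn)):
        return None
    attr, _, value = split_dn(member_dn)[0].partition("=")
    value = unescape_value(value.strip())
    return value if attr.strip().lower() == usernamefield.lower() and value else None

def member_matches(username, member_values, user_basedn):
    """Membership test for a DN-valued member attribute: the memberUid-style
    test (username == value) never matches, every value being a DN."""
    return any(username_from_member(v, user_basedn) == username for v in member_values)

def shared_groups(directory, group_basedn, user_basedn, domain, memberfield="member"):
    """{group cn: [(jid, display name), ...]} for the groupOfNames entries directly
    under group_basedn; display name from the member entry if present, else the
    username."""
    index = {normalize_dn(dn): attrs for dn, attrs in directory.items()}
    groups = {}
    for dn, attrs in directory.items():
        parent = normalize_dn(",".join(split_dn(dn)[1:]))
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if parent != normalize_dn(group_basedn) or "groupofnames" not in classes:
            continue
        members = []
        for member_dn in attrs.get(memberfield, []):
            username = username_from_member(member_dn, user_basedn)
            if username is not None:
                entry = index.get(normalize_dn(member_dn), {})
                members.append((f"{username}@{domain}", entry.get("displayname", [username])[0]))
        groups[attrs["cn"][0]] = members
    return groups

def render_groups_file(groups):
    """groups_file text as the PHP script prints it: [+cn] header, then user@host=Name lines."""
    lines = []
    for cn, members in groups.items():
        lines.append(f"[+{cn}]")
        lines.extend(f"{jid}={name}" for jid, name in members)
    return "\n".join(lines) + "\n"

# Constructed sample directory (DN -> attributes), rfc2307bis style.
USER_BASE = "ou=people,dc=domain,dc=be"
GROUP_BASE = "ou=groups,dc=domain,dc=be"
DIRECTORY = {
    "uid=alice,ou=people,dc=domain,dc=be": {
        "objectclass": ["posixAccount"], "uid": ["alice"], "displayname": ["Alice Example"]},
    "uid=bob,ou=people,dc=domain,dc=be": {
        "objectclass": ["posixAccount"], "uid": ["bob"], "displayname": ["Bob Example"]},
    r"uid=j\c3\bcrgen,ou=people,dc=domain,dc=be": {  # non-ASCII uid, hex-escaped UTF-8 bytes
        "objectclass": ["posixAccount"], "uid": ["jürgen"], "displayname": ["Jürgen Example"]},
    "cn=beheerders,ou=groups,dc=domain,dc=be": {
        "objectclass": ["groupOfNames"], "cn": ["beheerders"],
        "member": ["uid=alice,ou=people,dc=domain,dc=be"]},
    "cn=leden,ou=groups,dc=domain,dc=be": {
        "objectclass": ["groupOfNames"], "cn": ["leden"],
        "member": ["uid=alice,ou=people,dc=domain,dc=be",
                   "UID=bob, OU=people, DC=domain, DC=be",       # same entry, sloppy spelling
                   r"uid=j\c3\bcrgen,ou=people,dc=domain,dc=be",
                   "cn=ldapsync,ou=services,dc=domain,dc=be",    # service account, not a user
                   "cn=beheerders,ou=groups,dc=domain,dc=be"]},  # nested group, not a user
}

if __name__ == "__main__":
    print(render_groups_file(shared_groups(DIRECTORY, GROUP_BASE, USER_BASE, "domain")), end="")
```

Running it prints the groups file for the sample directory, with the service account and the nested group left out of leden. To use it against a real server, replace DIRECTORY with what ldapsearch returns when bound as the configured bind DN: if that account is not allowed to read member or displayName, the entries come back without those attributes and no error is raised, so checking what the bind DN can actually see is the first thing to do when a roster comes out empty without any log message.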
Martin Pittamitz
2018-09-06 07:44:28 UTC
Vincent, did you ever manage to solve this?

Best regards
Martin