|
|
@ -30,7 +30,7 @@ |
|
|
|
[ |
|
|
|
"lua52-event", |
|
|
|
"lua52-lpty", |
|
|
|
"prosody-mod-auth-external-hg", |
|
|
|
"prosody-mod-auth-imap-hg", |
|
|
|
"prosody-mod-auto-accept-subscriptions-hg", |
|
|
|
"prosody-mod-filter-chatstates-hg", |
|
|
|
"prosody-mod-http-upload-external-hg", |
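Review bot: `lua52-lpty` stays in the package list although the only consumer visible in this change, `prosody-mod-auth-external-hg`, is swapped out for `prosody-mod-auth-imap-hg`. If nothing else on the host needs lpty (it provides the pty support used by mod_auth_external), it is now a dead dependency and should be dropped in the same commit so the package list keeps matching the configured auth backend; if it is kept on purpose, a short comment on the line saying why would avoid the next reader removing it. The surrounding list starts before this hunk, so other entries may not be visible here.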
|
|
@ -152,58 +152,18 @@ |
|
|
|
notify: |
|
|
|
- restart prosody.service |
|
|
|
|
|
|
|
- name: set BASH authentication |
|
|
|
- name: set IMAP authentication |
|
|
|
lineinfile: |
|
|
|
path: /etc/prosody/prosody.cfg.lua |
|
|
|
regexp: '^\s*authentication\s*=' |
|
|
|
line: 'authentication = "external"' |
|
|
|
line: 'authentication = "imap"' |
|
|
|
notify: |
|
|
|
- restart prosody.service |
|
|
|
|
|
|
|
- name: send authentication script |
|
|
|
copy: |
|
|
|
content: | |
|
|
|
#!/bin/bash |
|
|
|
function ldap_esc() { |
|
|
|
printf %s "$1" | (LANG=C |
|
|
|
grep -o . | while IFS='' read -r c; do |
|
|
|
[[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c" |
|
|
|
done) |
|
|
|
} |
|
|
|
function do_auth() { |
|
|
|
local u d p |
|
|
|
IFS=: read u d p <<<"$1" |
|
|
|
ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \ |
|
|
|
-D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p" |
|
|
|
} |
|
|
|
function do_isuser() { |
|
|
|
local u d |
|
|
|
IFS=: read u d <<<"$1" |
|
|
|
ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \ |
|
|
|
-b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid: |
|
|
|
} |
|
|
|
function do_setpass() { |
|
|
|
false |
|
|
|
} |
|
|
|
while true; do |
|
|
|
IFS=: read fct params || { sleep 1s; continue; } |
|
|
|
case "$fct" in |
|
|
|
auth) do_auth "$params" ;; |
|
|
|
isuser) do_isuser "$params" ;; |
|
|
|
setpass) do_setpass "$params" ;; |
|
|
|
*) false ;; |
|
|
|
esac >/dev/null |
|
|
|
if [ $? -eq 0 ]; then |
|
|
|
echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice |
|
|
|
echo 1 |
|
|
|
else |
|
|
|
echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice |
|
|
|
echo 0 |
|
|
|
fi |
|
|
|
done |
|
|
|
- name: remove authentication script |
|
|
|
file: |
|
|
|
state: absent |
|
|
|
dest: /etc/prosody/external_auth.sh |
|
|
|
owner: prosody |
|
|
|
mode: 0500 |
|
|
|
|
|
|
|
- name: set SQL storage |
|
|
|
lineinfile: |
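Review bot: Switching `authentication = "imap"` changes which accounts may log in, and the task does not say so: the script being removed only ever bound `uid=…,ou=Users,{{ldap_root}}` (the `ldapwhoami -D` line and the `ldapsearch -b 'ou=Users,…'` lookup), whereas the IMAP backend will presumably accept any login the IMAP server accepts, and the lineinfile task carries no trace of that scope change. I would add a comment on the "set IMAP authentication" task, e.g. `# NOTE: mod_auth_imap accepts whatever the IMAP server accepts; the ou=Users scope enforced by external_auth.sh no longer applies — confirm the IMAP auth backend is restricted equivalently`. Also worth confirming (not visible here) that the IMAP server host/port the module connects to is configured somewhere, since the removed script's LDAP socket is no longer used and only the `authentication` line is set in this hunk. The "remove authentication script" task itself looks right: `state: absent` on the exact path the old task wrote.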
|
|
@ -225,13 +185,20 @@ |
|
|
|
password = "{{prosody_db_password}}", |
|
|
|
host = "/run/shared_sockets"} |
|
|
|
|
|
|
|
- name: restrict syslog (“debug” may contain passwords!) |
|
|
|
lineinfile: |
|
|
|
path: /etc/prosody/prosody.cfg.lua |
|
|
|
regexp: '^(\s*(?:--\s*)?)"*syslog"' |
|
|
|
backrefs: true |
|
|
|
line: '\1{ to = "syslog", levels = { min = "info" } };' |
|
|
|
|
|
|
|
- name: custom extra configuration |
|
|
|
blockinfile: |
|
|
|
path: /etc/prosody/prosody.cfg.lua |
|
|
|
marker: '-- {mark} Additional configuration' |
|
|
|
block: | |
|
|
|
-- configure bash authentication |
|
|
|
external_auth_command = "/etc/prosody/external_auth.sh" |
|
|
|
-- configure IMAP authentication |
|
|
|
auth_imap_verify_certificate = false |
|
|
|
-- hide OS type from mod_version output |
|
|
|
hide_os_type = true |
|
|
|
-- limit registration |
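Review bot: `auth_imap_verify_certificate = false` in the added block disables TLS certificate verification for the connection over which the IMAP backend presumably forwards every user's plaintext password, so anyone on path between Prosody and the IMAP server can impersonate the server and collect credentials; the IMAP host is not set in this hunk, so I cannot tell whether it is loopback or remote. Unless the IMAP server is reached over a Unix socket or the loopback interface, this should be `auth_imap_verify_certificate = true` with the server's CA trusted on the Prosody host, and if it must stay off for a local server the line needs a comment saying so, e.g. `-- IMAP server is local-only; certificate verification intentionally off`. The new "restrict syslog" task is a good companion change for the same reason (auth debug output can carry passwords), but it does not mitigate a transport-level interception.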
|
|
|