prosody: IMAP authentication

Yves G 2020-04-16 17:27:36 +02:00
parent 92f8844964
commit 94bc0c9392
2 changed files with 16 additions and 48 deletions


@ -6,4 +6,5 @@
dependencies:
- role: cleanupdate
- role: ldap
- role: dmz_haproxy
- role: dmz_nginx


@ -30,7 +30,7 @@
[
"lua52-event",
"lua52-lpty",
"prosody-mod-auth-external-hg",
"prosody-mod-auth-imap-hg",
"prosody-mod-auto-accept-subscriptions-hg",
"prosody-mod-filter-chatstates-hg",
"prosody-mod-http-upload-external-hg",
@ -152,58 +152,18 @@
notify:
- restart prosody.service
- name: set BASH authentication
- name: set IMAP authentication
lineinfile:
path: /etc/prosody/prosody.cfg.lua
regexp: '^\s*authentication\s*='
line: 'authentication = "external"'
line: 'authentication = "imap"'
notify:
- restart prosody.service
- name: send authentication script
copy:
content: |
#!/bin/bash
function ldap_esc() {
printf %s "$1" | (LANG=C
grep -o . | while IFS='' read -r c; do
[[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c"
done)
}
function do_auth() {
local u d p
IFS=: read u d p <<<"$1"
ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \
-D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p"
}
function do_isuser() {
local u d
IFS=: read u d <<<"$1"
ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \
-b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid:
}
function do_setpass() {
false
}
while true; do
IFS=: read fct params || { sleep 1s; continue; }
case "$fct" in
auth) do_auth "$params" ;;
isuser) do_isuser "$params" ;;
setpass) do_setpass "$params" ;;
*) false ;;
esac >/dev/null
if [ $? -eq 0 ]; then
echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice
echo 1
else
echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice
echo 0
fi
done
- name: remove authentication script
file:
state: absent
dest: /etc/prosody/external_auth.sh
owner: prosody
mode: 0500
- name: set SQL storage
lineinfile:
@ -225,13 +185,20 @@
password = "{{prosody_db_password}}",
host = "/run/shared_sockets"}
- name: restrict syslog (“debug” may contain passwords!)
lineinfile:
path: /etc/prosody/prosody.cfg.lua
regexp: '^(\s*(?:--\s*)?)"*syslog"'
backrefs: true
line: '\1{ to = "syslog", levels = { min = "info" } };'
- name: custom extra configuration
blockinfile:
path: /etc/prosody/prosody.cfg.lua
marker: '-- {mark} Additional configuration'
block: |
-- configure bash authentication
external_auth_command = "/etc/prosody/external_auth.sh"
-- configure IMAP authentication
auth_imap_verify_certificate = false
-- hide OS type from mod_version output
hide_os_type = true
-- limit registration
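Review bot: The `auth_imap_verify_certificate = false` line added to the "custom extra configuration" block disables TLS certificate checking for the backend that now receives every user's password, so unless the IMAP server is reached over loopback or a local socket (nothing in this hunk shows where it lives) anyone who can intercept that connection can read those credentials. Prefer leaving verification on and trusting the CA that signed the IMAP server's certificate; if it genuinely must be off, put the reason beside the line, e.g. `-- TODO(review): cert verification disabled -- IMAP reached over localhost only? confirm`. The removed external_auth.sh recorded every auth/isuser decision via systemd-cat and nothing in this commit replaces that audit trail, so check that what the imap module emits at the "info" floor set by the new syslog task is enough for incident response. The enclosing task list starts before this hunk.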