prosody: IMAP authentication
parent
92f8844964
commit
94bc0c9392
|
@ -6,4 +6,5 @@
|
|||
dependencies:
|
||||
- role: cleanupdate
|
||||
- role: ldap
|
||||
- role: dmz_haproxy
|
||||
- role: dmz_nginx
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
[
|
||||
"lua52-event",
|
||||
"lua52-lpty",
|
||||
"prosody-mod-auth-external-hg",
|
||||
"prosody-mod-auth-imap-hg",
|
||||
"prosody-mod-auto-accept-subscriptions-hg",
|
||||
"prosody-mod-filter-chatstates-hg",
|
||||
"prosody-mod-http-upload-external-hg",
|
||||
|
@ -152,58 +152,18 @@
|
|||
notify:
|
||||
- restart prosody.service
|
||||
|
||||
- name: set BASH authentication
|
||||
- name: set IMAP authentication
|
||||
lineinfile:
|
||||
path: /etc/prosody/prosody.cfg.lua
|
||||
regexp: '^\s*authentication\s*='
|
||||
line: 'authentication = "external"'
|
||||
line: 'authentication = "imap"'
|
||||
notify:
|
||||
- restart prosody.service
|
||||
|
||||
- name: send authentication script
|
||||
copy:
|
||||
content: |
|
||||
#!/bin/bash
|
||||
function ldap_esc() {
|
||||
printf %s "$1" | (LANG=C
|
||||
grep -o . | while IFS='' read -r c; do
|
||||
[[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c"
|
||||
done)
|
||||
}
|
||||
function do_auth() {
|
||||
local u d p
|
||||
IFS=: read u d p <<<"$1"
|
||||
ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \
|
||||
-D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p"
|
||||
}
|
||||
function do_isuser() {
|
||||
local u d
|
||||
IFS=: read u d <<<"$1"
|
||||
ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \
|
||||
-b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid:
|
||||
}
|
||||
function do_setpass() {
|
||||
false
|
||||
}
|
||||
while true; do
|
||||
IFS=: read fct params || { sleep 1s; continue; }
|
||||
case "$fct" in
|
||||
auth) do_auth "$params" ;;
|
||||
isuser) do_isuser "$params" ;;
|
||||
setpass) do_setpass "$params" ;;
|
||||
*) false ;;
|
||||
esac >/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice
|
||||
echo 1
|
||||
else
|
||||
echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice
|
||||
echo 0
|
||||
fi
|
||||
done
|
||||
- name: remove authentication script
|
||||
file:
|
||||
state: absent
|
||||
dest: /etc/prosody/external_auth.sh
|
||||
owner: prosody
|
||||
mode: 0500
|
||||
|
||||
- name: set SQL storage
|
||||
lineinfile:
|
||||
|
@ -225,13 +185,20 @@
|
|||
password = "{{prosody_db_password}}",
|
||||
host = "/run/shared_sockets"}
|
||||
|
||||
- name: restrict syslog (“debug” may contain passwords!)
|
||||
lineinfile:
|
||||
path: /etc/prosody/prosody.cfg.lua
|
||||
regexp: '^(\s*(?:--\s*)?)"*syslog"'
|
||||
backrefs: true
|
||||
line: '\1{ to = "syslog", levels = { min = "info" } };'
|
||||
|
||||
- name: custom extra configuration
|
||||
blockinfile:
|
||||
path: /etc/prosody/prosody.cfg.lua
|
||||
marker: '-- {mark} Additional configuration'
|
||||
block: |
|
||||
-- configure bash authentication
|
||||
external_auth_command = "/etc/prosody/external_auth.sh"
|
||||
-- configure IMAP authentication
|
||||
auth_imap_verify_certificate = false
|
||||
-- hide OS type from mod_version output
|
||||
hide_os_type = true
|
||||
-- limit registration
|
||||
|
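Review bot: The regexp on the `restrict syslog` task, `'^(\s*(?:--\s*)?)"*syslog"'`, cannot match the literal `"*syslog"` entry it evidently targets: in a regex `"*` is a quantifier on the quote character, so the pattern demands `syslog"` directly after an optional run of quotes and never accounts for the asterisk. With `backrefs: true`, lineinfile silently leaves the file untouched when nothing matches, so the log-level restriction meant to keep passwords out of syslog is never applied; escape the asterisk, `regexp: '^(\s*(?:--\s*)?)"\*syslog"'`. A second point in the same hunk: `auth_imap_verify_certificate = false` hands every user's password to the IMAP server without authenticating that server, so unless it is reached over loopback or a local socket (not shown here) the certificate should be verified against a trusted CA, or the preceding comment should state why verification is safe to skip. The blockinfile `block:` continues past the end of this hunk.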
|