prosody: IMAP authentication
parent
92f8844964
commit
94bc0c9392
|
@ -6,4 +6,5 @@
|
||||||
dependencies:
|
dependencies:
|
||||||
- role: cleanupdate
|
- role: cleanupdate
|
||||||
- role: ldap
|
- role: ldap
|
||||||
|
- role: dmz_haproxy
|
||||||
- role: dmz_nginx
|
- role: dmz_nginx
|
||||||
|
|
|
@ -30,7 +30,7 @@
|
||||||
[
|
[
|
||||||
"lua52-event",
|
"lua52-event",
|
||||||
"lua52-lpty",
|
"lua52-lpty",
|
||||||
"prosody-mod-auth-external-hg",
|
"prosody-mod-auth-imap-hg",
|
||||||
"prosody-mod-auto-accept-subscriptions-hg",
|
"prosody-mod-auto-accept-subscriptions-hg",
|
||||||
"prosody-mod-filter-chatstates-hg",
|
"prosody-mod-filter-chatstates-hg",
|
||||||
"prosody-mod-http-upload-external-hg",
|
"prosody-mod-http-upload-external-hg",
|
||||||
|
@ -152,58 +152,18 @@
|
||||||
notify:
|
notify:
|
||||||
- restart prosody.service
|
- restart prosody.service
|
||||||
|
|
||||||
- name: set BASH authentication
|
- name: set IMAP authentication
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/prosody/prosody.cfg.lua
|
path: /etc/prosody/prosody.cfg.lua
|
||||||
regexp: '^\s*authentication\s*='
|
regexp: '^\s*authentication\s*='
|
||||||
line: 'authentication = "external"'
|
line: 'authentication = "imap"'
|
||||||
notify:
|
notify:
|
||||||
- restart prosody.service
|
- restart prosody.service
|
||||||
|
|
||||||
- name: send authentication script
|
- name: remove authentication script
|
||||||
copy:
|
file:
|
||||||
content: |
|
state: absent
|
||||||
#!/bin/bash
|
|
||||||
function ldap_esc() {
|
|
||||||
printf %s "$1" | (LANG=C
|
|
||||||
grep -o . | while IFS='' read -r c; do
|
|
||||||
[[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c"
|
|
||||||
done)
|
|
||||||
}
|
|
||||||
function do_auth() {
|
|
||||||
local u d p
|
|
||||||
IFS=: read u d p <<<"$1"
|
|
||||||
ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \
|
|
||||||
-D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p"
|
|
||||||
}
|
|
||||||
function do_isuser() {
|
|
||||||
local u d
|
|
||||||
IFS=: read u d <<<"$1"
|
|
||||||
ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \
|
|
||||||
-b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid:
|
|
||||||
}
|
|
||||||
function do_setpass() {
|
|
||||||
false
|
|
||||||
}
|
|
||||||
while true; do
|
|
||||||
IFS=: read fct params || { sleep 1s; continue; }
|
|
||||||
case "$fct" in
|
|
||||||
auth) do_auth "$params" ;;
|
|
||||||
isuser) do_isuser "$params" ;;
|
|
||||||
setpass) do_setpass "$params" ;;
|
|
||||||
*) false ;;
|
|
||||||
esac >/dev/null
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice
|
|
||||||
echo 1
|
|
||||||
else
|
|
||||||
echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice
|
|
||||||
echo 0
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
dest: /etc/prosody/external_auth.sh
|
dest: /etc/prosody/external_auth.sh
|
||||||
owner: prosody
|
|
||||||
mode: 0500
|
|
||||||
|
|
||||||
- name: set SQL storage
|
- name: set SQL storage
|
||||||
lineinfile:
|
lineinfile:
|
||||||
|
@ -225,13 +185,20 @@
|
||||||
password = "{{prosody_db_password}}",
|
password = "{{prosody_db_password}}",
|
||||||
host = "/run/shared_sockets"}
|
host = "/run/shared_sockets"}
|
||||||
|
|
||||||
|
- name: restrict syslog (“debug” may contain passwords!)
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/prosody/prosody.cfg.lua
|
||||||
|
regexp: '^(\s*(?:--\s*)?)"*syslog"'
|
||||||
|
backrefs: true
|
||||||
|
line: '\1{ to = "syslog", levels = { min = "info" } };'
|
||||||
|
|
||||||
- name: custom extra configuration
|
- name: custom extra configuration
|
||||||
blockinfile:
|
blockinfile:
|
||||||
path: /etc/prosody/prosody.cfg.lua
|
path: /etc/prosody/prosody.cfg.lua
|
||||||
marker: '-- {mark} Additional configuration'
|
marker: '-- {mark} Additional configuration'
|
||||||
block: |
|
block: |
|
||||||
-- configure bash authentication
|
-- configure IMAP authentication
|
||||||
external_auth_command = "/etc/prosody/external_auth.sh"
|
auth_imap_verify_certificate = false
|
||||||
-- hide OS type from mod_version output
|
-- hide OS type from mod_version output
|
||||||
hide_os_type = true
|
hide_os_type = true
|
||||||
-- limit registration
|
-- limit registration
|
||||||
|
|
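Review bot: `auth_imap_verify_certificate = false` in the custom extra configuration block turns off TLS certificate checking for the IMAP backend that now receives every account's password at login, so anyone who can intercept the IMAP connection can present an arbitrary certificate and collect credentials. No IMAP host or TLS settings appear in the hunk, so the module defaults presumably apply; if the IMAP server is reached locally and that is why verification is off, record it in the adjacent comment, e.g. `-- IMAP server is local; certificate verification intentionally disabled`, otherwise keep verification enabled and make the server's certificate chain trusted instead. In the new "restrict syslog" task the regexp `'^(\s*(?:--\s*)?)"*syslog"'` treats `*` as a quantifier, so it matches `syslog"` with optional leading quotes but not the literal `"*syslog"` sink name used in Prosody's stock config; if the target line still has that form, escape it: `regexp: '^(\s*(?:--\s*)?)"\*syslog"'`. Because `backrefs: true` makes lineinfile a silent no-op when nothing matches, a miss would leave debug logging (and the passwords it may contain) unrestricted without any task failure, so a follow-up check that the rewritten line is actually present is worth adding.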