ejabberd: external authentication programs

    In a previous note, ejabberd with LDAP authorization, I described the main points of setting up an ejabberd server and connecting it to LDAP. Unfortunately, the capabilities of the standard LDAP authentication module were not enough for us. However, ejabberd lets you use external programs, including your own, for this purpose.


    So. Last time I settled on this configuration:
    {auth_method, ldap},                          % Authentication method: LDAP
    {ldap_servers, ["ldap.company.local"]},       % LDAP server address
    {ldap_port, 389},                             % Its port
    {ldap_base, "ou=people,dc=company,dc=local"}  % Base DN of user accounts
    

    Now all users with LDAP accounts can use our server. That does not quite suit me: I want to give this opportunity only to employees. All employees are members of the employees group (cn=employees,ou=groups,dc=company,dc=local).

    At first glance, you can achieve this with the ldap_filter parameter. But that is only at first glance. In all the examples that I found (and I reviewed a lot of them), the memberOf attribute of the account object, or one similar in meaning, is used. Unfortunately, in our configuration (based on OpenLDAP) there was no such attribute.

    After hours of studying LDAP filter guides and ejabberd features, I decided to try my own authentication program.

    Connecting an external program


    This is done very simply:
    {auth_method, external}.
    {extauth_program, "/path/to/program/program_name"}.
    

    Here /path/to/program/program_name is the path to the authentication program.

    How the program works


    Everything is very simple. The program runs in an endless loop, reading requests from standard input and writing the result to standard output.

    Each request and each response is preceded by two bytes containing its length (a 16-bit integer in network byte order).

    Requests may be as follows:
    • auth:User:Server:Password (verify authentication data)
    • isuser:User:Server (check whether the user exists)
    • setpass:User:Server:Password (set a new password for the user)

    In response, the program should send 1 if the request succeeded and 0 if it failed; the response is two bytes long, so its length prefix is always 2.


    Simple example


    Here is a simple example of an external authentication program written in PHP. PHP was used because we already had a ready-made library for working with our LDAP server.

    #!/usr/local/bin/php
    <?php
    // The LDAP helper ($ldap with getAccount() and membership()) is the author's
    // in-house library; the include and constructor below are placeholders,
    // not part of the original post.
    require_once '/path/to/ldap_library.php';
    $ldap = new CompanyLdap();

    while (true) {
            // Each request is preceded by a 2-byte big-endian length.
            $header = fread(STDIN, 2);
            if ($header === false || strlen($header) < 2) {
                    break; // ejabberd closed the pipe
            }
            $length = unpack('n', $header);
            $length = $length[1];
            if ($length > 0) {
                    $result = false;
                    $account = false;
                    // fread, not fgets: a newline inside the password must not cut the request short.
                    $data = fread(STDIN, $length);
                    // Limit of 4 keeps any colons inside the password together in $data[3].
                    $data = explode(':', $data, 4);
                    switch ($data[0]) {
                            case 'auth':
                                    $account = $ldap->getAccount($data[1], $data[3]);
                                    break;
                            case 'isuser':
                                    $account = $ldap->getAccount($data[1]);
                                    break;
                    }
                    if ($account) {
                            $groups = $account->membership();
                            $result = in_array('employees', $groups);
                    }
                    // Response: 2-byte length (always 2), then 2-byte result 0/1.
                    fwrite(STDOUT, pack('nn', 2, intval($result)));
                    fflush(STDOUT);
            }
    }
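
    The same request/response loop, as an added example in Python that is not part of the original post and does not use the author's LDAP library: a constructed in-memory directory (an assumption) stands in for LDAP, the framing follows the two-byte length rule described above, and the request is split with a limit so that colons inside a password are preserved.

```python
import struct
import sys

# Constructed stand-in for the LDAP directory (assumption): user -> (password, groups).
DIRECTORY = {
    "alice": ("s3cret:with:colons", ["employees", "admins"]),
    "bob": ("hunter2", ["contractors"]),
}
SERVER = "company.local"          # the only virtual host this script serves
REQUIRED_GROUP = "employees"      # group an account must belong to

def lookup(user, server, password=None):
    # Returns the account's groups, or None if unknown / wrong server / bad password.
    entry = DIRECTORY.get(user)
    if entry is None or server != SERVER:
        return None
    if password is not None and password != entry[0]:
        return None
    return entry[1]

def handle(request):
    # One unframed request, e.g. "auth:User:Server:Password"; returns True/False.
    # maxsplit=3 keeps any colons inside the password intact.
    fields = request.split(":", 3)
    if fields[0] == "auth" and len(fields) == 4:
        groups = lookup(fields[1], fields[2], fields[3])
    elif fields[0] == "isuser" and len(fields) == 3:
        groups = lookup(fields[1], fields[2])
    else:
        return False                  # setpass and malformed requests are refused
    return groups is not None and REQUIRED_GROUP in groups

def encode_response(ok):
    # Frame as ejabberd expects: 2-byte big-endian length (2), then 2-byte 0/1.
    return struct.pack(">HH", 2, 1 if ok else 0)

def serve(stdin, stdout):
    # Endless loop: 2-byte big-endian length, then the request of that length.
    while True:
        header = stdin.read(2)
        if len(header) < 2:
            return                    # ejabberd closed the pipe
        (length,) = struct.unpack(">H", header)
        body = stdin.read(length)
        if len(body) < length:
            return
        stdout.write(encode_response(handle(body.decode("utf-8", "replace"))))
        stdout.flush()
if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```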
    

