The InspIRCd Project

Modules/ldapauth

From Inspire IRCd (InspIRCd)


Description

This module allows you to accept or deny connections to your IRC servers using an LDAP (Lightweight Directory Access Protocol) server, and is customizable to work with the majority of LDAP setups, including Windows 2000 (and later) Active Directory.

Configuration Tags

To use this module you must define a tag as shown below:
<ldapauth baserdn="ou=People,dc=brainbox,dc=cc"
          attribute="uid"
          server="ldap://brainwave.brainbox.cc"
          allowpattern="Guest*"
          killreason="Access denied"
          searchscope="subtree"
          binddn="cn=Manager,dc=brainbox,dc=cc"
          bindauth="mysecretpass"
          verbose="yes"
          useusername="no">

The variables in the tag have the following meanings:

  • baserdn indicates the base Distinguished Name to search in for users.
  • attribute indicates the attribute which is used to locate a user account by name. On POSIX systems this is usually 'uid'.
  • server indicates the LDAP server to connect to. The ldap:// style scheme before the hostname proper is MANDATORY.
  • allowpattern allows you to specify a wildcard mask which will always be allowed to connect regardless of whether they have an account, for example guest users.
  • killreason indicates the QUIT reason to give to users if they fail to authenticate.
  • searchscope indicates the depth of search to perform. The default is 'subtree', supported types are 'subtree', 'base' and 'onelevel'.
  • verbose when set causes an oper notice to be sent out for every failed authentication to the server, with an error string from the LDAP server.
  • binddn and bindauth indicate the Distinguished Name to bind to for searching, and the password for the distinguished name. Some LDAP servers will allow anonymous searching in which case these two values do not need defining, otherwise they should be set similar to the examples above.
  • useusername, if set to yes, causes the connecting user's username/ident field to be used as the username for the LDAP search. The default, with this option set to no, is to use the user's nickname as the username for the LDAP search. (IMPORTANT: It is recommended that you do not run m_ident.so on a server where this value is set to YES. If you do, you may complicate matters for users trying to connect to your server, as the username field may vary in value depending on how long after connecting they authenticate to the LDAP server.)

Additional Modes

None

Additional Commands

None

Special Notes

This module will check the user's nickname against the user field, and their password against the password field. The password is collected using the RFC 1459 notation, e.g.
PASS :password


It is important to note that many LDAP systems have case sensitive usernames. This means that the nickname used to connect to IRC must also match the case of the username, even though IRC nicknames themselves are not case sensitive!


The user will not be prompted for their password; if this is not clear enough to your users, you should state it in the kill message. It is highly recommended that if you are using a system such as this, you disable nick changing once users are connected, with the following syntax in your configuration file:

<disabled commands="NICK">

With such a setting in place, you can be sure that everyone who connects is registered and cannot possibly impersonate others. Beware of mixing this system with other systems which may force user nick changes. If a user's nick is changed when such a system is in place, they will be unable to change it back without reconnecting!

When a user is authenticated, the SASL LDAP bind type is used, which in short means the authentication is left to the LDAP server, allowing support for practically any authentication method you may be using internally.
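The following is an added, offline model of the decision flow described by the configuration tag above and by these special notes; it is not m_ldapauth's own code. The LDAP server is replaced by a constructed in-memory directory, and the bind step is a plain password comparison standing in for the real LDAP bind. It shows the allowpattern bypass, the nickname-versus-ident choice made by useusername, the three searchscope depths, and why a nickname whose case differs from the directory's uid is refused. IRC-style mask matching is assumed to be case-insensitive, as nick matching is in IRC; the directory entries and passwords are sample values.

```python
"""Offline model of the ldapauth connect-time decision (illustration, not module code)."""
import fnmatch

# Constructed sample directory: DN -> attributes. Stands in for the LDAP server.
DIRECTORY = {
    "ou=People,dc=brainbox,dc=cc": {"objectClass": "organizationalUnit"},
    "uid=alice,ou=People,dc=brainbox,dc=cc": {"uid": "alice", "userPassword": "wonderland"},
    "uid=Bob,ou=People,dc=brainbox,dc=cc": {"uid": "Bob", "userPassword": "builder"},
    "uid=carol,ou=Staff,ou=People,dc=brainbox,dc=cc": {"uid": "carol", "userPassword": "s3cret"},
}

# Mirrors the <ldapauth> tag from the page (server/bind credentials omitted: no network here).
CONFIG = {
    "baserdn": "ou=People,dc=brainbox,dc=cc",
    "attribute": "uid",
    "allowpattern": "Guest*",
    "killreason": "Access denied",
    "searchscope": "subtree",
    "useusername": "no",
}


def dn_depth_below(dn, base):
    """How many RDNs `dn` sits below `base` (0 = the base entry), or None if outside it.
    Simplified: assumes no escaped commas inside RDN values."""
    if dn == base:
        return 0
    suffix = "," + base
    if not dn.endswith(suffix):
        return None
    return dn[: -len(suffix)].count(",") + 1


def irc_glob_match(mask, text):
    """IRC-style '*' / '?' mask match; assumed case-insensitive like nick matching."""
    return fnmatch.fnmatchcase(text.lower(), mask.lower())


def search(base, attribute, value, scope):
    """Emulate an LDAP search for attribute=value under `base` at the given scope.
    The attribute comparison is exact (case-sensitive), which is the behaviour the
    page warns about for directories with case-sensitive usernames."""
    max_depth = {"base": 0, "onelevel": 1, "subtree": None}[scope]
    hits = []
    for dn, attrs in DIRECTORY.items():
        depth = dn_depth_below(dn, base)
        if depth is None:
            continue                      # not under baserdn at all
        if max_depth is not None and depth > max_depth:
            continue                      # too deep for 'base' / 'onelevel'
        if scope == "onelevel" and depth == 0:
            continue                      # onelevel excludes the base entry itself
        if attrs.get(attribute) == value:
            hits.append(dn)
    return hits


def bind(dn, password):
    """Stand-in for the LDAP bind: succeeds only if the stored password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def authenticate(nick, ident, password, config=CONFIG):
    """Return (allowed, detail). `password` is what the client sent in PASS, if anything."""
    if irc_glob_match(config["allowpattern"], nick):
        return True, "allowpattern match; no LDAP account required"
    username = ident if config["useusername"] == "yes" else nick
    if not password:
        # The user is never prompted, so a missing PASS simply fails.
        return False, config["killreason"]
    matches = search(config["baserdn"], config["attribute"], username, config["searchscope"])
    if len(matches) != 1:
        return False, config["killreason"]  # no account, or ambiguous match
    if not bind(matches[0], password):
        return False, config["killreason"]  # wrong password
    return True, matches[0]


if __name__ == "__main__":
    print(authenticate("alice", "~alice", "wonderland"))  # accepted
    print(authenticate("Alice", "~alice", "wonderland"))  # refused: uid is case-sensitive
    print(authenticate("Guest42", "~g", ""))              # accepted via allowpattern
```

Run it with a nick whose case differs from the stored uid and the refusal matches the case-sensitivity note above; switch searchscope to "onelevel" and carol, who lives one OU deeper, is no longer found.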

Extra Module

This module is an 'extra' module. This means that by default it is not compiled when you type make to build your IRCd. To enable this module follow these steps.

Dependencies