|
|
| Line 1: |
Line 1: |
| | {{Note|This guide will show you how to use the Diaspora database for authentication, it will not synchronize your contact list or the like}} |
|
| |
|
| = Integrating Prosody with Diaspora = | | = Integrating Prosody with Diaspora = |
|
| |
|
| Here you will find all you need to install and set up a Prosody XMPP server integrated with your Diaspora user database. | | Here you will find all you need to install and set up a Prosody XMPP server integrated with your Diaspora user database. |
| This tutorial was developed using Debain 7 but it will probably work well for all GNU Distributions. | | This guide was tested using Debain 7 and Archlinux, but it will probably work well for all GNU distributions. |
| There are several steps and configurations you will need to perform, so read the instructions carefully. | | There are several steps and configurations you will need to perform, so read the instructions carefully. |
|
| |
|
| = Understanding = | | = Understanding = |
|
| |
|
| The main goal is to set up '''Prosody''' to be capable of comparing the password received by the XMPP client with the hashed password stored on your pod's '''Diaspora''' database. | | The main goal is to set up Prosody to be capable of comparing the password received by the XMPP client with the hashed password stored on your pod's Diaspora database. |
| '''Diaspora''''s password hash is done with the <tt>bcrypt</tt> library, so we need to patch '''Prosody''' to do the same with the received password. To do so, we need to install a modified [https://code.google.com/p/prosody-modules/wiki/mod_auth_sql - <tt>mod_auth_sql</tt>] module, available below.
| | Diasporas password hash is done using <tt>bcrypt</tt>, so we need to extend Prosody to do the same with the received password. To do so, we need to install a modified version of the [https://code.google.com/p/prosody-modules/wiki/mod_auth_sql - <tt>mod_auth_sql</tt>] module, available below. |
|
| |
|
| In this setup '''Prosody''' will use its own SQL database to store users' data, such as friends, etc. It will connect to the '''Diaspora''' database just to compare passwords. Then two database configurations will be required.
| | Since authentication methods can be set per host, you can use an existing Prosody instance with access to Diasporas database. |
| | |
| Follow the tutorial and this should work well.
| |
| | |
| = SQL =
| |
| | |
| Before installing '''Prosody''', create a database and a user for it. You can do it on the same '''Diaspora''' SQL server.
| |
| Just as with '''Diaspora''', you can choose between '''MySQL''' or '''PostgreSQL'''.
| |
|
| |
|
| = Prosody = | | = Prosody = |
|
| |
|
| Prosody is a modern XMPP communication server. It aims to be easy to set up and configure, and efficient with system resources. Additionally, it aims to be easy for developers to extend and to provide a flexible system on which to rapidly develop added functionality, or prototype new protocols. | | If you haven't yet, install Prosody. |
| * [http://prosody.im Prosody] - XMPP Server
| | Follow the official instructions described on their [http://prosody.im/download/start - official site]. |
|
| |
|
| == Installing Prosody ==
| | Once Prosody is installed, you can proceed. |
|
| |
|
| To install '''Prosody''', follow the official instructions described on their official site - [http://prosody.im/download/start - Download]
| | == Install bcrypt Lua library == |
|
| |
|
| Once '''Prosody''' is installed, you can proceed.
| | Lua or Prosody don't ship with the bcrypt library. If it isn't in your repositories, you can install it with the following command: |
| | |
| == Set up <tt>prosody.cfg.lua</tt> ==
| |
| | |
| Here is what you need to do to this file, separated under headings:
| |
| | |
| === <tt>modules_enabled</tt> ===
| |
| | |
| * Disable
| |
|
| |
|
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
| "saslauth"
| | luarocks install bcrypt |
| </syntaxhighlight> | | </syntaxhighlight> |
|
| |
|
| * Enable
| | Prosody still depends on Lua 5.1, if your distribution is already on Lua 5.2 you may need to change the command to <tt>luarocks-5.1</tt> or something similar. |
|
| |
|
| <syntaxhighlight lang="bash"> | | == Changes in <tt>prosody.cfg.lua</tt> == |
| "bosh"
| |
| "legacyauth"
| |
| </syntaxhighlight> | |
|
| |
|
| === Set up and configure SQL ===
| | There are a couple of required changes to your <tt>prosody.cfg.lua</tt>. |
|
| |
|
| The default auth method is <tt>internal</tt> and it must be replaced by <tt>sql</tt>. But <tt>sql</tt> requires configuration of SQL server, database, user and password to access '''Diaspora''' and '''Prosody''' databases.
| | === Plugin path === |
|
| |
|
| * Modify
| | Since we're going to install a new module, you should pick a location where you want to store it, for example <tt>/etc/prosody/modules</tt>. |
| | Then tell Prosody to look for modules there: |
|
| |
|
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="lua"> |
| authentication = "sql"
| | plugin_paths = { "/etc/prosody/modules" } |
| </syntaxhighlight> | | </syntaxhighlight> |
|
| |
|
| * Add
| | Don't worry, Prosody will continue looking for modules in the standard location. |
| | |
| <syntaxhighlight lang="bash">
| |
| storage = "sql"
| |
| </syntaxhighlight>
| |
|
| |
|
| '''MySQL setup'''
| | Now download the module to your machine: |
|
| |
|
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
| sql = { driver = "MySQL", database = "prosody_xmpp", username = "prosody_xmpp", password = "pass", host = "localhost" }
| | curl https://gist.githubusercontent.com/jhass/948e8e8d87b9143f97ad/raw/mod_auth_diaspora.lua > /etc/prosody/modules/mod_auth_diaspora.lua |
| sql_dsp = { driver = "MySQL", database = "diaspora_production", username = "diaspora", password = "pass", host = "localhost" }
| |
| </syntaxhighlight> | | </syntaxhighlight> |
|
| |
|
| '''PostgreSQL setup'''
| | === Add a virtual host for your pod === |
|
| |
|
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="lua"> |
| sql = { driver = "PostgreSQL", database = "prosody_xmpp", username = "prosody_xmpp", password = "pass", host = "localhost" }
| | VirtualHost "yourpod.example.org" |
| sql_dsp = { driver = "PostgreSQL", database = "diaspora_production", username = "diaspora", password = "pass", host = "localhost" }
| | authentication = "diaspora" |
| | -- Uncomment and adjust username and password for MySQL/MariaDB |
| | --auth_diaspora = { driver = "MySQL", database = "diaspora_production", username = "diaspora", password = "pass", host = "localhost" } |
| | -- Uncomment and adjust username and password for PostgreSQL |
| | --auth_diaspora = { driver = "PostgreSQL", database = "diaspora_production", username = "diaspora", password = "pass", host = "localhost" } |
| </syntaxhighlight> | | </syntaxhighlight> |
|
| |
|
| * <tt>sql</tt>
| | Replace <tt>yourpod.example.org</tt> with your pod's domain and adjust the username and password for the database connection. This is very important! |
|
| |
|
| This is the '''Prosody''' database setup in which '''Prosody''' will store users' friend lists and its own setup. The database user must have write permission on this file:
| | Read in [http://prosody.im/doc/dns Prosodys official documentation] on how to correctly update your nameserver records afterwards. |
|
| |
|
| * <tt>sql_dsp</tt>
| | === Other recommendations === |
|
| |
|
| This is the '''Diaspora''' database setup in which '''Prosody''' will search the user password. The database user only needs read permission.
| | Since we have to transmit the password in plaintext to the server, we strongly recommend to require encryption: |
|
| |
|
| === Set up <tt>c2s_require_encryption</tt> ===
| | <syntaxhighlight lang="lua"> |
| | |
| Modify:
| |
| | |
| <syntaxhighlight lang="bash"> | |
| c2s_require_encryption = true | | c2s_require_encryption = true |
| </syntaxhighlight>
| |
|
| |
| === Add to the file ===
| |
|
| |
| <syntaxhighlight lang="bash">
| |
| VirtualHost "your POD domain.foo"
| |
| </syntaxhighlight>
| |
|
| |
| Replace <tt>your POD domain.foo</tt> with your pod's domain. This is very important!
| |
|
| |
|
| |
| == Modify <tt>mod_auth_sql</tt> ==
| |
|
| |
| Below you get the entire <tt>mod_auth_sql</tt> file, create a file called <tt>mod_auth_sql</tt> in the '''Prosody''' module's directory and paste the following into it:
| |
|
| |
| In Debian 7 this directory is <tt>/usr/lib/prosody/modules/</tt>.
| |
|
| |
| <syntaxhighlight lang="lua">
| |
| -- Simple SQL Authentication module for Prosody IM
| |
| -- Copyright (C) 2011 Tomasz Sterna <tomek@xiaoka.com>
| |
| -- Copyright (C) 2011 Waqas Hussain <waqas20@gmail.com>
| |
| --
| |
| -- Modified by Anahuac de Paula Gil - anahuac@anahuac.eu
| |
| -- This will make prosody able to use Diaspora database users and passwords
| |
| -- 25/05/2014
| |
|
| |
| local log = require "util.logger".init("auth_sql");
| |
| local new_sasl = require "util.sasl".new;
| |
| local DBI = require "DBI"
| |
|
| |
| local connection;
| |
| local params = module:get_option("auth_sql", module:get_option("sql_dsp"));
| |
|
| |
| local resolve_relative_path = require "core.configmanager".resolve_relative_path;
| |
|
| |
| local function test_connection()
| |
| if not connection then return nil; end
| |
| if connection:ping() then
| |
| return true;
| |
| else
| |
| module:log("debug", "Database connection closed");
| |
| connection = nil;
| |
| end
| |
| end
| |
| local function connect()
| |
| if not test_connection() then
| |
| prosody.unlock_globals();
| |
| local dbh, err = DBI.Connect(
| |
| params.driver, params.database,
| |
| params.username, params.password,
| |
| params.host, params.port
| |
| );
| |
| prosody.lock_globals();
| |
| if not dbh then
| |
| module:log("debug", "Database connection failed: %s", tostring(err));
| |
| return nil, err;
| |
| end
| |
| module:log("debug", "Successfully connected to database");
| |
| dbh:autocommit(true); -- don't run in transaction
| |
| connection = dbh;
| |
| return connection;
| |
| end
| |
| end
| |
|
| |
| do -- process options to get a db connection
| |
| params = params or { driver = "SQLite3" };
| |
|
| |
| if params.driver == "SQLite3" then
| |
| params.database = resolve_relative_path(prosody.paths.data or ".", params.database or "prosody.sqlite");
| |
| end
| |
|
| |
| assert(params.driver and params.database, "Both the SQL driver and the database need to be specified");
| |
|
| |
| assert(connect());
| |
| end
| |
|
| |
| local function getsql(sql, ...)
| |
| if params.driver == "PostgreSQL" then
| |
| sql = sql:gsub("`", "\"");
| |
| end
| |
| if not test_connection() then connect(); end
| |
| -- do prepared statement stuff
| |
| local stmt, err = connection:prepare(sql);
| |
| if not stmt and not test_connection() then error("connection failed"); end
| |
| if not stmt then module:log("error", "QUERY FAILED: %s %s", err, debug.traceback()); return nil, err; end
| |
| -- run query
| |
| local ok, err = stmt:execute(...);
| |
| if not ok and not test_connection() then error("connection failed"); end
| |
| if not ok then return nil, err; end
| |
|
| |
| return stmt;
| |
| end
| |
|
| |
| local function mydebug(value,file)
| |
| fho,err = io.open("/tmp/" .. file,"w")
| |
| fho:write(value)
| |
| fho:write("\n")
| |
| fho:close()
| |
| end
| |
|
| |
| local function mydebug2(value)
| |
| fho,err = io.open("/tmp/teste2","w")
| |
| fho:write(value)
| |
| fho:write("\n")
| |
| fho:close()
| |
| end
| |
|
| |
| local function getsql_dsp(sql, ...)
| |
| if params.driver == "PostgreSQL" then
| |
| sql = sql:gsub("`", "\"");
| |
| end
| |
| if not test_connection() then connect(); end
| |
| -- do prepared statement stuff
| |
| local stmt, err = connection:prepare(sql);
| |
| if not stmt and not test_connection() then error("connection failed"); end
| |
| if not stmt then module:log("error", "QUERY FAILED: %s %s", err, debug.traceback()); return nil, err; end
| |
| -- run query
| |
| local ok, err = stmt:execute(...);
| |
| if not ok and not test_connection() then error("connection failed"); end
| |
| if not ok then return nil, err; end
| |
|
| |
| return stmt;
| |
| end
| |
|
| |
|
| |
| local function get_password(username)
| |
| local stmt, err = getsql_dsp("SELECT encrypted_password FROM users WHERE username = '" .. username .. "'");
| |
| if stmt then
| |
| for row in stmt:rows(true) do
| |
| return row.encrypted_password;
| |
| end
| |
| end
| |
| end
| |
|
| |
|
| |
| provider = {};
| |
|
| |
| function provider.test_password(username, password)
| |
| local bcrypt = require( "bcrypt" )
| |
|
| |
| -- pepper imported from diaspora/config/initializers/devise.rb
| |
| local pepper = "065eb8798b181ff0ea2c5c16aee0ff8b70e04e2ee6bd6e08b49da46924223e39127d5335e466207d42bf2a045c12be5f90e92012a4f05f7fc6d9f3c875f4c95b"
| |
| -- adding pepper to the regular password
| |
| local pw_plus_pepper = password .. pepper
| |
|
| |
| -- Getting password from Diaspora database
| |
| local pw_stored_dsp = get_password(username)
| |
|
| |
| -- Comparing password. If fail aborts
| |
| return password and assert( bcrypt.verify( pw_plus_pepper, pw_stored_dsp ))
| |
|
| |
| --return password and get_password(username) == password;
| |
| end
| |
| function provider.get_password(username)
| |
| return get_password(username);
| |
| end
| |
| function provider.set_password(username, password)
| |
| return nil, "Setting password is not supported.";
| |
| end
| |
| function provider.user_exists(username)
| |
| return get_password(username) and true;
| |
| end
| |
| function provider.create_user(username, password)
| |
| return nil, "Account creation/modification not supported.";
| |
| end
| |
| function provider.get_sasl_handler()
| |
| local profile = {
| |
| plain = function(sasl, username, realm)
| |
| local password = get_password(username);
| |
| if not password then return "", nil; end
| |
| return password, true;
| |
| end
| |
| };
| |
| return new_sasl(module.host, profile);
| |
| end
| |
|
| |
| function provider.users()
| |
| local stmt, err = getsql_dsp("SELECT username FROM user", module.host);
| |
| if stmt then
| |
| local next, state = stmt:rows(true)
| |
| return function()
| |
| for row in next, state do
| |
| return row.username;
| |
| end
| |
| end
| |
| end
| |
| return stmt, err;
| |
| end
| |
|
| |
|
| |
| module:provides("auth", provider);
| |
| </syntaxhighlight>
| |
|
| |
| == Install bcrypt Lua lib ==
| |
|
| |
| The modified <tt>mod_auth_sql</tt> requires <tt>bcrypt lib</tt> available. To have so, <tt>ru</tt> the command below to install it:
| |
|
| |
| <syntaxhighlight lang="lua">
| |
| luarocks install bcrypt
| |
| </syntaxhighlight> | | </syntaxhighlight> |
|
| |
|
| == Restart Prosody == | | == Restart Prosody == |
|
| |
|
| To complete the setup, just restart '''Prosody''': | | To complete the setup, just restart Prosody. |
| | |
| <syntaxhighlight lang="lua">
| |
| /etc/init.d/prosody restart
| |
| </syntaxhighlight>
| |
|
| |
|
| = Testing = | | = Testing = |
|
| |
|
| Just use your favorite XMMP client to connect to your '''Diaspora''' pod using your regular Diaspora account and password. | | Just use your favorite XMPP client to connect to your pod using your regular Diaspora account and password. |
 Note: | This guide will show you how to use the Diaspora database for authentication, it will not synchronize your contact list or the like |
Integrating Prosody with Diaspora
Here you will find all you need to install and set up a Prosody XMPP server integrated with your Diaspora user database.
This guide was tested using Debain 7 and Archlinux, but it will probably work well for all GNU distributions.
There are several steps and configurations you will need to perform, so read the instructions carefully.
Understanding
The main goal is to set up Prosody to be capable of comparing the password received by the XMPP client with the hashed password stored on your pod's Diaspora database.
Diasporas password hash is done using bcrypt, so we need to extend Prosody to do the same with the received password. To do so, we need to install a modified version of the - mod_auth_sql module, available below.
Since authentication methods can be set per host, you can use an existing Prosody instance with access to Diasporas database.
Prosody
If you haven't yet, install Prosody.
Follow the official instructions described on their - official site.
Once Prosody is installed, you can proceed.
Install bcrypt Lua library
Lua or Prosody don't ship with the bcrypt library. If it isn't in your repositories, you can install it with the following command:
Prosody still depends on Lua 5.1, if your distribution is already on Lua 5.2 you may need to change the command to luarocks-5.1 or something similar.
Changes in prosody.cfg.lua
There are a couple of required changes to your prosody.cfg.lua.
Plugin path
Since we're going to install a new module, you should pick a location where you want to store it, for example /etc/prosody/modules.
Then tell Prosody to look for modules there:
plugin_paths = { "/etc/prosody/modules" }
Don't worry, Prosody will continue looking for modules in the standard location.
Now download the module to your machine:
curl https://gist.githubusercontent.com/jhass/948e8e8d87b9143f97ad/raw/mod_auth_diaspora.lua > /etc/prosody/modules/mod_auth_diaspora.lua
Add a virtual host for your pod
VirtualHost "yourpod.example.org"
authentication = "diaspora"
-- Uncomment and adjust username and password for MySQL/MariaDB
--auth_diaspora = { driver = "MySQL", database = "diaspora_production", username = "diaspora", password = "pass", host = "localhost" }
-- Uncomment and adjust username and password for PostgreSQL
--auth_diaspora = { driver = "PostgreSQL", database = "diaspora_production", username = "diaspora", password = "pass", host = "localhost" }
Replace yourpod.example.org with your pod's domain and adjust the username and password for the database connection. This is very important!
Read in Prosodys official documentation on how to correctly update your nameserver records afterwards.
Other recommendations
Since we have to transmit the password in plaintext to the server, we strongly recommend to require encryption:
c2s_require_encryption = true
Restart Prosody
To complete the setup, just restart Prosody.
Testing
Just use your favorite XMPP client to connect to your pod using your regular Diaspora account and password.