Installing and configuring Prosody + LDAP support + Shared groups roster generator

From Fyzix
Jump to: navigation, search

Reference: http://www.sphaero.org/blog:2011:0718_prosody_jabber_and_ldap

Reference: https://wiki.debian.org/InstallingProsody#Cyrus_SASL_with_LDAP

Reference: https://wiki.debian.org/InstallingProsody#SSL_Encryption

Reference: https://wiki.koumbit.net/ProsodyConfiguration

Reference: http://prosody.im/doc/cyrus_sasl

Prerequesites

apt-get install prosody liblua5.1-cyrussasl0 libsasl2-modules-ldap libsasl2-2 libsasl2-modules sasl2-bin

Installation

saslauthd+ldap

Modify /etc/default/saslauthd to get sasl to operate properly. By default it authenticates to PAM.

START=yes
[...]
MECHANISMS="ldap"

Create /etc/saslauthd.conf

ldap_servers: ldap://10.1.38.93:389/
ldap_search_base: ou=people,dc=fyzix,dc=net
  • Reboot the server or restart services
service saslauthd restart

Now let's see if we can let Sasl talk against an LDAP server. Of course you don't do this if you only need PAM authentication….

Read LDAP_SASLAUTHD (google) for more information on configuration parameters.

Restart Sasl and run a test again this time for a user in your ldap tree.

testsaslauthd -u someuser -p somepass
0: OK "Success."

Create sasl directory

mkdir -p /etc/sasl

Create /etc/sasl/xmpp.conf

pwcheck_method: saslauthd
mech_list: PLAIN

SSL Encryption

The key / certificate pair for encryption between client / server and server / server is in « /etc/prosody/certs/ ». During installation the files localhost.cert and localhost.key are created, which are valid only for localhost, since you do not have a specific configuration for openssl yet ("/etc/ssl/openssl.cnf").

If you already have the files for im.example.org just point the configuration above. Else you will have to create them.

The creation of a key / certificate pair is not the subject of this page, for that refer to the documentation of openssl (TODO add link).

For example for a self-signed certificate:

openssl genrsa -out /etc/prosody/certs/ducati.fyzix.net.key 2048
openssl req -new -x509 -key /etc/prosody/certs/ducati.fyzix.net.key -out /etc/prosody/certs/ducati.fyzix.net.cert -days 1095

The footprint md5/sha1 (to distribute to your users to control the identity of the server during the first connection)

openssl x509 -fingerprint -md5 -in /etc/prosody/certs/ducati.fyzix.net.cert
openssl x509 -fingerprint -sha1 -in /etc/prosody/certs/ducati.fyzix.net.cert

Configure Prosody

Right that seems to go well. Let's have a look at Prosody. By default it enables an 'localhost' host. Open /etc/prosody/conf.d/localhost.cfg.lua and edit it correspondingly to enable ldap login on localhost:

Leave localhost as is if you are doing test on a local system. In my case I have setup an domain with the SRV records needed for Jabber. That's a different story. /etc/prosody/conf.d/localhost.cfg.lua:

-- Section for localhost

-- This allows clients to connect to localhost. No harm in it.
VirtualHost "localhost"
	--sasl_backend = "cyrus" -- 0.7
	authentication = "cyrus" -- 0.8
	anonymous_login = false
	allow_unencrypted_plain_auth = false
	cyrus_application_name = "xmpp"
	c2s_require_encryption = true

Prosody runs as the prosody user by default. This user needs to have access to the sasl directory and sockets. This is accomplished by adding the user to the sasl group.

usermod -a -G sasl prosody

Restart Prosody

service prosody restart

Test if your jabber client can login.

Finished Config (single domain)

Debug is ON

/etc/prosody/prosody.cfg.lua

-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
 
 
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
 
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }
 
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;
 
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
 
        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery
 
        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards
                --"privacy"; -- Support privacy lists
                --"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
 
        -- Nice to have
                "legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                "register"; -- Allow users to register on this server using a client and change passwords
                "adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client
 
        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
 
        -- Other specific functionality
                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                --"httpserver"; -- Serve static files from a directory over HTTP
                --"groups"; -- Shared roster support
                --"announce"; -- Send announcement to all online users
                --"welcome"; -- Welcome users who register accounts
                --"watchregistrations"; -- Alert admins of registrations
                --"motd"; -- Send a message to users when they log in
        -- Debian: do not remove this module, or you lose syslog
        -- support
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
};
 
-- These modules are auto-loaded, should you
-- (for some mad reason) want to disable
-- them then uncomment them below
modules_disabled = {
        -- "presence"; -- Route user/contact status information
        -- "message"; -- Route messages
        -- "iq"; -- Route info queries
        -- "offline"; -- Store offline messages
};
 
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = true;
 
-- Debian:
--   send the server to background.
--
daemonize = true;
 
-- Debian:
--   Please, don't change this option since /var/run/prosody/
--   is one of the few directories Prosody is allowed to write to
--
pidfile = "/var/run/prosody/prosody.pid";
 
-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
--ssl = {
--        key = "/etc/prosody/certs/localhost.key";
--        certificate = "/etc/prosody/certs/localhost.cert";
--}
 
-- Only allow encrypted streams? Encryption is already used when
-- available. These options will cause Prosody to deny connections that
-- are not encrypted. Note that some servers do not support s2s
-- encryption or have it disabled, including gmail.com and Google Apps
-- domains.
 
--c2s_require_encryption = false
--s2s_require_encryption = false
 
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
 
authentication = "internal_plain"
 
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
 
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
 
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
 
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
--
-- Debian:
--  Logs info and higher to /var/log
--  Logs errors to syslog also
log = {
        -- Log files (change 'info' to 'debug' for debug logs):
        debug = "/var/log/prosody/prosody.log";
        error = "/var/log/prosody/prosody.err";
        -- Syslog:
        { levels = { "error" }; to = "syslog";  };
}
 
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
 
VirtualHost "fyzix.net"
        enabled = true -- Remove this line to enable this host
        authentication = "cyrus"
        anonymous_login = false
        allow_unencrypted_plain_auth = false
        cyrus_application_name = "xmpp"
        cyrus_service_name = "xmpp"
        c2s_require_encryption = true
        debug = true; -- Log debug messages?
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/fyzix.net.key";
                certificate = "/etc/prosody/certs/fyzix.net.cert";
        }
 
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components
 
---Set up a MUC (multi-user chat) room server on conference.example.com:
--Component "conference.example.com" "muc"
 
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"
 
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--      component_secret = "password"
 
------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/
 
Include "conf.d/*.cfg.lua"

Finished config (single domain) with roster

Debug is off

MOTD is disabled.

/etc/prosody/prosody.cfg.lua

-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
 
 
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
 
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }
 
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;
 
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
 
        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery
 
        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards
                --"privacy"; -- Support privacy lists
                --"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
 
        -- Nice to have
                "legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                --"register"; -- Allow users to register on this server using a client and change passwords
                "adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client
 
        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                "admin_telnet"; -- Opens telnet console interface on localhost port 5582
 
        -- Other specific functionality
                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                --"httpserver"; -- Serve static files from a directory over HTTP
                "groups"; -- Shared roster support
                -- "default_bookmarks"; -- Default Bookmarks
                "group_bookmarks"; -- Group Bookmarks
                --"announce"; -- Send announcement to all online users
                --"welcome"; -- Welcome users who register accounts
                --"watchregistrations"; -- Alert admins of registrations
                -- "motd"; -- Send a message to users when they log in
        -- Debian: do not remove this module, or you lose syslog
        -- support
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
};
 
groups_file = "/etc/prosody/sharedgroups.txt"
group_bookmarks_file = "/etc/prosody/sharedbookmarks.txt"
-- motd_text = [[Welcome to fyzix.net XMPP Chat.
-- To join a chat room use
-- Server: conference.ducati.fyzix.net]]
--default_bookmarks = {
--        { jid = "fyzix@conference.ducati.fyzix.net", name = "fyzix.net" };
--};
 
-- These modules are auto-loaded, should you
-- (for some mad reason) want to disable
-- them then uncomment them below
modules_disabled = {
        -- "presence"; -- Route user/contact status information
        -- "message"; -- Route messages
        -- "iq"; -- Route info queries
        -- "offline"; -- Store offline messages
};
 
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;
 
-- Debian:
--   send the server to background.
--
daemonize = true;
 
-- Debian:
--   Please, don't change this option since /var/run/prosody/
--   is one of the few directories Prosody is allowed to write to
--
pidfile = "/var/run/prosody/prosody.pid";
 
-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
--ssl = {
--        key = "/etc/prosody/certs/localhost.key";
--        certificate = "/etc/prosody/certs/localhost.cert";
--}
 
-- Only allow encrypted streams? Encryption is already used when
-- available. These options will cause Prosody to deny connections that
-- are not encrypted. Note that some servers do not support s2s
-- encryption or have it disabled, including gmail.com and Google Apps
-- domains.
 
--c2s_require_encryption = false
--s2s_require_encryption = false
 
-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.
 
authentication = "internal_plain"
 
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
 
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
 
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
 
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
--
-- Debian:
--  Logs info and higher to /var/log
--  Logs errors to syslog also
log = {
        -- Log files (change 'info' to 'debug' for debug logs):
        info = "/var/log/prosody/prosody.log";
        error = "/var/log/prosody/prosody.err";
        -- Syslog:
        { levels = { "error" }; to = "syslog";  };
}
 
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
 
VirtualHost "ducati.fyzix.net"
        enabled = true -- Remove this line to enable this host
        authentication = "cyrus"
        anonymous_login = false
        allow_unencrypted_plain_auth = false
        cyrus_application_name = "xmpp"
        cyrus_service_name = "xmpp"
        c2s_require_encryption = true
        debug = true; -- Log debug messages?
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/ducati.fyzix.net.key";
                certificate = "/etc/prosody/certs/ducati.fyzix.net.cert";
        }
 
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components
 
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.ducati.fyzix.net" "muc"
 
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"
 
---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--      component_secret = "password"
 
------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/
 
Include "conf.d/*.cfg.lua"

Notes

Don't use these. But note the variables if needed.

/etc/saslauthd.conf

ldap_servers: ldap://10.1.38.93:389/
ldap_search_base: ou=people,dc=fyzix,dc=net
ldap_bind_dn: cn=admin,ou=people,dc=fyzix,dc=net
ldap_password: password
ldap_filter: (cn=%u)

Or

ldap_servers: ldap://10.1.38.93:389/
ldap_search_base: ou=people,dc=fyzix,dc=net

Or

ldap_servers: ldap://10.1.38.93:389/
ldap_search_base: ou=people,dc=fyzix,dc=net
ldap_bind_dn: cn=administrator,DC=fyzix,DC=net
ldap_password: the_administrator_password
ldap_group_attr: memberUid
ldap_group_match_method: filter
ldap_group_filter: (memberUid=%u)
ldap_group_search_base: ou=people,dc=fyzix,dc=net

Parse LDAP and create shared roster groups

/mnt/ext/bin/runphpldaplist.php

#!/usr/bin/php
<?php
/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014 Adam M. Mohr, booshire.com
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 * */
 
// FYI - This script makes a lot of assumptions about your openLDAP structure being fairly default
// you may need to update some of this to fit your individual needs. Use ldapsearch -LLL to get a
// basic dump of your schema output to verify if things are not working correctly
// Make sure you have php-ldap installed!
 
//LDAP Connection Settings
        $ldap_host = "10.1.38.93"; //LDAP host IP to query
        $ldap_port = "389"; //Port for LDAP queries, default is 389
        $base_dn = "dc=fyzix,dc=net";
        $domain = "fyzix.net"; //domain to append to users when writing data, should equal the
        $groupMemberAttribute = "memberuid"; // this changes per LDAP instance, usually member or memberUid
        $groupFilterAttribute = "PosixGroup"; //this is the filter for the group type, PosixGroup is default for openLdap
        $userFilterAttribute = "PosixAccount"; //this is the filter for the user type, PosixAccount is default for opeLdap, or inetPerson
        $userNameAttribute = "uid"; //this is the username attribute, usually is uid but can also be cn I believe
 
//LDAP connection and binding strings
        $connect = ldap_connect($ldap_host,$ldap_port) or die("Cannot connect to LDAP server".ldap_error($connect));
        ldap_set_option($connect,LDAP_OPT_PROTOCOL_VERSION, 3); //may need to change this but v3 is default now
        $bind = ldap_bind($connect) or die("Cannot bind to {$base_dn} LDAP".ldap_error($connect));
 
//LDAP Group search settings
        $groupFilter = "(&(objectClass={$groupFilterAttribute})(cn=*))";
        $groupAttributes = array('cn',$groupMemberAttribute);
        $groupSearch = ldap_search($connect, $base_dn, $groupFilter, $groupAttributes) or die("Unable to search {$base_dn}".ldap_error($connect));
        $groupData = ldap_get_entries($connect, $groupSearch) or die("Unable to get LDAP entries".ldap_error($connect));
 
//LDAP USER search settings
        $userFilter = "(&(objectClass={$userFilterAttribute})({$userNameAttribute}=*))";
        $userAttributes = array($userNameAttribute);
        $userSearch = ldap_search($connect, $base_dn, $userFilter, $userAttributes);
        ldap_sort($connect, $userSearch, $userNameAttribute);
        $userData = ldap_get_entries($connect, $userSearch);
 
//Create an ALL group which contains all users. This is because the default all group in ldap does not actually list all users
        echo "[+All]\n";
        foreach($userData as $key){
                if(!isset($key[$userNameAttribute]['0'])){
                        continue;
                } else {
                        echo $key[$userNameAttribute]['0']."@{$domain}={$key[$userNameAttribute]['0']}\n";
                }
        }
 
//Create a member list for each group, goes through each group and uses the member attribute to grab user names
        foreach($groupData as $group) {
                if(!isset($group[$groupMemberAttribute])){
                        continue;
                } else {
                        echo "\n[+{$group['cn']['0']}]\n";
                        foreach($group[$groupMemberAttribute] as $user){
                                if($user == $group[$groupMemberAttribute]['count']) {
                                        continue;
                                }
                                echo $user."@{$domain}={$user}\n";
                        }
                }
        }
//      print_r($userData);
?>

/bin/rungenroster

rm /etc/prosody/sharedgroups.txt
/bin/runphpldaplist.php > /etc/prosody/sharedgroups.txt
chown prosody:prosody /etc/prosody/sharedgroups.txt

prosodycmd (telnet command wrapper)

Reference: http://sourceforge.net/p/astlinux/code/6041/tree/branches/1.0/package/prosody/prosodycmd

/bin/runprosodycmd

#!/bin/sh

## Issue Prosody Console commands
##
## Requires the mod_admin_telnet module to be enabled.
##
## No arguments drops into a telnet console
##
## Example: prosodycmd 'server:version()' 'server:uptime()' 'c2s:show()' 's2s:show()'

PORT=5582

if [ $# -gt 0 ]; then
  (
    for cmd in "$@"; do
      echo "$cmd"
    done
    echo "quit"
  ) | nc -w1 127.0.0.1 $PORT \
    | tr -d '\x00\x0d' \
    | sed -e '1,/^| http:/ d' \
          -e '/^$/ d' \
          -e 's/^| //' \
          -e 's/^OK: //' \
          -e '/^See you!/ d'
else
  echo "Prosody Console: type 'quit' or 'exit' to return."
  telnet 127.0.0.1 $PORT
fi

rungenroster (advanced with crontab)

This script modifies the ldap domain fyzix.net to ducati.fyzix.net using the replace command.

/bin/rungenroster

rm /etc/prosody/sharedgroups.txt
/bin/runphpldaplist.php > /etc/prosody/sharedgroups.txt
chown prosody:prosody /etc/prosody/sharedgroups.txt
replace "fyzix.net" "ducati.fyzix.net" -- /etc/prosody/sharedgroups.txt
sleep 2
runprosodycmd 'module:reload("roster")'
runprosodycmd 'module:reload("groups")'

/etc/crontab

#Daily update roster
0 0    * * *   root    rungenroster &> /dev/null

Default bookmarks

Auto-join chat rooms.

Reference: http://prosody-modules.googlecode.com/hg/mod_default_bookmarks/mod_default_bookmarks.lua

/usr/lib/prosody/modules/mod_default_bookmarks

-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- Copyright (C) 2011 Kim Alvefur
-- 
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--


local st = require "util.stanza"

local dm_load = require "util.datamanager".load
local jid_split = require "util.jid".split

module:hook("iq/self/jabber:iq:private:query", function(event)
	local origin, stanza = event.origin, event.stanza;
	local typ = stanza.attr.type;
	local from = stanza.attr.from;
	local query = stanza.tags[1];
	if #query.tags == 1 and typ == "get" then
		local tag = query.tags[1];
		local key = tag.name..":"..tag.attr.xmlns;
		if key == "storage:storage:bookmarks" then
			local data, err = dm_load(origin.username, origin.host, "private");
			if not(data and data[key]) then
				local bookmarks = module:get_option("default_bookmarks");
				if bookmarks and #bookmarks > 0 then
					local reply = st.reply(stanza):tag("query", {xmlns = "jabber:iq:private"})
						:tag("storage", { xmlns = "storage:bookmarks" });
					local nick = jid_split(from);
					for i=1,#bookmarks do
						local bookmark = bookmarks[i];
						if type(bookmark) ~= "table" then -- assume it's only a jid
							bookmark = { jid = bookmark, name = jid_split(bookmark) };
						end
						reply:tag("conference", {
							jid = bookmark.jid,
							name = bookmark.name,
							autojoin = "1",
						}):tag("nick"):text(nick):up():up();
					end
					origin.send(reply);
					return true;
				end
			end
		end
	end
end, 1);

/usr/lib/prosody/modules/mod_group_bookmarks.lua

-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- 
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--


local st = require "util.stanza"

local datamanager = require "util.datamanager"
local jid, datamanager = require "util.jid", require "util.datamanager";
local jid_bare, jid_prep, jid_split = jid.bare, jid.prep, jid.split;

local module_host = module:get_host();

local rooms;
local members;

local bookmarks_file;

module:add_feature("jabber:iq:private");

function inject_bookmarks(username, host, data)
	local jid = username.."@"..host;
	data:reset();
	if members[jid] then
		for _, room in ipairs(members[jid]) do
			data:tag("conference", {
				name = room;
				jid = room;
				autojoin = "1";
			});
			local nick = rooms[room][jid];
			if nick then
				data:tag("nick"):text(nick):up();
			end
			data:up();
		end
	end
	return data;
end

module:hook("iq/self/jabber:iq:private:query", function(event)
	local origin, stanza = event.origin, event.stanza;
	local type = stanza.attr.type;
	local query = stanza.tags[1];
	if #query.tags == 1 then
		local tag = query.tags[1];
		local key = tag.name..":"..tag.attr.xmlns;
		local data, err = datamanager.load(origin.username, origin.host, "private");
		if err then
			origin.send(st.error_reply(stanza, "wait", "internal-server-error"));
			return true;
		end
		if stanza.attr.type == "get" then
			local data = data and data[key];
			if (not data) and key == "storage:storage:bookmarks" then
				data = st.stanza("storage", { xmlns = "storage:bookmarks" });
			end
			if data then
				data = st.deserialize(data);
				if key == "storage:storage:bookmarks" then
					data = inject_bookmarks(origin.username, origin.host, data);
				end
				origin.send(st.reply(stanza):tag("query", {xmlns = "jabber:iq:private"})
					:add_child(data));
			else
				origin.send(st.reply(stanza):add_child(stanza.tags[1]));
			end
			return true;
		end
	end
end, 1);

function module.load()
	bookmarks_file = module:get_option_string("group_bookmarks_file");

	rooms = { default = {} };
	members = { };

	if not bookmarks_file then
		module:log("error", "Please specify group_bookmarks_file in your configuration");
		return;
	end
	
	local curr_room;
	for line in io.lines(bookmarks_file) do
		if line:match("^%s*%[.-%]%s*$") then
			curr_room = line:match("^%s*%[(.-)%]%s*$");
			if curr_room:match("^%+") then
				curr_room = curr_room:gsub("^%+", "");
				if not members[false] then
					members[false] = {};
				end
				members[false][#members[false]+1] = curr_room; -- Is a public group
			end
			module:log("debug", "New group: %s", tostring(curr_room));
			rooms[curr_room] = rooms[curr_room] or {};
		elseif curr_room then
			-- Add JID
			local entryjid, name = line:match("([^=]*)=?(.*)");
			module:log("debug", "entryjid = '%s', name = '%s'", entryjid, name);
			local jid;
			jid = jid_prep(entryjid:match("%S+"));
			if jid then
				module:log("debug", "New member of %s: %s", tostring(curr_room), tostring(jid));
				rooms[curr_room][jid] = name or false;
				members[jid] = members[jid] or {};
				members[jid][#members[jid]+1] = curr_room;
			end
		end
	end
	module:log("info", "Group bookmarks loaded successfully");
end

/etc/prosody/prosody.cfg.lua

-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running: luac -p prosody.cfg.lua
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!


---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {

        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery

        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards
                --"privacy"; -- Support privacy lists
                --"compression"; -- Stream compression (Debian: requires lua-zlib module to work)

        -- Nice to have
                "legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                --"register"; -- Allow users to register on this server using a client and change passwords
                "adhoc"; -- Support for "ad-hoc commands" that can be executed with an XMPP client

        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                "admin_telnet"; -- Opens telnet console interface on localhost port 5582

        -- Other specific functionality
                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                --"httpserver"; -- Serve static files from a directory over HTTP
                "groups"; -- Shared roster support
                -- "default_bookmarks"; -- Default Bookmarks
                "group_bookmarks"; -- Group Bookmarks
                --"announce"; -- Send announcement to all online users
                --"welcome"; -- Welcome users who register accounts
                --"watchregistrations"; -- Alert admins of registrations
                "motd"; -- Send a message to users when they log in
        -- Debian: do not remove this module, or you lose syslog
        -- support
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
};

groups_file = "/etc/prosody/sharedgroups.txt"
group_bookmarks_file = "/etc/prosody/sharedbookmarks.txt"
motd_text = [[Welcome to fyzix.net XMPP Chat.
To join a chat room use
Server: conference.ducati.fyzix.net]]
--default_bookmarks = {
--        { jid = "fyzix@conference.ducati.fyzix.net", name = "fyzix.net" };
--};

-- These modules are auto-loaded, should you
-- (for some mad reason) want to disable
-- them then uncomment them below
modules_disabled = {
        -- "presence"; -- Route user/contact status information
        -- "message"; -- Route messages
        -- "iq"; -- Route info queries
        -- "offline"; -- Store offline messages
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

-- Debian:
--   send the server to background.
--
daemonize = true;

-- Debian:
--   Please, don't change this option since /var/run/prosody/
--   is one of the few directories Prosody is allowed to write to
--
pidfile = "/var/run/prosody/prosody.pid";

-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
--ssl = {
--        key = "/etc/prosody/certs/localhost.key";
--        certificate = "/etc/prosody/certs/localhost.cert";
--}

-- Only allow encrypted streams? Encryption is already used when
-- available. These options will cause Prosody to deny connections that
-- are not encrypted. Note that some servers do not support s2s
-- encryption or have it disabled, including gmail.com and Google Apps
-- domains.

--c2s_require_encryption = false
--s2s_require_encryption = false

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

authentication = "internal_plain"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
--
-- Debian:
--  Logs info and higher to /var/log
--  Logs errors to syslog also
log = {
        -- Log files (change 'info' to 'debug' for debug logs):
        info = "/var/log/prosody/prosody.log";
        error = "/var/log/prosody/prosody.err";
        -- Syslog:
        { levels = { "error" }; to = "syslog";  };
}

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

VirtualHost "ducati.fyzix.net"
        enabled = true -- Remove this line to enable this host
        authentication = "cyrus"
        anonymous_login = false
        allow_unencrypted_plain_auth = false
        cyrus_application_name = "xmpp"
        cyrus_service_name = "xmpp"
        c2s_require_encryption = true
        debug = true; -- Log debug messages?
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/ducati.fyzix.net.key";
                certificate = "/etc/prosody/certs/ducati.fyzix.net.cert";
        }

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.ducati.fyzix.net" "muc"

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--      component_secret = "password"

------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/

Include "conf.d/*.cfg.lua"
</source>