In this guide we explain how to setup LDAP authentication for murmurd (aka mumble-server).
- A mumble server with a DNS record (mumble.example.com)
- Enable ICE with password protection in ''/etc/mumble-server.ini'':
ice="tcp -h 127.0.0.1 -p 6502" icesecretread=MySecretIcePass icesecretwrite=MySecretIcePass
- An LDAP service account (cn=mumble,ou=dsa,dc=example,dc=com):
$ ldapsearch -ZZ -x -H ldap://ldap.example.com -D "cn=mumble,ou=dsa,dc=example,dc=com" -b ou=people,dc=example,dc=com -W -s sub '(uid=myldapusername)' -LLL Enter LDAP Password: dn: uid=myldapusername,ou=people,dc=example,dc=com cn: User Name sn: Name givenName: User uid: myldapusername displayName: User Name objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person mail: myldapusername@example.com roomNumber: 111 userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
NOTE: Setting up a unique roomNumber in LDAP is important since this is the field we are using for uniqueness in Mumble.
- Download the LDAP authenticator and sample configuration:
# curl -s -OL https://raw.github.com/mumble-voip/mumble-scripts/master/Authenticators/LDAP/LDAPauth.py # curl -s -OL https://raw.github.com/mumble-voip/mumble-scripts/master/Authenticators/LDAP/LDAPauth.ini
- Install the authenticator script:
# cp LDAPauth.py /usr/local/sbin/ # chmod +x /usr/local/sbin/LDAPauth.py
- Install the config file:
# mkdir /etc/mumble-scripts # cp LDAPauth.ini /etc/mumble-scripts
- Edit the configuration (''/etc/mumble-scripts/LDAPauth.ini'') appropriately:
[user] id_offset = 1000000000 reject_on_error = True reject_on_miss = True [ice] host = 127.0.0.1 port = 6502 slice = /usr/share/slice/Murmur.ice secret = MySecretIcePass watchdog = 30 [ldap] bind_dn = cn=mumble,ou=dsa,dc=example,dc=com bind_pass = MySecretLDAPPass ldap_uri = ldaps://ldap.example.com users_dn = ou=people,dc=example,dc=com discover_dn = false username_attr = uid number_attr = roomNumber display_attr = cn group_cn = cn=all,ou=groups,dc=example,dc=com group_attr = member provide_info = True mail_attr = mail provide_users = True [murmur] servers = [log] level = file = /var/log/mumble-server/LDAPauth.log [iceraw] Ice.ThreadPool.Server.Size = 5
NOTE: If you don't use ldap'''s''':// all the LDAP communication will be in the clear!
- Create a systemd service file under ''/etc/systemd/system/mumble-ldapauth.service'':
[Unit] Description=LDAP Authentication Service for Mumble Server Documentation=https://github.com/mumble-voip/mumble-scripts/issues/19 After=network.target mumble-server.service [Service] Type=simple User=mumble-server Group=mumble-server WorkingDirectory=/etc/mumble-scripts ExecStart=/usr/local/sbin/LDAPauth.py StandardOutput=syslog StandardError=syslog [Install] WantedBy=multi-user.target
- Start and enable the service:
# systemctl daemon-reload # systemctl enable mumble-ldapauth.service # systemctl start mumble-ldapauth.service
- Verify:
# systemctl status mumble-ldapauth.service * mumble-ldapauth.service - LDAP Authentication Service for Mumble Server Loaded: loaded (/etc/systemd/system/mumble-ldapauth.service; enabled; vendor preset: enabled) Active: active (running) since Sun 2019-09-01 00:29:50 PDT; 3s ago Docs: https://github.com/mumble-voip/mumble-scripts/issues/19 Main PID: 2544 (python) Tasks: 12 (limit: 4915) Memory: 44.4M CGroup: /system.slice/mumble-ldapauth.service `-2544 python /usr/local/sbin/LDAPauth.py Sep 01 00:29:50 chat systemd[1]: Started LDAP Authentication Service for Mumble Server.
- Restart both services:
# systemctl restart mumble-{server,ldapauth}.service
Use these client settings:
- Address: '''mumble.example.com'''
- Port: '''64738'''
- Username: '''myldapusername'''
- Label: '''My Mumble Server'''