We connect to our ldap server *only* over ssl, on port 636. Does ejabberd support that? I see no place to specify a port number.
Secondly, do the ssl sections in the ejabberd config file have anything to do with ldap or does that just govern the communication between a jabber client and the jabber server?
If I can't specify the port, I guess that means I have to use an external script. Is the script interface documented somewhere?
Also interested in LDAPS support
____________________________________________________________
SETUP
* Windows XP SP2
* OpenSSL for Win32 0.9.8a
* Erlang R10B-9
* ejabberd 1.0.0
* OpenLDAP for Win32 2.2.29 (Matthias Mohr's build)
____________________________________________________________
BACKGROUND
Thus far, I have been able to get the following to work:
* ejabberd with basic config (e.g., using Mnesia db)
* Various Jabber/XMPP clients work
(Exodus, GAIM, JAJC, Miranda, Pandion, Psi)
* ejabberd working with STARTTLS on port 5222 and SSL on 5223;
all clients work using their respective secured capabilities
* ejabberd federating with Google Talk and communicating fine
between ejabberd users and Google Talk users, configured both with
standard s2s and even when set to force STARTTLS on s2s sessions
* ejabberd authenticating against OpenLDAP using basic port 389 config
(need to test more, as I don't have OpenLDAP ACLs tightened down,
but thus far works as I would like)
The final piece in the puzzle is the ability to connect from ejabberd to LDAP using LDAP over SSL (LDAPS) on port 636. As mentioned by jperegrino, there is no information in the documentation nor the config comments to indicate how one might do this.
So the first question is, does ejabberd 1.0.0 support connecting to an LDAP server via LDAPS/port 636? If so, what must one do to make this work?
I plan to write up what all I've done in a tutorial when I get a chance, mostly for myself and those I work with (in case they need to do the same in the future). If anyone is interested, let me know and when I've done so, I'll post it.
Re: Also interested in LDAPS support
I plan to write up what all I've done in a tutorial when I get a chance, mostly for myself and those I work with (in case they need to do the same in the future). If anyone is interested, let me know and when I've done so, I'll post it.
Maybe it can be listed on the tutorials page.
Please!
Please post the tutorial when you have finished it, many thanks!
suchspion
--
Re: ldap over ssl
We connect to our ldap server *only* over ssl, on port 636. Does ejabberd support that? I see no place to specify a port number.
ejabberd uses a library to get LDAP support: ELDAP. The port is hard-coded in the file ejabberd_auth_ldap.erl, line 39:
You can try to modify that file, recompile and restart. However, the fact that nowhere in the ejabberd guide or the example ejabberd.cfg is there a place to change the port or enable LDAPS indicates that it's not meant to be possible right now.
Secondly, do the ssl sections in the ejabberd config file have anything to do with ldap or does that just govern the communication between a jabber client and the jabber server?
The second option: they are for client and server connections, and also for the web interface.
If I can't specify the port, I guess that means I have to use an external script. Is the script interface documented somewhere?
Unfortunately, it isn't at all. However, there are several extauth scripts on the Contributions page that you can use as example code. As soon as you or anybody else writes such a script and sends the code to the mailing list, or here, we will publish it on that page.
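The extauth interface the reply above says is undocumented is simple: ejabberd starts the script and talks to it over stdin/stdout, each request being a 2-byte big-endian length followed by "op:user:server[:password]" (ops auth, isuser, setpass, ...), and each reply being a 2-byte length of 2 followed by a 2-byte 1 (accept) or 0 (reject). The following is an added example of such a script, written by the editor for this page; it is not jperegrino's Perl script from this thread and not ejabberd code. It authenticates with an LDAP simple bind over LDAPS on 636 using only the Python standard library, so the BindRequest/BindResponse BER is hand-built. LDAP_HOST, CA_FILE and DN_TEMPLATE are assumptions; the username is DN-escaped before it is substituted into the template so a crafted JID cannot rewrite the bind DN, an empty password is refused because LDAP treats it as an anonymous bind, and the TLS context verifies the server certificate and hostname, since an unverified LDAPS session would hand every user's password to whoever sits on the path to port 636.

```python
#!/usr/bin/env python3
"""ejabberd extauth script doing an LDAP simple bind over LDAPS (port 636), stdlib only.
Added example, not the thread's Perl script; LDAP_HOST, CA_FILE, DN_TEMPLATE are assumptions."""
import io
import socket
import ssl
import struct
import sys

LDAP_HOST = "ldap.example.com"                          # assumption
LDAP_PORT = 636                                         # LDAPS, as in the thread
CA_FILE = "/etc/ssl/ldap-ca.pem"                        # assumption: CA that issued the LDAP cert
DN_TEMPLATE = "uid={user},ou=people,dc=example,dc=com"  # assumption

# extauth framing: request = 2-byte big-endian length + "op:user:server[:password]";
# reply = 2-byte length (always 2) + 2-byte 1 (accept) or 0 (reject).
def read_request(stream):
    """[op, user, server, (password)] for one framed request, or None at EOF."""
    head = stream.read(2)
    if len(head) < 2:
        return None
    body = stream.read(struct.unpack(">H", head)[0])
    return body.decode("utf-8").split(":", 3)   # at most 3 splits: ':' in a password survives

def encode_reply(ok):
    return struct.pack(">HH", 2, 1 if ok else 0)

# Just enough BER (RFC 4511) to build a BindRequest and read a BindResponse.
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload
def bind_request(msg_id, dn, password):
    """LDAPMessage{messageID, BindRequest{version 3, name, simple password}}; msg_id < 128."""
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + op)
def ber_read(buf, pos=0):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(msg):
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    tag, seq, _ = ber_read(msg)
    _, _, pos = ber_read(seq)                   # skip messageID
    op_tag, body, _ = ber_read(seq, pos)
    code_tag, code, _ = ber_read(body)          # resultCode is the first element
    if (tag, op_tag, code_tag) != (0x30, 0x61, 0x0A):
        raise ValueError("not an LDAP BindResponse")
    return int.from_bytes(code, "big")

def recv_ber(f):
    """Read exactly one BER element (short or long-form length) from a binary file object."""
    head = f.read(2)
    length = head[1]
    if length & 0x80:
        extra = f.read(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + f.read(length)

def dn_escape(value):
    """RFC 4514 escaping so a crafted username cannot rewrite the bind DN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value).replace("\x00", "\\00")
    if out[:1] in (" ", "#"):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def ldaps_bind(user, password):
    """True iff a simple bind as the user's DN succeeds over a verified TLS session."""
    if not password:
        return False        # empty password = anonymous bind, which the server may accept
    ctx = ssl.create_default_context(cafile=CA_FILE)   # verifies chain and hostname
    with socket.create_connection((LDAP_HOST, LDAP_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=LDAP_HOST) as tls:
            tls.sendall(bind_request(1, DN_TEMPLATE.format(user=dn_escape(user)), password))
            return bind_result_code(recv_ber(tls.makefile("rb"))) == 0

def serve(stream_in, stream_out, authenticate=ldaps_bind):
    while (req := read_request(stream_in)) is not None:
        if req[0] == "auth" and len(req) == 4:
            ok = authenticate(req[1], req[3])
        else:
            ok = req[0] == "isuser"   # assumption: every user "exists"; setpass etc. are refused
        stream_out.write(encode_reply(ok))
        stream_out.flush()

def run_requests(texts, authenticate):
    """Offline self-check: frame the requests, serve them, return the verdicts as booleans."""
    inp = io.BytesIO(b"".join(struct.pack(">H", len(t.encode())) + t.encode() for t in texts))
    out = io.BytesIO()
    serve(inp, out, authenticate)
    replies = out.getvalue()
    return [struct.unpack(">HH", replies[i:i + 4])[1] == 1 for i in range(0, len(replies), 4)]
if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

Hook it in with `{auth_method, external}.` and `{extauth_program, "/path/to/this/script.py"}.` in ejabberd.cfg (the path is a placeholder). isuser is answered with "yes" unconditionally here because a bind-only script cannot tell whether a user exists; a deployment that allows in-band registration needs an LDAP search for that op. The BER reader deliberately handles long-form lengths because a BindResponse carrying a diagnostic message can exceed 127 bytes.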
I've got a perl script
I've got a perl script working for external auth to our LDAP server over SSL. I'll post it once it is cleaned up. If anyone wants a copy they can email me at james_peregrino@harvard.edu
Re: I've got a perl script
I've got a perl script working for external auth to our LDAP server over SSL. I'll post it once it is cleaned up.
OK, once you post it, I'll add it to the Contributions page.
ldap over ssl
I recently finished adding LDAPS to my ejabberd. I have attached the modified eldap.erl to bugzilla id #255. To make use of it, you will need to specify port 636 instead of 389 in ejabberd_auth_ldap.erl and mod_vcard_ldap.erl.
The status of your LDAPS
The status of your LDAPS patch can be tracked on its bugzilla entry and on its contribution page.