Hi, I've face the same issue

ebonassi — Fri, 10 Jul 2015 14:22:51 +0000

Hi,
I've face the same issue with external authentication.

If you browse the code of the stun app used by ejabberd you will see that they use a function [auth_fun] to get a password for the user (https://github.com/processone/stun/blob/master/src/stun.erl#L235). They do that because the STUN protocol requires it for the long-term STUN authentication (your STUN client doesn't send the password but an hash of it https://tools.ietf.org/html/rfc5389#page-35).

That function is set up as get_password_s by the stun ejabberd module (https://github.com/processone/ejabberd/blob/66310788848ef185f3831648b2ab...) .

Usually the external_auth mechanisms check the password but don't save the password anywhere so get_password_s behavior is "usually" (in the next lines, you will see why I just said usually) the same of a trivial function which returns null (probably also for your LDAP auth, check it in your code).

Fortunately, I wasn't the first to face the issue of a missing get_password_s because other modules need it, so someone clever implemented a cache for externally authenticated user (https://support.process-one.net/browse/EJAB-641). If the cache is enabled the get_password_s returns correctly the password.

So, at the end, the solution is to enable the cache and set the timeout to 0 -> extauth_cache: 0

Remember that you need mod_last enabled, further information about ext cache is here -> https://docs.ejabberd.im/admin/guide/configuration/#external-script.

The last thing, I setup cache timeout to 0 because I need the user password only if the user is logged in and not use this feature to reduce the number of calls to my ext auth system (which is a great feature too).

Let me know if you managed to solve your issue.

ejabberd - Comments for "failed long-term STUN authentication"

Hi, I've face the same issue