ejabberd - Comments for "LDAP authentification don't work..."

LDAP AD Auth for ldap_rootdn (fixed my probelm)

wolvie724 — Thu, 27 Mar 2008 23:33:25 +0000

I could not get my users to auth to AD. Here is how I fixed my problem, maybe it will help someone else.

this line failed to authenticate my users.
{ldap_rootdn, "CN=ldapreader,OU=Admins,OU=TestOU,DC=Test,DC=local"}. % LDAP manager

this one worked
{ldap_rootdn, "CN=LDAP Reader,OU=Admins,OU=TestOU,DC=Test,DC=local"}. % LDAP manager

I used the AD username, but you must have the AD Full name for it to work.

Hope this helps someone else.

Joe

LDAP AD Auth for ldap_rootdn

wolvie724 — Wed, 26 Mar 2008 20:39:37 +0000

I can auth with AD only if I use administrator for my ldap_rootdn. (this works in my test enviorment)
Any other user will not work.
What do I need to do to build a user account that is not my Domain Admin. But can act as the ldap_rootdn?
Really don't want the administrator password in a text file for the ldap_rootdn. (kinda silly to do that).

Any help would be good.

LDAP - Archlinux 0.8 Authentication Working.

cdowns — Tue, 06 Nov 2007 17:01:55 +0000

I have ejabberd 1.1.4-1 working with OpenLDAP 2.3.37- on Archlinux 0.8.

You must use the objectClass they have defined for authentication.. These are hardcoded... I created a jabber user that can BIND to ldap.. I would not use the manager, admin account for this.

NOTE: make sure your users have the objectClass=shadowAccount or authentication will not work.

Here is my working config.

----- snip ------

% this line:
%{auth_method, internal}.

% For LDAP authentication use these lines instead of above one:
{auth_method, ldap}.
{ldap_servers, ["ldap01.mycompany.com"]}. % List of LDAP servers
{ldap_rootdn, "cn=Jabber Daemon,ou=Users,dc=mycompany_Corp,dc=com"}. % LDAP manager
{ldap_password, "secretpassword"}. % Password to LDAP manager
{ldap_base, "dc=mycompany_Corp,dc=com"}. % Search base of LDAP directory
% as per the Documentation you do not need the uidattr.. It is hardcoded to find it during a ldapsearch.
% however, to authenticate you need the ldap_filter below with shadowAccount objectClass.
%{ldap_uidattr, "uid"}. % LDAP attribute that holds user ID
{ldap_filter, "(objectClass=shadowAccount)"}.

----- snip -------

Hope this helps.

~!>D

It works. I can swear I

Gilbert — Thu, 18 Oct 2007 08:39:42 +0000

It works. I can swear I didn't change the config, it just suddenly began to work. I have no idea what's up with that behavior

(sorry for flaming) and the

Gilbert — Tue, 16 Oct 2007 10:37:50 +0000

(sorry for flaming)

and the ejabberd report:

=INFO REPORT==== 16-Oct-2007::17:18:03 ===
I(<0.315.0>:ejabberd_c2s:418): (#Port<0.372>) Failed legacy authentication for testadmin@jserv/Psi

psi

Gilbert — Tue, 16 Oct 2007 10:16:49 +0000

actually, psi gives 2 "host unknown" errors and 1 "Not authorized" error simultaneously. I'm connecting as "testadmin@jserv"

relevant cfg.line:

"{hosts, ["jserv"]}."

server startting output:

"started_at: 'ejabberd@myname.my.domain"

PSI is configured to connect to "server: myname.my.domain port:5222"

Am I using wrong JID, or something like that?

psi

Gilbert — Tue, 16 Oct 2007 10:08:03 +0000

oh crap, how could I be so blind. I enabled "allow plain text login", but I still can't log in. Now psi gives "Not authorized" error. However, "tcpdump -vv port 3268" shows nothing, ejabberd does not send requests to Active Directory. What could be the problem?

psi

Gilbert — Tue, 16 Oct 2007 10:00:02 +0000

d.k.brazz wrote:

You need to allow plain text authentication in PSI

"use SSL encryption (to server)" flag is unchecked. Is there something else?

soad6938 wrote: And the

d.k.brazz — Tue, 16 Oct 2007 09:45:16 +0000

soad6938 wrote:

And the request of PSI:

There was an error communicating with the Jabber server.
Details: Authentification error: No appropriate mechanism available for given security settings.

Thanks in advance ;o)

You need to allow plain text authentication in PSI

I'm having the same trouble.

Anonymous — Tue, 16 Oct 2007 08:19:27 +0000

I'm having the same trouble. Ldap is Active Directory. Could anyone post working configs for such configuration if there are any?)

ejabberd - Comments for "LDAP authentification don&#039;t work..."