ejabberd - Comments for "LDAP against AD working, now want to change JID=&quot;mail&quot;" https://www.ejabberd.im/node/5349 https://www.ejabberd.im/node/5349#comment-63925 <p>Hi Mike,</p> <p>Looking for your updates.</p> <p>In Exodus we find a Search option. Using it, we can search rosters on the server, but sometimes search doesn't work.</p> <p>Please suggest if anything needs to be done on the server side.</p> <p>Thanks</p> Tue, 29 Apr 2014 15:27:20 +0000 Krishna_vernalis comment 63925 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-63918 <p>Hi Mike,</p> <p>Thanks for your time. Your solution works for me.</p> <p>Also, I would like to know whether it is possible to query all rosters present on the server from the client tool and then add the required rosters manually as the end user.</p> <p>Thank you again.</p> <p>Regards<br /> Krishna</p> Fri, 25 Apr 2014 12:18:18 +0000 Krishna_vernalis comment 63918 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-63917 <div class="quote-msg"> <div class="quote-author"><em>Krishna_vernalis</em> wrote:</div> <p>{ldap_uids, [{"mail", "%u@example.com"}]}.<br /> ...<br /> In my AD the mail attribute looks like this:<br /> mail = krishna.gopal@example.local </p></div> <p>Then<br /> {ldap_uids, [{"mail", "%u@example.local"}]}.</p> Fri, 25 Apr 2014 11:32:13 +0000 mikekaganski comment 63917 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-63916 <p>Hi Mike,</p> <p>We need some help from you. My query is about AD authentication from ejabberd using the mail attribute. It works fine when I use sAMAccountName as the JID, but I can't log in to the web admin console when I use mail as the JID. Here is my config:</p> <p>{auth_method, ldap}.<br /> {ldap_servers, ["example.com"]}.<br /> {ldap_port, 389}.<br /> {ldap_rootdn, "CN=krishna,OU=Chennai_Users,DC=example,DC=com"}.<br /> {ldap_password, "**************"}.<br /> 
%%{ldap_uids, [{"sAMAccountName"}]}.<br /> {ldap_uids, [{"mail", "%u@example.com"}]}.<br /> {ldap_base, "dc=example,dc=com"}.<br /> {ldap_filter, "(&amp;(objectCategory=user)(!(objectCategory=computer)))"}.</p> <p>In my AD the mail attribute looks like this:<br /> mail = krishna.gopal@example.local</p> <p>The ACL includes access for the user:<br /> {acl, admin, {user, "krishna.gopal", "example.com"}}.</p> <p>Kindly correct me if anything is wrong with my configuration.</p> <p>Thanks</p> <p>Krishna</p> Fri, 25 Apr 2014 07:50:45 +0000 Krishna_vernalis comment 63916 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58559 <p>Mike,</p> <p>Huge!</p> <p>Just huge.</p> <p>Thank you so much, sir.</p> <p>Jason</p> Wed, 18 Apr 2012 06:17:45 +0000 anonymous@domain.tld comment 58559 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58558 <p>The problem is here:<br /> <code>{ldap_filter, &quot;(memberOf=Company Jabber Users)&quot;}.</code><br /> If you look at the real values of the "memberOf" attribute in AD, you will see that they contain full distinguished names, like <code>&quot;CN=Company Jabber Users,OU=company name,dc=example,dc=com&quot;</code>. Also note that LDAP doesn't allow wildcards in DN attributes, so you must use the full DN in your filter, and not something like <code>(memberOf=*Company Jabber Users*)</code>.</p> Wed, 18 Apr 2012 06:03:45 +0000 mikekaganski comment 58558 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58557 <p>Thanks so much, Mike, </p> <p>We are super close. Thanks so much for getting us to the verge of it. I think we will get it. Please see two frames that I captured with "tethereal" just now using what I hope/think is your correct example from the last post. I can't spot the tiny nuance here, can you? 
It says in the bottom of the second frame 0 results, but I that is not so, but don't know why it is not finding that one result.</p> <p>Thanks again. Jason</p> <div class="codeblock"><code>Frame 1 (250 bytes on wire, 250 bytes captured)<br />&nbsp;&nbsp;&nbsp; Arrival Time: Apr 17, 2012 22:40:03.196905000<br />&nbsp;&nbsp;&nbsp; [Time delta from previous captured frame: 0.000000000 seconds]<br />&nbsp;&nbsp;&nbsp; [Time delta from previous displayed frame: 0.000000000 seconds]<br />&nbsp;&nbsp;&nbsp; [Time since reference or first frame: 0.000000000 seconds]<br />&nbsp;&nbsp;&nbsp; Frame Number: 1<br />&nbsp;&nbsp;&nbsp; Frame Length: 250 bytes<br />&nbsp;&nbsp;&nbsp; Capture Length: 250 bytes<br />&nbsp;&nbsp;&nbsp; [Frame is marked: False]<br />&nbsp;&nbsp;&nbsp; [Protocols in frame: eth:ip:tcp:ldap]<br />Ethernet II, Src: b6:d0:d8:4e:61:90 (b6:d0:d8:4e:61:90), Dst: HewlettP_8d:c9:be (00:17:a4:8d:c9:be)<br />&nbsp;&nbsp;&nbsp; Destination: HewlettP_8d:c9:be (00:17:a4:8d:c9:be)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Address: HewlettP_8d:c9:be (00:17:a4:8d:c9:be)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<br />&nbsp;&nbsp;&nbsp; Source: b6:d0:d8:4e:61:90 (b6:d0:d8:4e:61:90)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Address: b6:d0:d8:4e:61:90 (b6:d0:d8:4e:61:90)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..1. .... .... .... .... 
= LG bit: Locally administered address (this is NOT the factory default)<br />&nbsp;&nbsp;&nbsp; Type: IP (0x0800)<br />Internet Protocol, Src: 10.10.10.148 (10.10.10.148), Dst: 10.10.10.244 (10.10.10.244)<br />&nbsp;&nbsp;&nbsp; Version: 4<br />&nbsp;&nbsp;&nbsp; Header length: 20 bytes<br />&nbsp;&nbsp;&nbsp; Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0000 00.. = Differentiated Services Codepoint: Default (0x00)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..0. = ECN-Capable Transport (ECT): 0<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ...0 = ECN-CE: 0<br />&nbsp;&nbsp;&nbsp; Total Length: 236<br />&nbsp;&nbsp;&nbsp; Identification: 0x4413 (17427)<br />&nbsp;&nbsp;&nbsp; Flags: 0x04 (Don&#039;t Fragment)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0... = Reserved bit: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .1.. = Don&#039;t fragment: Set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ..0. 
= More fragments: Not set<br />&nbsp;&nbsp;&nbsp; Fragment offset: 0<br />&nbsp;&nbsp;&nbsp; Time to live: 64<br />&nbsp;&nbsp;&nbsp; Protocol: TCP (0x06)<br />&nbsp;&nbsp;&nbsp; Header checksum: 0x2871 [correct]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Good: True]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Bad : False]<br />&nbsp;&nbsp;&nbsp; Source: 10.10.10.148 (10.10.10.148)<br />&nbsp;&nbsp;&nbsp; Destination: 10.10.10.244 (10.10.10.244)<br />Transmission Control Protocol, Src Port: 41696 (41696), Dst Port: ldap (389), Seq: 1, Ack: 1, Len: 184<br />&nbsp;&nbsp;&nbsp; Source port: 41696 (41696)<br />&nbsp;&nbsp;&nbsp; Destination port: ldap (389)<br />&nbsp;&nbsp;&nbsp; Sequence number: 1&nbsp;&nbsp;&nbsp; (relative sequence number)<br />&nbsp;&nbsp;&nbsp; [Next sequence number: 185&nbsp;&nbsp;&nbsp; (relative sequence number)]<br />&nbsp;&nbsp;&nbsp; Acknowledgement number: 1&nbsp;&nbsp;&nbsp; (relative ack number)<br />&nbsp;&nbsp;&nbsp; Header length: 32 bytes<br />&nbsp;&nbsp;&nbsp; Flags: 0x18 (PSH, ACK)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0... .... = Congestion Window Reduced (CWR): Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .0.. .... = ECN-Echo: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ..0. .... = Urgent: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...1 .... = Acknowledgment: Set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... 1... = Push: Set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... .0.. = Reset: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..0. = Syn: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... 
...0 = Fin: Not set<br />&nbsp;&nbsp;&nbsp; Window size: 46<br />&nbsp;&nbsp;&nbsp; Checksum: 0xce66 [incorrect, should be 0xbc6b (maybe caused by &quot;TCP checksum offload&quot;?)]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Good Checksum: False]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Bad Checksum: True]<br />&nbsp;&nbsp;&nbsp; Options: (12 bytes)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOP<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOP<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Timestamps: TSval 351322431, TSecr 55890048<br />&nbsp;&nbsp;&nbsp; [PDU Size: 184]<br />Lightweight-Directory-Access-Protocol<br />&nbsp;&nbsp;&nbsp; LDAPMessage searchRequest(4) &quot;OU=some company name,dc=example,dc=org&quot; wholeSubtree<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; messageID: 4<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protocolOp: searchRequest (3)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; searchRequest<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; baseObject: OU=some company name,dc=example,dc=org<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; scope: wholeSubtree (2)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; derefAliases: neverDerefAliases (0)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sizeLimit: 0<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; timeLimit: 0<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; typesOnly: False<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Filter: (&amp;(|(givenName=richard)(mail=richard@example.org))(memberOf=Company Jabber Users))<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; filter: and (0)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and: (&amp;(|(givenName=richard)(mail=richard@example.org))(memberOf=Company Jabber Users))<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and: 2 items<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Filter: (|(givenName=richard)(mail=richard@example.org))<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and: or (1)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; or: (|(givenName=richard)(mail=richard@example.org))<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; or: 2 items<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Filter: (givenName=richard)<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; or: equalityMatch (3)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; equalityMatch<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attributeDesc: givenName<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; assertionValue: richard<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Filter: (mail=richard@example.org)<br 
/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; or: equalityMatch (3)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; equalityMatch<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attributeDesc: mail<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; assertionValue: <noindex><a href="mailto:richard@example.org" rel="nofollow" >richard@example.org</a></noindex><br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Filter: (memberOf=Company Jabber Users)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and: equalityMatch 
(3)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; equalityMatch<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attributeDesc: memberOf<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; assertionValue: Company Jabber Users<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; attributes: 2 items<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeDescriptionList: mail<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; AttributeDescriptionList: givenName <p>Frame 2 (88 bytes on wire, 88 bytes captured)<br />&nbsp;&nbsp;&nbsp; Arrival Time: Apr 17, 2012 22:40:03.197064000<br />&nbsp;&nbsp;&nbsp; [Time delta from previous captured frame: 0.000159000 seconds]<br />&nbsp;&nbsp;&nbsp; [Time delta from previous displayed frame: 0.000159000 seconds]<br />&nbsp;&nbsp;&nbsp; [Time since reference or first frame: 0.000159000 seconds]<br />&nbsp;&nbsp;&nbsp; Frame Number: 2<br />&nbsp;&nbsp;&nbsp; Frame Length: 88 bytes<br />&nbsp;&nbsp;&nbsp; Capture Length: 88 bytes<br />&nbsp;&nbsp;&nbsp; [Frame is marked: False]<br />&nbsp;&nbsp;&nbsp; [Protocols in frame: eth:ip:tcp:ldap]<br />Ethernet II, Src: HewlettP_8d:c9:be (00:17:a4:8d:c9:be), Dst: b6:d0:d8:4e:61:90 
(b6:d0:d8:4e:61:90)<br />&nbsp;&nbsp;&nbsp; Destination: b6:d0:d8:4e:61:90 (b6:d0:d8:4e:61:90)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Address: b6:d0:d8:4e:61:90 (b6:d0:d8:4e:61:90)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)<br />&nbsp;&nbsp;&nbsp; Source: HewlettP_8d:c9:be (00:17:a4:8d:c9:be)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Address: HewlettP_8d:c9:be (00:17:a4:8d:c9:be)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<br />&nbsp;&nbsp;&nbsp; Type: IP (0x0800)<br />Internet Protocol, Src: 10.10.10.244 (10.10.10.244), Dst: 10.10.10.148 (10.10.10.148)<br />&nbsp;&nbsp;&nbsp; Version: 4<br />&nbsp;&nbsp;&nbsp; Header length: 20 bytes<br />&nbsp;&nbsp;&nbsp; Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0000 00.. = Differentiated Services Codepoint: Default (0x00)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..0. = ECN-Capable Transport (ECT): 0<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ...0 = ECN-CE: 0<br />&nbsp;&nbsp;&nbsp; Total Length: 74<br />&nbsp;&nbsp;&nbsp; Identification: 0x5afb (23291)<br />&nbsp;&nbsp;&nbsp; Flags: 0x04 (Don&#039;t Fragment)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0... = Reserved bit: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .1.. = Don&#039;t fragment: Set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ..0. 
= More fragments: Not set<br />&nbsp;&nbsp;&nbsp; Fragment offset: 0<br />&nbsp;&nbsp;&nbsp; Time to live: 128<br />&nbsp;&nbsp;&nbsp; Protocol: TCP (0x06)<br />&nbsp;&nbsp;&nbsp; Header checksum: 0xd22a [correct]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Good: True]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Bad : False]<br />&nbsp;&nbsp;&nbsp; Source: 10.10.10.244 (10.10.10.244)<br />&nbsp;&nbsp;&nbsp; Destination: 10.10.10.148 (10.10.10.148)<br />Transmission Control Protocol, Src Port: ldap (389), Dst Port: 41696 (41696), Seq: 1, Ack: 185, Len: 22<br />&nbsp;&nbsp;&nbsp; Source port: ldap (389)<br />&nbsp;&nbsp;&nbsp; Destination port: 41696 (41696)<br />&nbsp;&nbsp;&nbsp; Sequence number: 1&nbsp;&nbsp;&nbsp; (relative sequence number)<br />&nbsp;&nbsp;&nbsp; [Next sequence number: 23&nbsp;&nbsp;&nbsp; (relative sequence number)]<br />&nbsp;&nbsp;&nbsp; Acknowledgement number: 185&nbsp;&nbsp;&nbsp; (relative ack number)<br />&nbsp;&nbsp;&nbsp; Header length: 32 bytes<br />&nbsp;&nbsp;&nbsp; Flags: 0x18 (PSH, ACK)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0... .... = Congestion Window Reduced (CWR): Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .0.. .... = ECN-Echo: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ..0. .... = Urgent: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ...1 .... = Acknowledgment: Set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... 1... = Push: Set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... .0.. = Reset: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... ..0. = Syn: Not set<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; .... 
...0 = Fin: Not set<br />&nbsp;&nbsp;&nbsp; Window size: 258<br />&nbsp;&nbsp;&nbsp; Checksum: 0xb0cf [correct]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Good Checksum: True]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Bad Checksum: False]<br />&nbsp;&nbsp;&nbsp; Options: (12 bytes)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOP<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; NOP<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Timestamps: TSval 55914679, TSecr 351322431<br />&nbsp;&nbsp;&nbsp; [SEQ/ACK analysis]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [This is an ACK to the segment in frame: 1]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [The RTT to ACK the segment was: 0.000159000 seconds]<br />&nbsp;&nbsp;&nbsp; [PDU Size: 22]<br />Lightweight-Directory-Access-Protocol<br />&nbsp;&nbsp;&nbsp; LDAPMessage searchResDone(4) success [0 results]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; messageID: 4<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; protocolOp: searchResDone (5)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; searchResDone<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; resultCode: success (0)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; matchedDN: <br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; errorMessage: <br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Response To: 1]<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Time: 0.000159000 seconds]</p></code></div> Wed, 18 Apr 2012 05:48:09 +0000 anonymous@domain.tld comment 58557 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58556 <p><code>{ldap_uids, [{&quot;givenName&quot;, &quot;%u&quot;, &quot;uid&quot;, &quot;mail&quot;}]}.</code><br /> is incorrect. 
You need to make it look something like<br /> <code>{ldap_uids, [{&quot;givenName&quot;}, {&quot;mail&quot;, &quot;%u@example.com&quot;}]}.</code><br /> Here, we tell ejabberd to try to match the uid part of the JID to the whole "givenName" attribute, or to the first part (up to and excluding "@") of the "mail" attribute.<br /> Though I don't understand what "uid" stands for in your example. If your LDAP users have a "uid" attribute that you want to use as yet another alternative, then you would need to add ', {"uid"}' before ']}' (without the single quotes, of course).</p> Wed, 18 Apr 2012 03:42:34 +0000 mikekaganski comment 58556 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58555 <p>Thank you, Mike, appreciate it. </p> <p>I am edging closer. Still not there though. </p> <p>Here is a snippet from my configuration:<br /> {auth_method, ldap}.<br /> {ldap_servers, ["host.example.com"]}.<br /> {ldap_encrypt, none}.<br /> {ldap_port, 389}.<br /> {ldap_rootdn, "ldap@example.com"}.<br /> {ldap_password, "***************"}.<br /> {ldap_base, "OU=company,dc=example,dc=com"}.<br /> {ldap_uids, [{"givenName", "%u", "uid", "mail"}]}.<br /> {ldap_filter, "(memberOf=Company Jabber Users)"}.</p> <p>For comparison, this query works:</p> <p>ldapsearch -h host.example.com -x -W -D "ldap@example.com" -v -b "ou=company,DC=domain,DC=com" "(&amp;(mail=richard@example.com)(memberOf=*))" -vvvvv</p> <p>I would like to get this to work next:</p> <p>ldapsearch -h host.example.com -x -W -D "ldap@example.com" -v -b "ou=company,DC=domain,DC=com" "(&amp;(mail=richard@example.com)(memberOf=company jabber users))" -vvvvv</p> <p>Then, last, enter that configuration into ejabberd.cfg &amp; ride into the sunset, a cowboy, a hero.</p> <p>Thank you again, Jason</p> Wed, 18 Apr 2012 01:02:05 +0000 anonymous@domain.tld comment 58555 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58552 <p>In the ejabberd auth section, you 
can only define the user id part of the JID (i.e., in "user_id@xmpp_domain", you can only define the "user_id" part). The "xmpp_domain" part is automatically added from the virtual host name configured in ejabberd. So, when you use the "ldap_uids" parameter, you must make sure that it will return only user parts. That's why there is the {ldap_uids, [{ldap_uidattr, ldap_uidattr_format}]} syntax (see <a href="https://git.process-one.net/ejabberd/mainline/blobs/raw/v2.1.10/doc/guide.html#ldapauth">LDAP authentication</a> in the guide). The "givenName" attribute looks like it fits the simpler syntax perfectly, while "mail" will need the "@example.com" stripped out.</p> <p>When a user tries to log in (and the server part of the JID indicates that this server must process the authentication), the JID that is sent to the server is split to get the user part, and then the following happens: the server performs a series of LDAP queries, one for each entry in the "ldap_uids" list:</p> <ul> <li>if the entry is a simple {ldap_uidattr}, then this query is formed: "(&amp;(&lt;ldap_filter&gt;)(&lt;ldap_uidattr&gt;=logging_on_user_part))". </li><li>otherwise, the query looks like "(&amp;(&lt;ldap_filter&gt;)(&lt;ldap_uidattr&gt;=&lt;ldap_uidattr_format with %u substituted with logging_on_user_part&gt;))".</li></ul> <p>Each such query is performed using the credentials defined by "ldap_rootdn" and "ldap_password", under the "ldap_base". If a query returns a result, then ejabberd uses the returned distinguished name to try to bind to LDAP using the password that the user sent during logon. If this bind attempt succeeds, then logon is successful. If no binds were successful, then logon fails. 
(I omit some advanced options to keep things simple.)</p> <p>Also, when the server needs the complete user list (such as when using webadmin), it makes queries like those above, but with "*" instead of "logging_on_user_part".</p> <p>I don't know why your server fails using "givenName", but it may be traced by setting the log level to 5 and running ejabberd in live mode. There you may see the XML exchange, as well as the LDAP queries and results.</p> Tue, 17 Apr 2012 05:05:43 +0000 mikekaganski comment 58552 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58551 <p>Mike,</p> <p>Fantastic reply! I mean that. Just what I had hoped for &amp; expected here. And I laughed too. You make some good points. I wish HRM would only hire uniquely named people, both first name &amp; surname, because, dang it, what happens when the second "Smith" gets hired here? :)</p> <p>{ldap_base, "OU=company name,dc=example,dc=com"}.<br /> {ldap_uids, [{"givenName"}]}.<br /> {ldap_filter, "(memberOf=Company Jabber Users)"}.</p> <p>This ought to give a unique list of results of about 30 entries. 
We expect results that look like this:<br /> rob@example.com<br /> bob@example.com<br /> richard@example.com<br /> richard.smith@example.com<br /> sue@example.com<br /> susan@example.com<br /> suzanne@example.com<br /> susie@example.com<br /> und.so.weiter@example.com</p> <p>Right now ejabberd seems to be passing its query to the AD server perfectly &amp; getting a response, but ..... it is not matching up on:</p> <p>JID = richard@example.com<br /> mail = richard@example.com</p> <p>And when I say "mail", I am referring to the name of the LDAP field named "mail".</p> <p>One clarification: in the above LDAP configuration example that I pasted in, I used "givenName", which is one of my many many many tests, but I (of course) have tried "mail". Neither works. I will say that this same LDAP configuration over in Openfire using "givenName" works like a charm. I expected the same here, but I now understand that there is some other logic or expectations inside of that system &amp; this system that differ. I actually considered reading the source code for that one &amp; this one to see if I could spot the different expectations, but I failed at that. 
Alas, I throw myself on the mercy of this forum for assistance. Here's hoping.</p> <p>Thanks again.</p> <p>Jason</p> Tue, 17 Apr 2012 03:49:32 +0000 anonymous@domain.tld comment 58551 at https://www.ejabberd.im https://www.ejabberd.im/node/5349#comment-58550 <p>Give the auth config that you expect to work, and what errors it gives when a user tries to log in.<br /> I'm sure you know what you are doing, and your HRM does their best to hire only people having unique names across your organization... :) Or have I misunderstood your intentions? If so, please use less refined, and more strict, formal and unambiguous language.</p> Mon, 16 Apr 2012 10:03:39 +0000 mikekaganski comment 58550 at https://www.ejabberd.im
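<p>Added example, not part of the thread and not ejabberd's own code: a small Python model of the lookups Mike describes (the uid lookup built from ldap_uids, AND-ed with ldap_filter, and the "*" form used for user listing), with an in-memory filter evaluator so the memberOf pitfall can be reproduced offline. It assumes the filter shape seen in Jason's capture (uid alternatives OR-ed, then AND-ed with ldap_filter), a constructed three-account directory, and that DN-syntax attributes such as memberOf match only on an exact, whole DN. The <code>escape</code> switch is a modelling device to show why the user part of the JID must be RFC 4515-escaped before substitution; it is not a statement about what ejabberd does.</p>

```python
"""Model of the LDAP lookups discussed above (added example, not ejabberd code).
Filter shapes follow the explanation and the captured searchRequest; the directory
is constructed.  escape=False exists only to show why the JID's user part must be
RFC 4515-escaped before it is substituted into the filter."""
import re

# DN-syntax attributes: AD matches these on a whole, exact DN only (modelled).
DN_ATTRS = {"memberof", "distinguishedname", "manager"}

def escape_filter_value(value):
    """RFC 4515 escaping for a value taken from a login attempt."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_auth_filter(ldap_filter, ldap_uids, user, escape=True):
    """Filter for `user` from ejabberd.cfg-style ldap_uids / ldap_filter.
    (attr,) gives (attr=<user>); (attr, "%u@dom") gives (attr=<user>@dom).
    Several entries are OR-ed, then AND-ed with ldap_filter, as in the capture.
    The literal "*" is the unescaped form used to enumerate every user."""
    value = user if user == "*" or not escape else escape_filter_value(user)
    terms = []
    for entry in ldap_uids:
        fmt = entry[1] if len(entry) > 1 else "%u"
        terms.append("(%s=%s)" % (entry[0], fmt.replace("%u", value)))
    uid_part = terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)
    return "(&%s%s)" % (uid_part, ldap_filter)

def _parse(text):
    """Parse the RFC 4515 subset used here: &, |, ! and attr=value."""
    if not text.startswith("("):
        raise ValueError("expected '(' at %r" % text[:20])
    if text[1] in "&|!":
        op, children, rest = text[1], [], text[2:]
        while rest.startswith("("):
            child, rest = _parse(rest)
            children.append(child)
        if not rest.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), rest[1:]
    end = text.index(")")  # escaped values never contain a raw ')'
    attr, _, value = text[1:end].partition("=")
    return ("=", attr, value), text[end + 1:]

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry ({attr: [values]})."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if attr.lower() in DN_ATTRS:
        return "*" not in pattern and any(_unescape(pattern).lower() == v.lower() for v in values)
    # A raw "*" is a wildcard; an escaped "\2a" becomes a literal after the split.
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)

def search(ldap_filter, directory):
    """sAMAccountName of every entry the filter string matches."""
    node, rest = _parse(ldap_filter)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return [e["sAMAccountName"][0] for e in directory if matches(node, e)]

GROUP_DN = "CN=Company Jabber Users,OU=some company name,dc=example,dc=org"
UIDS = [("givenName",), ("mail", "%u@example.org")]
BROKEN = "(memberOf=Company Jabber Users)"  # the thread's original ldap_filter
FIXED = "(memberOf=%s)" % GROUP_DN          # full DN, as the thread concludes

def _entry(sam, given, mail, groups):
    return {"sAMAccountName": [sam], "givenName": [given], "mail": [mail], "memberOf": groups}

# Constructed sample directory modelled on the names used in the thread.
DIRECTORY = [
    _entry("richard", "Richard", "richard@example.org", [GROUP_DN]),
    _entry("bob", "Bob", "bob@example.org", [GROUP_DN]),
    _entry("rsmith", "Richard", "richard.smith@example.org", []),
]

def demo():
    """Scenarios from the thread -> {name: accounts the lookup matched}."""
    run = lambda flt, user, **kw: search(build_auth_filter(flt, UIDS, user, **kw), DIRECTORY)
    return {
        "broken": run(BROKEN, "richard"),  # the capture's exact request: 0 results
        "dn_wildcard": run("(memberOf=*Company Jabber Users*)", "richard"),  # still 0
        "fixed": run(FIXED, "richard"),  # full DN: exactly one account to bind as
        "listing": run(FIXED, "*"),  # the "*" form webadmin uses: group members
        "hostile_escaped": run(FIXED, "*)(mail=*"),  # escaped: matches nobody
        "hostile_raw": run(FIXED, "*)(mail=*", escape=False),  # whole group matches
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %s" % (name, result))
```

<p>Running <code>demo()</code> reproduces the capture: the first scenario builds exactly the filter seen in frame 1 and matches nothing, while the same lookup with the full group DN returns one account. The last two scenarios are the security caveat: with the user part left unescaped, a login name of <code>*)(mail=*</code> turns a one-user lookup into a whole-group match, so whatever DN comes back first is the one the password bind is tried against.</p>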