ejabberd - Comments for "LDAP (active directory)"

Just one question more

nanotopo — Thu, 09 Aug 2007 10:35:02 +0000

When I recompiled eldap.erl the file ELDAPv3.hrl wasn't on the source:

http://svn.process-one.net/ejabberd/trunk/src/eldap/eldap.erl

And I wen't to historical source code to find it, maybe that's the problem? Where I can get it?

Thanks a lot.
Carles.

This patch definitely fixes

mremond — Thu, 09 Aug 2007 09:27:16 +0000

This patch definitely fixes the problem you describe.
You probably miss a step in the recompile / deployment.

If you can wait for a few days, we are preparing a version 1.1.4 that will include this patch among others.

--
Mickaël Rémond
Process-one

After debug I'm in 99%, but still doesn't work:

nanotopo — Thu, 09 Aug 2007 08:43:57 +0000

Hi again,

I get to start in command line, and I get the next log results, it logs onto ldap/AD but it sais:

"I(<0.295.0>:ejabberd_c2s:417): (#Port<0.311>) Failed legacy authentication for dummy@domain.com/Psi"

I checked on the PSI client the plain text conection and it gets the ldap correct autentication.

Here it's the full log:

Eshell V5.5.2.2 (abort with ^G)
(ejabberd@localhost)1> ---- Message:[{'LDAPMessage',1,
{bindRequest,
{'BindRequest',
3,
"CN=Administrador,CN=Users,DC=domain,DC=com",
{simple,"pwdAdministrator"}}},
asn1_NOVALUE}]
(ejabberd@localhost)1> ---- Message:[{'LDAPMessage',1,
{bindRequest,
{'BindRequest',
3,
"CN=Administrador,CN=Users,DC=domain,DC=com",
{simple,"pwdAdministrator"}}},
asn1_NOVALUE}]
(ejabberd@localhost)1> ---- [{'LDAPMessage',1,
{bindResponse,{'BindResponse',
success,
[],
[],
asn1_NOVALUE,
asn1_NOVALUE}},
asn1_NOVALUE}](ejabberd@localhost)1> ---- [{'LDAPMessage',1
,
{bindResponse,{'BindResponse',
success,
[],
[],
asn1_NOVALUE,
asn1_NOVALUE}},
asn1_NOVALUE}](ejabberd@localhost)1>
=INFO REPORT==== 9-Aug-2007::10:24:59 ===
I(<0.226.0>:ejabberd_listener:90): (#Port<0.311>) Accepted connection {{192,168,25,55},2450} -> {{192,168,25,55},5222}
(ejabberd@localhost)1> ---- [{searchRequest,{'SearchRequest',"dc=domain,dc=com"
,
wholeSubtree,
neverDerefAliases,
0,
0,
false,
{'and',
[{equalityMatch,
{'AttributeValueAssertion',
"mail",
"dummy@domain.com"}},
{equalityMatch,
{'AttributeValueAssertion',
"memberOf",
"CN=JabberUsers,CN=Users,DC=domain,DC=com"}},
{'or',
[{equalityMatch,
{'AttributeValueAssertion',
"userAccountControl",
"66050"}},
{equalityMatch,
{'AttributeValueAssertion',
"userAccountControl",
"66048"}}]}]},
[]}}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://domain.com/CN=Configuration,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}}]
(ejabberd@localhost)1>
=INFO REPORT==== 9-Aug-2007::10:24:59 ===
I(<0.295.0>:ejabberd_c2s:417): (#Port<0.311>) Failed legacy authentication for dummy@domain.com/Psi

I've done and nothing

nanotopo — Wed, 08 Aug 2007 08:50:44 +0000

Hi Mickël,

I've compiled the file but it does the same. The key it's that this eldap.erl file it's the same as 1.1.3.

How I can get a better log to look for what's happening?

Carles.

Try to replace eldap.erl

mremond — Tue, 07 Aug 2007 13:48:58 +0000

Try to replace eldap.erl with this file from the development version and recompile ejabberd:
http://svn.process-one.net/ejabberd/trunk/src/eldap/eldap.erl

--
Mickaël Rémond
Process-one

I'm using the last one,

nanotopo — Tue, 07 Aug 2007 12:56:49 +0000

I'm using the last one, 1.1.3.

Where I have to go to look for SVN?

Thanks.

Regarding LDAP, the

mremond — Tue, 07 Aug 2007 12:53:17 +0000

Regarding LDAP, the development version contains a fix that could help you (SVN).
Which version are you using ?

--
Mickaël Rémond
Process-one

I'm in the same problem

nanotopo — Tue, 07 Aug 2007 08:38:15 +0000

Hi all,

I'm in the same problem, my case:

Server with ejabbered: pepe.domain.com
Server with active directory: ad.domain.com

Configuration file:

{auth_method, ldap}.
{ldap_servers, ["ad.domain.com"]}. % List of LDAP servers
{ldap_base, "dc=domain,dc=com"}. % Search base of LDAP directory
{ldap_rootdn, "cn=Administrador,cn=Users,dc=domain,dc=com"}. % LDAP manager
{ldap_password, "pwdAdministrator"}. % Password to LDAP manager
{ldap_uidattr, "samAccountName"}.

{hosts, ["pepe.domain.com","domain.com"]}.

User on Active Directory:
user name: dummy
user login: dummy
user email: dummy@domain.com

Client:
PSI
Configuration:
jid: dummy@domain.com
server: pepe.domain.com
* One question about he client side, I have to register the user, or just login?

Please what I have to do to make it work, I left 4 hours allready.

Thanks in advance

Do you use? {auth_method, ldap}.

mfoss — Wed, 04 Jul 2007 14:15:51 +0000

I have never used LDAP/AD auth on ejabberd.

james wrote:

The logs for ejabberd don't seem to tell me anything useful. (i.e. It may be useful information, but not for me.) :)

Umm, so they don't show any ERROR, CRASH... reports for you.

james wrote:

I do have ejabberd set to allow LDAP and internal, and I'm able to register new accounts.

So, you have something like this?

{auth_method, [internal, ldap]}.

Please note that the guide and the russian article from realloc use this:

{auth_method, ldap}.

Active Directory authentication

james — Mon, 02 Jul 2007 18:30:32 +0000

I've been struggling with this for days ... and I'm *sure* that I'm missing something basic.

I'm using the latest version of ejabberd from ProcessOne (1.1.2 I believe).

I've installed this to an XP machine, which belongs to the domain as a workstation, with the firewall off.

I want to be able to authenticate users who exist in the AD, using their AD credentials.

The logs for ejabberd don't seem to tell me anything useful. (i.e. It may be useful information, but not for me.) :)

I have followed the examples from this site, as well as a translated version of this page: http://realloc.spb.ru/share/ejabberd112ad.html

I'm using Pidgin to connect to the ejabberd server, and could be doing something wrong on the client side. I'm not sure what "screen name" equates to in the AD. In Pidgin, I get authentication failed errors when I try and use an AD account.

I do have ejabberd set to allow LDAP and internal, and I'm able to register new accounts.

Does there exist somewhere a comprehensive overview of "active directory" authentication, including client side stuff? If not, does anyone have suggestions as to what stupid thing I might be doing wrong?

If I can get this working, I'd be happy to contribute an english language document detailing the steps I take, client side config, etc.

Thank you for your time and consideration. :)

James

done

mfoss — Mon, 04 Sep 2006 10:56:39 +0000

sander wrote:

@badlop: maybe that patch should be listed on the contribs page?

Done, but even better: include in ejabberd svn, or at least bugzilla

I think you might want to

sander — Mon, 04 Sep 2006 09:56:12 +0000

I think you might want to take a look at this patch to improve LDAP support in ejabberd. Check the included README and ldap_guide.txt files.

@badlop: maybe that patch should be listed on the contribs page?

--
sander

With or without ejabberd_ad patch?

blindzero — Mon, 04 Sep 2006 08:58:33 +0000

Hi all,

I am trying to get this running, too, unfortunately without success.
So my first question: do I need this ejabberd_ad patch and if so, why?
My ejabberd package comes with LDAP support I think, so AD authentication should be ok?

I have the following configuration:
{auth_method, ldap}.
{ldap_servers, ["server1.arkona.local"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "OU=Users OU,DC=arkona,DC=local"}. % Search base of LDAP directory
{ldap_rootdn, "CN=Administrator,OU=Groups and Buildins,DC=arkona,dc=local"}. % LDAP manager
{ldap_password, "OurPassword"}. % Password to LDAP manager

The Users OU is definitely right, the Administrator also.
So what the hack am I doing wrong?
Is it because of the spaces in the basedn and rootdn?

Thanks for any help,

Matthias

Fixed It!

havok1977 — Fri, 28 Apr 2006 19:03:27 +0000

I made an export of my Active Directory structure and found our that the rootdn was incomplete, here goes my final working configuration:

{auth_method, ldap}.
{ldap_servers, ["10.100.0.20"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "OU=Usuarios,OU=Corporativo,DC=metrored,DC=local"}. % Search base of LDAP directory
{ldap_rootdn, "CN=Administrador,CN=Users,DC=metrored,DC=local"}. % LDAP manager
{ldap_password, "XXXXXXXXXXX"}. % Password to LDAP manager

I hope this saves someone some grief in the future when dealing with this...

I am having the same problem.

havok1977 — Fri, 28 Apr 2006 15:39:03 +0000

I am also attempting to make my local area messaging service be integrated into our existing Active Directory infrastructure. As per documented here and based on a friend of mine's suggestions i have come up with the following LDAP configuration:

{auth_method, ldap}.
{ldap_servers, ["10.100.0.20"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "ou=Usuarios,ou=Corporativo,dc=metrored,dc=local"}. % Search base of LDAP directory
{ldap_rootdn, "cn=Administrador,dc=metrored,dc=local"}. % LDAP manager
{ldap_password, "XXXXXXXX"}. % Password to LDAP manager

However i have had many problems and to this point in time the authentication does not work against the AD yet. I am certain that i have configured the ldap_base and the ldap_password; but i am not sure that my ldap_base is correct by just adding the dc's or if it needs the ou's as well.

This is what my ejabberd.log has to say about it:

=INFO REPORT==== 2006-04-28 10:46:33 ===
I(<0.1193.0>:ejabberd_listener:90): (#Port<0.2157>) Accepted connection {{10,100,3,91},42672} -> {{10,100,0,8},5222}

=INFO REPORT==== 2006-04-28 10:46:33 ===
I(<0.1270.0>:ejabberd_c2s:417): (#Port<0.2157>) Failed legacy authentication for diego.defuentes@metrored.com.mx/Psi

I will go to my AD server to check if it has any kind of logs available, in the meantime; can anyone please clarify my question?

Thanks in advance.