ejabberd - Comments for "mod_shared_roster_ldap"
https://www.ejabberd.im/node/7953

https://www.ejabberd.im/node/7953#comment-59240

I too struggled with mod_shared_roster_ldap for a long time. What I have found works best for me is to filter the users by a single standard LDAP parameter. This parameter will be displayed in the XMPP client as the name of the group.

I use Windows Active Directory as my LDAP source, the sAMAccountName as the UID and make sure all users have the physicalDeliveryOfficeName attribute filled out. (If they don't, they won't be displayed in the roster at all.) I use the following module config:

```erlang
{mod_shared_roster_ldap,[
  {ldap_filter, "(objectClass=user)"},
  {ldap_rfilter, "(objectClass=user)"},
  {ldap_groupattr, "physicalDeliveryOfficeName"},
  {ldap_groupdesc, "physicalDeliveryOfficeName"},
  {ldap_memberattr, "sAMAccountName"},
  {ldap_userdesc, "displayName"}
]}
```

Fri, 02 Nov 2012 01:43:10 +0000, dsalzedo, comment 59240 at https://www.ejabberd.im

https://www.ejabberd.im/node/7953#comment-59199

Your groups and your users seem to only relate by the gidNumber attribute. So you cannot get the group names for your groups from LDAP group objects using mod_shared_roster_ldap (this is its functional limitation; it's something that needs to be fixed, maybe as a part of EJAB-1480, https://support.process-one.net/browse/EJAB-1480).

You seem to have tried many variants of configuration, and even invented your own configuration parameters :) Your configuration (at least the possible one) should look like this:

```erlang
{mod_shared_roster_ldap,[
  %1. Disable useless defaults
  {ldap_filter, ""},
  %2. Prepare the list of group identifiers
  {ldap_rfilter, "(objectClass=posixGroup)"},
  %3. Which attribute of the returned objects represents the identifiers
  {ldap_groupattr, "gidNumber"},
  %4. Now we have the list of all our group ids (in this case, gidNumbers).
  %   Now we need to ask each group individually for its name and its member
  %   ids. Unfortunately, there's only one query that must give us both these
  %   pieces of info, thus the limitation mentioned above. As a workaround, we
  %   will use the departmentNumber as the group name. So, our query will be
  %   used only to give us users:
  {ldap_gfilter, "(&(objectClass=posixAccount)(gidNumber=%g))"},
  %5. Where is the group name? The query above will give us multiple user
  %   objects, and each will hold the attribute. We need only one name. In
  %   this case, the module will just take the value of the last object. You
  %   cannot pass an arbitrary string here; it MUST be an attribute name.
  {ldap_groupdesc, "departmentNumber"},
  %6. Where are the member users' ids. Note that this MUST be the uid part of
  %   the jid, so it MUST NOT contain spaces. It should be the same as you use
  %   for auth.
  {ldap_memberattr, "uid"},
  %7. Now we have the list of groups; each has its name and its users ids
  %   list. Now we will ask each user for its display name.
  {ldap_ufilter, "(&(objectClass=posixAccount)(uid=%u))"},
  %8. Where is the user display name
  {ldap_userdesc, "cn"},

  {ldap_auth_check, "off"},
  {ldap_user_cache_validity, "10"},
  {ldap_group_cache_validity, "10"}
]}
```

Fri, 19 Oct 2012 03:40:46 +0000, mikekaganski, comment 59199 at https://www.ejabberd.im
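
The lookup order that the numbered comments in the configuration above describe, as an added example that is not part of the original thread or of ejabberd's code: a simplified Python model run over a constructed in-memory directory. The `search` matcher, `build_roster` and the sample entries are hypothetical; the model shows why the group name ends up being the `departmentNumber` of whichever user object is returned last.

```python
import re

# Constructed sample directory (hypothetical entries, not real LDAP output).
DIRECTORY = [
    {"objectClass": "posixGroup", "cn": "engineering", "gidNumber": "500"},
    {"objectClass": "posixGroup", "cn": "sales", "gidNumber": "501"},
    {"objectClass": "posixAccount", "uid": "alice", "cn": "Alice Smith",
     "gidNumber": "500", "departmentNumber": "Engineering"},
    {"objectClass": "posixAccount", "uid": "bob", "cn": "Bob Jones",
     "gidNumber": "500", "departmentNumber": "Research"},
    {"objectClass": "posixAccount", "uid": "carol", "cn": "Carol White",
     "gidNumber": "501", "departmentNumber": "Sales"},
]

# Option values copied from the configuration in the comment above.
CONFIG = {
    "ldap_rfilter": "(objectClass=posixGroup)",
    "ldap_groupattr": "gidNumber",
    "ldap_gfilter": "(&(objectClass=posixAccount)(gidNumber=%g))",
    "ldap_groupdesc": "departmentNumber",
    "ldap_memberattr": "uid",
    "ldap_ufilter": "(&(objectClass=posixAccount)(uid=%u))",
    "ldap_userdesc": "cn",
}

def search(flt):
    """Toy matcher: handles only an AND of (attr=value) equality terms."""
    terms = re.findall(r"\(([^()=&]+)=([^()]*)\)", flt)
    return [e for e in DIRECTORY if all(e.get(a) == v for a, v in terms)]

def build_roster(cfg):
    """Follow the order in the comment: group ids, then members, then names."""
    attr = cfg["ldap_groupattr"]
    group_ids = [e[attr] for e in search(cfg["ldap_rfilter"]) if attr in e]
    roster = {}
    for gid in group_ids:
        entries = search(cfg["ldap_gfilter"].replace("%g", gid))
        name, members = None, {}
        for entry in entries:
            # Every returned object may carry the name; the last one wins.
            name = entry.get(cfg["ldap_groupdesc"], name)
            uid = entry.get(cfg["ldap_memberattr"])
            if uid is None:
                continue
            hits = search(cfg["ldap_ufilter"].replace("%u", uid))
            # Assumption of this model: fall back to the uid if no name is found.
            members[uid] = hits[0].get(cfg["ldap_userdesc"], uid) if hits else uid
        roster[gid] = {"name": name, "members": members}
    return roster
```

With the sample data, group 500 is labelled "Research" rather than "Engineering", because bob's entry comes last in the constructed result order.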