I've moved my server from jabberd2 to ejabberd last weekend. So far, things are improving.
I use LDAP authentication and it works. I couldn't get mod_shared_roster_ldap to work, but I don't really need it, actually the plain mod_shared_roster is more convenient.
However, my efforts in getting the SIP proxy/registrar to work have been fruitless. I don't know what's wrong, it appears to have almost no configuration.
What I suspect is LDAP authentication. I wonder if there is some impossibility with that up front, can anybody tell me?
I use LDAP bind authentication on other services (postfix, dovecot). It forces me to use the PLAIN/LOGIN SASL mechanisms because I feel pudic about storing passwords in cleartext in the LDAP database, even though this is a family server (plaintext equivalents are no problem in this case, because they don't reveal anything personal of your relatives). I'm using the {SSHA} scheme.
This works with ejabberd. But maybe it is an obstacle for mod_sip?
Thank you for any answer,
Miguel
PS: I had real trouble getting through the CAPTCHA for registering in this forum.
So, I found out myself by
So, I found out myself by reading the source. It's not possible to use ldap authentication with mod_sip.
mod_sip uses a get_passwd2 authentication method, and silently fails if it returns an empty password. That's exactly what the ldap auth module does.
Of course, this could only be implemented for ldap in the case that ejabberd would bind with priviledges enough to read this password, but it could be done easily.
Other possibilities would include making the SIP digest-md5 authentication work with LDAP using SASL digest-md5... It sounds possible.
Finally, this can be worked around using external authentication and an authentication script that authenticates against LDAP. external authentication keeps the password in a cache, and this is used. I tried it and it works. I still don't have SIP fully working, but registration works and I'm on to the next obstacle.
One problem of this work around is that while password change worked fine with LDAP authentication, it's not so fine with external authentication, because the external script is given only the new password, so it would only be able to change the user's password with administrative priviledges.
The Erlang source is pretty easy to read and probably to modify. However, who would want to keep patches...
SIP authentication is
SIP authentication is performed via DIGEST, so it's indeed not possible to use it with LDAP. I don't see how DIGEST-MD5 will work when the passwords are not stored in plain.