перерыл весь форум, перечитал гайды
но так и не удалось заставить работать ldap AD аутентификацию
Исходный данные: ОС win 2003 srv r2
ejabberd: ejabberd-1.1.2_2-windows-installer.exe
На машине поднят контроллер домена, dns
установил ejabberd-1.1.2
логинюсь под login: jadmin@home-1 pass:000000 server: home-1 на вэб-интерфейс - логин ОК
меняю hostname на home-1.spring.local
регистрирую пользователя из psi-0.10-win login: jadmin@home-1.spring.local pass:000000
добавляю пользователю права admin
логинюсь под login: jadmin@home-1.spring.local pass:000000 server: home-1.spring.local на вэб-интерфейс - логин ОК
меняю способ аутентификации на ldap - логин умирает.
Вот листинги:
************************* ejabberd.cfg ********************************************
% $Id: $
override_acls.
% Users that have admin access. Add line like one of the following after you
% will be successfully registered on server to get admin access:
{acl, admin, {user, "jadmin"}}.
{acl, admin, {user, "jadmin","home-1.spring.local"}}.
{acl, admin, {user, "jadmin","spring.local"}}.
% Blocked users:
%{acl, blocked, {user, "test"}}.
% Local users:
{acl, local, {user_regexp, ""}}.
% Another examples of ACLs:
%{acl, jabberorg, {server, "jabber.org"}}.
%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
%{acl, test, {user_regexp, "^test"}}.
%{acl, test, {user_glob, "test*"}}.
% Everybody can create pubsub nodes
{access, pubsub_createnode, [{allow, all}]}.
% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.
% Every username can be registered via in-band registration:
% You could replace {allow, all} with {deny, all} to prevent user from using
% in-band registration
{access, register, [{allow, all}]}.
% After successful registration user will get message with following subject
% and body:
%{welcome_message,
% {"Welcome!",
% "Welcome to Instant Messaging server localhost. "
% "For information about ejabberd visit http://www.process-one.net/"}}.
% Replace them with 'none' if you don't want to send such message:
{welcome_message, none}.
% List of people who will get notifications about registered users
%{registration_watchers, ["admin1@home-1",
% "admin2@home-1"]}.
% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.
% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
{allow, all}]}.
% Set shaper with name "normal" to limit traffic speed to 1000B/s
{shaper, normal, {maxrate, 1000}}.
% Set shaper with name "fast" to limit traffic speed to 50000B/s
{shaper, fast, {maxrate, 50000}}.
% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
{normal, all}]}.
% For all S2S connections used "fast" shaper
{access, s2s_shaper, [{fast, all}]}.
% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.
% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.
% This rule allows access only for local users:
{access, local, [{allow, local}]}.
% Authentication method. If you want to use internal user base, then use
% this line:
%{auth_method, internal}.
% For LDAP authentication use these lines instead of above one:
%{auth_method, ldap}.
%{ldap_servers, ["home-1"]}. % List of LDAP servers
%{ldap_uidattr, "uid"}. % LDAP attribute that holds user ID
%{ldap_base, "dc=example,dc=com"}. % Search base of LDAP directory
%{ldap_rootdn, "dc=example,dc=com"}. % LDAP manager
%{ldap_password, "******"}. % Password to LDAP manager
{auth_method, ldap}.
{ldap_servers, ["home-1.spring.local"]}. % List of LDAP servers
{ldap_uidattr, "sAMAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "DC=spring,DC=local"}. % Base of LDAP directory
{ldap_rootdn, "CN=jadmin,CN=Users,DC=spring,DC=local"}.
{ldap_password, "000000"}.
% For authentication via external script use the following:
%{auth_method, external}.
%{extauth_program, "/path/to/authentication/script"}.
% For authentication via ODBC use the following:
%{auth_method, odbc}.
%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.
% Host name:
{hosts, ["home-1.spring.local"]}.
%% Define the maximum number of time a single user is allowed to connect:
{max_user_sessions, 10}.
%% Anonymous login support:
%% auth_method: anonymous
%% anonymous_protocol: sasl_anon|login_anon|both
%% allow_multiple_connections: true|false
%%{host_config, "public.example.org", [{auth_method, anonymous},
%% {allow_multiple_connections, false},
%% {anonymous_protocol, sasl_anon}]}.
%% To use both anonymous and internal authentication:
%%{host_config, "public.example.org", [{auth_method, [anonymous, internal]}]}.
% Default language for server messages
% TODO: Use installer selection
{language, "en"}.
% Listened ports:
{listen, [
{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}]},
%% Use this line to enable SSL:
%%{5223, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, tls, {certfile, "C:\Program Files\ejabberd-1.1.2/conf/server.pem"}]},
%%
%% Use those lines instead for TLS support:
%%{5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, starttls, {certfile, "C:\Program Files\ejabberd-1.1.2/conf/server.pem"}]},
%%{5223, ejabberd_c2s, [{access, c2s}, tls, {certfile, "C:\Program Files\ejabberd-1.1.2/conf/server.pem"}]},
%% Remove this line if you want to prevent s2s connections:
{5269, ejabberd_s2s_in, [{shaper, s2s_shaper}, {max_stanza_size, 131072}]},
%% remove http_poll to remove support for http polling
%% remove web_admin to disable admin interface:
{5280, ejabberd_http, [http_poll, web_admin]}
%% This is an example on how to define an external service/transport:
%%{8888, ejabberd_service, [{access, all},
%% {hosts, ["icq.home-1", "sms.home-1"],
%% [{password, "secret"}]}]}
]}.
% If SRV lookup fails, then port 5269 is used to communicate with remote server
{outgoing_s2s_port, 5269}.
% Used modules:
{modules,
[
{mod_register, [{access, register}]},
{mod_roster, []},
{mod_privacy, []},
{mod_adhoc, []},
{mod_configure, []}, % Depends on mod_adhoc
{mod_configure2, []},
{mod_disco, []},
{mod_stats, []},
{mod_vcard, []},
{mod_offline, []},
{mod_announce, [{access, announce}]}, % Depends on mod_adhoc
{mod_echo, [{host, "echo.home-1"}]},
{mod_private, []},
{mod_irc, []},
%%*********************************
%%*********************************
% Default options for mod_muc:
% host: "conference." ++ ?MYNAME
% access: all
% access_create: all
% access_admin: none (only room creator has owner privileges)
{mod_muc, [{access, muc}, {access_create, muc}, {access_admin, muc_admin}]},
% {mod_muc_log, []},
% {mod_shared_roster, []},
{mod_pubsub, [{access_createnode, pubsub_createnode}]},
{mod_time, []},
{mod_last, []},
% {mod_xmlrpc,[{port, 4560},{timeout, 5000}]},
{mod_version, []}
]}.
% Local Variables:
% mode: erlang
% End:
********************************************************
*************** логи неудачных попыток логина *********
=INFO REPORT==== 2007-05-09 12:13:01 ===
I(<0.240.0>:ejabberd_listener:90): (#Port<0.415>) Accepted connection {{192,168,44,21},1718} -> {{192,168,44,21},5222}
=INFO REPORT==== 2007-05-09 12:13:01 ===
I(<0.339.0>:ejabberd_c2s:417): (#Port<0.415>) Failed legacy authentication for jadmin@home-1.spring.local/Psi
******************************************************
*******************настройки win *********************
контейнер с пользователем jadmin: CN=Users,DC=spring,DC=local
пользователь SPRING\jadmin (jadmin@spring.local)
имя компьютера: home-1
основной днс суффикс: spring.local
PS пароль указывал в psi как plaintext
Заранее спасибо за помощь иолодому админу)!