ldap-based grouping, address books, visibility, etc (very advanced mod_filter?)

Hi all,

A long time ago I had a question about cross-domain:
http://www.ejabberd.im/node/4992

The solution worked perfectly, but it is very difficult to implement with a large number of domains. For example, looking at Example #2:

% This ejabberd server has three virtual hosts
{hosts, ["example1.org", "example2.org", "example3.org"]}.

% This ACL will match any user or service (MUC, PubSub...) hosted on example3.org
{acl, ex3server, {server_glob, "*example3.org"}}.

% The main mod_filter rule allows any admin, but restricts example3 and the rest of packets
{access, mod_filter, [{allow, admin},
                      {restrict_ex3, ex3server},
                      {restrict_nonex3, all}]}.

% This rule, which applies to packets sent from Ex3 non-admin users,
% allows packets sent to Ex3 server (packets internal to the vhost) and denies anything else.
{access, restrict_ex3, [{allow, ex3server},
                        {deny, all}]}.

% This rule, which applies to the rest of packets (the ones that are not sent from Ex3),
% allows all packets to admins (allowing replies to stanzas from Ex3 admins),
% denies all other access to Ex3, and allows access to anything else.
{access, restrict_nonex3, [{allow, admin},
                           {deny, ex3server},
                           {allow, all}]}.

If you had 100 domains, this would be very difficult.

In my case, I have a very predictable LDAP schema. Every "domain"'s users actually live inside of an ou. So, for example:

{ldap_base, "ou=domainB.com,dc=something,dc=com"}.

Any ou=domain.com should have the following properties:
* all users underneath that ou (ex: uid=john,ou=domainB.com,dc=something,dc=com) should be able to chat with all other users on that domain by default.
* all users underneath that ou should be on everyone's chat list / buddy list by default.
* all users underneath that ou should be restricted from talking to users not in that ou.

There is only one special domain that should have different properties, ex:

{ldap_base, "ou=specialdomain.com,dc=something,dc=com"}.

Any user in ou=specialdomain.com should have the following properties:
* all other users should initially be hidden by default
* like Google Chat, if someone tells you their username you can add them
* talking to other ou/domain is restricted

I could probably write a Puppet module that would call LDAP and figure out the list of OUs and then generate code snippets and insert them into the ejabberd config file, but that is really extraordinarily ugly. It would be way better if there was some way to set up "wildcard" LDAP-based directives.

Hopefully this makes sense. I am currently using 2.1.10-el5 on erlang R12B-5.10.el5 but would be willing to upgrade as nothing else in this system depends on either of these versions.

Cheers.
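The mod_filter scheme quoted in the post generalizes mechanically, which is what makes a generator feasible. The following is an added example, not code from the original post and not ejabberd's own code: a Python script that builds the per-vhost ACLs and access rules for any list of virtual hosts (the "all users restricted to their own ou/domain, admins exempt" case) in the ejabberd 2.x Erlang-term syntax shown above, and then models how mod_filter evaluates them (the `mod_filter` rule is matched against the From JID; when the result names another access rule, that rule is matched against the To JID; first matching entry wins; a rule with no match denies) so the generated policy can be checked before it is deployed. The domain list, the admin JID, and every function name are constructed for the example; it only covers the routing restriction, not the roster-visibility requirements.

```python
"""Generate ejabberd 2.x mod_filter rules that isolate N virtual hosts and
simulate the mod_filter decision to check the resulting policy.
Added example with constructed inputs; not from the original post."""
import fnmatch

# Constructed list of virtual hosts (stand-ins for the ou=<domain> entries).
DOMAINS = ["domaina.com", "domainb.com", "specialdomain.com"]
# Constructed admin JIDs as (user, server); in ejabberd these come from the admin ACL.
ADMINS = {("root", "domaina.com")}


def acl_name(domain):
    """ACL name for a vhost, e.g. srv_domainb_com (Erlang atoms cannot contain dots)."""
    return "srv_" + domain.replace(".", "_").replace("-", "_")


def build_policy(domains):
    """Return (acls, rules) in a small Python model of ejabberd's ACL/access tables.

    acls:  ACL name -> server glob ('admin' and 'all' are treated as built in)
    rules: access-rule name -> ordered list of (result, acl_name)
    """
    acls = {acl_name(d): "*" + d for d in domains}
    rules = {}
    # The main rule is matched against the From JID: admins may send anywhere,
    # every other sender is handed to its per-domain rule (matched against To).
    rules["mod_filter"] = [("allow", "admin")] + \
        [("restrict_" + acl_name(d), acl_name(d)) for d in domains] + [("deny", "all")]
    for d in domains:
        rules["restrict_" + acl_name(d)] = [
            ("allow", "admin"),      # replies to admins
            ("allow", acl_name(d)),  # traffic internal to the vhost (users, MUC, PubSub)
            ("deny", "all"),         # other vhosts and remote servers
        ]
    return acls, rules


def render_config(domains, acls, rules):
    """Emit the Erlang-term snippets in the ejabberd 2.x config syntax."""
    out = ['{hosts, [%s]}.' % ", ".join('"%s"' % d for d in domains)]
    for name, glob in acls.items():
        out.append('{acl, %s, {server_glob, "%s"}}.' % (name, glob))
    for name, entries in rules.items():
        body = ",\n    ".join("{%s, %s}" % e for e in entries)
        out.append("{access, %s, [%s]}." % (name, body))
    return "\n".join(out)


def acl_matches(acls, name, jid):
    """Does the JID (user, server) match the named ACL?"""
    if name == "all":
        return True
    if name == "admin":
        return jid in ADMINS
    return fnmatch.fnmatchcase(jid[1], acls[name])


def match_rule(acls, rules, rule, jid):
    """First matching entry wins; a rule with no matching entry denies, as in ejabberd."""
    for result, acl in rules[rule]:
        if acl_matches(acls, acl, jid):
            return result
    return "deny"


def filter_decision(acls, rules, from_jid, to_jid):
    """mod_filter semantics: evaluate 'mod_filter' on From; if the result names
    another access rule, evaluate that rule on To."""
    result = match_rule(acls, rules, "mod_filter", from_jid)
    if result in ("allow", "deny"):
        return result
    return match_rule(acls, rules, result, to_jid)


if __name__ == "__main__":
    acls, rules = build_policy(DOMAINS)
    print(render_config(DOMAINS, acls, rules))
    for frm, to in [(("john", "domaina.com"), ("jane", "domaina.com")),
                    (("john", "domaina.com"), ("jane", "domainb.com")),
                    (("john", "domainb.com"), ("root", "domaina.com"))]:
        print("%s@%s -> %s@%s: %s" % (frm + to + (filter_decision(acls, rules, frm, to),)))
```

One check worth running on the generated ACLs: a `server_glob` of `"*domainb.com"` matches `conference.domainb.com` (intended, so the vhost's MUC and PubSub services stay reachable) but also any unrelated host whose name merely ends in `domainb.com`, exactly as the quoted `"*example3.org"` example does; if the deployment federates with outside servers, test the decision function against such names before trusting the isolation.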
