Home » Forums » ejabberd & XMPP » ejabberd Administration

Hot wo setup mod_shared_roosters_ldap?

Submitted by Yaerox on Wed, 2014-08-13 13:29

Well, I'll first of all tell you guys what I need to do. Maybe you could tell me if this is possible and if it is, could you help me out setting this up?

- I need to setup an ejabberd server (done) and an web-client (done).
- Now I need to group my users. I'm using my AD to get my users on ejabberd (ldap connection is working fine now). Now those Users are member of different groups. I need to create chat-rooms where ONLY users OF THE SAME GROUPS are in and only the users of the same group should be visible. They may don't the people of other groups. This is really the MOST IMPORTANT thing right here!

How do I have to go on now? I'm not sure about what to do. Do I have to Setup all those rosters manually, or can I use the mod_shared_rooster_ldap? If I can use this mod, is it possible to do what I've explained above? Or do I have to setup vhosts for each group because I'm actual feeling like I have to type the explicit groupname in those configurations, and if I have to, it won't work for multiple groups - right? So I need to be able to setup this mod for each vhost?

Actual for practising only, I have a ejabberd, no vhost, just the single one. I now wanna try to create a roster with this mod, where I see all other users in the same group with me.

----------
mod_roster: {}
mod_service_log: {}
mod_shared_roster: {
db_type: internal, ## internal | odbc
}
mod_shared_roster_ldap: {
ldap_rfilter: "(&(objectClass=user)(memberOf=CN=MYGROUP,OU=Users,OU=DOMAIN1/DOMAIN2,DC=DOMAIN1,DC=DOMAIN2,DC=de))",

ldap_gfilter: "(&(objectClass=user)(memberOf=CN=MYGROUP,OU=Users,OU=DOMAIN1/DOMAIN2,DC=DOMAIN1,DC=DOMAIN2,DC=de)(cn=%u))",
ldap_groupattr: "cn",
ldap_groupdesc: "name",

ldap_ufilter: "(&(objectClass=user)(cn=%u))",
ldap_memberattr: "member",
ldap_memberattr_format: "CN=%u,OU=Users,OU=DOMAIN1/DOMAIN2,DC=DOMAIN1,DC=DOMAIN2,DC=de",
ldap_useruid: "cn",
ldap_userdesc: "displayName",

ldap_filter: ""
}
----------

But nothing is happening. In case that all configurations work fine, would this mod create the rosters and I'd see all those users in my Friendlist? In my opinion, there is a lot of documentation missing, I have no idea what this mod will do if everything is configurated fine ...

Regards

‹ Change ejabberd hostname on Windows install 2.1.11 Duplicate JID's appearing. ›

Edited first post.

Submitted by Yaerox on Fri, 2014-08-15 09:20.

Edited first post.

»

@YAerox: So I am not so

Submitted by bedfordr on Thu, 2014-08-14 16:17.

@YAerox:
So I am not so familiar with ejabberd-14.07, but setting aside the formatting differences from 2.1, you are trying the webadmin access -- have you set your ldap account as an administrator?

%% Admin user
{acl, admin, {user, "MyUsername", "DOMAIN1.DOMAIN2.com"}}.

change the domain name to whatever you use

I think that input represents the only users that are allowed to log into webadmin.

My next suggestion is to relegate the ldap_servers to a single server for now. I am less familiar with multiple servers.

»

I'm trying for hours...I read

Submitted by Yaerox on Fri, 2014-08-15 14:46.

I'm trying for hours...I read my local documentation which seems different from the actual online version, I tried this the same way they do:

This however seems to be a common DIT layout, so the module keeps supporting it. You can use the following configuration…

modules:
...
mod_shared_roster_ldap:
ldap_base: "ou=flat,dc=nodomain"
ldap_rfilter: "(objectClass=inetOrgPerson)"
ldap_groupattr: "ou"
ldap_memberattr: "cn"
ldap_filter: "(objectClass=inetOrgPerson)"
ldap_userdesc: "displayName"
...

…to be provided with a roster as shown in figure 3.2 upon connecting as user czesio.

My config looked like:

mod_shared_roster_ldap: {
ldap_base: "ou=Benutzer,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de",
ldap_rfilter: "(objectClass=user)",
ldap_groupattr: "ou",
ldap_memberattr: "cn",
ldap_filter: "(objectClass=user)",
ldap_userdesc: "displayName"
}

nothing is happening. Log says stuff like this ... :

2014-08-15 16:06:43.884 [debug] <0.1947.0>@ejabberd_local:do_route:296 local route
from {jid,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<"IP_ADRESS_MY_PC">>,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<"IP_ADRESS_MY_PC">>}
to {jid,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<>>,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<>>}
packet {xmlel,<<"iq">>,[{<<"xml:lang">>,<<"de">>},{<<"type">>,<<...>>},{<<...>>,...}],[{xmlcdata,<<...>>},{xmlel,...},{...}]}

For me this looks like the result is empty.

Maybe another example explained how I get to my configs:

mod_shared_roster_ldap: {
ldap_base: "ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de", ## Start search here ...
ldap_rfilter: "(&(objectClass=organizationalUnit)(distinguishedName=ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de))", ## Looking for an OU called "Users" in the ldap_base ...
ldap_filter: "", ## this is always empty, I didn't understood why ...

ldap_groupattr: "distinguishedName", ## This is what the rfilter will return.

## ----------------------------------
## Result: Name | Value | > DN
## OU | Users | ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
##
## So I guess ldap_groupattr->distinguishedName is equal Users now
## ==> %g = Users
## ----------------------------------

ldap_gfilter: "(&(objectClass=user)(memberOf=CN=MYGROUP,OU=Groups,OU=DOMAIN1/DOMAIN2,DC=DOMAIN1,DC=DOMAIN2,DC=de))", ## Looking for Users who are memberOf MYGROUP..

ldap_groupdesc: "displayName",
ldap_memberattr: "cn",

## ----------------------------------
## Result: Name | Value | > DN
## CN | User001 | ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## CN | User002 | ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## CN | User003 | ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## CN | User004 | ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
##
## So I guess ldap_groupattr->distinguishedName, ldap_groupdesc->displayName and ldap_memberattr->cn is now running in a loop and changing it's value 4 times.
## #1 ldap_groupattr->distinguishedName = cn=User001,ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #1 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #1 ldap_memberattr->cn = User001
##
## #2 ldap_groupattr->distinguishedName = cn=User002,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #2 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #2 ldap_memberattr->cn = User002
##
## #3 ldap_groupattr->distinguishedName = cn=User003,ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #3 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #3 ldap_memberattr->cn = User003
##
## #4 ldap_groupattr->distinguishedName = cn=User004,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #4 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #4 ldap_memberattr->cn = User004
##
## So I guess ldap_groupdesc->displayName is: ==> %u = Users_Firstname Users_Lastname
## ----------------------------------

ldap_memberattr_format: "cn=%u,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de"

ldap_ufilter: "(&(objectClass=user)(memberOf=CN=MYGROUP,OU=Groups,OU=DOMAIN1/DOMAIN2,DC=DOMAIN1,DC=DOMAIN2,DC=de)(distinguishedName=%g))",

## ----------------------------------
## Result: Name | Value | > DN
## CN | User001 | ou=Test,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
##
## So I guess ldap_userdesc->cn: ==> %u = User001
## ----------------------------------

ldap_userdesc: "cn"
}

Do I understand this right? Because it is still nothing happening with this latest configurations ... please help me out.

»

Yaerox wrote: That's exactly

Submitted by voest on Tue, 2014-08-19 08:06.
Yaerox wrote:

That's exactly what I need to do too, but my research couldn't help me finding a solution.

I'm not even as far as you're :/ If you would be so kind, could u help me out to get as far as you are?

Those might also help you:

http://www.process-one.net/docs/ejabberd/guide_en.html#modsharedrosterldap

http://www.ejabberd.im/node/4722

Is that your whole configuration ? Since i don't see any LDAP Binding ...

Well i consider you left that part out ...
I think your problem is that your ldap filters are strange :)

Your ldap configuration should look something like this:

{auth_method, ldap}.
{ldap_servers, ["server.domain.com"]}.
{ldap_uids, [{"sAMAccountName"}]}.
{ldap_encrypt, tls}.
{ldap_tls_verify, false}. %% for debbugging reasons its easy :P
{ldap_port, 636}.
{ldap_base, "DC=server,DC=com"}.
{ldap_rootdn, "CN=ldapauth,OU=users,DC=domain,DC=com"}.
{ldap_password, "*******"}.
{ldap_filter, "(objectClass=*)"}.

{mod_shared_roster_ldap, [
{ldap_base, "ou=ejabberd,ou=Groups,dc=domain,dc=com"},
{ldap_groupattr, "cn"},
{ldap_groupdesc, "description"},
{ldap_memberattr, "member"},
{ldap_memberattr_format, "CN=%u,OU=Users,DC=domain,DC=com"},
{ldap_useruid, "cn"},
{ldap_userdesc, "displayName"},
{ldap_rfilter, "(objectClass=group)"},
{ldap_gfilter, "(cn=%g)"},
{ldap_ufilter, "(cn=%u)"},
{ldap_filter, ""},
]},

I hope this helps you :)

»

Thanks for the answers, as

Submitted by Yaerox on Wed, 2014-08-20 11:06.

Thanks for the answers, as soon as I'll have time to try this out, I'll reply. Actual trying some alternatives.

»
Syndicate content

User login