Hello!
I have ejabberd with LDAP auth, and is works for clients, but when I'm trying to add TURN support, it works with "anonymous" auth type only.
When I setup
auth_type: user
I got this message. I've tried to add auth_realm, but is doesn't help.
2015-01-20 16:45:03.780 [info] <0.443.0> failed long-term STUN authentication for
Should the TURN auth work with LDAP?
Thank you!
Hi, I've face the same issue
Hi,
I've face the same issue with external authentication.
If you browse the code of the stun app used by ejabberd you will see that they use a function [auth_fun] to get a password for the user (https://github.com/processone/stun/blob/master/src/stun.erl#L235 ). They do that because the STUN protocol requires it for the long-term STUN authentication (your STUN client doesn't send the password but an hash of it https://tools.ietf.org/html/rfc5389#page-35 ).
That function is set up as get_password_s by the stun ejabberd module (https://github.com/processone/ejabberd/blob/66310788848ef185f3831648b2ab... ) .
Usually the external_auth mechanisms check the password but don't save the password anywhere so get_password_s behavior is "usually" (in the next lines, you will see why I just said usually) the same of a trivial function which returns null (probably also for your LDAP auth, check it in your code).
Fortunately, I wasn't the first to face the issue of a missing get_password_s because other modules need it, so someone clever implemented a cache for externally authenticated user (https://support.process-one.net/browse/EJAB-641 ). If the cache is enabled the get_password_s returns correctly the password.
So, at the end, the solution is to enable the cache and set the timeout to 0 -> extauth_cache: 0
Remember that you need mod_last enabled, further information about ext cache is here -> https://docs.ejabberd.im/admin/guide/configuration/#external-script.
The last thing, I setup cache timeout to 0 because I need the user password only if the user is logged in and not use this feature to reduce the number of calls to my ext auth system (which is a great feature too).
Let me know if you managed to solve your issue.