I'm French, so excuse me for my English.
I've just installed ejabberd 1.1.4, but the LDAP authentication doesn't work.
This is my ejabberd configuration:
% $Id: $
% Users that have admin access. Add line like one of the following after you
% will be successfully registered on server to get admin access:
{acl, admin, {user, "admin"}}.
% Blocked users:
%{acl, blocked, {user, "test"}}.
% Local users:
{acl, local, {user_regexp, ""}}.
% Another examples of ACLs:
%{acl, jabberorg, {server, "jabber.org"}}.
%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
%{acl, test, {user_regexp, "^test"}}.
%{acl, test, {user_glob, "test*"}}.
% Everybody can create pubsub nodes
{access, pubsub_createnode, [{allow, all}]}.
% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.
% Every username can be registered via in-band registration:
% You could replace {allow, all} with {deny, all} to prevent user from using
% in-band registration
{access, register, [{allow, all}]}.
% After successful registration user will get message with following subject
% and body:
% {"Welcome!",
% "Welcome to Instant Messaging server localhost. "
% "For information about ejabberd visit http://www.process-one.net/"}}.
% Replace them with 'none' if you don't want to send such message:
{welcome_message, none}.
% List of people who will get notifications about registered users
%{registration_watchers, ["admin1@serveur",
% "admin2@serveur"]}.
% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.
% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
{allow, all}]}.
% Set shaper with name "normal" to limit traffic speed to 1000B/s
{shaper, normal, {maxrate, 1000}}.
% Set shaper with name "fast" to limit traffic speed to 50000B/s
{shaper, fast, {maxrate, 50000}}.
% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
{normal, all}]}.
% For all S2S connections used "fast" shaper
{access, s2s_shaper, [{fast, all}]}.
% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.
% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.
% This rule allows access only for local users:
{access, local, [{allow, local}]}.
% Authentication method. If you want to use internal user base, then use
% this line:
{auth_method, internal}.
%For LDAP authentication use these lines instead of above one:
{auth_method, ldap}.
{ldap_servers, ["serverLDAP.loc"]}. % List of LDAP servers
{ldap_port, 389}. % Port of LDAP servers
{ldap_uidattr, [{"sAMAccountName"}]}. % LDAP attribute that holds user ID
{ldap_base, "dc=serverLDAP,dc=loc"}. % Search base of LDAP directory
{ldap_rootdn, "cn=jabber,dc=serverLDAP,dc=loc,ou=Spécial"}. % LDAP manager
{ldap_password, "2b3c4d?"}. % Password to LDAP manager
{ldap_filter, ""}.
% For authentication via external script use the following:
%{auth_method, external}.
%{extauth_program, "/path/to/authentication/script"}.
% For authentication via ODBC use the following:
%{auth_method, odbc}.
%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.
% Host name:
{hosts, ["serveur"]}.
%% Define the maximum number of time a single user is allowed to connect:
{max_user_sessions, 10}.
%% Anonymous login support:
%% auth_method: anonymous
%% anonymous_protocol: sasl_anon|login_anon|both
%% allow_multiple_connections: true|false
%%{host_config, "public.example.org", [{auth_method, anonymous},
%% {allow_multiple_connections, false},
%% {anonymous_protocol, sasl_anon}]}.
%% To use both anonymous and internal authentication:
%%{host_config, "public.example.org", [{auth_method, [anonymous, internal]}]}.
% Default language for server messages
% TODO: Use installer selection
{language, "fr"}.
% Listened ports:
{listen, [
%%{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}]},
%% Use this line to enable SSL:
{5223, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, tls, {certfile, "/opt/ejabberd-1.1.3/conf/server.pem"}]},
%% Use those lines instead for TLS support:
{5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, starttls, {certfile, "/opt/ejabberd-1.1.3/conf/server.pem"}]},
%%{5223, ejabberd_c2s, [{access, c2s}, tls, {certfile, "/opt/ejabberd-1.1.3/conf/server.pem"}]},
%% Remove this line if you want to prevent s2s connections:
{5269, ejabberd_s2s_in, [{shaper, s2s_shaper}, {max_stanza_size, 131072}]},
%% remove http_poll to remove support for http polling
%% remove web_admin to disable admin interface:
{5280, ejabberd_http, [http_poll, web_admin]}
%% This is an example on how to define an external service/transport:
%%{8888, ejabberd_service, [{access, all},
%% {hosts, ["icq.serveur", "sms.serveur"],
%% [{password, "secret"}]}]}
]}.
% If SRV lookup fails, then port 5269 is used to communicate with remote server
{outgoing_s2s_port, 5269}.
% Used modules:
{modules, [
{mod_register, [{access, register}]},
{mod_roster, []},
{mod_privacy, []},
{mod_adhoc, []},
{mod_configure, []}, % Depends on mod_adhoc
{mod_configure2, []},
{mod_disco, []},
{mod_stats, []},
{mod_vcard, []},
{mod_offline, []},
{mod_announce, [{access, announce}]}, % Depends on mod_adhoc
{mod_echo, [{host, "echo.serveur"}]},
{mod_private, []},
{mod_irc, []},
% Default options for mod_muc:
% host: "conference." ++ ?MYNAME
% access: all
% access_create: all
% access_admin: none (only room creator has owner privileges)
{mod_muc, [{access, muc}, {access_create, muc}, {access_admin, muc_admin}]},
% {mod_muc_log, []},
% {mod_shared_roster, []},
{mod_pubsub, [{access_createnode, pubsub_createnode}]},
{mod_time, []},
{mod_last, []},
% {mod_xmlrpc,[{port, 4560},{timeout, 5000}]},
{mod_version, []}
]}.
% Local Variables:
% mode: erlang
% End:
And the message from PSI:
There was an error communicating with the Jabber server.
Details: Authentification error: No appropriate mechanism available for given security settings.
Thanks in advance ;o)
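A small sanity check for the LDAP options this thread turns on, added here as an example; it is not any poster's code and not ejabberd's own config parser. It assumes, as the ejabberd 1.1 documentation describes, that the uid lookup is ANDed with ldap_filter, and the server name, DN and password inside are constructed placeholders.

```python
import re

# Constructed ejabberd 1.1-style config fragment (not any poster's real file);
# hostname, DN and password are placeholders.
SAMPLE_CFG = """
{auth_method, ldap}.
{ldap_servers, ["ldap01.example.test"]}.   % constructed hostname
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "dc=example,dc=test"}.
{ldap_rootdn, "CN=LDAP Reader,OU=Admins,DC=example,DC=test"}.
{ldap_password, "PLACEHOLDER"}.
{ldap_filter, "(objectClass=shadowAccount)"}.
"""

# Matches one single-line Erlang term: {key, value}. with an optional % comment.
TERM_RE = re.compile(r'^\s*\{(\w+),\s*(.*?)\}\.\s*(?:%.*)?$')

def parse_terms(text):
    """Collect uncommented single-line {key, value}. terms; values kept verbatim."""
    terms = {}
    for line in text.splitlines():
        if line.lstrip().startswith('%'):      # Erlang comment line
            continue
        m = TERM_RE.match(line)
        if m:
            terms.setdefault(m.group(1), []).append(m.group(2).strip())
    return terms

def as_string(value):
    """Return the contents of an Erlang string literal, or None if it is not one."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return None

def escape_filter_value(value):
    """RFC 4515 escaping: a client-chosen username must not be able to rewrite the filter."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def effective_filter(terms, username):
    """Search filter the server would send, assuming (per the 1.1 docs) that the
    uid match is ANDed with ldap_filter."""
    uidattr = as_string(terms.get('ldap_uidattr', ['"uid"'])[0]) or 'uid'
    extra = as_string(terms.get('ldap_filter', ['""'])[0]) or ''
    uid_part = '(%s=%s)' % (uidattr, escape_filter_value(username))
    return '(&%s%s)' % (uid_part, extra) if extra else uid_part

def lint(terms):
    """Flag the mistakes seen in this thread's configs."""
    problems = []
    if len(terms.get('auth_method', [])) > 1:
        problems.append('auth_method appears %d times; keep exactly one' % len(terms['auth_method']))
    uidattr = terms.get('ldap_uidattr', ['"uid"'])[0]
    if as_string(uidattr) is None:
        problems.append('ldap_uidattr must be a quoted string, not %s' % uidattr)
    flt = as_string(terms.get('ldap_filter', ['""'])[0]) or ''
    if flt and (not flt.startswith('(') or flt.count('(') != flt.count(')')):
        problems.append('ldap_filter is not a well-formed parenthesised filter: %s' % flt)
    return problems
```

Running `lint(parse_terms(SAMPLE_CFG))` returns an empty list, while the two uncommented `auth_method` lines and the tuple-wrapped `ldap_uidattr` from the first post are each reported.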
I'm having the same trouble. LDAP is Active Directory. Could anyone post working configs for such a configuration, if there are any?)
LDAP - Archlinux 0.8 Authentication Working.
I have ejabberd 1.1.4-1 working with OpenLDAP 2.3.37 on Archlinux 0.8.
You must use the objectClass they have defined for authentication. These are hardcoded. I created a jabber user that can BIND to LDAP. I would not use the manager/admin account for this.
NOTE: make sure your users have objectClass=shadowAccount, or authentication will not work.
Here is my working config.
----- snip ------
% this line:
%{auth_method, internal}.
% For LDAP authentication use these lines instead of above one:
{auth_method, ldap}.
{ldap_servers, ["ldap01.mycompany.com"]}. % List of LDAP servers
{ldap_rootdn, "cn=Jabber Daemon,ou=Users,dc=mycompany_Corp,dc=com"}. % LDAP manager
{ldap_password, "secretpassword"}. % Password to LDAP manager
{ldap_base, "dc=mycompany_Corp,dc=com"}. % Search base of LDAP directory
% As per the documentation you do not need the uidattr. It is hardcoded to find it during an ldapsearch.
% However, to authenticate you need the ldap_filter below with the shadowAccount objectClass.
%{ldap_uidattr, "uid"}. % LDAP attribute that holds user ID
{ldap_filter, "(objectClass=shadowAccount)"}.
----- snip -------
Hope this helps.
LDAP AD Auth for ldap_rootdn
I can auth with AD only if I use administrator for my ldap_rootdn. (This works in my test environment.)
Any other user will not work.
What do I need to do to build a user account that is not my Domain Admin but can act as the ldap_rootdn?
I really don't want the administrator password in a text file for the ldap_rootdn. (Kinda silly to do that.)
Any help would be good.
LDAP AD Auth for ldap_rootdn (fixed my problem)
I could not get my users to auth to AD. Here is how I fixed my problem; maybe it will help someone else.
This line failed to authenticate my users:
{ldap_rootdn, "CN=ldapreader,OU=Admins,OU=TestOU,DC=Test,DC=local"}. % LDAP manager
This one worked:
{ldap_rootdn, "CN=LDAP Reader,OU=Admins,OU=TestOU,DC=Test,DC=local"}. % LDAP manager
I used the AD username, but you must have the AD Full name for it to work.
Hope this helps someone else.
soad6938 wrote:
And the request of PSI:
There was an error communicating with the Jabber server.
Details: Authentification error: No appropriate mechanism available for given security settings.
Thanks in advance ;o)
You need to allow plain text authentication in PSI.
"use SSL encryption (to server)" flag is unchecked. Is there something else?
Oh crap, how could I be so blind. I enabled "allow plain text login", but I still can't log in. Now Psi gives a "Not authorized" error. However, "tcpdump -vv port 3268" shows nothing; ejabberd does not send requests to Active Directory. What could be the problem?
Actually, Psi gives 2 "host unknown" errors and 1 "Not authorized" error simultaneously. I'm connecting as "testadmin@jserv".
relevant cfg.line:
"{hosts, ["jserv"]}."
Server starting output:
"started_at: 'ejabberd@myname.my.domain"
PSI is configured to connect to "server: myname.my.domain port:5222"
Am I using wrong JID, or something like that?
(Sorry for flaming.)
And the ejabberd report:
=INFO REPORT==== 16-Oct-2007::17:18:03 ===
I(<0.315.0>:ejabberd_c2s:418): (#Port<0.372>) Failed legacy authentication for testadmin@jserv/Psi
It works. I can swear I didn't change the config; it just suddenly began to work. I have no idea what's up with that behaviour.