Active Directory, win2k3, eJabberd 1.1.4
Part of config:
% For LDAP authentication use these lines instead of above one:
{auth_method, ldap}.
{ldap_servers, ["192.168.30.97","192.168.30.13"]}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "dc=company,dc=com"}.
{ldap_rootdn, "cn=ejabberd,cn=Users,dc=company,dc=com"}.
{ldap_password, "secret"}.
{ldap_filter, "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Jabber Users,CN=Builtin,DC=company,DC=com)(!userAccountControl:1.2.840.113556.1.4.803:=2))"}.
Errors in log:
=CRASH REPORT==== 21-Sep-2007::09:48:59 ===
crasher:
pid: <0.239.0>
registered_name: 'ejabberd_mod_vcard_ldap_jabber.company.com'
error_info: {{badmatch,{error,bad_filter}},
[{mod_vcard_ldap,parse_options,2},
{mod_vcard_ldap,init,1},
{gen_server,init_it,6},
{proc_lib,init_p,5}]}
initial_call: {gen,
init_it,
[gen_server,
<0.191.0>,
<0.191.0>,
{local,'ejabberd_mod_vcard_ldap_jabber.company.com'},
mod_vcard_ldap,
["jabber.company.com",
[{ldap_vcard_map,
[{"NICKNAME","%u",[]},
{"GIVEN","%s",["givenName"]},
{"MIDDLE","%s",["initials"]},
{"FAMILY","%s",["sn"]},
{"FN","%s",["displayName"]},
{"EMAIL","%s",["mail"]},
{"ORGNAME","%s",["company"]},
{"ORGUNIT","%s",["department"]},
{"CTRY","%s",["c"]},
{"LOCALITY","%s",["l"]},
{"STREET","%s",["streetAddress"]},
{"REGION","%s",["st"]},
{"PCODE","%s",["postalCode"]},
{"TITLE","%s",["title"]},
{"URL","%s",["wWWHomePage"]},
{"DESC","%s",["description"]},
{"TEL","%s",["telephoneNumber"]}]},
{ldap_search_fields,
[{"User","%u"},
{"Name","givenName"},
{"Family Name","sn"},
{"Email","mail"},
{"Company","company"},
{"Department","department"},
{"Role","title"},
{"Description","description"},
{"Phone","telephoneNumber"}]},
{ldap_search_reported,
[{"Full Name","FN"},
{"Nickname","NICKNAME"},
{"Email","EMAIL"}]}]],
[]]}
ancestors: [ejabberd_sup,<0.36.0>]
messages: []
links: [<0.191.0>]
dictionary: []
trap_exit: false
status: running
heap_size: 2584
stack_size: 21
reductions: 19896
neighbours:
With this filter all is OK:
{ldap_filter, "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Jabber Users,CN=Builtin,DC=company,DC=com))"}.
So the problem is in parsing this expression: (!userAccountControl:1.2.840.113556.1.4.803:=2)
I tried to put a query with this filter directly to the LDAP server; it is correct and it works.
I think the problem is in the Erlang or eJabberd filter parser.
Maybe some character is not acceptable; there are: ! . :
You could try to put \! or things like that.
same result
Maybe some character is not acceptable; there are: ! . :
You could try to put \! or things like that.
I tried \! \. \: - same result.
Re: LDAP filter parse error
So the problem is in parsing this expression: (!userAccountControl:1.2.840.113556.1.4.803:=2)
I tried to put a query with this filter directly to the LDAP server; it is correct and it works.
I think the problem is in the Erlang or eJabberd filter parser.
You are right. Currently it is not possible to parse such expressions.
BTW. Is it possible to avoid such filters at all?
LDAP filter
BTW. Is it possible to avoid such filters at all?
MS AD stores info about account state in bitwise form:
http://support.microsoft.com/kb/269181
1.2.840.113556.1.4.803 is the OID for the bitwise AND operator (in MS AD).
userAccountControl:1.2.840.113556.1.4.803:=2 - the only way to search for disabled users in MS AD.
!userAccountControl:1.2.840.113556.1.4.803:=2 - the only way to search for not disabled (enabled) users in MS AD.
Another way: manually removing disabled users from the "Jabber Users" group.
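To make the bitwise matching rule and the parser failure in this thread concrete, here is an added example (not ejabberd code, and not from any poster) of a small RFC 4515 filter parser that understands the AD bitwise AND/OR extensible-match OIDs and evaluates filters against a constructed in-memory directory. The entry set, the `matching_users` helper and the group/attribute values are assumptions made for the example; the two OIDs and the meaning of userAccountControl bit 2 (ACCOUNTDISABLE) are the ones the thread and the Microsoft KB describe. The parser follows RFC 4515 strictly, so the negation must wrap a parenthesized filter; the filter exactly as written in the original post is rejected with an error analogous to ejabberd's `bad_filter`, and the nested form matches only enabled group members.

```python
"""RFC 4515 filter parser with the Active Directory bitwise extensible-match rules.

Added example for this thread; all directory entries below are constructed sample data.
"""
import re

# Matching-rule OIDs used by Active Directory for bitwise comparisons.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
ACCOUNTDISABLE = 2  # userAccountControl bit set on disabled accounts


class BadFilter(ValueError):
    """Raised when the filter text violates the RFC 4515 grammar."""


# One filter item: attr[:dn][:rule](:=|=)value. Escapes (\XX) are not decoded here.
_ITEM = re.compile(r"([A-Za-z0-9.;-]+)(:dn)?(?::([0-9.]+))?(:=|=)(.*)", re.S)


def parse_filter(text):
    """Parse an RFC 4515 string filter into a nested tuple AST."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise BadFilter("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise BadFilter("expected '(' at position %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        # Per RFC 4515 every operand of '&', '|' and '!' is itself a parenthesized
        # filter, so "(!attr:oid:=2)" is invalid while "(!(attr:oid:=2))" is fine.
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise BadFilter("bad operand list for '%s'" % op)
        if i >= len(s) or s[i] != ")":
            raise BadFilter("expected ')' at position %d" % i)
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise BadFilter("unterminated filter item")
    m = _ITEM.fullmatch(s[i:end])
    if not m:
        raise BadFilter("bad filter item %r" % s[i:end])
    attr, _dn, rule, eq, value = m.groups()
    if eq == ":=":
        if rule is None:
            raise BadFilter("extensible match without a matching rule is not supported here")
        return ("ext", attr.lower(), rule, value), end + 1
    return ("eq", attr.lower(), value), end + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against an entry (dict: lowercase attr -> list of str)."""
    kind = node[0]
    if kind in ("&", "|", "!"):
        results = [evaluate(c, entry) for c in node[1]]
        return all(results) if kind == "&" else any(results) if kind == "|" else not results[0]
    if kind == "eq":
        _, attr, value = node
        values = entry.get(attr, [])
        if value == "*":  # presence filter
            return bool(values)
        return any(v.lower() == value.lower() for v in values)
    _, attr, rule, value = node
    mask = int(value)
    for v in entry.get(attr, []):
        try:
            bits = int(v)
        except ValueError:
            continue  # attribute is not an integer; the bitwise rules cannot match it
        if rule == LDAP_MATCHING_RULE_BIT_AND and bits & mask == mask:
            return True
        if rule == LDAP_MATCHING_RULE_BIT_OR and bits & mask:
            return True
    return False


# Constructed sample directory (assumption): 512 = NORMAL_ACCOUNT, 514 = 512 | ACCOUNTDISABLE,
# 66048 = 512 | DONT_EXPIRE_PASSWD. objectCategory is simplified to a bare keyword.
GROUP = "CN=Jabber Users,CN=Builtin,DC=company,DC=com"
ENTRIES = {
    "alice": {"objectcategory": ["person"], "objectclass": ["top", "user"], "memberof": [GROUP], "useraccountcontrol": ["512"]},
    "bob": {"objectcategory": ["person"], "objectclass": ["top", "user"], "memberof": [GROUP], "useraccountcontrol": ["514"]},
    "carol": {"objectcategory": ["person"], "objectclass": ["top", "user"], "memberof": [GROUP], "useraccountcontrol": ["66048"]},
    "svc": {"objectcategory": ["person"], "objectclass": ["top", "user"], "memberof": [], "useraccountcontrol": ["512"]},
}

# The filter from the original post (negation not parenthesized) and its RFC 4515 form.
THREAD_FILTER = "(&(objectCategory=person)(objectClass=user)(memberOf=" + GROUP + ")(!userAccountControl:1.2.840.113556.1.4.803:=2))"
RFC4515_FILTER = "(&(objectCategory=person)(objectClass=user)(memberOf=" + GROUP + ")(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"


def matching_users(filter_text):
    """Return the sorted names of constructed entries that satisfy the filter."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in ENTRIES.items() if evaluate(node, entry))


if __name__ == "__main__":
    print("disabled:", matching_users("(userAccountControl:1.2.840.113556.1.4.803:=2)"))
    print("enabled members:", matching_users(RFC4515_FILTER))
    try:
        parse_filter(THREAD_FILTER)
    except BadFilter as exc:
        print("thread filter rejected:", exc)
```

The bitwise AND rule requires every bit of the mask to be set in the attribute value, which is why `:=2` alone isolates disabled accounts regardless of the other flags (carol's password-never-expires bit does not interfere). Filters that Active Directory accepts leniently can still fail in a strict RFC 4515 parser, so keeping the negation parenthesized is the portable form.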
Negation in LDAP search request filters
While LDAPv3 extensible match is really not yet supported in ejabberd, your search filter is invalid according to RFC 4515 — you should use
form.
So for instance "accounts of all users which are not disabled" will be