mod_shared_roster rosters not getting pushed to users

I've successfully set up the ejabberd 1.1.4 binary on Linux to authenticate against an LDAP backend. Any single user can successfully authenticate. The web GUI on port 5280 successfully shows all LDAP users if I view the users list.

However, buddy lists are completely empty and don't autopopulate, nor am I so far getting mod_shared_roster working. Even if I tell the Jabber clients to show offline users, they show no roster.

Some things I've tried:

* enable mod_roster: result, logged in users can't see each other
* enable mod_shared_roster, go to web gui, and create a few rosters containing valid LDAP users: result, logged in users can't see each other, and they also can't see the so-called "shared rosters".
* I've seen mention of mod_roster_odbc, where I would store the roster in an external database. Are there restrictions against using rosters with LDAP authentication?
* http://www.ejabberd.im/node/2689 That forum issue talked about using MySQL as the backend storage, AFTER patching the source. Will rosters work without patching?
* I've also seen http://www.ejabberd.im/node/2618 which suggests there's a "wrong" way to set up shared rosters. I'd pop in a screenshot of my web gui, but I'm not sure the forums support that.

I'm happy to paste in my ejabberd.conf, sanitized to remove mention of my LDAP settings, which are working fine.

cat /opt/ejabberd-1.1.4/conf/ejabberd.cfg
% $Id: ejabberd.cfg.example 577 2006-06-07 08:38:37Z mremond $

%override_acls.

% Users that have admin access. Add line like one of the following after you
% will be successfully registered on server to get admin access:
{acl, admin, {user, "sanitized1"}}.
{acl, admin, {user, "sanitized2"}}.

% Local users:
{acl, local, {user_regexp, ""}}.

% Everybody can create pubsub nodes
{access, pubsub_createnode, [{allow, all}]}.

% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.

% Every username can be registered via in-band registration:
% You could replace {allow, all} with {deny, all} to prevent user from using
% in-band registration
{access, register, [{allow, all}]}.

% After successful registration user will get message with following subject
% and body:
{welcome_message,
 {"Welcome!",
  "Welcome to Higher One Jabber Service. "
  "For information about Jabber visit http://jabber.org"}}.
% Replace them with 'none' if you don't want to send such message:
%{welcome_message, none}.

% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.

% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
               {allow, all}]}.

% Set shaper with name "normal" to limit traffic speed to 1000B/s
{shaper, normal, {maxrate, 1000}}.

% Set shaper with name "fast" to limit traffic speed to 50000B/s
{shaper, fast, {maxrate, 50000}}.

% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.

% For all S2S connections used "fast" shaper
{access, s2s_shaper, [{fast, all}]}.

% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.

% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.

% This rule allows access only for local users:
{access, local, [{allow, local}]}.

% Authentication method. If you want to use internal user base, then use
% this line:
%{auth_method, internal}.

% For LDAP authentication use these lines instead of above one:
{auth_method, ldap}.
{ldap_servers, ["sanitized.domain.tld"]}. % List of LDAP servers
{ldap_uidattr, "uid"}. % LDAP attribute that holds user ID
{ldap_base, "ou=foo,ou=bar,dc=bang,dc=baz"}. % Search base of LDAP directory
%{ldap_rootdn, "cn=ding,dc=ding,dc=dang"}. % LDAP manager
%{ldap_password, "secret"}. % Password to LDAP manager

% Host name:
{hosts, ["domain.tld"]}.

%% Define the maximum number of time a single user is allowed to connect:
{max_user_sessions, 5}.

% Default language for server messages
{language, "en"}.

% Listened ports:
{listen,
 [
  % Use these two lines instead if TLS support is not compiled
  {5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}]},
  {5223, ejabberd_c2s, [{access, c2s}, ssl, {certfile, "/etc/jabber/ssl.pem"}]},
  {5269, ejabberd_s2s_in, [{shaper, s2s_shaper},
                           {max_stanza_size, 131072}
                          ]},
  {5280, ejabberd_http, [http_poll, web_admin]},
  {8888, ejabberd_service, [{access, all},
                            {hosts, ["icq.localhost", "sms.localhost"],
                             [{password, "secret"}]}]}
 ]}.

% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "./ssl.pem"}.

% If SRV lookup fails, then port 5269 is used to communicate with remote server
{outgoing_s2s_port, 5269}.

% Used modules:
{modules,
 [
  {mod_register, [{access, register}]},
  %Dave commented out mod_roster out of frustration, not knowing what's going on with ejabberd. It's possible that mod_shared_roster doesn't work with LDAP, which would suck.
  {mod_roster, []},
  {mod_privacy, []},
  {mod_adhoc, []},
  {mod_configure, []}, % Depends on mod_adhoc
  {mod_configure2, []},
  {mod_disco, []},
  {mod_stats, []},
  {mod_vcard, []},
  {mod_offline, []},
  {mod_announce, [{access, announce}]}, % Depends on mod_adhoc
  {mod_echo, [{host, "echo.localhost"}]},
  {mod_private, []},
  {mod_irc, []},
  % Default options for mod_muc:
  % host: "conference." ++ ?MYNAME
  % access: all
  % access_create: all
  % access_admin: none (only room creator has owner privileges)
  {mod_muc, [{access, muc},
             {access_create, muc},
             {access_admin, muc_admin},
             {history_size, 1000}
            ]},
  {mod_muc_log, [{access_log,muc},
                 {dirtype,plain},
                 {outdir,"/var/log/jabber/conference.log"}
                ]},
  % {mod_shared_roster, []},
  {mod_pubsub, [{access_createnode, pubsub_createnode}]},
  {mod_time, []},
  {mod_last, []},
  {mod_version, []}
 ]}.

% Local Variables:
% mode: erlang
% End:
