Доброго времени суток, решаю следующую задачу: ejabberd-2.0.5 on Linux based system (Debian lenny) with AD authentication. Прочитал все туториалы, которые смог найти, пошерстил по форумам — не выходит каменный цветок. Демон подключается к AD, но не может найти объект пользователя; через ldapsearch и LDAPExplorer захожу с теми же ldap_servers, ldap_port, ldap_base, ldap_rootdn, ldap_password — и всё вижу.
OS Debian GNU/Linux 5.0
distr ejabberd-2.0.5 from source
######
#cfg:#
######
cat /opt/ejabberd/etc/ejabberd/ejabberd.cfg | grep -v '^%%'
# note: '^%%' only drops comment lines that start at column 0; the indented %% comments
# inside the listen/modules sections survive, which is why they still appear below
%% loglevel 5 = debug. At this level eldap dumps every bind request verbatim
%% (the log below shows {simple,"testpassword"} for the rootdn bind) and
%% ejabberd_receiver logs the client's SASL PLAIN payload as base64, i.e. user
%% credentials. Treat the log file as sensitive and lower the level once the
%% LDAP problem is diagnosed.
{loglevel, 5}.
{hosts, ["portal"]}.
{listen,
 [
%% c2s on 5222 without certfile/starttls: the log shows the client
%% authenticating with mechanism PLAIN, so passwords cross the LAN in the clear
%% on this listener. Uncomment certfile/starttls below once a certificate exists.
{5222, ejabberd_c2s, [
			%%
			%% If TLS is compiled and you installed a SSL
			%% certificate, put the correct path to the
			%% file and uncomment this line:
			%%
			%%{certfile, "/path/to/ssl.pem"}, starttls,
			{ip, {192, 168, 1, 55}},
			{access, c2s},
			{shaper, c2s_shaper},
			{max_stanza_size, 65536}
		       ]}
  %%
  %% To enable the old SSL connection method in port 5223:
  %%
  %%{5223, ejabberd_c2s, [
  %%			{access, c2s},
  %%			{shaper, c2s_shaper},
  %%			{certfile, "/path/to/ssl.pem"}, tls,
  %%			{max_stanza_size, 65536}
  %%		       ]},
  %%
  %%  {5269, ejabberd_s2s_in, [
  %%			   {shaper, s2s_shaper},
  %%			   {max_stanza_size, 131072}
  %%			  ]},
  %%
  %%
  %% ejabberd_service: Interact with external components (transports...)
  %%
  %%{8888, ejabberd_service, [
  %%			    {access, all},
  %%			    {shaper_rule, fast},
  %%			    {ip, {127, 0, 0, 1}},
  %%			    {hosts, ["icq.example.org", "sms.example.org"],
  %%			     [{password, "secret"}]
  %%			    }
  %%			   ]},
  %%
  %%  {5280, ejabberd_http, [
  %%			 http_poll,
  %%			 web_admin
  %%			]}
  %%
 ]}.
{auth_method, ldap}.
%% Plain LDAP on 389 with a simple bind: the rootdn password is sent
%% unencrypted on every connection (three binds are visible in the log at
%% startup). ejabberd 2.0.x has an ldap_encrypt option for LDAPS on 636 —
%% check the 2.0.5 guide for the exact syntax before relying on it.
{ldap_servers, ["baseserv.test.spb.ru"]}.
{ldap_port, 389}.
%% %u is the node part of the JID: for test@portal the search below asks for
%% sAMAccountName=test.
{ldap_uids, [{"sAMAccountName", "%u"}]}.
%% The searchRequest in the log uses this base with scope wholeSubtree and
%% returns searchResDone success with no entries. Note that the effective
%% filter in the log also carries memberOf and userAccountControl clauses
%% that are not in this file (see the reply below about stale values kept in
%% mnesia); a user object stored outside CN=Users would also be missed.
{ldap_base, "CN=Users,dc=test,dc=spb,dc=ru"}.
%% Service account used for the directory bind. It only needs read access to
%% the user subtree; keep this file readable by the ejabberd user only, since
%% the password is stored here in cleartext.
{ldap_rootdn, "CN=jabber,CN=Users,DC=test,DC=spb,DC=ru"}.
{ldap_password, "testpassword"}.
{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
{acl, admin, {user, "greggy"}}.
{acl, local, {user_regexp, ""}}.
{access, max_user_sessions, [{10, all}]}.
{access, local, [{allow, local}]}.
{access, c2s, [{deny, blocked},
	       {allow, all}]}.
{access, c2s_shaper, [{none, admin},
		      {normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, pubsub_createnode, [{allow, all}]}.
%% In-band registration is open to everyone; used by mod_register below.
{access, register, [{allow, all}]}.
{language, "ru"}.
{host_config, "portal", [
]}.
{modules,
 [
  {mod_adhoc,    []},
  {mod_announce, [{access, announce}]}, % recommends mod_adhoc
  {mod_caps,     []},
  {mod_configure,[]}, % requires mod_adhoc
  {mod_disco,    []},
  %%{mod_echo,   [{host, "echo.localhost"}]},
  {mod_irc,      []},
  {mod_last,     []},
  {mod_muc,      [
		  %%{host, "conference.@HOST@"},
		  {access, muc},
		  {access_create, muc},
		  {access_persistent, muc},
		  {access_admin, muc_admin}
		 ]},
  %%{mod_muc_log,[]},
  {mod_offline,  []},
  {mod_privacy,  []},
  {mod_private,  []},
  %%{mod_proxy65,[]},
  {mod_pubsub,   [ % requires mod_caps
		  {access_createnode, pubsub_createnode},
		  {plugins, ["default", "pep"]}
		 ]},
  %% With auth_method ldap the accounts live in AD, so in-band registration
  %% presumably cannot create them here — consider restricting the register
  %% access rule (TODO confirm against the 2.0.5 guide).
  {mod_register, [
		  %%
		  %% After successful registration, the user receives
		  %% a message with this subject and body.
		  %%
		  {welcome_message, {"Welcome!",
				     "Hi\nWelcome to this Jabber server."}},
		  %%
		  %% When a user registers, send a notification to
		  %% these Jabber accounts.
		  %%
  {registration_watchers, ["admin@test.spb.ru"]},
		  {access, register}
		 ]},
  {mod_roster,   []},
  %%{mod_service_log,[]},
  {mod_shared_roster,[]},
  {mod_stats,    []},
  {mod_time,     []},
  {mod_vcard,    []},
  {mod_version,  []},
  %% vCard fields are read from AD attributes; search fields are exposed to
  %% any authenticated user via the vCard search form.
  {mod_vcard_ldap,
  [
  {ldap_vcard_map,
    [{"NICKNAME", "%s", ["displayname"]},
     {"GIVEN", "%s", ["givenName"]},
     {"MIDDLE", "%s", ["initials"]},
     {"FAMILY", "%s", ["sn"]},
     {"FN", "%s", ["displayName"]},
     {"EMAIL", "%s", ["mail"]},
     {"ORGNAME", "%s", ["company"]},
     {"ORGUNIT", "%s", ["department"]},
     {"CTRY", "%s", ["c"]},
     {"LOCALITY", "%s", ["l"]},
     {"STREET", "%s", ["streetAddress"]},
     {"REGION", "%s", ["st"]},
     {"PCODE", "%s", ["postalCode"]},
     {"TITLE", "%s", ["title"]},
     {"URL", "%s", ["wWWHomePage"]},
     {"DESC", "%s", ["description"]},
     {"TEL", "%s", ["telephoneNumber"]}]},
     {ldap_search_fields,
		[{"User", "%u"},
	         {"Name", "givenName"},
		 {"Family Name", "sn"},
		 {"Email", "mail"},
		 {"Company", "company"},
		 {"Department", "department"},
		 {"Role", "title"},
		 {"Description", "description"},
		 {"Phone", "telephoneNumber"}]},
        {ldap_search_reported,
	 [{"Full Name", "FN"},
          {"Nickname", "NICKNAME"},
          {"Email", "EMAIL"}]}
    ]},
  %% The startup log reports {undef, [{mod_shared_roster_ldap,start,...}]}:
  %% this module is not present in the running build, so the entry below is
  %% not loaded. Unrelated to the authentication failure, but worth removing
  %% or installing the module to keep the error log clean.
  {mod_shared_roster_ldap,
  [{ldap_base, "dc=test,dc=spb,dc=ru"},
   {ldap_groupattr, "department"},
   {ldap_groupdesc, "department"},
   {ldap_memberattr, "sAMAccountName"},
   {ldap_userdesc, "cn"}]}
]}.
######
#log:#
######
=INFO REPORT==== 2009-11-06 12:04:17 ===
I(<0.37.0>:ejabberd_rdbms:37) : ejabberd has not been compiled with relational database support. Skipping database startup.
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.262.0>:eldap:856) : LDAP connection on baseserv.test.spb.ru:389
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.265.0>:eldap:856) : LDAP connection on baseserv.test.spb.ru:389
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.265.0>:eldap:886) : Bind Request Message:{'LDAPMessage',1,
                                               {bindRequest,
                                                {'BindRequest',3,
                                                 "CN=jabber,CN=Users,DC=test,DC=spb,DC=ru",
                                                 {simple,"testpassword"}}},
                                               asn1_NOVALUE}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.262.0>:eldap:886) : Bind Request Message:{'LDAPMessage',1,
                                               {bindRequest,
                                                {'BindRequest',3,
                                                 "CN=jabber,CN=Users,DC=test,DC=spb,DC=ru",
                                                 {simple,"testpassword"}}},
                                               asn1_NOVALUE}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.265.0>:eldap:752) : {'LDAPMessage',1,
                             {bindResponse,
                                 {'BindResponse',success,[],[],asn1_NOVALUE,
                                     asn1_NOVALUE}},
                             asn1_NOVALUE}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.262.0>:eldap:752) : {'LDAPMessage',1,
                             {bindResponse,
                                 {'BindResponse',success,[],[],asn1_NOVALUE,
                                     asn1_NOVALUE}},
                             asn1_NOVALUE}
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.304.0>:mod_pubsub:155) : pubsub init "portal" [{access_createnode,
                                                     pubsub_createnode},
                                                    {plugins,
                                                     ["default","pep"]}]
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.304.0>:mod_pubsub:212) : ** tree plugin is nodetree_default
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.304.0>:mod_pubsub:216) : ** init default plugin
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.304.0>:mod_pubsub:216) : ** init pep plugin
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.347.0>:eldap:856) : LDAP connection on baseserv.test.spb.ru:389
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.347.0>:eldap:886) : Bind Request Message:{'LDAPMessage',1,
                                               {bindRequest,
                                                {'BindRequest',3,
                                                 "CN=jabber,CN=Users,DC=test,DC=spb,DC=ru",
                                                 {simple,"testpassword"}}},
                                               asn1_NOVALUE}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.347.0>:eldap:752) : {'LDAPMessage',1,
                             {bindResponse,
                                 {'BindResponse',success,[],[],asn1_NOVALUE,
                                     asn1_NOVALUE}},
                             asn1_NOVALUE}
=ERROR REPORT==== 2009-11-06 12:04:18 ===
E(<0.37.0>:gen_mod:73) : {undef,
                             [{mod_shared_roster_ldap,start,
                                  ["portal",
                                   [{ldap_base,"dc=test,dc=spb,dc=ru"},
                                    {ldap_groupattr,"department"},
                                    {ldap_groupdesc,"department"},
                                    {ldap_memberattr,"sAMAccountName"},
                                    {ldap_userdesc,"cn"}]]},
                              {gen_mod,start_module,3},
                              {lists,foreach,2},
                              {ejabberd_app,start,2},
                              {application_master,start_it_old,4}]}
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.260.0>:ejabberd_listener:116) : (#Port<0.434>) Accepted connection {{192,168,1,182},1457} -> {{192,168,1,55},5222}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.348.0>:ejabberd_receiver:306) : Received XML on stream = "<?xml version='1.0' encoding='UTF-8'?>"
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.349.0>:ejabberd_c2s:1352) : Send XML on stream = "<?xml version='1.0'?>"
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.349.0>:ejabberd_c2s:1352) : Send XML on stream = "PLAIN"
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.348.0>:ejabberd_receiver:306) : Received XML on stream = "dGVzdEBwb3J0YWwAdGVzdABlbGVwaGFudDEyMw=="
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.348.0>:shaper:61) : State: {maxrate,1000,0,1257498258668020}, Size=112
M=56.0, I=4.82
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.262.0>:eldap:593) : {searchRequest,
                          {'SearchRequest',
                           "CN=Users,dc=test,dc=spb,dc=ru",wholeSubtree,
                           neverDerefAliases,0,0,false,
                           {'and',
                            [{equalityMatch,
                              {'AttributeValueAssertion',"sAMAccountName",
                               "test"}},
                             {equalityMatch,
                              {'AttributeValueAssertion',"memberOf",
                               "CN=JabberUsers,DC=test,DC=spb,DC=ru"}},
                             {'or',
                              [{equalityMatch,
                                {'AttributeValueAssertion',
                                 "userAccountControl","66050"}},
                               {equalityMatch,
                                {'AttributeValueAssertion',
                                 "userAccountControl","66048"}}]}]},
                           []}}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.262.0>:eldap:654) : {searchResDone,
                             {'LDAPResult',success,[],[],asn1_NOVALUE}}
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.349.0>:ejabberd_c2s:576) : ({socket_state,gen_tcp,#Port<0.434>,<0.348.0>}) Failed authentication for test@portal
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.349.0>:ejabberd_c2s:1352) : Send XML on stream = ""
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.348.0>:ejabberd_receiver:306) : Received XML on stream = ""
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.348.0>:shaper:61) : State: {maxrate,1000,984.8404910133305,
                                    1257498258724882}, Size=16
M=15.761069918924537, I=1.926
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.349.0>:ejabberd_c2s:1352) : Send XML on stream = ""
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.260.0>:ejabberd_listener:116) : (#Port<0.442>) Accepted connection {{192,168,1,182},1458} -> {{192,168,1,55},5222}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.350.0>:ejabberd_receiver:306) : Received XML on stream = "<?xml version='1.0' encoding='UTF-8'?>"
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.351.0>:ejabberd_c2s:1352) : Send XML on stream = "<?xml version='1.0'?>"
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.351.0>:ejabberd_c2s:1352) : Send XML on stream = "PLAIN"
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.350.0>:ejabberd_receiver:306) : Received XML on stream = "dGVzdEBwb3J0YWwAdGVzdABlbGVwaGFudDEyMw=="
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.350.0>:shaper:61) : State: {maxrate,1000,0,1257498258870026}, Size=112
M=56.0, I=10.748
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.262.0>:eldap:593) : {searchRequest,
                          {'SearchRequest',
                           "CN=Users,dc=test,dc=spb,dc=ru",wholeSubtree,
                           neverDerefAliases,0,0,false,
                           {'and',
                            [{equalityMatch,
                              {'AttributeValueAssertion',"sAMAccountName",
                               "test"}},
                             {equalityMatch,
                              {'AttributeValueAssertion',"memberOf",
                               "CN=JabberUsers,DC=test,DC=spb,DC=ru"}},
                             {'or',
                              [{equalityMatch,
                                {'AttributeValueAssertion',
                                 "userAccountControl","66050"}},
                               {equalityMatch,
                                {'AttributeValueAssertion',
                                 "userAccountControl","66048"}}]}]},
                           []}}
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.262.0>:eldap:654) : {searchResDone,
                             {'LDAPResult',success,[],[],asn1_NOVALUE}}
=INFO REPORT==== 2009-11-06 12:04:18 ===
I(<0.351.0>:ejabberd_c2s:576) : ({socket_state,gen_tcp,#Port<0.442>,<0.350.0>}) Failed authentication for test@portal
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.351.0>:ejabberd_c2s:1352) : Send XML on stream = ""
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.350.0>:ejabberd_receiver:306) : Received XML on stream = ""
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.350.0>:shaper:61) : State: {maxrate,1000,986.0543738554726,
                                    1257498258926818}, Size=16
M=15.779938871908863, I=0.38
=INFO REPORT==== 2009-11-06 12:04:18 ===
D(<0.351.0>:ejabberd_c2s:1352) : Send XML on stream = ""

Судя по логам, конфиг, который Вы привели, не полон. В частности, searchRequest в логе говорит о том, что в Вашем конфиге в ldap_filter есть фильтрация по значению userAccountControl (66050 = ADS_UF_ACCOUNTDISABLE | ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD, 66048 = ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD). Ну, и причина, например, может быть в том, что Ваши аккаунты не имеют флага ADS_UF_DONT_EXPIRE_PASSWD.
Это могло получиться, если Вы указали такое значение фильтра в конфиге, запустили ежа, а потом удалили эту строку из конфига. ejabberd заносит конфиг в Mnesia и потом берёт значения оттуда, даже если они удалены из конфига. Для того чтобы убрать эти значения из Mnesia, нужно в начале конфига добавить (раскомментировать):
override_global.
override_local.
override_acls.
(описано в мануале).
Спасибо за помощь, в понедельник проверю — отпишусь.
Советы оказались весьма действенными, задача решена. Ещё раз спасибо.