Dear experts,
Does ejabbered support SASL authentication other than SASL Anonymous?
I see from the ejabbered documentation example configuration syntax for TLS + Dialback and SASL Anonymous are given. But I don't see any examples for SASL PLAIN, SASL EXTERNAL etc.
regards,
Paddy.
Is this the command to have
Is this the command to have s2s over TLS and SASL EXTERNAL?
{auth_method, external}.
Unrelated option
Is this the command to have s2s over TLS and SASL EXTERNAL?
{auth_method, external}.
That option tells ejabberd to start a script or program externally to ejabberd, and send all the auth queries to it instead of accessing the database.
That option is unrelated to the SASL EXTERNAL protocol that a client would like to use when negotiating auth with ejabberd.
Thanks for that
Thanks for that information.
Does ejabbered support SASL EXTERNAL for S2S communication rather than dialback?
What is the configuration argument for this, given that
{auth_method, internal} is intended for C2S using either SASL PLAIN or SASL MD5.
S2S SASL EXTERNAL
Does ejabberd support SASL EXTERNAL for S2S communication
Seems so:
https://git.process-one.net/ejabberd/mainline/commit/f6343f01f7db7aa4665...
And it doesn't seem to need any configuration.
Interesting! I think the same
Interesting!
I think the same applies to Dialback.
From the ejabbered configuration file there is an option for the following:
{s2s_use_starttls,true} where "true" can be replaced with "false".
I presume that once port 5269 is open, ejabberd will internally enable both dialback and SASL External. And the above command will only provide TLS to the dialback if required.
If this assumption is correct then there may be some issues. For example, what if one wanted to disable dialback entirely or disable SASL External in favour of dialback (perhaps to connect with a legacy XMPP server or an XMPP server over a VPN).
Does ejabberd have this configuration option where dialback and/or SASL External can be enabled/disabled explicitly?
SASL EXTERNAL not configurable
Does ejabberd have this configuration option where dialback and/or SASL External can be enabled/disabled explicitly?
Not configurable. In fact, I connected to several remote servers, and the code in ejabberd_s2s that negotiates SASL EXTERNAL wasn't executed in any case. I don't know what are exactly the conditions in which ejabberd decides itself to use SAL EXTERNAL.
Ouch! Not being able to
Ouch!
Not being able to specify a prefered method means the likely outcome will be dialback and this may not be desired. In this situation there is no requirement to use TLS. Thus, all traffic is susceptible to inspection. Mind you, some business-level security policies require this for compliance reasons and will only federate with its own remote office XMPP servers over a VPN ;-)
Thanks badlop for all your help to date.
regards,
paddy.
ejabberd supports SASL PLAIN
ejabberd supports SASL PLAIN and SASL DIGEST-MD5 when configured with
or odbc, ...
It also supports SASL ANONYMOUS when configured:
There is also acontributed SASL GSSAPI patch , but I don't know if that allows other SASL methods, or what exactly it does.