Active Directory and user in multiple groups

Hello, all.

There's an AD domain DC=domain,DC=com running Win2003R2, and ejabberd-2.0.1-6 on Debian-5.0.7. Trying to understand the following: in the domain there are several groups like "00", "01", "02", ... and users like "user1", "user2", "user3", ... All of them are in CN=Users.
A domain user can be in several domain groups; for example, "user1" is in "00" and "03", user2 is in "01", "02", "03", etc.
Successfully compiled mod_shared_roster_ldap.erl and got it working: authentication in AD, based on the department field in user properties, is OK.
But setting up a shared roster for all users according to the groups they have to be in is a rather complicated task: I don't understand whether it is possible to set up the same user in different groups in the roster, like in the domain.
So, there's a question: can I create a domain group, for example "Jabber", which will include all the domain groups I need, and create the roster based on these groups? So the shared roster has to consist of the domain groups "01", "02", "03", ... and if a domain user is in such a group, it has to be in the shared roster group too.
How do the LDAP authentication parameters (ldap_filter, ldap_base, ...) in ejabberd.cfg have to be set?

Hi, you are not alone with

Hi, you are not alone with this problem. I read a few posts on this forum about roster_ldap configuration, and it looks like there are no indications (on the forum) that somebody was successful with the combination of AD and the roster_ldap module.
I have 2.1.6 with AD, and I haven't had problems with setting up authentication through LDAP; vcard_ldap is running fine too. But the problems with roster_ldap are very frustrating :( .

Thanks, SasaXmmp. So, only

Thanks, SasaXmmp.
So, the only thing I can do with mod_shared_roster_ldap is to create one shared roster for all users, and I can't divide them into groups according to my needs, e.g. one user in different groups, right?

The mod_shared_roster_ldap

  1. The mod_shared_roster_ldap can only create one shared roster for a domain. I don't know a way to do otherwise, i.e. how to specify the information about which group should get which shared roster. If all this information had to be specified in the config file, it would become huge and error-prone. And what to do when a new group is created in LDAP? And if this information were in LDAP, then LDAP would need to fit the mod_shared_roster_ldap requirements, and that's impossible (directory services are never created to please a jabber server admin).
    The only possible solution would be an option that, for each user, creates the roster with only those users that are in the same groups the user is in. This possibility should be considered.
  2. The new version that is available for testing from https://support.process-one.net/browse/EJAB-1480 does support the grouping of users based on AD groups (I modified it specifically for that purpose).
  3. In this version, as well as in previous ones and in other configurations, ejabberd does support users being in more than one group. However, as far as I know, most clients don't support this (so even when you get the roster with a user being in many groups, you will see it in one group only). It's a client-side issue (see http://www.ejabberd.im/node/4855), so neither ejabberd nor mod_shared_roster_ldap can do anything here.
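For readers arriving at this thread with the same question as the original post (how ldap_filter, ldap_base and friends should look for an AD layout where users sit in CN=Users and roster groups are AD group objects), here is an added configuration example. It is not from the thread, the poster's rebuilt 2.0.1 module, or the EJAB-1480 test version; it uses the mod_shared_roster_ldap option names documented for ejabberd 2.1.x, which is the version SasaXmmp mentions. The hostname ad.domain.com, the bind account CN=ejabberd-bind and its password are placeholders, the "Jabber" group as a login gate is an assumed policy taken from the original question, and the example assumes each user's CN equals its sAMAccountName (user1, user2, ...), because the member DNs in AD groups are parsed with ldap_memberattr_format.

```erlang
%% ejabberd.cfg fragment (Erlang terms), added example for this thread.
%% Assumes ejabberd 2.1.x option names. Placeholders: ad.domain.com,
%% CN=ejabberd-bind, ***bind-password***.

%% --- Authentication against Active Directory --------------------------------
{auth_method, ldap}.
{ldap_servers, ["ad.domain.com"]}.          % placeholder domain controller
{ldap_port, 389}.
{ldap_encrypt, none}.                       % prefer tls with port 636 if the DC offers LDAPS
%% Use a dedicated, read-only bind account: it only needs to search CN=Users.
{ldap_rootdn, "CN=ejabberd-bind,CN=Users,DC=domain,DC=com"}.
{ldap_password, "***bind-password***"}.
{ldap_base, "CN=Users,DC=domain,DC=com"}.
%% Users log in with their sAMAccountName (assumed equal to CN here).
{ldap_uids, [{"sAMAccountName"}]}.
%% Only members of the "Jabber" group may authenticate (assumed policy);
%% anyone outside it gets a clean auth failure instead of an empty roster.
{ldap_filter, "(&(objectClass=user)(memberOf=CN=Jabber,CN=Users,DC=domain,DC=com))"}.

%% --- Shared roster built from AD group objects 00, 01, 02, ... --------------
%% This tuple belongs inside the {modules, [...]} list of ejabberd.cfg.
{mod_shared_roster_ldap, [
  {ldap_base, "CN=Users,DC=domain,DC=com"},
  %% Which objects become roster groups: every AD group under the base.
  {ldap_rfilter, "(objectClass=group)"},
  %% How to fetch one group by name (%g is the group name).
  {ldap_gfilter, "(&(objectClass=group)(cn=%g))"},
  {ldap_groupattr, "cn"},
  {ldap_groupdesc, "description"},
  %% AD lists members as full DNs in the group's "member" attribute ...
  {ldap_memberattr, "member"},
  %% ... so extract the user id (%u) from that DN. If CN differs from the
  %% login name in your domain, use ldap_memberattr_format_re instead.
  {ldap_memberattr_format, "CN=%u,CN=Users,DC=domain,DC=com"},
  %% How to fetch one user by id (%u) and what to display for it.
  {ldap_ufilter, "(&(objectClass=user)(sAMAccountName=%u))"},
  {ldap_userdesc, "displayName"},
  {ldap_useruid, "sAMAccountName"}
]}.
```

With this layout a user who is a member of both group "00" and group "03" appears under both roster groups, which is exactly the server-side behaviour described in point 3 above; whether the client shows the contact twice is up to the client. Restricting authentication to the "Jabber" group keeps the LDAP filter the single place where login eligibility is decided, so adding a user to chat is an AD group change rather than an ejabberd.cfg edit.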