mod_shared_roster_ldap: User can see all groups in system

I have been working on getting mod_shared_roster_ldap to work for a couple of days and just can't figure this thing out. I can LDAP auth and get shared rosters fine, but I see all groups, not just the groups my user is part of. My understanding is that this should be the default behaviour: your shared roster should only contain the groups you are part of.

I can see all my companies and users using ldapsearch, and I can see ejabberd hitting my LDAP server and querying tons of stuff, but I can't make 'just my groups' show up. For example, when I log in as randy I see groups for every objectclass=company and all users in the system, when I want to only see the company that randy is part of.

Am I misunderstanding the intent of mod_shared_roster_ldap, or do I have one of my config settings wrong? Both the config and the LDAP server output are completely under my control, so whatever I need to tweak is on the table.

Thanks so much, getting very frustrated with this ;)

jabberd 2.1.8

Roster Config:

 {mod_shared_roster_ldap, [
          {ldap_auth_check, off},
          {ldap_rfilter, "(objectclass=company)"},
          {ldap_filter, ""},
          {ldap_gfilter, "(&(objectclass=company)(cn=%g))"},
          {ldap_groupattr, "cn"},
          {ldap_memberattr, "uniquemember"},
          {ldap_memberattr_format, "cn=%u, ou=users, o=foo"},
          {ldap_ufilter, "(&(objectclass=user)(cn=%u))"},
          {ldap_userdesc, "displayname"}
      ]}

ldapsearch -H ldap://localhost:1389 -x -D 'cn=root,ou=users,o=foo' -w '******' -LLL -b "o=foo" objectclass=company

dn: cn=4752cc57-761e-4e34-a75b-55a6c5138b26, ou=companies, o=foo
objectclass: company
cn: 4752cc57-761e-4e34-a75b-55a6c5138b26
uniquemember: cn=test_user, ou=users, o=foo
uniquemember: cn=braswellthatendswell, ou=users, o=foo
uniquemember: cn=hugeharp, ou=users, o=foo
uniquemember: cn=joeham, ou=users, o=foo
uniquemember: cn=manfox, ou=users, o=foo
uniquemember: cn=mildred, ou=users, o=foo
uniquemember: cn=pearce, ou=users, o=foo
uniquemember: cn=randy, ou=users, o=foo
uniquemember: cn=spinmeatune, ou=users, o=foo
uniquemember: cn=warcraft, ou=users, o=foo

dn: cn=183692f8-7f4a-4e2d-b482-d64279d6afe3, ou=companies, o=foo
objectclass: company
cn: 183692f8-7f4a-4e2d-b482-d64279d6afe3
uniquemember: cn=mmarian2, ou=users, o=foo
uniquemember: cn=robin_hood, ou=users, o=foo

dn: cn=4ae6eca7-def6-4aeb-935c-338d4845b71e, ou=companies, o=foo
objectclass: company
cn: 4ae6eca7-def6-4aeb-935c-338d4845b71e
uniquemember: cn=testetstest, ou=users, o=foo

dn: cn=eaf74b57-ac0c-4752-8cc6-5de0543a8e84, ou=companies, o=foo
objectclass: company
cn: eaf74b57-ac0c-4752-8cc6-5de0543a8e84
uniquemember: cn=Test, ou=users, o=foo

ldapsearch -H ldap://localhost:1389 -x -D 'cn=root,ou=users,o=foo' -w '*******' -LLL -b "o=foo" objectclass=user

// ...snip... //
dn: cn=randy, ou=users, o=foo
cn: randy
uuid: 8082c150-6b21-4eca-ae7a-fb007f9f0909
title: Mr.
firstname: Randy
lastname: Bobandy
displayname: Randy Bobandy
email: randy@foo.foo
im: randy@foo.foo
objectclass: user
// ...snip... //

The version of this module

The version of this module included in the ejabberd distribution isn't able to achieve this. An attempt was made to improve this module; its address is posted here.
Note that the configuration options for that newer module have changed greatly compared to the vanilla module. A detailed description of them is given in the comments on its development page (they have not been consolidated into a single manual yet; that work is still to be done, and only if the ejabberd developers decide that this version is worth merging into ejabberd). The specific configuration parameter that does what you want is ldap_user_groups_only.
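
To make the difference between the two behaviours concrete, here is an added example (not code from ejabberd or from either poster) that re-implements offline, in Python, the roster derivation the module's options describe: ldap_rfilter selects the group entries, ldap_groupattr names each group, ldap_memberattr lists the members, and ldap_memberattr_format is the %u template used to turn a member value back into a username. The sample LDIF is constructed from the objectclass=company entries in the question (trimmed), and ldap_user_groups_only is modelled as a boolean argument on the assumption that it restricts the roster to groups the user is a member of. The normalize_dn and member_to_user helpers are hypothetical: they show the check a practitioner would run to confirm that the memberattr_format actually matches the stored uniquemember values (whitespace after commas in a DN is optional, so a format with spaces and data without, or vice versa, would silently resolve no members).

```python
"""Offline model of the shared roster mod_shared_roster_ldap derives from
the post's LDAP data. Added example, not ejabberd code."""
import re
from collections import OrderedDict

# Constructed sample: the objectclass=company entries from the question's
# ldapsearch output, trimmed to the attributes the module uses.
COMPANIES_LDIF = """\
dn: cn=4752cc57-761e-4e34-a75b-55a6c5138b26, ou=companies, o=foo
objectclass: company
cn: 4752cc57-761e-4e34-a75b-55a6c5138b26
uniquemember: cn=test_user, ou=users, o=foo
uniquemember: cn=randy, ou=users, o=foo
uniquemember: cn=warcraft, ou=users, o=foo

dn: cn=183692f8-7f4a-4e2d-b482-d64279d6afe3, ou=companies, o=foo
objectclass: company
cn: 183692f8-7f4a-4e2d-b482-d64279d6afe3
uniquemember: cn=mmarian2, ou=users, o=foo
uniquemember: cn=robin_hood, ou=users, o=foo

dn: cn=eaf74b57-ac0c-4752-8cc6-5de0543a8e84, ou=companies, o=foo
objectclass: company
cn: eaf74b57-ac0c-4752-8cc6-5de0543a8e84
uniquemember: cn=Test, ou=users, o=foo
"""

# Values copied from the mod_shared_roster_ldap block in the question.
GROUPATTR = "cn"
MEMBERATTR = "uniquemember"
MEMBERATTR_FORMAT = "cn=%u, ou=users, o=foo"


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64 values) into a list of
    {attribute: [values]} dicts, one per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def normalize_dn(dn):
    """Hypothetical helper: drop the optional whitespace around RDN
    separators so 'cn=randy, ou=users, o=foo' == 'cn=randy,ou=users,o=foo'."""
    return re.sub(r"\s*,\s*", ",", dn.strip())


def member_to_user(value, fmt=MEMBERATTR_FORMAT):
    """Hypothetical helper: extract the username from a member value using
    the %u template. Returns None when the value does not fit the template
    (e.g. a member DN under a different OU), i.e. a member that would be
    dropped from the roster."""
    parts = [re.escape(p) for p in normalize_dn(fmt).split("%u")]
    pattern = "(?P<user>[^,]+)".join(parts)
    m = re.fullmatch(pattern, normalize_dn(value), re.IGNORECASE)
    return m.group("user") if m else None


def all_groups(entries):
    """What ldap_rfilter '(objectclass=company)' yields: every group with its
    resolvable members, keyed by ldap_groupattr."""
    groups = OrderedDict()
    for e in entries:
        if "company" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        name = e[GROUPATTR][0]
        users = (member_to_user(v) for v in e.get(MEMBERATTR, []))
        groups[name] = {u for u in users if u}
    return groups


def roster_groups(entries, user, user_groups_only):
    """Groups shown in `user`'s shared roster. With user_groups_only=False
    (the vanilla behaviour the question complains about) every group is
    visible; with True only the groups that list the user as a member."""
    groups = all_groups(entries)
    if not user_groups_only:
        return groups
    return OrderedDict((g, m) for g, m in groups.items() if user in m)


if __name__ == "__main__":
    entries = parse_ldif(COMPANIES_LDIF)
    print("vanilla:", list(roster_groups(entries, "randy", False)))
    print("user_groups_only:", list(roster_groups(entries, "randy", True)))
```

Running it prints all three company cns for randy under the vanilla behaviour and only the 4752cc57... group with user_groups_only enabled. The member_to_user check is worth keeping around: if it returns None for a uniquemember value taken straight from ldapsearch, the ldap_memberattr_format does not fit the directory's DNs and the roster will be empty regardless of which version of the module is in use.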
