http-bind prevents running parallel sessions with different resources

Hello,

I have a running ejabberd installation, with http-bind enabled, nginx proxy, and a mini jappix xmpp client for web browsers. I also have an external authentication program.

I can connect the same user on this server with different resources if I use the classical 5222 port. But:

  • If I have active sessions from classical xmpp clients for a given user I cannot connect this user with http-bind (401 authentication failure).
  • If the first connection is made via http-bind no other connection can be done by other classical xmpp clients (and resources are of course different). I sometimes get the 401 already connected message.
  • I can only connect the same user in one browser, I cannot connect the same user several times on http-bind (resources are different on these connections, but I also get a 401).
  • I'm sure the external authentication program is never launched when I get these auth failures.
  • max_user_sessions settings are ok (tested with infinity), and if I'm not connecting in http-bind I can run parallel sessions. But just in case, I also tested the new resource_conflict setting values without any success (and it's not a resource conflict in fact).
  • installation: ejabberd-2.1.10 Debian (from ejabberd-2.1.10-linux-x86-installer.bin, also tested in x86_64 version).

    %% HTTP listener on port 5280 (behind the nginx proxy): BOSH via mod_http_bind plus the web admin
    {5280, ejabberd_http, [
                             {request_handlers,
                              [
                               %% URL path /http_bind is served by mod_http_bind (BOSH)
                               {["http_bind"], mod_http_bind}
                              ]},
                             %%captcha,
                             http_bind,
                             %%http_poll,
                             web_admin
                            ]}

    On the logs, when this is happening I have:

    =INFO REPORT==== 2012-01-27 10:18:55 ===
    D(<0.335.0>:ejabberd_http_bind:684) : reqlist: [{hbr,154037,
                                                     "01775ec6fc089a2b0c84abb80a4b5b7b4bdd958d",
                                                     []},
                                                    {hbr,154036,
                                                     "01775ec6fc089a2b0c84abb80a4b5b7b4bdd958d",
                                                     [{xmlstreamelement,
                                                       {xmlelement,
                                                        "stream:features",[],
                                                        [{xmlelement,
                                                          "mechanisms",
                                                          [{"xmlns",
                                                            "urn:ietf:params:xml:ns:xmpp-sasl"}],
                                                          [{xmlelement,
                                                            "mechanism",[],
                                                            [{xmlcdata,
                                                              "PLAIN"}]}]}]}},
                                                      {xmlstreamstart,
                                                       "stream:stream",
                                                       [{"version","1.0"},
                                                        {"xml:lang","fr"},
                                                        {"xmlns","jabber:client"},
                                                        {"xmlns:stream",
                                                         "http://etherx.jabber.org/streams"},
                                                        {"id","3595609800"},
                                                        {"from",
                                                         "tchat.example.com"}]}]}]

    =INFO REPORT==== 2012-01-27 10:18:55 ===
    D(<0.335.0>:ejabberd_http_bind:732) : really sending now: [{xmlelement,
                                                                "auth",
                                                                [{"xmlns",
                                                                  "urn:ietf:params:xml:ns:xmpp-sasl"},
                                                                 {"mechanism",
                                                                  "PLAIN"}],
                                                                [{xmlcdata,
             <<"bGRhcHVzZXIzOEB0Y2hhdC5ybGUubGFib3JhbmdlLmNvbQBsZGFwdXNlcjM4ADRmMjI2MGQwMzY2MmM1LjgwNjU3OTE3">>}]}]                                                    
    =INFO REPORT==== 2012-01-27 10:18:55 ===
    I(<0.336.0>:ejabberd_c2s:649) : ({socket_state,ejabberd_http_bind,{http_bind,<0.335.0>,{{127,0,0,1},50992}},ejabberd_http_bind}) Failed authentication for foo38@tchat.example.com

    =INFO REPORT==== 2012-01-27 10:18:55 ===
    D(<0.337.0>:ejabberd_http_bind:916) : OutPacket: [{xmlstreamelement,
                                                       {xmlelement,"failure",
                                                        [{"xmlns",
                                                          "urn:ietf:params:xml:ns:xmpp-sasl"}],
                                                        [{xmlelement,
                                                          "not-authorized",[],
                                                          []}]}}]

    =INFO REPORT==== 2012-01-27 10:18:55 ===
    D(<0.337.0>:ejabberd_http_bind:1054) :  --- outgoing data ---
    <body xmlns='http://jabber.org/protocol/httpbind'><failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/></failure></body>

    So is this a "feature" of http-bind, making it the only valid resource for a given user while activated? And how do I run several http-bind sessions for the same user if so? Any hints?

Problem disappears if I set:

{extauth_cache, false}.

But this seems to prevent my shared_roster behavior now.

The question is why extauth_cache prevents further logins with the same user on other resources when I come from http-bind first?

I think I know why... my external auth script is handling a token-based authentication where the password may differ for the same user on parallel sessions; the auth cache is quite certainly caching the password, which is not OK for further sessions. It would need a fallback on external auth after a caching auth failure.
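Added example to illustrate the mechanism described in this last reply. It is not code from this thread and not ejabberd's own code. It shows the wire format an ejabberd external auth script speaks (a 2-byte big-endian length prefix, then `op:user:host:password`; the reply is a 2-byte length of 2 followed by a 2-byte result, 1 for success, 0 for failure), a token scheme in which every parallel session of the same user presents a different "password", and a model of a per-user password cache with and without a fallback to the external script. The HMAC token format, the secret, the `PasswordCache` class and the user `foo38@tchat.example.com` are assumptions constructed for the example; the cache model reproduces the poster's hypothesis rather than ejabberd's internals.

```python
"""
Added example, not from the original thread or from ejabberd.

Assumptions (constructed for the example): the token format and SECRET below,
and PasswordCache as a model of a cache that remembers one password per bare
JID, with or without a fallback to the external script on a mismatch.
"""
import hashlib
import hmac
import io
import struct
import sys
from typing import Callable, Dict, Optional, Tuple

# Assumed shared secret used to mint per-session tokens (not a real credential).
SECRET = b"example-token-secret"


def make_token(user: str, host: str, session_id: str) -> str:
    """Mint a per-session token: the session id plus an HMAC over user, host and session.
    Two parallel sessions of the same user therefore present different passwords."""
    mac = hmac.new(SECRET, f"{user}@{host}/{session_id}".encode(), hashlib.sha256)
    return f"{session_id}.{mac.hexdigest()}"


def verify_token(user: str, host: str, token: str) -> bool:
    """Stateless check: recompute the HMAC for the session id carried in the token."""
    session_id, _, mac = token.partition(".")
    if not session_id or not mac:
        return False
    return hmac.compare_digest(make_token(user, host, session_id), token)


def handle_request(payload: bytes) -> bool:
    """Dispatch one extauth request. The password is everything after the third ':'
    so that tokens containing ':' survive the split."""
    fields = payload.decode("utf-8", errors="replace").split(":", 3)
    op = fields[0]
    if op == "auth" and len(fields) == 4:
        _, user, host, password = fields
        return verify_token(user, host, password)
    if op == "isuser" and len(fields) == 3:
        return True  # assumption: every user exists; a real script would look it up
    return False  # setpass, tryregister, removeuser, ... are refused here


def encode_reply(ok: bool) -> bytes:
    """extauth reply frame: length (always 2) then the result word."""
    return struct.pack(">HH", 2, 1 if ok else 0)


def decode_frame(stream) -> Optional[bytes]:
    """Read one length-prefixed request from a binary stream; None at EOF."""
    header = stream.read(2)
    if len(header) < 2:
        return None
    (length,) = struct.unpack(">H", header)
    return stream.read(length)


def serve(stdin, stdout) -> None:
    """Answer requests one frame at a time, flushing after each reply."""
    while True:
        payload = decode_frame(stdin)
        if payload is None:
            return
        stdout.write(encode_reply(handle_request(payload)))
        stdout.flush()


def run_frames(data: bytes) -> bytes:
    """Feed a byte string of concatenated request frames through serve()."""
    out = io.BytesIO()
    serve(io.BytesIO(data), out)
    return out.getvalue()


class PasswordCache:
    """Cache keyed by bare JID that remembers the last accepted password.
    fallback=False: an existing entry is authoritative, so a different token is
    rejected without ever calling the external script (the poster's hypothesis).
    fallback=True: a mismatch is re-checked against the external script and,
    if accepted, replaces the cached password."""

    def __init__(self, external: Callable[[str, str, str], bool], fallback: bool):
        self.external = external
        self.fallback = fallback
        self.cached: Dict[Tuple[str, str], str] = {}
        self.external_calls = 0

    def check(self, user: str, host: str, password: str) -> bool:
        key = (user, host)
        if key in self.cached:
            if self.cached[key] == password:
                return True
            if not self.fallback:
                return False  # second session's token never reaches the script
        self.external_calls += 1
        ok = self.external(user, host, password)
        if ok:
            self.cached[key] = password
        return ok


def parallel_sessions(fallback: bool) -> Tuple[bool, bool, int]:
    """Same user, two resources, two different tokens: (first ok, second ok, script calls)."""
    cache = PasswordCache(verify_token, fallback)
    user, host = "foo38", "tchat.example.com"
    first = cache.check(user, host, make_token(user, host, "session-a"))
    second = cache.check(user, host, make_token(user, host, "session-b"))
    return first, second, cache.external_calls


if __name__ == "__main__":
    if sys.stdin.isatty():
        print("cache without fallback:", parallel_sessions(False))
        print("cache with fallback:   ", parallel_sessions(True))
    else:
        serve(sys.stdin.buffer, sys.stdout.buffer)  # act as an extauth script
```

Run with a terminal attached to see the two cache models side by side; piped into ejabberd's extauth_program slot it behaves as a plain token-checking script. The point the simulation makes is that a cache keyed by bare JID can hold only one password, so with per-session tokens the second resource fails unless a cache mismatch falls through to the external check.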