mod_shared_roster_ldap issues, minimum configuration

Hello all,
I am pretty inexperienced in dealing with LDAP in general and have only had to dive into it to the point of getting IM servers like Openfire or ejabberd to work.
Currently, I am at a point where I have successfully authenticated with the AD server using LDAP, and am able to share the roster to those who log in. The problem is I do not like the syntax of "username@domain.com" and wish it would simply display the displayName attribute from AD. I have been running through the posts here and found that to use displayNames in the roster I have to use the module mod_shared_roster_ldap but am confused over the configuration technique. This thread was probably the closest to what I want, but when I tried to implement the suggestions given I either was unable to load any users, it would suffer a crash, or would not do anything. http://www.ejabberd.im/node/3852

Currently, I have this:
{mod_shared_roster_ldap, [
  {ldap_base, "(same as my base for authentication)"},
  {ldap_groupattr, "ou"},
  {ldap_memberattr, "uid"},
  {ldap_userdesc, "displayName"}
]},

From what I understood, the only part that really mattered in this configuration was "ldap_userdesc" (I do understand that this will result in some sort of performance degradation after enough people are added to the roster/AD).

If anyone could help guide me through this it would be greatly appreciated,
Thank you,

You cannot use "minimum

You cannot use "minimum configuration" with this module. It doesn't work as a "supplement" to other shared rosters, it only handles entries that it "creates" in rosters.

Rather, if you need pretty names in other entries, you could try mod_vcard_ldap. The logic is that you could configure your client to ask the server for additional info on every bare contact, and that module would provide that info. And the generic mod_shared_roster itself is able to use that information.

HTH.

I have tried mod_vcard_ldap

I have tried mod_vcard_ldap and in the end I had my roster completely messed up so my contact list had nothing in it. Also, the many times I have read about mod_shared_roster_ldap I have heard it is intended to accomplish exactly what I am trying to do. Even the instructions say this: This module lets the server administrator automatically populate users' rosters (contact lists) with entries based on users and groups defined in an LDAP-based directory.

Again, I have learned from sample configurations and have tried applying it (with needed modifications) to my configuration page to retrieve the displayname of my AD domain accounts - but I am still getting the user ids followed by the '@servername' which is not wanted.

If you are seriously into

If you are seriously into msrl, then you need to provide your directory layout and wanted result in order to get help.

base=ou=chatpeople,ou=allpeop

base=ou=chatpeople,ou=allpeople,dc=example,dc=local
Everybody that I want to have included in the roster is under the OU "chatpeople"

I have attributes such as:
cn: Bob Doe
displayName: Bob Doe
givenName: Bob
sn: Doe
sAMAccountName: bdoe

What I currently get when I log into an IM client, I will see
bdoe@xmpp-server.com
jdoe@xmpp-server.com
...

I would like to have my roster instead read the full name of the users:
Bob Doe
Jane Doe

In attempting to get it to work, when I used the vcard mod, it wouldn't load any accounts in the roster. In msrl, I was able to at least see the accounts in my roster, but no matter what I seem to do it will always output username@xmpp-server.com

Please post your current msrl

Please post your current msrl config

{mod_shared_roster_ldap,

{mod_shared_roster_ldap, [
{ldap_base,"ou=chatpeople,ou=allpeople,dc=example,dc=local"},
{ldap_useruid, "cn"},
{ldap_userdesc, "displayName"},
{ldap_filter, ""}
]},

The following was an error I caught in my logs if it helps at all.
=ERROR REPORT==== 2012-06-12 16:54:14 ===
E(<0.351.0>:ejabberd_hooks:335) : {function_clause,
[{eldap_filter,parse,[undefined]},
{mod_shared_roster_ldap,eldap_search,3},
{mod_shared_roster_ldap,
get_user_displayed_groups,1},
{mod_shared_roster_ldap,
get_subscription_lists,3},
{ejabberd_hooks,run_fold1,4},
{ejabberd_c2s,wait_for_session,2},
{p1_fsm,handle_msg,10},
{proc_lib,init_p,5}]}
running hook: {roster_get_subscription_lists,["(sterilized)","(xmpp-servername)"]}

So does this config

So does this config automatically create your roster? I mean, are those items in your roster (bdoe@xmpp-server.com, jdoe@xmpp-server.com) created automatically, or have you added them manually? What group are they in?

If they are created automatically, then you must be unable to remove them, or at least they must reappear at logoff/logon.

I ask because, based on what you have posted here, the module should not work at all (and the error confirms that).

If I'm right, then I will need yet another piece of information: the module needs a group to place users in, so you need to decide which attribute to use for grouping the contacts.

Confused in generating Shared

Confused in generating Shared Roster from LDAP

I am very much confused about all the shared roster modules; I hope someone can please point me in the proper direction. So here is the issue I am facing: I have Debian using ejabberd 2.1.11, installed via binary package. I am using external auth from an LDAP server.
Here is a snippet of my config file

{mod_shared_roster_ldap,[
        {ldap_base, "ou=people,dc=company,dc=com"},
      %%{ldap_groupattr,        "ou"},
        {ldap_rfilter,          "(objectClass=*)"},
        {ldap_filter,           ""},
        {ldap_gfilter,          "(&(objectClass=*)(cn=%g))"},
        {ldap_groupdesc,        "description"},
        {ldap_memberattr,       "memberUid"},
        {ldap_memberattr_format, "uid=%u,ou=people,dc=company,dc=com"},
        {ldap_ufilter,          "(&(objectClass=inetOrgPerson)(uid=%u))"},
      %%{ldap_useruid,          "uid"},
        {ldap_userdesc,         "displayName"}
]},

Well using this I can see all the user via this command ejabberdctl registered_users company.com

I have used vcard_ldap modules also, here is what I have

  {mod_vcard_ldap, [
        {ldap_base, "ou=people,dc=company,dc=com"},
        {ldap_vcard_map,
                [
                {"NICKNAME", "%s", ["displayName"]},
                {"GIVEN", "%s", ["givenName"]},
                {"FAMILY", "%s", ["sn"]},
                {"FN", "%s", ["displayName"]},
                {"EMAIL", "%s", ["mail"]}
                ]},
        {ldap_search_fields, [
             {"User", "%u"},
             {"Name", "givenName"},
             {"Family Name", "sn"},
             {"Email", "mail"}
        ]},
        {ldap_search_reported, [
            {"Full Name", "FN"},
            {"Email", "EMAIL"}
        ]}
]},

NOTE: I have disabled the mod_vcard module.

When I log into an IM client (I tried Pandion, Spark and Pidgin), in all of them I cannot see anyone on the list, even when two users are logged in. I don't know why.

Another thing is that when I click for offline users I can see all the users in the "Company" group, but not in the proper groups; as of now I have three other groups named "Company IN", "Company AU", "Company EU".

What could be missing here? Let me know if anything else is needed. I cannot see any error message in the logs; by looking at this it seems to be getting them properly.
Any suggestion, please.

=INFO REPORT==== 2012-06-13 14:28:08 ===
D(<0.5418.0>:eldap:697) : {searchRequest,
                           {'SearchRequest',"ou=people,dc=company,dc=com",
                            wholeSubtree,neverDerefAliases,0,5,false,
                            {'and',
                             [{present,"objectClass"},
                              {equalityMatch,
                               {'AttributeValueAssertion',"cn","Bugs RT"}}]},
                            ["cn","description","memberUid"]}}
=INFO REPORT==== 2012-06-13 14:28:09 ===
D(<0.5418.0>:eldap:768) : {searchResEntry,
                              {'SearchResultEntry',
                                  "uid=brooke,ou=Company,ou=People,dc=company,dc=com",
                                  [{'PartialAttributeList_SEQOF',"cn",
                                       ["Brooke Hunter"]}]}}

ashish1099 wrote: Well using

ashish1099 wrote:

Well using this I can see all the user via this command ejabberdctl registered_users company.com

This has nothing to do with shared rosters: it only confirms that the authentication is OK.

ashish1099 wrote:

Other thing is when I click for offline user I can see all the user in "Company" Group.

What do you mean? Do you see users after turning on the "display offline users" option in your client?

ashish1099 wrote:
{mod_shared_roster_ldap,[
        {ldap_base, "ou=people,dc=company,dc=com"},
      %%{ldap_groupattr,        "ou"},
        {ldap_rfilter,          "(objectClass=*)"},
        {ldap_filter,           ""},
        {ldap_gfilter,          "(&(objectClass=*)(cn=%g))"},
        {ldap_groupdesc,        "description"},
        {ldap_memberattr,       "memberUid"},
        {ldap_memberattr_format, "uid=%u,ou=people,dc=company,dc=com"},
        {ldap_ufilter,          "(&(objectClass=inetOrgPerson)(uid=%u))"},
      %%{ldap_useruid,          "uid"},
        {ldap_userdesc,         "displayName"}
]},

Your rfilter basically selects everything below the base, while it should only select those objects that will represent groups.

You should post your LDAP layout.

mikekaganski wrote: What do

mikekaganski wrote:

What do you mean? Do you see users after turning on the "display offline users" option in your client?

Yes, after enabling display of offline users in my client.

And here is my LDIF export.
Basically my base search is

 ou=People
  • ou=Company IN
  • ou=Company AU
  • ou=Company EU

I want all these three groups to see each other.

for ou=People
dn: ou=People,dc=trellian,dc=com
objectClass: organizationalUnit
objectClass: uidPool
ou: People

This export is of a user.

version: 1

# LDIF Export for: uid=ashish,ou=Company IN,ou=People,dc=company,dc=com
# Generated by phpLDAPadmin ( http://phpldapadmin.sourceforge.net/ ) on June 13, 2012 7:19 pm
# Server: Trellian (ldap.company.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 1

dn: uid=ashish,ou=Company IN,ou=People,dc=company,dc=com
givenName: Ashish
sn: Jaiswal
cn: Ashish Jaiswal
uid: ashish
userPassword: {CRYPT}$1$wuTZ2OAM$jDmUiSVOPN34sjfjIMFFZ.
uidNumber: 10052
gidNumber: 100
homeDirectory: /home/users/ashish
loginShell: /bin/bash
mail: ashish@company.com
mailLocalAddress: ashish@company.com
mailHost: mail.company.com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetLocalMailRecipient
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: 9dd2fd7a-9033-1030-990a-cf928cdb75f8
creatorsName: cn=admin,dc=company,dc=com
createTimestamp: 20111021132332Z
entryCSN: 20111021132332.000000Z#000001#000#000000
modifiersName: cn=admin,dc=company,dc=com
modifyTimestamp: 20111021132332Z
entryDN: uid=ashish,ou=Company IN,ou=People,dc=company,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Unfortunately, you cannot do

Unfortunately, you cannot do what you want using this module. The reason is that there are no fields in ou that point to users; and no fields in user pointing to ou. (dn cannot be used for this).

You have to either group users by some common attribute, or use a modified version of mod_shared_roster_ldap.

Hi, i'm having a similar

Hi, I'm having a similar problem. I'm trying to use the Zimbra Distribution Lists as a shared roster. I have LDAP auth and vcard working, but for the shared roster I don't even see LDAP searches. I'm using

{mod_shared_roster,[]},
{mod_shared_roster_ldap,[
{ldap_rfilter, "(objectClass=zimbraDistributionList)"},
%{ldap_filter,""},
%{ldap_ufilter,"(uid=%u)"},
{ldap_groupattr,"cn"},
{ldap_groupdesc,"description"},
{ldap_memberattr,"zimbraMailForwardingAddress"}
%{ldap_memberattr_format,"%u"},
%{ldap_useruid, "uid"},
%{ldap_userdesc,"displayName"}
]},

(The Zimbra Distribution Lists have an objectClass=zimbraDistributionList and the members are under multiple zimbraMailForwardingAddress attributes with entries like user1@domain.com, user2@domain.com etc.)

Do I have to enter something into the ejabberd Web Admin Shared Roster to enable the LDAP shared roster, or should this work...?

First, you don't need

First, you don't need mod_shared_roster at all to make mod_shared_roster_ldap work; but you definitely do need mod_roster (from your config excerpt, I cannot see if it is enabled, but the absence of LDAP searches is often explained by absence of mod_roster in config). Web admin is not used to configure msrl.

Also, the msrl config is incomplete. There are no gfilter and ufilter in it.
I would expect this to be close:

{mod_shared_roster_ldap,[
        {ldap_filter,           ""},
        {ldap_rfilter,          "(objectClass=zimbraDistributionList)"},
        {ldap_groupattr,        "cn"},
        {ldap_gfilter,          "(&(objectClass=zimbraDistributionList)(cn=%g))"},
        {ldap_memberattr,       "zimbraMailForwardingAddress"},
        {ldap_ufilter,          "(&(objectClass=inetOrgPerson)(uid=%u))"},
        {ldap_useruid,          "uid"},
        {ldap_userdesc,         "displayName"}
]},

But note that this requires that after you get zimbraMailForwardingAddress, you can search for an inetOrgPerson with this uid. Also, your group must have an id (that I guessed to be cn).

As you have a grip on your Zimbra schema, you could adjust this as needed.
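As an added illustration (not code from ejabberd or from anyone in this thread) of the lookup chain described above, here is a small Python model of how the msrl options fit together, run against a constructed in-memory directory; the option names are the module's, the entries, filter evaluation and config values are this example's own simplifications. It also covers the memberattr_format question from earlier in the thread: a member value that does not fit the format yields no uid, and therefore no roster entry.

```python
import re
# Constructed in-memory stand-in for the LDAP server (not real data): users under
# ou=people plus a group object whose memberUid values are full user DNs.
DIRECTORY = {
    "cn=Company IN,ou=groups,dc=company,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["Company IN"],
        "memberUid": ["uid=ashish,ou=people,dc=company,dc=com",
                      "uid=brooke,ou=people,dc=company,dc=com"]},
    "uid=ashish,ou=people,dc=company,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["ashish"], "displayName": ["Ashish Jaiswal"]},
    "uid=brooke,ou=people,dc=company,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["brooke"], "displayName": ["Brooke Hunter"]},
}

CONFIG = {  # the module's option names; the values are this example's own choices
    "ldap_base": "dc=company,dc=com",
    "ldap_rfilter": "(objectClass=posixGroup)",  # selects only the group objects
    "ldap_groupattr": "cn", "ldap_memberattr": "memberUid",
    "ldap_memberattr_format": "uid=%u,ou=people,dc=company,dc=com",
    "ldap_ufilter": "(&(objectClass=inetOrgPerson)(uid=%u))",
    "ldap_userdesc": "displayName",
}

ATOM = re.compile(r"\((\w+)=([^()]*)\)")

def matches(entry, flt):
    """Simplified filter: a conjunction of (attr=value) terms, '*' = present; no OR/NOT."""
    return all(attr in entry and (val == "*" or val in entry[attr])
               for attr, val in ATOM.findall(flt))

def search(base, flt):
    """Subtree search below base, the scope the module's searches use."""
    return [e for dn, e in DIRECTORY.items() if dn.endswith(base) and matches(e, flt)]

def uid_from_member(value, fmt):
    """Recover %u from a member value via ldap_memberattr_format; None if the value
    does not fit the format. %u is matched up to the next comma so extra RDNs do not leak in."""
    pattern = "^" + "([^,]+)".join(re.escape(p) for p in fmt.split("%u")) + "$"
    m = re.match(pattern, value)
    return m.group(1) if m else None

def shared_roster(cfg):
    """rfilter -> groups; memberattr -> members; memberattr_format -> uid; ufilter -> user."""
    roster = {}
    for group in search(cfg["ldap_base"], cfg["ldap_rfilter"]):
        for member in group.get(cfg["ldap_memberattr"], []):
            uid = uid_from_member(member, cfg["ldap_memberattr_format"])
            users = search(cfg["ldap_base"], cfg["ldap_ufilter"].replace("%u", uid)) if uid else []
            for user in users:  # userdesc is the name the roster shows instead of the JID
                roster.setdefault(group[cfg["ldap_groupattr"]][0], []).append(user[cfg["ldap_userdesc"]][0])
    return roster
```

A mail-style member list such as Zimbra's is handled by the same function with a format like "%u@domain.com", while a memberattr_format that does not fit the stored values produces an empty roster rather than an error.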

Hi mikekaganski, thanks for

Hi mikekaganski, thanks for your help!

mikekaganski wrote:

First, you don't need mod_shared_roster at all to make mod_shared_roster_ldap work; but you definitely do need mod_roster (from your config excerpt, I cannot see if it is enabled, but the absence of LDAP searches is often explained by absence of mod_roster in config). Web admin is not used to configure msrl.

No, mod_roster is there in the config, but no matter what I enter into the msrl config, it does not seem to touch the LDAP server. I can see the auth stuff when a user goes online, but *nothing* besides that (on tcpdump)...

mikekaganski wrote:

But note that this requires that after you get zimbraMailForwardingAddress, you can search for an inetOrgPerson with this uid. Also, your group must have an id (that I guessed to be cn).

As you have a grip on your Zimbra schema, you could adjust this as needed.

Don't think I can do that (the idea was to be able to use the Zimbra web admin GUI to configure the shared roster, but as far as I think I'm understanding it now, it can't be done how I wanted with the current Zimbra schema, 'cause Zimbra does not have a concept of user groups (besides the distribution lists, but they contain mail addresses, not users))...

zimbranut wrote: I have ldap

zimbranut wrote:

I have ldap auth and vcard working

zimbranut wrote:

... I can see the auth stuff when a user goes online, but *nothing* besides that (on tcpdump)...

This implies that you use LDAP auth; and this definitely means that there is an object in LDAP that may be used as a user representation.
So, it seems like what you want is doable, but requires knowing more about your layout.

Also, to understand the problem with nothing from msrl on the wire, you should inspect the ejabberd logs. The startup or operation may encounter problems that prevent the module from operating.

In playing with the

In playing with the mod_vcard_ldap settings, I made significant progress using a setting I must have mistyped or not tried.

{mod_vcard_ldap, [
  {ldap_vcard_map, [
    %% This is probably what got me... but why I can't use displayName confuses me
    {"NICKNAME", "%s, %s", ["givenname", "sn"]},
    {"FN", "%s", ["displayName"]}
  ]},
  {ldap_search_fields, [
    {"User", "%u"},
    {"Name", "givenName"}
  ]}
]},

I can now at least get most of the users to show up with their full name. My apologies to mikekaganski for being difficult or thick headed on the matter of using this module.

Here is config that works for

Here is config that works for me at the moment (I use AD, too):

  {mod_vcard_ldap,    [
    {matches, infinity},
    {ldap_vcard_map, [
      {"NICKNAME", "%s", ["displayName"]},
      {"GIVEN", "%s", ["givenName"]},
      {"MIDDLE", "%s", ["initials"]},
      {"FAMILY", "%s", ["sn"]},
      {"FN", "%s", ["displayName"]},
      {"EMAIL", "%s", ["mail"]},
      {"ORGNAME", "%s", ["company"]},
      {"ORGUNIT", "%s", ["department"]},
      {"CTRY", "%s", ["c"]},
      {"LOCALITY", "%s", ["l"]},
      {"STREET", "%s", ["streetAddress"]},
      {"REGION", "%s", ["st"]},
      {"PCODE", "%s", ["postalCode"]},
      {"TITLE", "%s", ["title"]},
      {"DESC", "%s", ["description"]},
      {"TEL", "%s", ["telephoneNumber"]},
      {"BDAY", "%s", ["birthDate"]},
      {"PHOTO", "%s", ["jpegPhoto"]}
    ]},
    {ldap_search_fields, [
      {"Name", "givenName"},
      {"Family Name", "sn"},
      {"Department", "department"}
    ]},
    {ldap_search_reported, [
      {"Full Name", "FN"},
      {"Department", "ORGUNIT"},
      {"Phone", "TEL"}
    ]}
  ]},