LDAP (active directory)

Hello,
I have two servers, one is running Windows NT 4 and its address is internet.myname.com, which is the one that has the external IP, i.e. it's the one connected to the internet, and the other server is running Win2000 and its address is server.myname.com and it has the Active Directory, i.e. all the users have accounts on the server.myname.com machine.
The internet.myname.com machine also runs, e.g., the Microsoft Exchange email server, and it gets the user accounts for the emails from the server.myname.com Active Directory.
I installed ejabberd (tried both 0.9.8 and 1.0.0) on the internet.myname.com machine, and with the internal authentication it works well. But I didn't manage to get LDAP authentication to work. I have access to everything on these machines, i.e. I know the admin login/password for the Active Directory machine etc., but I wasn't the one who set it up in the first place, and I'm not sure where to look for the correct definitions to use in the ejabberd.cfg file - I tried some obvious settings for uid, base, rootdn etc., and it didn't work. I downloaded PortQry from http://support.microsoft.com/?kbid=310456 and I'm pasting its output below. Could anyone please help me to get the correct LDAP settings, or tell me which other utils I could run (that probably were already installed with win2000?) in order to get the correct settings?
Also, another question: will the addresses for the users of the jabber accounts be user@internet.myname.com or user@myname.com ? In ejabberd.cfg I had to put "{hosts, ["internet.myname.com"]}." for it to work, but the final addresses for each user should really be user@myname.com, like the email addresses.
Thanks a lot in advance,
Iddo

Example of ejabberd LDAP settings that didn't work:
%{auth_method, internal}.
{auth_method, ldap}.
{ldap_servers, ["server.myname.com"]}.
{ldap_uidattr, "uid"}.
{ldap_base, "dc=myname,dc=com"}.
{ldap_rootdn, "dc=myname,dc=com"}.
{ldap_password, "mypwd"}.
{hosts, ["internet.myname.com"]}.

(I'm not using SSL)

PortQry output:

D:\temp\PortQryV2>PortQry.exe -n server.myname.com -p udp -e 389

Querying target system called:

server.myname.com

Attempting to resolve name to IP address...

Name resolved to 192.168.0.15

querying...

UDP port 389 (unknown service): LISTENING or FILTERED

Using ephemeral source port
Sending LDAP query to UDP port 389...

LDAP query response:

currentdate: 02/06/2006 14:54:50 (unadjusted GMT)
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=myname,DC=com
dsServiceName: CN=NTDS Settings,CN=SERVER,CN=Servers,CN=Primary,CN=Sites,CN=Configuration,DC=myname,DC=com
namingContexts: CN=Schema,CN=Configuration,DC=myname,DC=com
defaultNamingContext: DC=myname,DC=com
schemaNamingContext: CN=Schema,CN=Configuration,DC=myname,DC=com
configurationNamingContext: CN=Configuration,DC=myname,DC=com
rootDomainNamingContext: DC=myname,DC=com
supportedControl: 1.2.840.113556.1.4.319
supportedLDAPVersion: 3
supportedLDAPPolicies: MaxPoolThreads
highestCommittedUSN: 699288
supportedSASLMechanisms: GSSAPI
dnsHostName: SERVER.myname.com
ldapServiceName: myname.com:server$@myname.COM
serverName: CN=SERVER,CN=Servers,CN=Primary,CN=Sites,CN=Configuration,DC=myname,DC=com
supportedCapabilities: 1.2.840.113556.1.4.800
isSynchronized: TRUE
isGlobalCatalogReady: TRUE

======== End of LDAP query response ========

UDP port 389 is LISTENING
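The PortQry dump above is a rootDSE read, and it does contain the base DN you need. As an added example (not code from the thread or from ejabberd), this script parses such a dump and maps it onto the ejabberd.cfg keys used in this thread; the admin account name and the CN=Users container are assumptions you must check against your own directory.

```python
"""Map a rootDSE dump like the PortQry output above onto ejabberd.cfg
LDAP settings.  Added example, not code from the thread or ejabberd."""
import re

# Constructed sample: the lines of the PortQry output that matter here.
ROOTDSE_SAMPLE = """\
defaultNamingContext: DC=myname,DC=com
supportedLDAPVersion: 3
supportedSASLMechanisms: GSSAPI
dnsHostName: SERVER.myname.com
ldapServiceName: myname.com:server$@myname.COM
"""

def parse_rootdse(text):
    """Return {attribute: value} for every 'attr: value' line."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.+?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def suggest_ejabberd_cfg(attrs, admin_cn="Administrator"):
    """ldap_base is the domain's defaultNamingContext.  ldap_rootdn must
    be the full DN of the bind account (AD keeps built-in accounts under
    CN=Users), not the domain DN that the original post used.  admin_cn is
    a parameter because the account name is localised (e.g. Administrador).
    samAccountName is the attribute that holds the Windows login name."""
    base = attrs["defaultNamingContext"]
    return {
        "ldap_servers": [attrs["dnsHostName"].lower()],
        "ldap_uidattr": "samAccountName",
        "ldap_base": base,
        "ldap_rootdn": "CN=%s,CN=Users,%s" % (admin_cn, base),
    }

def render_cfg(cfg):
    """Emit Erlang-term lines in the ejabberd.cfg syntax used above.
    ldap_password is left as a placeholder: ejabberd binds with a simple
    bind (see the debug log later in this thread), which sends it in clear
    text on port 389 unless the connection is protected by TLS."""
    return "\n".join([
        "{auth_method, ldap}.",
        '{ldap_servers, ["%s"]}.' % '", "'.join(cfg["ldap_servers"]),
        '{ldap_uidattr, "%s"}.' % cfg["ldap_uidattr"],
        '{ldap_base, "%s"}.' % cfg["ldap_base"],
        '{ldap_rootdn, "%s"}.' % cfg["ldap_rootdn"],
        '{ldap_password, "<<REPLACE_ME>>"}.',
    ])

if __name__ == "__main__":
    print(render_cfg(suggest_ejabberd_cfg(parse_rootdse(ROOTDSE_SAMPLE))))
```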

Windows 2003 LDAP Authentication

I think this is gonna help:

{auth_method, ldap}.
{ldap_servers, ["myserver.com"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "DC=myserver,DC=com"}. % Base of LDAP directory
{ldap_rootdn, "CN=Administrator,CN=Users,DC=myserver,DC=com"}. % LDAP manager
{ldap_password, "password"}. % Password to LDAP manager

{hosts, ["myserver.com"]}.

In my example, the usernames for Jabber clients (e.g. Exodus) are like this:
username@myserver.com

It's working for me. Good luck!
Paco

Thanks for the reply. I'm

Thanks for the reply.
I'm away and so I'll test it only the day after tomorrow, and report back here.
But, why is the subject of your reply "Windows 2003 LDAP" ??
As I wrote, my LDAP machine is running win2000, not win2003 - is your reply also supposed to work for win2000 ?
I tried most of what you said, except "samAccountName", and also, I'm still not sure about the hosts line, because it only worked (with internal authentication) with internet.myserver.com - but then it seems that the users' addresses are user@internet.myserver.com which isn't what it should be, as the email addresses are user@myserver.com
If others could comment further, please do...
Thank you,
Iddo

About id@my.domain => server at jabber.my.domain

You could always make users tell their jabber clients to use a specific server when they talk to your JID. You could have id@my.domain use a server at jabber.another.domain; a JID has nothing to do with DNS names (except some of the format).

So you should always have that in mind when you set up a Jabber server.

You can do things to make it work transparently.

JID: id@jabber.server.domain
Server machine DNS name: jabber.server.domain

This is easy to set up, but not that flexible. What if you want to change machine to run the server on?

JID: id@jid.domain
Server machine DNS name: jabber.server.domain

Make some changes in DNS for jid.domain.
That is, put some SRV records into your DNS server for jid.domain that point jabber services to jabber.server.domain.
You need to look that up.

It works like SIP-server and SIP-names.

I guess that the last is what you really want to do.

LDAP again

Thanks, I'll try to figure out the DNS issue.
But I still haven't got LDAP authentication to work :(
Any ideas on how to figure out the correct settings?
I tried to search, and I see it mentioned that ejabberd 1.0.0 LDAP is perhaps broken? I'm not sure... So I installed ejabberd 0.9.8 as well, but neither worked for me so far.
I noticed that microsoft exchange server is also using the active directory in order to get the logins/passwords of users, but because it's a microsoft product, there aren't really any settings in it that I can copy, i.e. it's all just default it seems.
I'm not sure if the output that I pasted above is supposed to be useful, or how else to figure out the correct settings?
Any comments?
Thanks...

I am having the same problem.

I am also attempting to make my local area messaging service be integrated into our existing Active Directory infrastructure. As documented here and based on a friend of mine's suggestions I have come up with the following LDAP configuration:

{auth_method, ldap}.
{ldap_servers, ["10.100.0.20"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "ou=Usuarios,ou=Corporativo,dc=metrored,dc=local"}. % Search base of LDAP directory
{ldap_rootdn, "cn=Administrador,dc=metrored,dc=local"}. % LDAP manager
{ldap_password, "XXXXXXXX"}. % Password to LDAP manager

However I have had many problems and to this point in time the authentication does not work against the AD yet. I am certain that I have configured the ldap_base and the ldap_password; but I am not sure that my ldap_base is correct by just adding the dc's or if it needs the ou's as well.

This is what my ejabberd.log has to say about it:

=INFO REPORT==== 2006-04-28 10:46:33 ===
I(<0.1193.0>:ejabberd_listener:90): (#Port<0.2157>) Accepted connection {{10,100,3,91},42672} -> {{10,100,0,8},5222}

=INFO REPORT==== 2006-04-28 10:46:33 ===
I(<0.1270.0>:ejabberd_c2s:417): (#Port<0.2157>) Failed legacy authentication for diego.defuentes@metrored.com.mx/Psi

I will go to my AD server to check if it has any kind of logs available, in the meantime; can anyone please clarify my question?

Thanks in advance.

Fixed It!

I made an export of my Active Directory structure and found out that the rootdn was incomplete, here goes my final working configuration:

{auth_method, ldap}.
{ldap_servers, ["10.100.0.20"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "OU=Usuarios,OU=Corporativo,DC=metrored,DC=local"}. % Search base of LDAP directory
{ldap_rootdn, "CN=Administrador,CN=Users,DC=metrored,DC=local"}. % LDAP manager
{ldap_password, "XXXXXXXXXXX"}. % Password to LDAP manager

I hope this saves someone some grief in the future when dealing with this...

With or without ejabberd_ad patch?

Hi all,

I am trying to get this running, too, unfortunately without success.
So my first question: do I need this ejabberd_ad patch and if so, why?
My ejabberd package comes with LDAP support I think, so AD authentication should be ok?

I have the following configuration:
{auth_method, ldap}.
{ldap_servers, ["server1.arkona.local"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "OU=Users OU,DC=arkona,DC=local"}. % Search base of LDAP directory
{ldap_rootdn, "CN=Administrator,OU=Groups and Buildins,DC=arkona,dc=local"}. % LDAP manager
{ldap_password, "OurPassword"}. % Password to LDAP manager

The Users OU is definitely right, the Administrator also.
So what the heck am I doing wrong?
Is it because of the spaces in the basedn and rootdn?

Thanks for any help,

Matthias

I think you might want to

I think you might want to take a look at this patch to improve LDAP support in ejabberd. Check the included README and ldap_guide.txt files.

@badlop: maybe that patch should be listed on the contribs page?

--
sander

done

sander wrote:

@badlop: maybe that patch should be listed on the contribs page?

Done, but even better: include in ejabberd svn, or at least bugzilla

Active Directory authentication

I've been struggling with this for days ... and I'm *sure* that I'm missing something basic.

I'm using the latest version of ejabberd from ProcessOne (1.1.2 I believe).

I've installed this to an XP machine, which belongs to the domain as a workstation, with the firewall off.

I want to be able to authenticate users who exist in the AD, using their AD credentials.

The logs for ejabberd don't seem to tell me anything useful. (i.e. It may be useful information, but not for me.) :)

I have followed the examples from this site, as well as a translated version of this page: http://realloc.spb.ru/share/ejabberd112ad.html

I'm using Pidgin to connect to the ejabberd server, and could be doing something wrong on the client side. I'm not sure what "screen name" equates to in the AD. In Pidgin, I get authentication failed errors when I try and use an AD account.

I do have ejabberd set to allow LDAP and internal, and I'm able to register new accounts.

Does there exist somewhere a comprehensive overview of "active directory" authentication, including client side stuff? If not, does anyone have suggestions as to what stupid thing I might be doing wrong?

If I can get this working, I'd be happy to contribute an english language document detailing the steps I take, client side config, etc.

Thank you for your time and consideration. :)

James

Do you use? {auth_method, ldap}.

I have never used LDAP/AD auth on ejabberd.

james wrote:

The logs for ejabberd don't seem to tell me anything useful. (i.e. It may be useful information, but not for me.) :)

Umm, so they don't show any ERROR, CRASH... reports for you.

james wrote:

I do have ejabberd set to allow LDAP and internal, and I'm able to register new accounts.

So, you have something like this?

{auth_method, [internal, ldap]}.

Please note that the guide and the russian article from realloc use this:

{auth_method, ldap}.

I'm in the same problem

Hi all,

I'm in the same problem, my case:

Server with ejabberd: pepe.domain.com
Server with active directory: ad.domain.com

Configuration file:

{auth_method, ldap}.
{ldap_servers, ["ad.domain.com"]}. % List of LDAP servers
{ldap_base, "dc=domain,dc=com"}. % Search base of LDAP directory
{ldap_rootdn, "cn=Administrador,cn=Users,dc=domain,dc=com"}. % LDAP manager
{ldap_password, "pwdAdministrator"}. % Password to LDAP manager
{ldap_uidattr, "samAccountName"}.

{hosts, ["pepe.domain.com","domain.com"]}.

User on Active Directory:
user name: dummy
user login: dummy
user email: dummy@domain.com

Client:
PSI
Configuration:
jid: dummy@domain.com
server: pepe.domain.com
* One question about the client side: do I have to register the user, or just log in?

Please, what do I have to do to make it work? I've spent 4 hours already.

Thanks in advance

Regarding LDAP, the

Regarding LDAP, the development version contains a fix that could help you (SVN).
Which version are you using ?

--
Mickaël Rémond
Process-one

I'm using the last one,

I'm using the last one, 1.1.3.

Where I have to go to look for SVN?

Thanks.

Try to replace eldap.erl

Try to replace eldap.erl with this file from the development version and recompile ejabberd:
http://svn.process-one.net/ejabberd/trunk/src/eldap/eldap.erl

--
Mickaël Rémond
Process-one

I've done and nothing

Hi Mickaël,

I've compiled the file but it does the same. The key is that this eldap.erl file is the same as in 1.1.3.

How can I get a better log to look for what's happening?

Carles.

After debug I'm in 99%, but still doesn't work:

Hi again,

I got it to start from the command line, and I get the following log results; it logs on to LDAP/AD but it says:

"I(<0.295.0>:ejabberd_c2s:417): (#Port<0.311>) Failed legacy authentication for dummy@domain.com/Psi"

I checked the plain text connection on the PSI client and it gets the correct LDAP authentication.

Here is the full log:

Eshell V5.5.2.2 (abort with ^G)
(ejabberd@localhost)1> ---- Message:[{'LDAPMessage',1,
{bindRequest,
{'BindRequest',
3,
"CN=Administrador,CN=Users,DC=domain,DC=com",
{simple,"pwdAdministrator"}}},
asn1_NOVALUE}]
(ejabberd@localhost)1> ---- Message:[{'LDAPMessage',1,
{bindRequest,
{'BindRequest',
3,
"CN=Administrador,CN=Users,DC=domain,DC=com",
{simple,"pwdAdministrator"}}},
asn1_NOVALUE}]
(ejabberd@localhost)1> ---- [{'LDAPMessage',1,
{bindResponse,{'BindResponse',
success,
[],
[],
asn1_NOVALUE,
asn1_NOVALUE}},
asn1_NOVALUE}](ejabberd@localhost)1> ---- [{'LDAPMessage',1
,
{bindResponse,{'BindResponse',
success,
[],
[],
asn1_NOVALUE,
asn1_NOVALUE}},
asn1_NOVALUE}](ejabberd@localhost)1>
=INFO REPORT==== 9-Aug-2007::10:24:59 ===
I(<0.226.0>:ejabberd_listener:90): (#Port<0.311>) Accepted connection {{192,168,25,55},2450} -> {{192,168,25,55},5222}
(ejabberd@localhost)1> ---- [{searchRequest,{'SearchRequest',"dc=domain,dc=com"
,
wholeSubtree,
neverDerefAliases,
0,
0,
false,
{'and',
[{equalityMatch,
{'AttributeValueAssertion',
"mail",
"dummy@domain.com"}},
{equalityMatch,
{'AttributeValueAssertion',
"memberOf",
"CN=JabberUsers,CN=Users,DC=domain,DC=com"}},
{'or',
[{equalityMatch,
{'AttributeValueAssertion',
"userAccountControl",
"66050"}},
{equalityMatch,
{'AttributeValueAssertion',
"userAccountControl",
"66048"}}]}]},
[]}}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://domain.com/CN=Configuration,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}}]
(ejabberd@localhost)1>
=INFO REPORT==== 9-Aug-2007::10:24:59 ===
I(<0.295.0>:ejabberd_c2s:417): (#Port<0.311>) Failed legacy authentication for dummy@domain.com/Psi
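The searchRequest in this log is worth reading closely. As an added example (not from the thread or from ejabberd's source), the script below rebuilds that filter and decodes the two userAccountControl values it tests: 66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD and 66050 adds ACCOUNTDISABLE, so the logged filter lets disabled accounts through the search while rejecting an ordinary account whose value is 512. The alternative filter uses AD's bitwise-AND matching rule; how a custom filter is wired into ejabberd depends on the version and is not shown here.

```python
"""Rebuild the AD search filter seen in the debug log above and decode
the userAccountControl values it tests.  Added example, not ejabberd code."""

# userAccountControl bits (subset of the documented AD flag values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
# Active Directory's bitwise-AND extensible matching rule.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def decode_uac(value):
    """Names of the flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def escape_filter_value(value):
    """RFC 4515 escaping.  The uid comes from the client's JID, so an
    unescaped '*' or ')' would change what the search matches."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def logged_filter(uidattr, uid, group_dn):
    """Exactly the shape the log shows: equality on two UAC values.
    66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD, 66050 adds ACCOUNTDISABLE,
    so this admits disabled accounts and rejects an ordinary 512 account."""
    return ("(&(%s=%s)(memberOf=%s)"
            "(|(userAccountControl=66050)(userAccountControl=66048)))"
            % (uidattr, escape_filter_value(uid),
               escape_filter_value(group_dn)))

def robust_filter(uidattr, uid, group_dn):
    """Same intent with 'not disabled' tested bitwise, so any other UAC
    bits are irrelevant and a disabled account can never match."""
    return ("(&(%s=%s)(memberOf=%s)(objectClass=user)"
            "(!(userAccountControl:%s:=2)))"
            % (uidattr, escape_filter_value(uid),
               escape_filter_value(group_dn), LDAP_MATCHING_RULE_BIT_AND))

if __name__ == "__main__":
    group = "CN=JabberUsers,CN=Users,DC=domain,DC=com"
    for v in (66048, 66050, 512):
        print(v, decode_uac(v))
    print(logged_filter("mail", "dummy@domain.com", group))
    print(robust_filter("mail", "dummy@domain.com", group))
```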

This patch definitely fixes

This patch definitely fixes the problem you describe.
You probably miss a step in the recompile / deployment.

If you can wait for a few days, we are preparing a version 1.1.4 that will include this patch among others.

--
Mickaël Rémond
Process-one

Just one question more

When I recompiled eldap.erl the file ELDAPv3.hrl wasn't on the source:

http://svn.process-one.net/ejabberd/trunk/src/eldap/eldap.erl

And I went to the historical source code to find it, maybe that's the problem? Where can I get it?

Thanks a lot.
Carles.

still isn't working

Hello,
I tried the suggestion (and variations of it) of Paco, but it didn't work. I think that it works for him in win2003, but I'm using win2000, and in win2000 the default for active directory is "{ldap_uidattr, "uid"}." I think?
Could anyone else please try to help with getting LDAP to work according to my configuration, or help me with how to find out other parameters of my configuration, as I asked above?
Thanks a lot.

LDAP AD patch needed?

Could anyone please explain whether ejabberd 1.0.0 is supposed to have built-in support for LDAP authentication that works, or there's something missing in the 1.0.0 release? I came across this page:
http://www.ejabberd.im/ejabberd_ad
Is this patch needed for using Active Directory authentication in Windows, or is ejabberd supposed to work without it and I just haven't figured out how to configure it correctly?
Any help?
Thank you

LDAP and a few more questions

I got SRV records working (had to replace Windows NT 4.0 DNS server with Bind), so now name@myserver.com addresses work great, same as the email addresses, and it communicates without problems with all the public jabber servers that I tried, including google-talk.

I still have no idea about whether LDAP is supposed to work with active-directory, I see some forum posts that say that it works, so is that patch that I mentioned below relevant?

Also, would LDAP prevent me from using shared-roster? It's a very nice feature... The shared-roster tutorial says that it won't work, but the comments below it say that it does work?

BTW, I tried Psi and Exodus with shared-roster (everybody group created with @all@), and they both also show myself (as offline) in the everybody group, is there a way to remove that? If I remove it, it re-appears when I reconnect. (Tkabber works correctly and doesn't show my own account as part of the group, but I'm interested in Psi for jingle/VoIP).

Also, another question: is there a good way to deny connection to the ejabberd server for anyone who doesn't connect from within the company, i.e. for anyone whose current host doesn't match the ejabberd server host, or if he's not in the domain or something like that?

Thanks in advance for any comments,
Iddo
