mod_shared_roster_ldap

Guys, I really like this chat server and would like to use it, but for a week now I haven't been able to set it up the way I need it. Basically I need it to get the rosters from LDAP as well as to display the full name instead of the JID in the client. I've tried different tutorials on mod_shared_roster_ldap and none of them were of any help, including all the tutorials here.

To be more exact, I am able to connect and authenticate with the LDAP server, and so are the clients. However, I don't see anyone in anyone's roster, and if I initiate a chat with someone the client displays the JID, not the full name.

Please find the configuration below (note that domain changed.domain is changed by me on purpose):

{loglevel, 5}.

{watchdog_admins, ["admin@changed.domain"]}.

{hosts, ["changed.domain","ejabber.changed.domain"]}.

{listen,
[
{5222, ejabberd_c2s, [
{certfile, "/opt/ejabberd-2.1.11/conf/server.pem"}, starttls,
{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536}
]},
{5269, ejabberd_s2s_in, [
{shaper, s2s_shaper},
{max_stanza_size, 131072}
]},
{5280, ejabberd_http, [
captcha,
http_bind,
http_poll,
web_admin
]}
]}.

{auth_method, ldap}.
{ldap_servers, ["ldap.changed.domain"]}.
{ldap_port, 389}.
{ldap_rootdn, "cn=Manager,dc=changed,dc=domain"}.
{ldap_password, "somepassword"}.
{ldap_base, "ou=users,dc=changed,dc=domain"}.
{ldap_uids,[{"uid","%u"}]}.
{ldap_userdesc,"cn"}.

{shaper, normal, {maxrate, 1000}}.

{shaper, fast, {maxrate, 50000}}.

{acl, admin, {user, "admin", "changed.domain"}}.

{acl, local, {user_regexp, ""}}.

{access, max_user_sessions, [{10, all}]}.

{access, local, [{allow, local}]}.

{access, c2s, [{deny, blocked},
{allow, all}]}.

{access, c2s_shaper, [{none, admin},
{normal, all}]}.

{access, s2s_shaper, [{fast, all}]}.

{access, announce, [{allow, admin}]}.

{access, configure, [{allow, admin}]}.

{access, muc_admin, [{allow, admin}]}.

{access, muc, [{allow, all}]}.
{access, muc_create, [{allow, local}]}.

{access, register, [{allow, all}]}.

{access, pubsub_createnode, [{allow, local}]}.

{language, "en"}.

{clusterid, 1}.

{modules,
[
{mod_adhoc, []},
{mod_announce, [{access, announce}]}, % requires mod_adhoc
{mod_caps, []},
{mod_configure,[]}, % requires mod_adhoc
{mod_disco, []},
{mod_http_bind,[]},
{mod_last, []},
{mod_muc, [
{access, muc},
{access_create, muc_create},
{access_persistent, muc_create},
{access_admin, muc_admin}
]},
{mod_offline, []},
{mod_privacy, []},
{mod_private, []},
{mod_pubsub, [ % requires mod_caps
{access_createnode, pubsub_createnode},
{ignore_pep_from_offline, true}, % reduce resource consumption, but XEP incompliant
{last_item_cache, false},
{plugins, ["flat", "hometree", "pep"]}
]},
{mod_register, [
{welcome_message, {"Welcome!",
"Welcome to this Jabber server."}},

{access, register}
]},
{mod_roster, []},
{mod_time, []},
{mod_vcard_ldap,
[{ldap_vcard_map,
[
{"GIVEN", "%s", ["givenName"]},
{"FAMILY", "%s", ["sn"]}]},
{ldap_search_fields,
[{"User", "%u"},
{"Name", "givenName"},
{"Family Name", "sn"}]},
{ldap_search_reported,
[{"Full Name", "FN"},
{"Nickname", "NICKNAME"}]}
]},
{mod_version, []},

{mod_shared_roster_ldap,[
{ldap_groupattr, "cn"},
{ldap_rfilter, "(objectClass=posixGroup)"},
{ldap_groupattr,"cn"},
{ldap_groupattr_format, "cn=%g,ou=groups,dc=changed,dc=domain"},
{ldap_gfilter,"(&(objectClass=posixGroup)(cn=%g))"},
{ldap_groupdesc, "All users test"},
{ldap_memberattr, "cn"},
{ldap_memberattr_format, "cn=%u,ou=users,dc=changed,dc=domain"},
{ldap_ufilter,"(&(objectClass=posixAccount)(cn=%u))"},
{ldap_useruid,"uid"},
{ldap_userdesc,"cn"},
{ldap_auth_check,"off"},
{ldap_user_cache_validity, "10"},
{ldap_group_cache_validity, "10"}

]}
]}.

As for the LDAP structure:
-users
# Alex Austin, users, changed.domain
dn: cn=Alex Austin,ou=users,dc=changed,dc=domain
givenName: Alex
sn: Austin
cn: Alex Austin
uid: aaustin
userPassword:: e01ENX03M2R3S2MybmRSVmg4cWFJMjMzdnFRPT0=
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/users/aaustin
loginShell: /bin/sh
departmentNumber: Sysadmins
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: organizationalPerson

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-groups
# users, groups, changed.domain
dn: cn=users,ou=groups,dc=changed,dc=domain
cn: users
gidNumber: 500
objectClass: posixGroup
objectClass: top

# search result
search: 2
result: 0 Success

Where am I going wrong?

Thank you very much in advance,

Yours, Alex Austin

Your groups and your users

Your groups and your users seem to only relate by gidNumber attribute. So you cannot get the group names for your groups from LDAP group objects using mod_shared_roster_ldap (this is its functional limitation; it's something that needs to be fixed, maybe as a part of EJAB-1480).

You seem to have tried many variants of configuration, and even invented your own configuration parameters :) Your configuration (at least the possible one) should look like this:

{mod_shared_roster_ldap,[
%1. Disable useless defaults
{ldap_filter, ""},
%2. Prepare the list of group identifiers
{ldap_rfilter, "(objectClass=posixGroup)"},
%3. Which attribute of the returned objects represent the identifiers
{ldap_groupattr, "gidNumber"},
%4. Now we have the list of all our group ids (in this case, gidNumbers). Now we need to ask each group individually for its name and its member ids. Unfortunately, there's only one query that must give us both these pieces of info, thus the limitation mentioned above. As a workaround, we will use the departmentNumber as the group name. So, our query will be used only to give us users:
{ldap_gfilter,"(&(objectClass=posixAccount)(gidNumber=%g))"},
%5. Where is the group name? The query above will give us multiple user objects, and each will hold the attribute. We need only one name. In this case, the module will just take the value of a last object. You cannot pass an arbitrary string here; it MUST be an attribute name.
{ldap_groupdesc, "departmentNumber"},
%6. Where are the member user ids. Note that this MUST be the uid part of the JID, so it MUST NOT contain spaces. It should be the same as you use for auth.
{ldap_memberattr, "uid"},
%7. Now we have a list of groups, each with its name and its list of user ids. Now we will ask each user for its display name.
{ldap_ufilter,"(&(objectClass=posixAccount)(uid=%u))"},
%8. Where is the user display name
{ldap_userdesc,"cn"},

{ldap_auth_check,"off"},
{ldap_user_cache_validity, "10"},
{ldap_group_cache_validity, "10"}
]}

I too struggled with

I too struggled with mod_shared_roster_ldap for a long time. What I have found works best for me is to filter the users by a single standard LDAP parameter. This parameter will be displayed in the XMPP client as the name of the group.

I use Windows Active Directory as my LDAP source, the sAMAccountName as the UID, and make sure all users have the physicalDeliveryOfficeName attribute filled out. (If they don't, they won't be displayed in the roster at all.) I use the following module config:

{mod_shared_roster_ldap,[
{ldap_filter, "(objectClass=user)"},
{ldap_rfilter, "(objectClass=user)"},
{ldap_groupattr, "physicalDeliveryOfficeName"},
{ldap_groupdesc, "physicalDeliveryOfficeName"},
{ldap_memberattr, "sAMAccountName"},
{ldap_userdesc, "displayName"}
]}
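Both answers describe the same lookup sequence with different attribute choices. The Python model below is added here as an example; it is not ejabberd code. It runs that sequence offline over a small in-memory directory: the posixAccount and posixGroup entries are taken from the question's ldapsearch output, while the second user (Bob Brown) and the Active Directory style entries are constructed. It evaluates the three configurations on this page (the question's, the first answer's and the second answer's) and shows why the first yields a group with no members while the other two populate the roster. Its gfilter/ufilter defaults, the rule that a member id containing a space is dropped, and the fallback to the raw uid when no user object is found are the model's own assumptions, not documented ejabberd behaviour. One detail worth keeping even in a model: every %u and %g value is RFC 4515 escaped before it is spliced into a filter, which is what stops an attribute value such as `a)(uid=*` from widening the search.

```python
"""Offline model of the lookups mod_shared_roster_ldap makes; added example, not ejabberd code."""
import re

def entry(**attrs):  # LDAP-like entry: attribute names lower-cased, every value a list
    return {k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}

POSIX_DIR = [  # constructed from the question's ldapsearch output, plus an invented second user
    entry(objectClass=["inetOrgPerson", "posixAccount"], cn="Alex Austin", uid="aaustin",
          gidNumber="500", departmentNumber="Sysadmins"),
    entry(objectClass=["inetOrgPerson", "posixAccount"], cn="Bob Brown", uid="bbrown",
          gidNumber="500", departmentNumber="Sysadmins"),
    entry(objectClass="posixGroup", cn="users", gidNumber="500")]
AD_DIR = [  # invented Active Directory style entries for the second answer's config
    entry(objectClass="user", sAMAccountName="jdoe", displayName="Jane Doe",
          physicalDeliveryOfficeName="Main Office"),
    entry(objectClass="user", sAMAccountName="rroe", displayName="Rob Roe",
          physicalDeliveryOfficeName="Main Office"),
    entry(objectClass="user", sAMAccountName="nobody", displayName="No Office")]  # no office
def ldap_escape(value):  # RFC 4515 escaping; keeps a %u/%g value from injecting filter terms
    return "".join(c if c not in "\\*()\x00" else "\\%02x" % ord(c) for c in value)
def substitute(filt, **subs):  # replace %g / %u placeholders with escaped values
    for key, val in subs.items():
        filt = filt.replace("%" + key, ldap_escape(val))
    return filt

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value), (attr=*), (&..), (|..), (!..)."""
    pos = 0
    def node():
        nonlocal pos
        assert text[pos] == "(", "expected '(' at %d in %r" % (pos, text)
        pos += 1
        if text[pos] in "&|!":
            op, kids, pos = text[pos], [], pos + 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # closing ')'
            return (op, kids)
        end = text.index(")", pos)
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        unesc = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return ("=", attr.lower(), None if raw == "*" else unesc)  # None = presence test
    tree = node()
    assert pos == len(text), "trailing data in %r" % text
    return tree

def matches(tree, e):
    op = tree[0]
    if op in "&|": return (all if op == "&" else any)(matches(k, e) for k in tree[1])
    if op == "!": return not matches(tree[1][0], e)
    _, attr, value = tree
    vals = [v.lower() for v in e.get(attr, [])]  # caseIgnoreMatch, as for most string attributes
    return bool(vals) if value is None else value.lower() in vals
def search(directory, filt): t = parse_filter(filt); return [e for e in directory if matches(t, e)]
def member_pattern(fmt):  # ldap_memberattr_format 'cn=%u,ou=...' -> regex capturing the %u part
    return re.compile("^" + "(.+)".join(re.escape(p) for p in (fmt or "%u").split("%u")) + "$")
def shared_rosters(cfg, directory):
    """rfilter -> group ids; gfilter -> group name and member ids; ufilter -> display names.
    The gfilter/ufilter defaults, the no-spaces rule and the raw-uid fallback are assumptions."""
    base = cfg.get("ldap_filter", "")
    with_base = lambda f: "(&%s%s)" % (base, f) if base else f
    groupattr, memberattr = cfg["ldap_groupattr"].lower(), cfg["ldap_memberattr"].lower()
    groupdesc, userdesc = cfg.get("ldap_groupdesc", groupattr).lower(), cfg.get("ldap_userdesc", "cn").lower()
    gfilter = cfg.get("ldap_gfilter") or with_base("(%s=%%g)" % groupattr)
    ufilter = cfg.get("ldap_ufilter") or with_base("(%s=%%u)" % cfg.get("ldap_useruid", memberattr))
    pat, groups = member_pattern(cfg.get("ldap_memberattr_format")), {}
    rhits = search(directory, with_base(cfg["ldap_rfilter"]))
    for gid in sorted({v for e in rhits for v in e.get(groupattr, [])}):
        name, members = gid, []
        for e in search(directory, substitute(gfilter, g=gid)):
            name = e.get(groupdesc, [name])[-1]  # last object's value wins (answer 1, step 5)
            for raw in e.get(memberattr, []):
                m = pat.match(raw)  # values that do not fit memberattr_format are skipped
                if m and " " not in m.group(1):  # a JID node part cannot contain spaces (step 6)
                    members.append(m.group(1))
        names = {}
        for uid in members:
            hits = search(directory, substitute(ufilter, u=uid))
            names[uid] = hits[-1].get(userdesc, [uid])[-1] if hits else uid
        groups[gid] = {"name": name, "members": names}
    return groups
OP_CFG = {  # the question's config; keys the module does not define are ignored here
    "ldap_rfilter": "(objectClass=posixGroup)", "ldap_groupattr": "cn",
    "ldap_gfilter": "(&(objectClass=posixGroup)(cn=%g))", "ldap_groupdesc": "All users test",
    "ldap_memberattr": "cn", "ldap_memberattr_format": "cn=%u,ou=users,dc=changed,dc=domain",
    "ldap_ufilter": "(&(objectClass=posixAccount)(cn=%u))", "ldap_userdesc": "cn"}
ANSWER1_CFG = {  # first answer: group by gidNumber, take the name from departmentNumber
    "ldap_filter": "", "ldap_rfilter": "(objectClass=posixGroup)", "ldap_groupattr": "gidNumber",
    "ldap_gfilter": "(&(objectClass=posixAccount)(gidNumber=%g))", "ldap_groupdesc": "departmentNumber",
    "ldap_memberattr": "uid", "ldap_ufilter": "(&(objectClass=posixAccount)(uid=%u))", "ldap_userdesc": "cn"}
AD_CFG = {  # second answer: one group per physicalDeliveryOfficeName value
    "ldap_filter": "(objectClass=user)", "ldap_rfilter": "(objectClass=user)",
    "ldap_groupattr": "physicalDeliveryOfficeName", "ldap_groupdesc": "physicalDeliveryOfficeName",
    "ldap_memberattr": "sAMAccountName", "ldap_userdesc": "displayName"}
if __name__ == "__main__":
    for cfg, d in ((OP_CFG, POSIX_DIR), (ANSWER1_CFG, POSIX_DIR), (AD_CFG, AD_DIR)): print(shared_rosters(cfg, d))
```

Running it prints one dict per configuration: the question's config produces the group "users" with an empty member list (the posixGroup object carries no per-user cn values that fit the memberattr_format, so nothing survives to the ufilter step), the first answer's config produces group "500" named "Sysadmins" with both uids resolved to their cn, and the AD config produces one "Main Office" group containing only the two accounts that have the attribute. Separately, note that the posted configuration binds to the directory on port 389 with no TLS option, so the rootdn password and every one of these lookups cross the network in clear.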
