ejabberd - Comments for "Hot wo setup mod_shared_roosters_ldap? "

Thanks for the answers, as

Yaerox — Wed, 20 Aug 2014 11:06:38 +0000

Thanks for the answers, as soon as I'll have time to try this out, I'll reply. Actual trying some alternatives.

Yaerox wrote: That's exactly

voest — Tue, 19 Aug 2014 08:06:00 +0000

Yaerox wrote:

That's exactly what I need to do too, but my research couldn't help me finding a solution.

I'm not even as far as you're :/ If you would be so kind, could u help me out to get as far as you are?

Those might also help you:

http://www.process-one.net/docs/ejabberd/guide_en.html#modsharedrosterldap

http://www.ejabberd.im/node/4722

Is that your whole configuration ? Since i don't see any LDAP Binding ...

Well i consider you left that part out ...
I think your problem is that your ldap filters are strange :)

Your ldap configuration should look something like this:

{auth_method, ldap}.
{ldap_servers, ["server.domain.com"]}.
{ldap_uids, [{"sAMAccountName"}]}.
{ldap_encrypt, tls}.
{ldap_tls_verify, false}. %% for debbugging reasons its easy :P
{ldap_port, 636}.
{ldap_base, "DC=server,DC=com"}.
{ldap_rootdn, "CN=ldapauth,OU=users,DC=domain,DC=com"}.
{ldap_password, "*******"}.
{ldap_filter, "(objectClass=*)"}.

{mod_shared_roster_ldap, [
{ldap_base, "ou=ejabberd,ou=Groups,dc=domain,dc=com"},
{ldap_groupattr, "cn"},
{ldap_groupdesc, "description"},
{ldap_memberattr, "member"},
{ldap_memberattr_format, "CN=%u,OU=Users,DC=domain,DC=com"},
{ldap_useruid, "cn"},
{ldap_userdesc, "displayName"},
{ldap_rfilter, "(objectClass=group)"},
{ldap_gfilter, "(cn=%g)"},
{ldap_ufilter, "(cn=%u)"},
{ldap_filter, ""},
]},

I hope this helps you :)

I'm trying for hours...I read

Yaerox — Fri, 15 Aug 2014 14:46:31 +0000

I'm trying for hours...I read my local documentation which seems different from the actual online version, I tried this the same way they do:

This however seems to be a common DIT layout, so the module keeps supporting it. You can use the following configuration…

modules:
...
mod_shared_roster_ldap:
ldap_base: "ou=flat,dc=nodomain"
ldap_rfilter: "(objectClass=inetOrgPerson)"
ldap_groupattr: "ou"
ldap_memberattr: "cn"
ldap_filter: "(objectClass=inetOrgPerson)"
ldap_userdesc: "displayName"
...

…to be provided with a roster as shown in figure 3.2 upon connecting as user czesio.

My config looked like:

mod_shared_roster_ldap: {
ldap_base: "ou=Benutzer,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de",
ldap_rfilter: "(objectClass=user)",
ldap_groupattr: "ou",
ldap_memberattr: "cn",
ldap_filter: "(objectClass=user)",
ldap_userdesc: "displayName"
}

nothing is happening. Log says stuff like this ... :

2014-08-15 16:06:43.884 [debug] <0.1947.0>@ejabberd_local:do_route:296 local route
from {jid,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<"IP_ADRESS_MY_PC">>,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<"IP_ADRESS_MY_PC">>}
to {jid,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<>>,<<"MYUSERNAME">>,<<"DOMAIN.de">>,<<>>}
packet {xmlel,<<"iq">>,[{<<"xml:lang">>,<<"de">>},{<<"type">>,<<...>>},{<<...>>,...}],[{xmlcdata,<<...>>},{xmlel,...},{...}]}

For me this looks like the result is empty.

Maybe another example explained how I get to my configs:

mod_shared_roster_ldap: {
ldap_base: "ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de", ## Start search here ...
ldap_rfilter: "(&(objectClass=organizationalUnit)(distinguishedName=ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de))", ## Looking for an OU called "Users" in the ldap_base ...
ldap_filter: "", ## this is always empty, I didn't understood why ...

ldap_groupattr: "distinguishedName", ## This is what the rfilter will return.

## ----------------------------------
## Result: Name | Value | > DN
## OU | Users | ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
##
## So I guess ldap_groupattr->distinguishedName is equal Users now
## ==> %g = Users
## ----------------------------------

ldap_gfilter: "(&(objectClass=user)(memberOf=CN=MYGROUP,OU=Groups,OU=DOMAIN1/DOMAIN2,DC=DOMAIN1,DC=DOMAIN2,DC=de))", ## Looking for Users who are memberOf MYGROUP..

ldap_groupdesc: "displayName",
ldap_memberattr: "cn",

## ----------------------------------
## Result: Name | Value | > DN
## CN | User001 | ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## CN | User002 | ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## CN | User003 | ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## CN | User004 | ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
##
## So I guess ldap_groupattr->distinguishedName, ldap_groupdesc->displayName and ldap_memberattr->cn is now running in a loop and changing it's value 4 times.
## #1 ldap_groupattr->distinguishedName = cn=User001,ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #1 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #1 ldap_memberattr->cn = User001
##
## #2 ldap_groupattr->distinguishedName = cn=User002,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #2 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #2 ldap_memberattr->cn = User002
##
## #3 ldap_groupattr->distinguishedName = cn=User003,ou=Test,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #3 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #3 ldap_memberattr->cn = User003
##
## #4 ldap_groupattr->distinguishedName = cn=User004,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
## #4 ldap_groupdesc->displayName = Users_Firstname Users_Lastname
## #4 ldap_memberattr->cn = User004
##
## So I guess ldap_groupdesc->displayName is: ==> %u = Users_Firstname Users_Lastname
## ----------------------------------

ldap_memberattr_format: "cn=%u,ou=Users,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de"

ldap_ufilter: "(&(objectClass=user)(memberOf=CN=MYGROUP,OU=Groups,OU=DOMAIN1/DOMAIN2,DC=DOMAIN1,DC=DOMAIN2,DC=de)(distinguishedName=%g))",

## ----------------------------------
## Result: Name | Value | > DN
## CN | User001 | ou=Test,ou=DOMAIN1/DOMAIN2,dc=DOMAIN1,dc=DOMAIN2,dc=de
##
## So I guess ldap_userdesc->cn: ==> %u = User001
## ----------------------------------

ldap_userdesc: "cn"
}

Do I understand this right? Because it is still nothing happening with this latest configurations ... please help me out.

Edited first post.

Yaerox — Fri, 15 Aug 2014 09:20:34 +0000

Edited first post.

@YAerox: So I am not so

bedfordr — Thu, 14 Aug 2014 16:17:18 +0000

@YAerox:
So I am not so familiar with ejabberd-14.07, but setting aside the formatting differences from 2.1, you are trying the webadmin access -- have you set your ldap account as an administrator?

%% Admin user
{acl, admin, {user, "MyUsername", "DOMAIN1.DOMAIN2.com"}}.

change the domain name to whatever you use

I think that input represents the only users that are allowed to log into webadmin.

My next suggestion is to relegate the ldap_servers to a single server for now. I am less familiar with multiple servers.