[SOLVED !!] mod_shared_roster_ldap

> Could someone using mod_shared_roster_ldap please paste the relevant part of his ejabberd.cfg?
> I'm looking for explanations about this module, but I can't find any.
>
> Thanks

Finally, I got it working with OpenLDAP.
After spending some time looking at the debug output of OpenLDAP and blindly trying some parameters in mod_shared_roster_ldap, I figured out how it works.

Here are the parameters:

- ldap_groupattr: the attribute that holds the group names and is used to tell them apart (cn=technical | cn=sales | cn=external).

- ldap_groupdesc: not used in my case. Whatever the value was, it always worked.

- ldap_memberattr: the attribute that contains the IDs of the members of these groups. In my case, my groups have the posixGroup objectClass, and with posixGroup, "memberUid" holds the IDs of the members.
If you use groupOfNames, it should be "member=uid".
If you use groupOfUniqueNames -> "uniqueMember=uid".
Not 100% sure about the last two, not tried. Have a look at your schemas.

- ldap_filter: the search filter you want to apply. If you don't want one, set "[ldap_memberattr]=*". It is mostly there for Outlook LDAP schema compatibility.

Now we have something like:

Quote:

{mod_shared_roster_ldap, [
    {ldap_base, "o=E-Group,dc=electronic-group,dc=com"},
    {ldap_groupattr, "cn"},
    {ldap_groupdesc, "Groups"},
    {ldap_memberattr, "memberUid"},
    {ldap_filter, "(memberUid=*)"}
]},

When a user logs in, 2 LDAP searches are performed:

The first one returns the groups that the user belongs to.

Quote:

SRCH base="o=E-Group,dc=electronic-group,dc=com" scope=2 deref=0 filter="(&(&(memberUid=test)(cn=*))(memberUid=*))"

the first criterion is [ldap_memberattr]+[ejabberd_user]
the second is [ldap_groupattr]+*
the third is [ldap_filter]

The second one returns the members of the groups returned by the first search.
You can see that the second search criterion is replaced with the name of the group.

Quote:

SRCH base="o=E-Group,dc=electronic-group,dc=com" scope=2 deref=0 filter="(&(&(memberUid=*)(cn=egroup))(memberUid=*))"

Finally, this is pretty sweet because you can create groups from anything. For instance, my users are in:
[location_name],ou=Users,o=E-Group,dc=electronic-group,dc=com
I just have to set ldap_groupattr to the location_name attribute "l", and ldap_memberattr to "uid", and my roster will contain all users of my location.

Drawbacks: a much longer login time. The module makes a lot of identical LDAP searches. It takes up to 15 seconds.

Sorry for the bad English.
If you have problems, it is good to use ldapsearch or the phpLDAPadmin search function to look at the output of your search criteria.

PS: Now I am looking to display groups that I am not part of (so I could see users that are not in the same location as me, for instance).
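The two searches described in the post above, reproduced as an added example (this is not ejabberd's code and not part of the original post). It builds the filter strings seen in the OpenLDAP debug output from ldap_memberattr, ldap_groupattr and ldap_filter, runs them over a small constructed in-memory directory instead of a real ldapsearch, and also covers the "groups from any attribute" trick with l/uid. The user and group names are escaped per RFC 4515 before being spliced into the filter; whether the real module escapes them is not something this thread shows, so the `escape` flag is only there to demonstrate what goes wrong when a name carrying filter syntax is inserted raw. The config dicts, sample entries and function names are all assumptions of this example.

```python
"""Reproduce the two LDAP searches mod_shared_roster_ldap performs at login.

Added example, not ejabberd's own code. Filter strings match the ones quoted
from the OpenLDAP debug output; entries, configs and names are constructed.
"""
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so the filter matches it literally instead of as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def membership_filter(cfg: dict, user: str, escape: bool = True) -> str:
    """Search 1: the groups the user belongs to, e.g.
    (&(&(memberUid=test)(cn=*))(memberUid=*)) for the posixGroup config."""
    u = escape_filter_value(user) if escape else user
    return f"(&(&({cfg['ldap_memberattr']}={u})({cfg['ldap_groupattr']}=*)){cfg['ldap_filter']})"


def members_filter(cfg: dict, group: str, escape: bool = True) -> str:
    """Search 2: members of one group found by search 1; the group criterion now
    carries the group name, e.g. (&(&(memberUid=*)(cn=egroup))(memberUid=*))."""
    g = escape_filter_value(group) if escape else group
    return f"(&(&({cfg['ldap_memberattr']}=*)({cfg['ldap_groupattr']}={g})){cfg['ldap_filter']})"


def _parse(s: str, i: int = 0):
    """Parse the subset of RFC 4515 these filters use: (&...) and (attr=value)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i} in {s!r}")
    if s[i + 1] == "&":
        subs, i = [], i + 2
        while s[i] != ")":
            node, i = _parse(s, i)
            subs.append(node)
        return ("and", subs), i + 1
    j = s.index(")", i)  # a properly escaped value contains no literal ')'
    attr, value = s[i + 1:j].split("=", 1)
    return ("eq", attr, value), j + 1


def _matches(node, entry: dict) -> bool:
    if node[0] == "and":
        return all(_matches(n, entry) for n in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else _unescape(value).lower() in values


def search(entries: list, ldap_filter: str) -> list:
    """Stand-in for 'ldapsearch -b <ldap_base> <filter>' over in-memory entries."""
    tree, end = _parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError(f"trailing data in filter {ldap_filter!r}")
    return [e for e in entries if _matches(tree, e)]


def shared_roster(cfg: dict, entries: list, user: str, escape: bool = True) -> dict:
    """Run both searches the way the post describes; return {group: members}."""
    roster = {}
    for group_entry in search(entries, membership_filter(cfg, user, escape)):
        for name in group_entry[cfg["ldap_groupattr"]]:
            hits = search(entries, members_filter(cfg, name, escape))
            roster[name] = sorted({m for e in hits for m in e[cfg["ldap_memberattr"]]})
    return roster


# Constructed sample directory (assumption, not from the thread): posixGroup entries.
POSIX_CFG = {"ldap_groupattr": "cn", "ldap_memberattr": "memberUid", "ldap_filter": "(memberUid=*)"}
GROUPS = [
    {"cn": ["technical"], "memberUid": ["test", "alice"]},
    {"cn": ["sales"], "memberUid": ["bob"]},
    {"cn": ["external"], "memberUid": ["carol", "test"]},
]
# The "groups from any attribute" variant: location 'l' as the group, 'uid' as the member.
LOCATION_CFG = {"ldap_groupattr": "l", "ldap_memberattr": "uid", "ldap_filter": "(uid=*)"}
USERS = [
    {"uid": ["test"], "l": ["Paris"]},
    {"uid": ["alice"], "l": ["Paris"]},
    {"uid": ["bob"], "l": ["Lyon"]},
]

if __name__ == "__main__":
    print(membership_filter(POSIX_CFG, "test"))
    print(shared_roster(POSIX_CFG, GROUPS, "test"))
    print(shared_roster(LOCATION_CFG, USERS, "test"))
    # A user name carrying filter syntax widens search 1 to every group unless escaped.
    print(shared_roster(POSIX_CFG, GROUPS, "*)(cn=*", escape=False))
    print(shared_roster(POSIX_CFG, GROUPS, "*)(cn=*"))
```

The last two calls are the caveat worth keeping in mind when the member attribute is fed from a user-controlled name: with `escape=False` the string `*)(cn=*` turns search 1 into `(&(&(memberUid=*)(cn=*)(cn=*))(memberUid=*))`, which matches every group in the directory, while the escaped form matches nothing because no group has that literal member. The same filter strings can be pasted into ldapsearch against the real ldap_base to compare with what the module gets back.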

Hello, Thanks for detailed

Hello,

Thanks for the detailed explanation (btw I do not insist on continuing this thread in English; you can switch to Russian if it is more comfortable for you :)).
I've configured mod_shared_roster_ldap per your example and am wondering if there is something else that needs to be done. I do not see any changes to the roster or to the shared roster page of the ejabberd web-admin interface...
How can I put my group neighbours into my roster now?

Likewise, I did not get any results with the "you can create groups with everything" method.
Thanks in advance

Hi bodomizer.Normally,

Hi bodomizer.
Thanks for proposing Russian to me. I learned it some years ago but can't remember anything :)
Let's continue in English.

Normally, nothing else needs to be done besides configuring those 5 parameters and, of course, checking that the LDAP server can be reached by the ejabberd one. If you can, run your LDAP server in debug mode and check the output when a user logs in.
I could help you much better if you could post an LDIF of your LDAP DB.
For instance :

Quote:

ldapsearch -x -W -b ou=Groups,dc=my_company,dc=com -v -u -h ldap.server.com -D cn=xxx,dc=my_company,dc=com

and remove or change the personal information. That would be great.

still not working

Hi,

you seem to be a professional; maybe you can help me out a bit.

I followed your instructions, yet I cannot get it to work by any means.

here's an extract of my LDIF file:

Quote:

# entry-id: 43
dn: uid=jdoe,ou=IT,ou=employees,dc=example,dc=com
uid: jdoe
givenName: john
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: doe
cn: john doe
userPassword: [somepassword]
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20070303140238Z
modifyTimestamp: 20070303140238Z
nsUniqueId: c0388f01-c98f11db-807482aa-0bf53725

here's what I did to my ejabberd.cfg:

Quote:

...
{mod_roster, []},
{mod_shared_roster, [
    {ldap_base, "dc=example,dc=com"},
    {ldap_groupattr, "ou"},
    {ldap_groupdesc, "employees"},
    {ldap_memberattr, "uid"},
    {ldap_filter, "(uid=*)"}
]},
...

I'm not really sure what's supposed to go in ldap_groupattr, but since my groups are ou=IT and ou=employees I figured it should be set to "ou". Was I right?

Also, is adding a "new shared roster group" in the "shared roster" menu of the web admin page necessary when authenticating against LDAP?

Any help would be greatly appreciated.

Greetz,
primski

mod_shared_roster x mod_shared_roster_ldap

primski,

You have to configure mod_shared_roster_ldap and comment out the lines referring to mod_shared_roster. So, replace your code with the lines below in ejabberd.cfg and it must work.

Quote:

%% mod_shared_roster is commented out: mod_shared_roster_ldap replaces it
%% {mod_shared_roster, []},
{mod_shared_roster_ldap, [
    {ldap_base, "dc=example,dc=com"},
    {ldap_groupattr, "ou"},
    {ldap_groupdesc, "employees"},
    {ldap_memberattr, "uid"},
    {ldap_filter, "(uid=*)"}
]},

Best regards,
Robson
