Web Admin Login does not work after ldap AD authentication configured

Hello all,

New to ejabberd and need some help please. I have ejabberd up and have it set up to integrate with my windows AD. However, when I turn on the windows AD in config file, it works, but I can no longer log into the Web Admin of the jabber server with the old Admin credentials.

When you turn on ldap AD authentication, what changes in the Web Admin auth???

How do I register a Web Admin login after ldap authentication is on???

Thanks, Ron N

I have the exact same

I have the exact same problem. I've tried just about everything I can think of but when I go to the admin page I'm not able to logon. Can someone please help us? Thanks

Why not use an AD account?

I just use an account in AD to admin the server.

{acl, admin, {user, "administrator", "domain.local"}}.

then login to the web admin as administrator@domain.local.
Obviously, this would have to be adjusted based on your domain and configuration.

I'm trying to use a domain

I'm trying to use a domain account, it doesn't want to work. How can I verify that it's actually connecting to LDAP?

AD auth to Web Admin

I would think that if your users were able to authenticate via AD, you should be able to login to the web admin via AD. See what the logs show. Try granting admin access to an account that can successfully login to jabber.

Re: AD auth to Web Admin

I have a similar issue. However, no AD users can login. I see multiple connections to my LDAP server in netstat, yet I cannot login with anyone, nor can I get access to the admin console. I've read that multiple people have got this to run against AD, but I've seen no conclusive evidence or any sample configuration files that might serve as a road map to successfully setting up ejabberd with AD. Here's the setup I'm running. Perhaps someone can point out where I might be making mistakes?

ejabberd.cfg

{acl, admin, {user, "myAdminUser", "child.domain.com"}}.

{hosts, ["child.domain.com"]}.

{access, pubsub_createnode, [{allow, all}]}.
{access, configure, [{allow, admin}]}.
{access, announce, [{allow, admin}]}.
{access, c2s, [{deny, blocked},
               {allow, all}]}.
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
%{access, local, [{allow, local}]}.

{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.

{max_user_sessions, 10}.
{language, "en"}.

{auth_method, ldap}.
{ldap_servers, ["child.domain.com"]}.    % List of LDAP servers
%{ldap_uidattr, "uid"}.            % LDAP attribute that holds user ID (is this necessary for AD?)
{ldap_port, 389}.
{ldap_base, "dc=child,dc=domain,dc=com"}. % Search base of LDAP directory
{ldap_rootdn, "cn=myServiceAccount,cn=Service Accounts OU,cn=Organization,dc=child,dc=domain,dc=com"}. % LDAP manager
{ldap_password, "*******"}. % Password to LDAP manager
{ldap_uids, [{"sAMAccountName", "%u"}]}.
{ldap_filter, "(&(objectClass=user)(objecCategory=person))"}.

{listen,
% Ordinary client-2-server service
[{5222, ejabberd_c2s,     [{access, c2s},
                            {max_stanza_size, 65536},
                            starttls, {certfile, "/etc/ejabberd/ejabberd.pem"},
                            {shaper, c2s_shaper}]},

% SSL-enabled client-2-server service
  {5223, ejabberd_c2s,     [{access, c2s},
                            {max_stanza_size, 65536},
                            tls, {certfile, "/etc/ejabberd/ejabberd.pem"},
                            {shaper, c2s_shaper}]},

% Server-2-server service
  {5269, ejabberd_s2s_in,  [{shaper, s2s_shaper},
                            {max_stanza_size, 131072}]},
  {5280, ejabberd_http,    [http_poll, web_admin]}
  ]}.

{outgoing_s2s_port, 5269}.

{modules,
[
  {mod_adhoc,      []},
  {mod_announce,   [{access, announce}]}, % Depends on mod_adhoc
  {mod_register,   [
                    {welcome_message,
                    {"Welcome!", "Welcome to child.domain.com Jabber Service."}},
                    {access, register}
                   ]
  },
  {mod_roster,     []},
  {mod_privacy,    []},
  {mod_configure,  []}, % Depends on mod_adhoc
  {mod_configure2, []},
  {mod_disco,      []},
  {mod_stats,      []},
  {mod_offline,    []},
  {mod_echo,       []},
  {mod_private,    []},
  {mod_irc,        []},
  {mod_vcard,      []},
  % LDAP Mappings
  {mod_vcard_ldap,
    [{ldap_vcard_map,
      [{"NICKNAME", "%u", []},
       {"GIVEN", "%s", ["givenName"]},
       {"MIDDLE", "%s", ["initials"]},
       {"FAMILY", "%s", ["sn"]},
       {"FN", "%s", ["displayName"]},
       {"EMAIL", "%s", ["mail"]},
       {"ORGNAME", "%s", ["company"]},
       {"ORGUNIT", "%s", ["department"]},
       {"CTRY", "%s", ["c"]},
       {"LOCALITY", "%s", ["l"]},
       {"STREET", "%s", ["streetAddress"]},
       {"REGION", "%s", ["st"]},
       {"PCODE", "%s", ["postalCode"]},
       {"TITLE", "%s", ["title"]},
       {"URL", "%s", ["wWWHomePage"]},
       {"DESC", "%s", ["description"]},
       {"TEL", "%s", ["telephoneNumber"]}]
    },
    {ldap_search_fields,
      [{"User", "%u"},
       {"Name", "givenName"},
       {"Family Name", "sn"},
       {"Email", "mail"},
       {"Company", "company"},
       {"Department", "department"},
       {"Role", "title"},
       {"Description", "description"},
       {"Phone", "telephoneNumber"}]
    },
    {ldap_search_reported,
      [{"Full Name", "FN"},
       {"Nickname", "NICKNAME"},
       {"Email", "EMAIL"}]
    }]
  },
  {mod_muc,        [{host, "conference.@HOST@"},
                    {access, muc},
                    {access_create, muc},
                    {access_persistent, muc},
                    {access_admin, muc_admin}]},
  {mod_shared_roster, []},
  {mod_pubsub,     [
    {access_createnode, pubsub_createnode},
    {plugins, ["default", "pep"]}
  ]},
  {mod_caps,       []},
  {mod_time,       []},
  {mod_last,       []},
  {mod_version,    []}
]}.

It took me a while just to get the nonsense worked out of the default config file just to get it to a point where it would stop throwing syntax errors.
I'm running the version of ejabberd that comes with Debian lenny/sid. I believe it's 1.1.4. At least that was what was in my /var/cache/apt/archives/ directory. I have an AD forest with domain.com and child.domain.com, each domain tree having 2 Win2k3 Enterprise domain controllers. I'm connecting to child.domain.com because it has the employee directory. When I start the service I get no errors, only the following:

ejabberd.log

=INFO REPORT==== 2009-12-04 15:19:34 ===
I(<0.237.0>:ejabberd_listener:90): (#Port<0.338>) Accepted connection {{10,0,5,60},11133} -> {{10,0,5,10},5280}

=INFO REPORT==== 2009-12-04 15:19:34 ===
I(<0.229.0>:ejabberd_http:78): started: {gen_tcp,#Port<0.338>}

=INFO REPORT==== 2009-12-04 15:19:34 ===
I(<0.320.0>:ejabberd_http:178): (#Port<0.338>) http query: 'GET' /admin

=INFO REPORT==== 2009-12-04 15:19:34 ===
I(<0.320.0>:ejabberd_http:178): (#Port<0.338>) http query: 'GET' /admin

=INFO REPORT==== 2009-12-04 15:19:40 ===
I(<0.320.0>:ejabberd_http:178): (#Port<0.338>) http query: 'GET' /admin

Any ideas on what I'm doing wrong? The ACL for the admin user is mapped to a legitimate AD user. I don't know if it's the config file or the fact that I set it up with a local admin user first and then tried to get it to hook into AD. Do I have to completely uninstall and re-install?

One other question. Is there a way to not put the password in this config file for the myServiceAccount user? I would rather not have that information in a flat text file.

Any insight would be greatly appreciated.

John

You need to open

You need to open "http://your-jabber-server-name-or-ip:5280/admin" in your web browser, as described in ejabberd Installation and Operation Guide, chapter 4.3 "Web Admin". Then you must enter the FULL Jabber ID of the administrator user (as you use AD authentication, you should note that neither "myAdminUser" nor "child.domain.com\myAdminUser" will satisfy ejabberd, only "myAdminUser@child.domain.com" will be ok. Also note that your admin must be in the ejabberd user database, so in your case it must be the member of child.domain.com, not any parent domain).
If you suppose that it may be some previous configuration that ejabberd remembers, then you may try to put these lines at the beginning of the config:

override_global.
override_local.
override_acls.

(note that this is also covered in the ejabberd Installation and Operation Guide, chapter 3.1 "Basic Configuration").
If you want to find out the version of ejabberd, refer here.
I don't know if your version of ejabberd supports web-admin, but you may consider installing a current version.
You need to put the password in this config in plain. However, you don't need to use a kind of admin account here, the only privilege it needs is to search the catalog for the users. It doesn't even need to be a "Domain Users" member. So it's a good idea to make a special restricted account in AD for this purpose only, and use it here.
I successfully run an AD/ejabberd 2.0.5 configuration, and use WebAdmin. My config goes here:

override_global.
override_local.
override_acls.
{loglevel, 4}.
{hosts, ["pi.local"]}.
{listen,
[
  {5222, ejabberd_c2s, [
    {certfile, "/usr/local/etc/ejabberd/ejabberd.pem"}, starttls,
    {access, c2s},
    {shaper, c2s_shaper},
    {max_stanza_size, 65536}
  ]},
  {5269, ejabberd_s2s_in, [
    {shaper, s2s_shaper},
    {max_stanza_size, 131072}
  ]},
  {5280, ejabberd_http, [
    http_poll,
    web_admin
  ]}
]}.
{auth_method, ldap}.
{ldap_servers, ["dc2.pi.local", "dc.pi.local"]}. % List of LDAP servers
{ldap_base, "OU=pi,DC=pi,DC=local"}. % Search base of LDAP directory
{ldap_rootdn, "CN=jabber,CN=Users,DC=pi,DC=local"}. % LDAP manager
{ldap_password, "********"}. % Password to LDAP manager
{ldap_uids, [{"userPrincipalName","%u@pi.local"}]}.
{ldap_filter, "(&(objectCategory=person)(objectClass=user))"}.
{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
{acl, admin, {user, "admin", "pi.local"}}.
{acl, admin, {user, "avv", "pi.local"}}.
{acl, local, {user_regexp, ""}}.
{acl, announcer, {user, "В.В.Пупкин", "pi.local"}}.
{acl, announcer, {user, "М.Б.Каганский", "pi.local"}}.
{access, max_user_sessions, [{10, all}]}.
{access, local, [{allow, local}]}.
{access, c2s, [{deny, blocked},
               {allow, all}]}.
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, announce, [{allow, admin},{allow, announcer}]}.
{access, configure, [{allow, admin}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, pubsub_createnode, [{allow, all}]}.
{access, register, [{allow, all}]}.
{language, "en"}.
{modules,
[
  {mod_adhoc,    []},
  {mod_announce, [{access, announce}]}, % recommends mod_adhoc
  {mod_caps,     []},
  {mod_configure,[]}, % requires mod_adhoc
  {mod_disco,    []},
  {mod_last,     []},
  {mod_offline,  []},
  {mod_private,  []},
  {mod_pubsub,   [ % requires mod_caps
                  {access_createnode, pubsub_createnode},
                  {plugins, ["default", "pep"]}
                 ]},
  {mod_roster,   []},
  {mod_stats,    []},
  {mod_time,     []},
  {mod_version,  []},
  {mod_vcard_ldap, [
    {matches, infinity},
    {ldap_filter, "(&(objectCategory=person)(objectClass=user)(memberOf=CN=jabber_users,CN=Users,DC=pi,DC=local))"},
    {ldap_vcard_map, [
      {"NICKNAME", "%s", ["displayName"]},
      {"GIVEN", "%s", ["givenName"]},
      {"MIDDLE", "%s", ["initials"]},
      {"FAMILY", "%s", ["sn"]},
      {"FN", "%s", ["displayName"]},
      {"EMAIL", "%s", ["mail"]},
      {"ORGNAME", "%s", ["company"]},
      {"ORGUNIT", "%s", ["department"]},
      {"CTRY", "%s", ["c"]},
      {"LOCALITY", "%s", ["l"]},
      {"STREET", "%s", ["streetAddress"]},
      {"REGION", "%s", ["st"]},
      {"PCODE", "%s", ["postalCode"]},
      {"TITLE", "%s", ["title"]},
      {"DESC", "%s", ["description"]},
      {"TEL", "%s", ["telephoneNumber"]}
    ]},
    {ldap_search_fields, [
      {"Name", "givenName"},
      {"Family Name", "sn"},
      {"Department", "department"}
    ]},
    {ldap_search_reported, [
      {"Full Name", "FN"},
      {"Department", "ORGUNIT"},
      {"Phone", "TEL"}
    ]}
  ]},
  {mod_shared_roster_ldap, [
     {ldap_filter, "(memberOf=CN=jabber_users,CN=Users,DC=pi,DC=local)"},
     {ldap_rfilter, "(&(objectCategory=person)(objectClass=user)(memberOf=CN=jabber_users,CN=Users,DC=pi,DC=local))"},
     {ldap_groupattr, "department"},
     {ldap_groupdesc, "department"},
     {ldap_memberattr, "sAMAccountName"},
     {ldap_userdesc, "displayName"}
  ]}
]}.

The encoding of the file is utf-8, so internationalized strings are ok.
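As an added illustration (not code from this thread or from ejabberd itself), the following Python script approximates what the LDAP auth backend does with a login attempt using the config above: it accepts only a full JID whose host is listed in {hosts}, substitutes the RFC 4515-escaped user part into the ldap_uids pattern, and ANDs the result with ldap_filter. The defaults are the values from the config above; the exact filter string ejabberd sends may differ slightly.

```python
# Config values assumed from the example ejabberd.cfg in this thread.
HOSTS = ["pi.local"]
LDAP_UIDS = [("userPrincipalName", "%u@pi.local")]
LDAP_FILTER = "(&(objectCategory=person)(objectClass=user))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed user name cannot change the filter's meaning."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def split_jid(login: str, hosts):
    """Return (user, host) for a full JID of a served host, else None.

    Mirrors the advice in the thread: "myAdminUser" and
    "child.domain.com\\myAdminUser" are rejected, only "user@host" works,
    and the host must be one ejabberd serves.
    """
    if "@" not in login or "\\" in login:
        return None
    user, _, host = login.rpartition("@")
    if not user or host not in hosts:
        return None
    return user, host


def build_auth_filter(login, hosts=HOSTS, ldap_uids=LDAP_UIDS,
                      ldap_filter=LDAP_FILTER):
    """Approximate the LDAP search filter used to locate `login` before the
    password bind. Returns None when the login is not a usable full JID."""
    parts = split_jid(login, hosts)
    if parts is None:
        return None
    user = escape_filter_value(parts[0])
    # Each ldap_uids entry becomes (attr=pattern-with-%u-replaced).
    uid_terms = "".join(
        "(%s=%s)" % (attr, pattern.replace("%u", user))
        for attr, pattern in ldap_uids
    )
    uid_filter = uid_terms if len(ldap_uids) == 1 else "(|%s)" % uid_terms
    return "(&%s%s)" % (uid_filter, ldap_filter)


if __name__ == "__main__":
    for attempt in ("avv@pi.local", "avv", "PI\\avv"):
        print(attempt, "->", build_auth_filter(attempt))
```

Running it shows why the bare user name and the DOMAIN\user form never reach LDAP at all, while the full JID produces a search on userPrincipalName restricted by the ldap_filter.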

LDAP settings look wonky

I had already added the

override_global.
override_local.
override_acls.

lines in the config file. Thank you for your config example. It was immensely helpful. As well, I am running version 2.1.0 on a Windows server which has much better logging. I'm getting the following error message when I attempt to bind to LDAP.

=INFO REPORT==== 2009-12-07 15:18:52 ===
D(<0.285.0>:eldap:945) : Bind Request Message:{'LDAPMessage',1,
                                               {bindRequest,
                                                {'BindRequest',3,
                                                 "CN=myServiceUser,CN=Users,DC=child,DC=domain,DC=com",
                                                 {simple,"********"}}},
                                               asn1_NOVALUE}

=INFO REPORT==== 2009-12-07 15:18:52 ===
I(<0.36.0>:ejabberd_app:69) : ejabberd 2.1.0 is started in the node ejabberd@localhost

=INFO REPORT==== 2009-12-07 15:18:52 ===
D(<0.336.0>:eldap:793) : {'LDAPMessage',1,
                             {bindResponse,
                                 {'BindResponse',invalidCredentials,[],
                                     [dataset here],
                                     asn1_NOVALUE,asn1_NOVALUE}},
                             asn1_NOVALUE}

=ERROR REPORT==== 2009-12-07 15:18:52 ===
W(<0.336.0>:eldap:850) : LDAP bind failed on ad1.child.domain.com:389
Reason: invalidCredentials

The account does exist on the child domain (and the admin account previously mentioned exists on the child domain as well) and the password is correct. I am wondering if this user has to be a part of a specific group or has to be granted permissions somehow to read from AD. I've read through that Guide thoroughly and there's very little helpful information on how to setup this AD connection.

Well, my account used in

Well, my account used in ejabberd (CN=jabber,CN=Users,DC=pi,DC=local) is simply member of "Domain Users" group and it isn't given any special permissions or other tweaks (I could make a special group with only necessary permissions and use it, but I didn't bother).
invalidCredentials (49) LDAP error means non-existent user or wrong password.
You should try to debug bind to LDAP using some tool like Microsoft's ldp.exe on the machine running Windows version of ejabberd (or an equivalent on UN*X one). You should be able to bind using the account you specify in ejabberd.cfg. (Is it "CN=myServiceUser,CN=Users,DC=child,DC=domain,DC=com"? Or "cn=myServiceAccount,cn=Service Accounts OU,cn=Organization,dc=child,dc=domain,dc=com"?)
Also you might try using port 3268 to connect to AD GC (as your configuration is a multidomain forest, though it seems not to be necessary, as all your users are in the same domain... Nevertheless, you may give it a try).
And one other thing you might check: do you use the password that contains only ASCII symbols (codes 1..127)? If you use some international characters you should check that the file ejabberd.cfg is utf-8-encoded, or you might get wrong password tried by ejabberd.

Thank you immensely

Mike,

Thank you so much for your help. I finally got ejabberd to correctly touch AD. I took your advice and used LDAPBrowser to connect and noticed that I couldn't use standard LDAP notation for the rootDN to connect to my AD servers. So instead of CN=myServiceUser,CN=Users,DC=child,DC=domain,DC=com, I just used CHILD\\myServiceUser and it worked. One thing to note was that one of your LDAP_filters didn't work for me. You had:

{ldap_filter, "(&(objectCategory=person)(objectClass=user))"}.

Which caused all users to fail authentication. This is what I had to change it to:

{ldap_filter, "(&(objectClass=user))"}.

I believe this is because the objectCategory attribute doesn't contain any values of "person". I ran csvde against one of my AD servers and exported the info to a csv file and found that the objectCategory field values consisted of "CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com". I tried modifying the filter to use this, but it too failed. I'm not certain why, nor is it really important to my plight because removing it altogether allowed users to authenticate against AD and logon. If you wouldn't mind me asking one more question, I noticed you're using mod_shared_roster_ldap. I'm guessing this isn't distributed with the most recent release of ejabberd because I get an undef error every time I put that mod in. Is there perhaps a how-to somewhere around here that can show me how to compile the module for use with ejabberd so that I can take advantage of shared rosters?

Other than that, man, thanks! I appreciate your insight and hope this helps someone else.

Cheers,

John H

Nevermind the mod_shared_roster_ldap request

I located the instructions on how to download and compile this module. It is now working correctly. So instead, please accept my sincerest gratitude for all your help.

Cheers,

John H

Users in the database

Does the account you are trying to register with as administrator actually exist? I had a similar problem and after manually inserting a user into my database, it worked for me.