ejabberd - Comments for "mod_register/XEP-0077"

betatesting

jacky — Fri, 01 Dec 2006 13:17:59 +0000

After doing protocol debugging, the patch access_registrant works properly. Now only registrant user can create new accounts. All the other registration tries (users authenticated or not), server reply a message like this:

  ...
  ...
  77 6f 72 64 3e 3c 2f 71    75 65 72 79 3e 3c 65 72    word></query><er
  72 6f 72 20 63 6f 64 65    3d 27 34 30 35 27 20 74    ror code='405' t
  79 70 65 3d 27 63 61 6e    63 65 6c 27 3e 3c 6e 6f    ype='cancel'><no
  74 2d 61 6c 6c 6f 77 65    64 20 78 6d 6c 6e 73 3d    t-allowed xmlns=
  27 75 72 6e 3a 69 65 74    66 3a 70 61 72 61 6d 73    'urn:ietf:params
  3a 78 6d 6c 3a 6e 73 3a    78 6d 70 70 2d 73 74 61    :xml:ns:xmpp-sta
  6e 7a 61 73 27 2f 3e 3c    2f 65 72 72 6f 72 3e 3c    nzas'/></error><
  2f 69 71 3e                                           /iq>

Thank you very much for your support.

You're right; try access_registrant patch

mfoss — Wed, 29 Nov 2006 22:06:27 +0000

jacky wrote:

Are you sure? Have your tried?

Umm, now that I tried, you are right: on mod_register, 'access' defines what new JIDs can be registered. I didn't understood the explanation on the ejabberd guide. My fault.

Good news: New option on mod_register: who can register new accounts

I haven't tried your example Perl code. I just tested this patch with Tkabber. Can you beta test this patch and report any problem with it?

jacky wrote:

If it's true, How iq:register requests are authenticated? Only with SetFrom IQ field? Or you must send iq:register over an authenticated connection? This failed for me.

From now, if you set as registrants a JID, the only way to register an account is to login with that JID, and then send the register request.

Try it on Tkabber: login, open the Service Discovery, double click on Register.

Re: Several misconceptions :)

jacky — Wed, 29 Nov 2006 16:52:13 +0000

badlop wrote:

jacky wrote:

means that only admin@domain.org JID could be registered.

Wrong.

{acl, adminjid, {user, "admin", "domain.org"}}.
{access, register, [{allow, adminjid}]}.

{modules, [
  ...
  {mod_register, [{access, register}]},
  ...
}

This allows admin@domain.org to register accounts, any account he wants.

Are you sure? Have your tried? I tried, and that was the final conclusion.
If it's true, How iq:register requests are authenticated? Only with SetFrom IQ field? Or you must send iq:register over an authenticated connection? This failed for me.

This is a code that I used to check this issue:

#!/usr/bin/perl

use Net::Jabber qw(Client);

$Connection = new Net::Jabber::Client;

$status = $Connection->Connect("hostname" => "domain.org",
                               "port" => 5222);

@result = $Connection->AuthSend("username" => "admin",
                                "password" => "pass",
                                "resource" => "jabber");


# Build the IQ register query
my $iq = new Net::Jabber::IQ();
$iq->SetType("set");
$iq->SetFrom("admin\@domain.org");
$iq->SetTo("domain.org");
my $query = $iq->NewQuery("jabber:iq:register");
$query->SetRegistered(1);
$query->SetUsername("john");
$query->SetNick("john");
$query->SetPassword("hello");

$Connection->Send($iq);

$Connection->Disconnect();

Thanks!

Several misconceptions :)

mfoss — Tue, 28 Nov 2006 17:16:58 +0000

jacky wrote:

means that only admin@domain.org JID could be registered.

Wrong.

{acl, adminjid, {user, "admin", "domain.org"}}.
{access, register, [{allow, adminjid}]}.

{modules, [
  ...
  {mod_register, [{access, register}]},
  ...
}

This allows admin@domain.org to register accounts, any account he wants.

jacky wrote:

Anyway, How can I allow web register and disable register of new jid from a jabber client?

Web register? Do you mean the ejabberd web admin? That's independent of mod_register.

Note that JRT is a small Jabber client in PHP to register accounts.

jacky wrote:

Somebody knows where is placed the JRT (Jabber registration tool) nowadays?

I found this: jrt-0.0.2d.tar.bz2.

I didn't explain it

jacky — Tue, 28 Nov 2006 13:41:43 +0000

I didn't explain it properly. Let's imagine that we have a restricted
jabber server, only personal authorized can talk and register. To
register, people have to access to a web page using a login and a
password and if it's correct, access is granted and he/she can register
an account, any other way to register is not allowed.
Allows this ejabberd (or xmpp protocol)? Or there are only two ways:
register available for all, register available only for admin. Are
there a register available for groups?

I hope that this time is clear. Thanks.

Just disable In-Band

sander — Mon, 27 Nov 2006 17:13:26 +0000

Just disable In-Band registration like described in the guide (see examples in the section about mod_register!), then only the administrator can register new users using ejabberdctl or using the web interface.

--
sander