ejabberd - Comments for "Is SASL Authentication Supported?"

Ouch! Not being able to

paddyjoesoap — Thu, 24 Jun 2010 12:17:12 +0000

Ouch!

Not being able to specify a prefered method means the likely outcome will be dialback and this may not be desired. In this situation there is no requirement to use TLS. Thus, all traffic is susceptible to inspection. Mind you, some business-level security policies require this for compliance reasons and will only federate with its own remote office XMPP servers over a VPN ;-)

Thanks badlop for all your help to date.
regards,
paddy.

SASL EXTERNAL not configurable

mfoss — Thu, 24 Jun 2010 10:33:03 +0000

paddyjoesoap wrote:

Does ejabberd have this configuration option where dialback and/or SASL External can be enabled/disabled explicitly?

Not configurable. In fact, I connected to several remote servers, and the code in ejabberd_s2s that negotiates SASL EXTERNAL wasn't executed in any case. I don't know what are exactly the conditions in which ejabberd decides itself to use SAL EXTERNAL.

Interesting! I think the same

paddyjoesoap — Wed, 23 Jun 2010 11:10:30 +0000

Interesting!

I think the same applies to Dialback.

From the ejabbered configuration file there is an option for the following:

{s2s_use_starttls,true} where "true" can be replaced with "false".

I presume that once port 5269 is open, ejabberd will internally enable both dialback and SASL External. And the above command will only provide TLS to the dialback if required.

If this assumption is correct then there may be some issues. For example, what if one wanted to disable dialback entirely or disable SASL External in favour of dialback (perhaps to connect with a legacy XMPP server or an XMPP server over a VPN).

Does ejabberd have this configuration option where dialback and/or SASL External can be enabled/disabled explicitly?

S2S SASL EXTERNAL

mfoss — Tue, 22 Jun 2010 18:51:27 +0000

paddyjoesoap wrote:

Does ejabberd support SASL EXTERNAL for S2S communication

Seems so:
https://git.process-one.net/ejabberd/mainline/commit/f6343f01f7db7aa4665...

And it doesn't seem to need any configuration.

Thanks for that

paddyjoesoap — Tue, 22 Jun 2010 14:23:58 +0000

Thanks for that information.

Does ejabbered support SASL EXTERNAL for S2S communication rather than dialback?

What is the configuration argument for this, given that

{auth_method, internal} is intended for C2S using either SASL PLAIN or SASL MD5.

Unrelated option

mfoss — Mon, 21 Jun 2010 11:06:05 +0000

paddyjoesoap wrote:

Is this the command to have s2s over TLS and SASL EXTERNAL?

{auth_method, external}.

That option tells ejabberd to start a script or program externally to ejabberd, and send all the auth queries to it instead of accessing the database.

That option is unrelated to the SASL EXTERNAL protocol that a client would like to use when negotiating auth with ejabberd.

ejabberd supports SASL PLAIN

mfoss — Mon, 21 Jun 2010 11:02:00 +0000

ejabberd supports SASL PLAIN and SASL DIGEST-MD5 when configured with

{auth_method, internal}.

or odbc, ...

It also supports SASL ANONYMOUS when configured:

{auth_method, anonymous}.
{anonymous_protocol, sasl_anon}.

There is also a contributed SASL GSSAPI patch, but I don't know if that allows other SASL methods, or what exactly it does.

Is this the command to have

paddyjoesoap — Mon, 21 Jun 2010 10:11:00 +0000

Is this the command to have s2s over TLS and SASL EXTERNAL?

{auth_method, external}.