ejabberd - Comments for "LDAPS - SSL Secured LDAP"

Patch updated to SVN trunk.

mfoss — Mon, 12 May 2008 08:42:17 +0000

fox wrote:

does not work against latest svn (1313 revision) (it doesn't need, but you may be interesting it :-))

I've updated the patch to work with ejabberd trunk SVN r1321. It is published with all the others, in the Bugzilla page.

Most likely the eldap.erl

Anonymous — Wed, 30 Apr 2008 22:42:27 +0000

Most likely the eldap.erl and ejabberd_auth_ldap.erl files were changed from ejabberd-2.0.0. This is why you are getting the offset when trying to apply patch.

OK, this patch work against

fox — Wed, 30 Apr 2008 17:56:28 +0000

OK, this patch works against ejabberd-2.0.0:

$ fox@black ~/temp/tmp/ejabberd-2.0.0/src $ patch -p2 < ldaps-2.0.0.diff
patching file eldap/eldap.erl
patching file ejabberd_auth_ldap.erl
patching file mod_vcard_ldap.erl

But, does not work against latest svn (1313 revision) (it doesn't need, but you may be interesting it :-)):

fox@black ~/svn/ejabberd_trunk/trunk $ fox@black ~/svn/ejabberd_trunk/trunk/src $ patch -p2 < ldaps-2.0.0.diff
patching file eldap/eldap.erl
Hunk #1 FAILED at 35.
Hunk #2 FAILED at 82.
Hunk #3 FAILED at 105.
Hunk #4 FAILED at 396.
Hunk #5 succeeded at 510 with fuzz 2 (offset 15 lines).
Hunk #6 FAILED at 560.
Hunk #7 FAILED at 578.
Hunk #8 FAILED at 591.
Hunk #9 FAILED at 602.
Hunk #10 FAILED at 658.
Hunk #11 FAILED at 909.
Hunk #12 succeeded at 1020 with fuzz 2 (offset 86 lines).
Hunk #13 FAILED at 1034.
11 out of 13 hunks FAILED -- saving rejects to file eldap/eldap.erl.rej
patching file ejabberd_auth_ldap.erl
Hunk #2 succeeded at 363 (offset 9 lines).
patching file mod_vcard_ldap.erl

So, I can't to complete test for correctly ldaps working right now. I will do it at monday, 5 may 2008.

I'm waiting for official ldaps supporting too. :-)

Ok; try with the updated patch

mfoss — Wed, 30 Apr 2008 11:33:11 +0000

It seems the patch had some file format problem. In my system, 'patch' applies it correctly but reports some warnings. It seems in your system, 'patch' refused completely to apply it.

I've modified the file format and submitted to Bugzilla:
Working ejabberd-2.0.0 LDAPS patch, without CR

Let's hope this time you can apply it correctly.

BTW, if you try the patch, it would be nice if you comment here your results: does it work correctly? did you find any problem with it?

I downloaded and applied

fox — Wed, 30 Apr 2008 08:51:46 +0000

I downloaded and applied this: http://www.jabber.ru/bugzilla/attachment.cgi?id=259 (Working ejabberd-2.0.0 LDAPS patch). I reviewed link in my download manager

You applied the patch for 1.1.2. Check with detail Bugzilla

mfoss — Wed, 30 Apr 2008 07:17:55 +0000

fox wrote:

I tried to apply this patch against stable ejabberd-2.0.0

The patch is available in two versions: for ejabberd 1.1.2 and for 2.0.0. Check the Bugzilla:

Revised TLS patch against 1.1.2, including auth and vcard modules
Working ejabberd-2.0.0 LDAPS patch

Obviously, you must apply the patch for 2.0.0. It applies correctly.

You applied the 1.1.2 patch in ejabberd 2.0.0, which generates the error messages that you indicated.

Patch does not apply against stable ejabberd 2.0.0

fox — Wed, 30 Apr 2008 06:09:31 +0000

I tried to apply this patch against stable ejabberd-2.0.0 (from here http://www.process-one.net/downloads/ejabberd/2.0.0/ejabberd-2.0.0.tar.gz) and got these errors:

patching file eldap/eldap.erl
Hunk #1 FAILED at 35.
Hunk #2 FAILED at 82.
Hunk #3 FAILED at 105.
Hunk #4 FAILED at 396.
Hunk #5 FAILED at 495.
Hunk #6 FAILED at 545.
Hunk #7 FAILED at 563.
Hunk #8 FAILED at 576.
Hunk #9 FAILED at 587.
Hunk #10 FAILED at 643.
Hunk #11 FAILED at 894.
Hunk #12 FAILED at 934.
Hunk #13 FAILED at 948.
13 out of 13 hunks FAILED -- saving rejects to file eldap/eldap.erl.rej
patching file ejabberd_auth_ldap.erl
Hunk #1 FAILED at 24.
Hunk #2 FAILED at 354.
2 out of 2 hunks FAILED -- saving rejects to file ejabberd_auth_ldap.erl.rej
patching file mod_vcard_ldap.erl
Hunk #1 FAILED at 24.
Hunk #2 FAILED at 677.
2 out of 2 hunks FAILED -- saving rejects to file mod_vcard_ldap.erl.rej

Does it work with this version?
Thanks.

Got working,I posted new

Anonymous — Mon, 28 Apr 2008 18:20:10 +0000

Got working,
I posted new patch on http://www.jabber.ru/bugzilla/show_bug.cgi?id=255

Andy

Having a problem with the

Anonymous — Mon, 07 Apr 2008 18:41:59 +0000

Having a problem with the new patch for version 2.0.0. If I dont use the {ldap_encrypt,tls}. in the ejabberd.cfg everything runs fine but the connection between the ldap and ejabberd server isn't encrypted. If i do however use it i get the following error output:

=ERROR REPORT==== 2008-04-07 11:38:40 ===
** State machine 'eldap_#Ref<0.0.0.8684>' terminating
** Last event in was timeout
** When State == connecting
** Data == {eldap,3,
["dir.test.com"],
null,
636,
null,
[],
[],
0,
#Fun,
undefined,
{dict,0,
16,
16,
8,
80,
48,
{[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[]},
{{[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[]}}},
undefined,
0,
true,
false}
** Reason for termination =
** {{badmatch,
{error,
{asn1,
{'Type not compatible with table constraint',
{{component,'Type'},{value,{3,<<6,64>>}}}}}}},
[{ssl_pkix,transform,1},
{lists,map,2},
{lists,map,2},
{ssl_pkix,transform,1},
{ssl_pkix,transform,1},
{ssl_pkix,decode_cert,2},
{eldap,do_connect,3},
{eldap,connect_bind,1}]}

If anyone has this problem and has resolved it or knows why i may be getting this please let me know.

Thanks
Andy

Updated 2.0.0 version uploaded.

roo — Mon, 07 Apr 2008 05:11:57 +0000

I just went through and updated the 1.1.2 patch to work with 2.0.0. I haven't done any work with the patch in over a year, and my test environment has gone away, so any debugging assistance is appreciated. You can download the patch from the bugzilla page.

--
-Thomas
They're taking their dog to get its two shots before it's too late. You're taking your dog there too, right?

Has anyone tried this with

Anonymous — Tue, 04 Mar 2008 22:16:37 +0000

Has anyone tried this with ejabberd-2.0.0? Also is there any other way to do this without having to recompile? For some reason I couldn't compile ejabberd and had to install it using the binary installation. If anyone has a workaround or an example of an external authentication script it would be greatly appreciated.

Andy

LDAPs does not work for me

Alexandra Kossovsky — Mon, 04 Feb 2008 14:02:06 +0000

> LDAP depends heavily on making your configuration right with your LDAP schema.

Sorry, I do not understand what do you mean. I do not have any problem with LDAP. ejabberd worked with the local LDAP server, and it works with stunneled LDAP now. This ldap server is used by pam, nss, apache, and i-forget-what-else. It is TLS support in ejabberd for LDAP that does not work. Moreover, it does not work and, at the same time, it fails to tell me what is the problem by showing erlang trace instead of human-readable message. How do you propose to solve this problem by tuning LDAP schema (which is OK, I'm sure). May be, I've missed something in your message?

LDAP

mremond — Fri, 01 Feb 2008 08:17:17 +0000

LDAP is better in version 1.1.4. You should upgrade to this one.

It is probably not related to your problem. LDAP depends heavily on making your configuration right with your LDAP schema.

--
Mickaël Rémond
Process-one

LDAPs does not work for me

Alexandra Kossovsky — Thu, 31 Jan 2008 13:24:04 +0000

I get following error when trying to enable ldaps:
** Reason for termination =
** {{badmatch,{error,{asn1,{'Type not compatible with table constraint',
{{component,'Type'},
{value,
{22,<<"OpenSSL Generated Certificate">>}}}}}
}},
[{ssl_pkix,transform,1},
{lists,map,2},
{lists,map,2},
{ssl_pkix,transform,1},
{ssl_pkix,transform,1},
{ssl_pkix,decode_cert,2},
{eldap,do_connect,3},
{eldap,connect_bind,1}]}

In LDAP server logs, I see that ejabberd is connected on 636 port; "TLS established tls_ssf=256 ssf=256"; "closed (connection lost)".

Can anybody give me any hints?
ejabberd=1.1.2 with the patch from bugzilla;
erlang=11.b.2

Error using this patch

guillomovitch — Fri, 29 Jun 2007 15:40:08 +0000

I got the following error message when trying to use this patch:
** {{badmatch,
{error,
{asn1,
{'Type not compatible with table constraint',
{{component,'Type'},{value,{3,<<6,192>>}}}}}}},
[{ssl_pkix,transform,1},
{lists,map,2},
{lists,map,2},
{ssl_pkix,transform,1},
{ssl_pkix,transform,1},
{ssl_pkix,decode_cert,2},
{eldap,do_connect,3},
{eldap,connect_bind,1}]}

According to strace, the program tries to read /etc/pki/tls/cert.pem, which seems to be a default value hardcoded somewhere I couldn't find. Even putting there a real certificate doesn't help, I still have this error which seems to be related to ASN encoding, not with certificate validation.