Way to use internal DB for user list, but PAM for passwords?

Hey there all,

Here at $dayjob we'd like to make it so that your jabber password is one fewer to remember, and instead use your Kerberos password.

However, we still want to have control of the user list be via the ejabberd web UI (as we may have users such as consultants who have a valid pam login, but not want them to use jabber).

We don't do LDAP of any sort -- most of our management is static, but only our ops group have accounts on our jabber machine.

Put another way -- this would separate "AUTHENTICATION" (are you actually jsmith@domain.com?) from "AUTHORIZATION" (is jsmith@example.com allowed to XMPP?).

Kerberos really only deals with the first of those. It has no concept of "groups".

Best,

-Gushi

gushi wrote:

(as we may have users such as consultants who have a valid pam login, but not want them to use jabber).

Use the Access option in the ejabberd_c2s listener to prevent some usernames from logging in, and grant access to the others. In the example config file, search for "baduser@example.org" and blocked.
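A sketch of the split discussed in this thread, added here as an example and not taken from either poster or from the ejabberd example config: PAM answers the authentication question, and an ACL on the c2s listener answers the authorization question with a default deny. It assumes the Erlang-term ejabberd.cfg format; the ACL name xmpp_users, the rule name c2s, the PAM service name and the accounts jsmith and ops1 are hypothetical.

```erlang
%% Authentication: passwords are checked through PAM (Kerberos sits behind it).
{auth_method, pam}.
{pam_service, "ejabberd"}.   % assumed PAM service name

%% Authorization: only accounts listed in this ACL may open a client session.
%% Repeated entries with the same ACL name accumulate. (Hypothetical users.)
{acl, xmpp_users, {user, "jsmith", "example.org"}}.
{acl, xmpp_users, {user, "ops1", "example.org"}}.

%% The "blocked" pattern mentioned in the reply, kept for explicit denials.
{acl, blocked, {user, "baduser", "example.org"}}.

%% Rules are evaluated in order and the first match wins, so a consultant
%% with a valid PAM login but no xmpp_users entry falls through to deny.
{access, c2s, [{deny, blocked},
               {allow, xmpp_users},
               {deny, all}]}.

{listen, [
  {5222, ejabberd_c2s, [
    {access, c2s},
    starttls_required        % PAM needs the cleartext password; keep it inside TLS
  ]}
]}.
```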
