Problem with ldap_dn_filter

I need to limit the access to my ejabberd to a series of users defined in an LDAP group, let's call it EDY. This LDAP doesn't have memberOf entries for the users. Groups have a uniqueMember entry for each user, holding the DN of each user. This is my config:

auth_method: [ldap, internal]

ldap_servers:
- "annuaire.preprod.inetpsa.com"
ldap_port: 389
ldap_rootdn: "cn=XXXXXXXX,ou=XXXXXXXX,o=XXXXXXXX"
ldap_password: "XXXXXXXX"
ldap_base: "o=XXXXXXXX"
ldap_dn_filter:
- "(&(cn=EDY)(uniqueMember=%D)"

If I have understood how this works properly, this will do two searches, one with uid, and a second one will run the ldap_dn_filter, use the DN related to the uid, and see if group EDY has a uniqueMember entry with that DN.

But instead, I get this on the log:

2018-02-23 18:13:11.661 [error] <0.66.0>@ejabberd_config:validate_opts:1029 ignoring option 'ldap_dn_filter' with invalid value: [<<"(&(cn=EDY)(uniqueMember=%D)">>]

I have tried a lot of variations but can't get this to work. Any help would be appreciated.

There is another way I can try

There is another way I can try to get this working on my LDAP, with ldap_uids, but this is showing some problems:

If, for example, I filter using a netgroup, I get a list of users in the format:

nisNetgroupTriple: (,USERID,)

But if I setup in my ejabberd.yml file:

ldap_uids:
- "nisNetgroupTriple": "(,%u,)"

This still doesn't work.

The other possibility is using ldap_uids with the previously mentioned uniqueMember entries, but those are in the format:

USER NAME AND SURNAME - USERID,ou=XXXXXXXX,o=XXXXXXXX

I don't know how the ldap_uidattr_format format is parsed, so I don't know if I can use, i.e., a regular expression to get the USERID from that field.

OK, after a good night of

OK, after a good night of sleep, now I understand why the second option can't work. What I need is probably to take the results of ldap_filter, like i.e. the list of nisNetgroupTriple, and feed them to ldap_dn_filter, but parsed somehow. Something like:

(uid=%u): ["nisNetgroupTriple": "(,%u,)"]

But I don't think that is supported.

I also still get the "ignoring option 'ldap_dn_filter' with invalid value" error with different ldap_dn_filter I have tried.

I start to think

I start to think ldap_dn_filter is not working OK. With this configuration:

ldap_uids:
- "uniqueMember"
ldap_filter: "(cn=GROUPNAME)"
ldap_dn_filter: "(%s)": "uniqueMember"

I get:

2018-02-26 11:34:28.698 [error] <0.66.0>@ejabberd_config:get_plain_terms_file:286 Cannot load /users/ejb00/ejb/conf/ejabberd.yml: Syntax error on line 267 at position 23: mapping values are not allowed in this context

Or, I can try with the netgroups:

ldap_uids:
- "nisNetgroupTriple": "(,%u,)"
ldap_filter: "(cn=NETGROUP)"
ldap_dn_filter: "(uid=%u)"

But then I don't get the LDAP query in the log, and I get:

2018-02-26 12:03:41.166 [error] <0.66.0>@ejabberd_config:validate_opts:1029 ignoring option 'ldap_dn_filter' with invalid value: <<"(uid=%u)">>

I get the query in the log if I remove the : "(,%u,)":

2018-02-26 12:20:22.102 [debug] <0.562.0>@eldap:send_command:776 {searchRequest,{'SearchRequest',<<"o=XXXXXXXX">>,wholeSubtree,neverDerefAliases,0,0,false,{and,[{equalityMatch,{'AttributeValueAssertion',<<"nisNetgroupTriple">>,<<"USERID">>}},{equalityMatch,{'AttributeValueAssertion',<<"cn">>,<<"NETGROUP">>}}]},[<<"nisNetgroupTriple">>]}}

Ok, I have done a lot of

Ok, I have done a lot of progress today, thanks mainly to Airwave and emias on the IRC channel.

ldap_dn_filter parsing issues:

With:

ldap_dn_filter: "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))":["uid"]

or

ldap_dn_filter: "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))": ["uid"]

Error:

2018-02-26 13:56:17.636 [error] <0.66.0>@ejabberd_config:get_plain_terms_file:286 Cannot load /users/ejb00/ejb/conf/ejabberd.yml: Syntax error on line 267 at position 82: did not find expected key

With:

ldap_dn_filter:
  "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))"

Error:

2018-02-26 14:19:18.879 [error] <0.66.0>@ejabberd_config:validate_opts:1029 ignoring option 'ldap_dn_filter' with invalid value: <<"(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))">>

With:

ldap_dn_filter:
  "(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(uniqueMember=%D))": ["uid"]

SUCCESS

This is the proper format: new line, two spaces, no '-'. The second part -after the ":"- is mandatory: this is the parameter of the first query results that will be used for parsing purposes with %s. Even if you are not using %s, you should set it up.

If I leave ldap_filter blank, all the o=XXXXXXXX uids get queried, and the Virtual Domain tab doesn't get populated. I suppose this behaviour is caused if the LDAP server reply is truncated, i.e. it is set to send a maximum of 2000 results but the query results are bigger than that.

If I filter a little more in the first query, we get the Virtual Domain user list populated. This can be a problem in big organizations, and it will be interesting to confirm if the behaviour is caused by the LDAP config or ejabberd.

To filter by netgroup users with nisNetgroupTriple, there is a problem parsing the ( ) characters. I'm still trying to figure that out; meanwhile you could use wildcards, but I don't like that from a security point of view.

Also, in my LDAP uid is uppercase and the entry in nisNetgroupTriple is lowercase, so I had to search for a user property that holds the user in lowercase and use that with %s:

"(&(cn=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX)(nisNetgroupTriple=*%s*))": ["uidux"]
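As an added, runnable illustration of the two-step lookup the posts above describe (my own example, not ejabberd's code): it models step one (ldap_uids plus ldap_filter resolving %u to a DN) and step two (ldap_dn_filter with %D and the attribute listed after the ':' substituted for %s) against a small constructed directory. It goes a little beyond the thread by escaping every substituted value per RFC 4515 and by writing the parentheses of a nisNetgroupTriple value as \28 and \29 inside the filter, which is the standard alternative to the *%s* wildcard; whether ejabberd's own filter parser accepts that spelling is not something this thread confirms. All DNs, attribute values and function names are constructed for the example.

```python
"""Added example (not ejabberd's code): in-memory model of ejabberd's two-step LDAP
lookup (ldap_uids/ldap_filter, then ldap_dn_filter) with RFC 4515 escaping of the
%u, %D and %s substitutions. Directory contents and function names are constructed."""
import re

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY = {
    "cn=John Doe - JDOE,ou=people,o=example": {"uid": ["JDOE"], "uidux": ["jdoe"]},
    "cn=Jane Roe - JROE,ou=people,o=example": {"uid": ["JROE"], "uidux": ["jroe"]},
    "cn=J Do - JDO,ou=people,o=example": {"uid": ["JDO"], "uidux": ["jdo"]},
    "cn=EDY,ou=groups,o=example": {
        "cn": ["EDY"], "uniqueMember": ["cn=John Doe - JDOE,ou=people,o=example"]},
    "cn=NETGROUP,ou=netgroup,o=example": {
        "cn": ["NETGROUP"], "nisNetgroupTriple": ["(,jdoe,)"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: a literal '(', ')', '*' or '\\' in a value can no longer
    be read as filter syntax once spliced into the filter string."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))

def _parse(s, i):
    """Parser for the filter subset used on this page: (&...) and (attr=pattern)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] == "&":
        i, items = i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("and", items), i + 1
    j = s.find(")", i)  # an escaped value never contains a raw ')', so this ends the item
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, sep, pattern = s[i:j].partition("=")
    if not sep:
        raise ValueError(f"malformed filter item {s[i:j]!r}")
    return ("eq", attr, pattern), j + 1

def parse_filter(filter_str):
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError(f"trailing data: {filter_str[end:]!r}")  # e.g. an unescaped ')'
    return node

def filter_is_valid(filter_str):
    try:
        parse_filter(filter_str)
        return True
    except ValueError:
        return False

def _matches(node, attrs):
    if node[0] == "and":
        return all(_matches(child, attrs) for child in node[1])
    _, attr, pattern = node
    # Unescaped '*' is a wildcard; \xx escapes become literal characters. Matching is
    # case-sensitive, as the page reports for nisNetgroupTriple (real servers follow the schema).
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    regex = "^" + ".*".join(re.escape(unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v) for v in attrs.get(attr, []))

def search(directory, filter_str):
    node = parse_filter(filter_str)
    return {dn: attrs for dn, attrs in directory.items() if _matches(node, attrs)}

def check_dn_filter(directory, uid, dn_filter, subst_attr, uid_attr="uid", ldap_filter=""):
    """Step 1: (&(uid_attr=%u)ldap_filter) must return exactly one entry, the user.
    Step 2: dn_filter with %D = that DN and %s = the entry's subst_attr value (the
    attribute after the ':' in the config) must match. Returns the DN on success."""
    clause = f"({uid_attr}={escape_filter_value(uid)})"
    hits = search(directory, f"(&{clause}{ldap_filter})" if ldap_filter else clause)
    if len(hits) != 1:
        return None
    dn, attrs = next(iter(hits.items()))
    subst = attrs.get(subst_attr, [""])[0]
    second = dn_filter.replace("%D", escape_filter_value(dn)).replace("%s", escape_filter_value(subst))
    return dn if search(directory, second) else None

# The page's working group filter, its wildcard netgroup filter, and an exact
# netgroup filter that spells the parentheses of "(,user,)" as \28 and \29.
GROUP_FILTER = "(&(cn=EDY)(uniqueMember=%D))"
NETGROUP_WILDCARD = "(&(cn=NETGROUP)(nisNetgroupTriple=*%s*))"
NETGROUP_EXACT = "(&(cn=NETGROUP)(nisNetgroupTriple=\\28,%s,\\29))"

if __name__ == "__main__":
    for uid in ("JDOE", "JROE", "JDO"):
        print(uid, "group:", check_dn_filter(DIRECTORY, uid, GROUP_FILTER, "uid"),
              "| netgroup exact:", check_dn_filter(DIRECTORY, uid, NETGROUP_EXACT, "uidux"),
              "| netgroup wildcard:", check_dn_filter(DIRECTORY, uid, NETGROUP_WILDCARD, "uidux"))
```

Running it shows the point raised in the last post: with the wildcard form, user JDO (uidux "jdo") is accepted because *jdo* also matches the triple "(,jdoe,)", while the escaped exact form only accepts JDOE; and a filter built by pasting "(,jdoe,)" in unescaped fails to parse, which is the "( ) characters" problem in a nutshell.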
