UPDATE: This feature has been included in ejabberd, and is included in ejabberd 2.1.0 and higher. There is also a patch for ejabberd 2.0.5.
Name: ldaps
Purpose: Adds LDAPS support to eldap.erl, ejabberd_auth_ldap.erl, and mod_vcard_ldap.erl
Author: roo
Type: Patch
Requirements: ejabberd 1.1.2, ejabberd 1.1.3, or ejabberd 2.0.0
Download: Bugzilla
How to Install
- Download the patch file from the Bugzilla page and copy it to the ejabberd/src source dir.
- Execute patch -p2 < patchfile
- Add {ldap_encrypt, tls}. to the ejabberd.cfg file.
- Recompile, install, and restart ejabberd.
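What the third step changes is the transport the LDAP bind password travels over. As an added example (not ejabberd's code and not the patch author's), the following Python audit reads the {Key, Value}. options of an ejabberd.cfg and reports whether LDAP authentication would send simple-bind passwords in the clear. It assumes the ejabberd 2.x option names auth_method, ldap_servers, ldap_port and ldap_encrypt, treats a missing ldap_encrypt as none, and embeds two constructed configuration fragments: a plain-LDAP one on port 389 and the corrected one with {ldap_encrypt, tls}. on port 636.

```python
"""Audit an ejabberd.cfg for LDAP transport security.

Added example, not code from ejabberd or from the patch's author. It reads the
one-option-per-line Erlang terms that ejabberd.cfg uses ({Key, Value}.) and
reports whether LDAP authentication would send simple-bind passwords in the
clear. Assumptions: the ejabberd 2.x option names auth_method, ldap_servers,
ldap_port and ldap_encrypt; a missing ldap_encrypt behaves like
{ldap_encrypt, none}. Both configuration fragments are constructed samples.
"""
import re

# Matches a top-level option such as  {ldap_encrypt, tls}.  or  {ldap_port, 636}.
OPTION_RE = re.compile(r"^\s*\{\s*(\w+)\s*,\s*(.+?)\s*\}\s*\.\s*$")

# Constructed: LDAP auth over plain TCP; the bind password crosses the wire readable.
WEAK_CFG = """\
%% ejabberd.cfg fragment (constructed sample): plain LDAP on 389
{auth_method, ldap}.
{ldap_servers, ["dir.test.com"]}.
{ldap_port, 389}.
{ldap_base, "dc=test,dc=com"}.
{ldap_uids, [{"uid", "%u"}]}.
"""

# Constructed: the same settings plus the LDAPS option the patch adds.
HARDENED_CFG = """\
%% ejabberd.cfg fragment (constructed sample): LDAPS on 636
{auth_method, ldap}.
{ldap_servers, ["dir.test.com"]}.
{ldap_port, 636}.
{ldap_encrypt, tls}.
{ldap_base, "dc=test,dc=com"}.
{ldap_uids, [{"uid", "%u"}]}.
"""


def parse_options(cfg_text):
    """Return {key: raw value text} for every top-level {Key, Value}. line.

    Full-line % comments are skipped. Values stay as Erlang source text
    (e.g. '["dir.test.com"]'), which is all this audit needs.
    """
    opts = {}
    for line in cfg_text.splitlines():
        if line.lstrip().startswith("%"):
            continue
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def ldap_transport_findings(opts):
    """Return a list of findings; an empty list means LDAP binds are protected."""
    findings = []
    if opts.get("auth_method") != "ldap":
        return findings                       # LDAP auth not in use
    encrypt = opts.get("ldap_encrypt", "none")  # assumption: absent == none
    default_port = "636" if encrypt == "tls" else "389"
    port = int(opts.get("ldap_port", default_port))
    if encrypt != "tls":
        findings.append(
            "ldap_encrypt is %s: simple-bind passwords are sent to %s in cleartext"
            % (encrypt, opts.get("ldap_servers", "?")))
    if encrypt != "tls" and port == 636:
        findings.append(
            "ldap_port 636 without {ldap_encrypt, tls}: plain LDAP to the LDAPS port will not connect")
    if encrypt == "tls" and port == 389:
        findings.append(
            "ldap_port 389 with {ldap_encrypt, tls}: the patch speaks LDAPS, not STARTTLS, so use 636")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, ldap_transport_findings(parse_options(cfg)) or ["ok"])
```

Run it against a real ejabberd.cfg by replacing the embedded samples; the port/encrypt cross-checks are there because a mismatched pair fails exactly like the connection errors reported in this thread, while a missing ldap_encrypt fails silently by working over cleartext.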
Feature Requests
- STARTTLS is not possible right now
Updated 2.0.0 version uploaded.
I just went through and updated the 1.1.2 patch to work with 2.0.0. I haven't done any work with the patch in over a year, and my test environment has gone away, so any debugging assistance is appreciated. You can download the patch from the bugzilla page.
--
-Thomas
Having a problem with the
Having a problem with the new patch for version 2.0.0. If I don't use {ldap_encrypt,tls}. in ejabberd.cfg, everything runs fine, but the connection between the LDAP and ejabberd servers isn't encrypted. If I do use it, however, I get the following error output:
=ERROR REPORT==== 2008-04-07 11:38:40 ===
** State machine 'eldap_#Ref<0.0.0.8684>' terminating
** Last event in was timeout
** When State == connecting
** Data == {eldap,3,
["dir.test.com"],
null,
636,
null,
[],
[],
0,
#Fun,
undefined,
{dict,0,
16,
16,
8,
80,
48,
{[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[]},
{{[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[],
[]}}},
undefined,
0,
true,
false}
** Reason for termination =
** {{badmatch,
{error,
{asn1,
{'Type not compatible with table constraint',
{{component,'Type'},{value,{3,<<6,64>>}}}}}}},
[{ssl_pkix,transform,1},
{lists,map,2},
{lists,map,2},
{ssl_pkix,transform,1},
{ssl_pkix,transform,1},
{ssl_pkix,decode_cert,2},
{eldap,do_connect,3},
{eldap,connect_bind,1}]}
If anyone has had this problem and has resolved it, or knows why I may be getting this, please let me know.
Thanks
Andy
Got working, I posted new
Got working, I posted a new patch on http://www.jabber.ru/bugzilla/show_bug.cgi?id=255
Andy
Patch does not apply against stable ejabberd 2.0.0
I tried to apply this patch against stable ejabberd-2.0.0 (from here: http://www.process-one.net/downloads/ejabberd/2.0.0/ejabberd-2.0.0.tar.gz) and got these errors:
patching file eldap/eldap.erl
Hunk #1 FAILED at 35.
Hunk #2 FAILED at 82.
Hunk #3 FAILED at 105.
Hunk #4 FAILED at 396.
Hunk #5 FAILED at 495.
Hunk #6 FAILED at 545.
Hunk #7 FAILED at 563.
Hunk #8 FAILED at 576.
Hunk #9 FAILED at 587.
Hunk #10 FAILED at 643.
Hunk #11 FAILED at 894.
Hunk #12 FAILED at 934.
Hunk #13 FAILED at 948.
13 out of 13 hunks FAILED -- saving rejects to file eldap/eldap.erl.rej
patching file ejabberd_auth_ldap.erl
Hunk #1 FAILED at 24.
Hunk #2 FAILED at 354.
2 out of 2 hunks FAILED -- saving rejects to file ejabberd_auth_ldap.erl.rej
patching file mod_vcard_ldap.erl
Hunk #1 FAILED at 24.
Hunk #2 FAILED at 677.
2 out of 2 hunks FAILED -- saving rejects to file mod_vcard_ldap.erl.rej
Does it work with this version?
Thanks.
You applied the patch for 1.1.2. Check with detail Bugzilla
> I tried to apply this patch against stable ejabberd-2.0.0
The patch is available in two versions: for ejabberd 1.1.2 and for 2.0.0. Check the Bugzilla:
Obviously, you must apply the patch for 2.0.0. It applies correctly.
You applied the 1.1.2 patch in ejabberd 2.0.0, which generates the error messages that you indicated.
I downloaded and applied
I downloaded and applied this: http://www.jabber.ru/bugzilla/attachment.cgi?id=259 (Working ejabberd-2.0.0 LDAPS patch). I reviewed the link in my download manager.
Ok; try with the updated patch
It seems the patch had some file format problem. In my system, 'patch' applies it correctly but reports some warnings. It seems in your system, 'patch' refused completely to apply it.
I've modified the file format and submitted to Bugzilla:
Working ejabberd-2.0.0 LDAPS patch, without CR
Let's hope this time you can apply it correctly.
BTW, if you try the patch, it would be nice if you comment here your results: does it work correctly? did you find any problem with it?
OK, this patch works against
OK, this patch works against ejabberd-2.0.0:
$ fox@black ~/temp/tmp/ejabberd-2.0.0/src $ patch -p2 < ldaps-2.0.0.diff
patching file eldap/eldap.erl
patching file ejabberd_auth_ldap.erl
patching file mod_vcard_ldap.erl
But it does not work against the latest SVN (revision 1313) (it isn't needed, but you may be interested in it :-)):
fox@black ~/svn/ejabberd_trunk/trunk $ fox@black ~/svn/ejabberd_trunk/trunk/src $ patch -p2 < ldaps-2.0.0.diff
patching file eldap/eldap.erl
Hunk #1 FAILED at 35.
Hunk #2 FAILED at 82.
Hunk #3 FAILED at 105.
Hunk #4 FAILED at 396.
Hunk #5 succeeded at 510 with fuzz 2 (offset 15 lines).
Hunk #6 FAILED at 560.
Hunk #7 FAILED at 578.
Hunk #8 FAILED at 591.
Hunk #9 FAILED at 602.
Hunk #10 FAILED at 658.
Hunk #11 FAILED at 909.
Hunk #12 succeeded at 1020 with fuzz 2 (offset 86 lines).
Hunk #13 FAILED at 1034.
11 out of 13 hunks FAILED -- saving rejects to file eldap/eldap.erl.rej
patching file ejabberd_auth_ldap.erl
Hunk #2 succeeded at 363 (offset 9 lines).
patching file mod_vcard_ldap.erl
So, I can't complete the test of whether LDAPS works correctly right now. I will do it on Monday, 5 May 2008.
I'm waiting for official LDAPS support too. :-)
Patch updated to SVN trunk.
> does not work against latest svn (1313 revision) (it doesn't need, but you may be interesting it :-))
I've updated the patch to work with ejabberd trunk SVN r1321. It is published with all the others on the Bugzilla page.
Most likely the eldap.erl
Most likely the eldap.erl and ejabberd_auth_ldap.erl files were changed after ejabberd-2.0.0. This is why you are getting the offsets when trying to apply the patch.
Has anyone tried this with
Has anyone tried this with ejabberd-2.0.0? Also, is there any other way to do this without having to recompile? For some reason I couldn't compile ejabberd and had to install it using the binary installation. If anyone has a workaround or an example of an external authentication script, it would be greatly appreciated.
Andy
LDAPs does not work for me
I get the following error when trying to enable LDAPS:
** Reason for termination =
** {{badmatch,{error,{asn1,{'Type not compatible with table constraint',
{{component,'Type'},
{value,
{22,<<"OpenSSL Generated Certificate">>}}}}}
}},
[{ssl_pkix,transform,1},
{lists,map,2},
{lists,map,2},
{ssl_pkix,transform,1},
{ssl_pkix,transform,1},
{ssl_pkix,decode_cert,2},
{eldap,do_connect,3},
{eldap,connect_bind,1}]}
In LDAP server logs, I see that ejabberd is connected on 636 port; "TLS established tls_ssf=256 ssf=256"; "closed (connection lost)".
Can anybody give me any hints?
ejabberd=1.1.2 with the patch from bugzilla;
erlang=11.b.2
LDAP
LDAP is better in version 1.1.4. You should upgrade to this one.
It is probably not related to your problem. LDAP depends heavily on making your configuration right with your LDAP schema.
--
Process-one
Mickaël Rémond
LDAPs does not work for me
> LDAP depends heavily on making your configuration right with your LDAP schema.
Sorry, I do not understand what you mean. I do not have any problem with LDAP. ejabberd worked with the local LDAP server, and it works with stunneled LDAP now. This LDAP server is used by pam, nss, apache, and I-forget-what-else. It is TLS support in ejabberd for LDAP that does not work. Moreover, it does not work and, at the same time, it fails to tell me what the problem is, showing an Erlang trace instead of a human-readable message. How do you propose to solve this problem by tuning the LDAP schema (which is OK, I'm sure)? Maybe I've missed something in your message?
Error using this patch
I got the following error message when trying to use this patch:
** {{badmatch,
{error,
{asn1,
{'Type not compatible with table constraint',
{{component,'Type'},{value,{3,<<6,192>>}}}}}}},
[{ssl_pkix,transform,1},
{lists,map,2},
{lists,map,2},
{ssl_pkix,transform,1},
{ssl_pkix,transform,1},
{ssl_pkix,decode_cert,2},
{eldap,do_connect,3},
{eldap,connect_bind,1}]}
According to strace, the program tries to read /etc/pki/tls/cert.pem, which seems to be a default value hardcoded somewhere I couldn't find. Even putting a real certificate there doesn't help; I still get this error, which seems to be related to ASN.1 encoding, not to certificate validation.
Is there a plan to add this feature to an upcoming release?
Plaintext passwords sent to the LDAP server are easily snooped without this feature.
Otherwise ejabberd's LDAP support is excellent - better than other FOSS options.
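The snooping risk this post describes, shown from the detection side: an added Python example (not ejabberd's code and not the patch author's) that parses captured LDAP BindRequest PDUs and alerts on simple binds that carry a non-empty password, which is what a plain-LDAP bind from ejabberd looks like on the wire. The BER tags follow RFC 4511; the captured messages, DN, password and port numbers are constructed for the example, and the port-636 entry is only a TLS record header, included to show that LDAPS traffic does not parse as LDAP at all.

```python
"""Flag cleartext LDAP simple binds in captured traffic.

Added example, not from ejabberd or the patch. It implements just enough BER
to build and parse an LDAP BindRequest (RFC 4511): LDAPMessage is a SEQUENCE
of messageID INTEGER and an [APPLICATION 0] BindRequest holding the version,
the bind DN and an AuthenticationChoice, where simple authentication is a
[0] OCTET STRING carrying the password as-is. The captures below are
constructed; the encoder exists only to build them. Port numbers are the TCP
destination ports the messages were observed on.
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
APP_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
CTX_SIMPLE_AUTH = 0x80    # [0] primitive: simple password


def _ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def bind_request(message_id, bind_dn, password):
    """Encode a simple BindRequest (used here only to construct sample traffic)."""
    req = (_tlv(INTEGER, bytes([3]))                 # LDAP version 3
           + _tlv(OCTET_STRING, bind_dn.encode())
           + _tlv(CTX_SIMPLE_AUTH, password.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + _tlv(APP_BIND_REQUEST, req))


def _read_tlv(buf, pos):
    """Decode one tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_bind(pdu):
    """Return details if pdu is an LDAP BindRequest, else None.

    TLS records (LDAPS on 636) start with 0x16/0x17, not SEQUENCE, so they
    return None: a passive observer cannot read the password there.
    """
    if len(pdu) < 2 or pdu[0] != SEQUENCE:
        return None
    try:
        _, msg, _ = _read_tlv(pdu, 0)
        tag, mid, pos = _read_tlv(msg, 0)
        if tag != INTEGER:
            return None
        tag, op, _ = _read_tlv(msg, pos)
        if tag != APP_BIND_REQUEST:
            return None                             # some other LDAP operation
        _, _, pos = _read_tlv(op, 0)                # version, not needed here
        _, dn, pos = _read_tlv(op, pos)
        tag, auth, _ = _read_tlv(op, pos)
    except IndexError:                              # truncated PDU
        return None
    return {
        "message_id": int.from_bytes(mid, "big"),
        "bind_dn": dn.decode("utf-8", "replace"),
        "simple": tag == CTX_SIMPLE_AUTH,
        "password_length": len(auth) if tag == CTX_SIMPLE_AUTH else 0,
    }


def flag_cleartext_binds(captured):
    """captured: iterable of (dst_port, first PDU bytes). Return alert strings.

    Anonymous simple binds (empty password) and SASL binds are not alerted.
    """
    alerts = []
    for port, pdu in captured:
        info = inspect_bind(pdu)
        if info and info["simple"] and info["password_length"] > 0:
            alerts.append("port %d msg %d: simple bind as %s exposes a %d-byte password"
                          % (port, info["message_id"], info["bind_dn"], info["password_length"]))
    return alerts


# Constructed captures: two plain LDAP binds on 389 and the start of a TLS
# ClientHello on 636 (record header only; the bytes are illustrative).
CAPTURED = [
    (389, bind_request(1, "uid=alice,dc=test,dc=com", "s3cret")),
    (389, bind_request(2, "", "")),                  # anonymous bind
    (636, bytes.fromhex("160301002f0100002b0303")),
]

if __name__ == "__main__":
    for alert in flag_cleartext_binds(CAPTURED):
        print(alert)
```

In a real deployment the same logic belongs in a network sensor watching port 389 toward the directory server: after the patch is enabled and ldap_port is 636, every bind from the ejabberd host should stop matching, which is the simplest way to confirm the change actually took effect.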
It seems so; look in the
It seems so; look in the roadmap.
--
sander