Working mod_shared_roster_ldap with Active Directory Configuration

After much time staring at documentation and forum posts, I have managed to successfully populate a user's roster using mod_shared_roster_ldap with Active Directory.

The process is quick and appears to work well with a few caveats. With everything configured, I noticed I had some presence issues. More specifically, if I added a user that was not within any of the LDAP groups the authorization was never sent. This occurred across several clients, iChat, Spark, Adium, and Pidgin.

Also, the LDAP groups are populated across all users that can authenticate to the jabber server. This is not something we want for our organization, so we ended up using mod_shared_roster with manual groups, but with scripts that monitor the LDAP groups and update the shared roster as needed with the ejabberdctl command with the mod_admin_extra module. I do not know if there is a way to do the displayed groups functionality with mod_shared_roster_ldap, but if someone knows how then please let me know!

Anyways, below are the configurations.

Setup LDAP Authentication

%% Authentication using LDAP
{auth_method, ldap}.
%% List of LDAP servers:
{ldap_servers, [""]}.   
%% Encrypt the LDAP connection.
%% Do not verify TLS due to encrypted LDAP not working when turned on
{ldap_encrypt, tls}.
{ldap_tls_verify, false}.
{ldap_port, 636}.
%% LDAP attribute that holds user ID:
{ldap_uids, [{"sAMAccountName"}]}.
%% Search base of LDAP directory:
{ldap_base, "OU=Users,DC=server,DC=com"}.
%% LDAP manager:
{ldap_rootdn, "CN=ldapauth,OU=users,DC=server,DC=com"}.
%% Password to LDAP manager:
{ldap_password, "*******"}.
%% In our configuration, this could also be left blank
{ldap_filter, "(objectClass=organizationalPerson)"}.

Add admin user from Active Directory

%% Change NetID to whatever the actual value of the user CN is.
{acl, admin, {user, "NetID"}}.

mod_shared_roster_ldap Configuration

{mod_roster,   []},
{mod_shared_roster_ldap, [
        {ldap_groupattr, "cn"},
        {ldap_groupdesc, "description"},
        {ldap_memberattr, "member"},
        {ldap_memberattr_format, "CN=%u,OU=Users,DC=server,DC=com"},
        {ldap_useruid, "cn"},
        {ldap_userdesc, "displayName"},
        {ldap_rfilter, "(&(objectClass=group)(info=JabberRosterGroup))"},
        {ldap_gfilter, "(&(objectClass=group)(info=JabberRosterGroup)(cn=%g))"},
        {ldap_ufilter, "(&(objectClass=user)(cn=%u))"},
        {ldap_filter, ""},
%%{mod_stats,    []},
{mod_time,     []},
%%{mod_vcard,    []},

The above configurations will obviously need to be modified to fit your organization, especially the ldap_*filter parameters. Our organization looks for the groups based on "JabberRosterGroup" being in the info field.

Additional Resources

I hope this helps those still in the processing of getting this working. If anyone sees errors, or a better way to do something, do not hesitate to let me know.

Hi, can you help me to


can you help me to Configure mod_shared_roster_ldap .

My AD User details are

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Aarthi Rajasekar
sn: Rajasekar
description: 1701224
physicalDeliveryOfficeName: Chennai
telephoneNumber: 2414
givenName: Aarthi
initials: R
distinguishedName: CN=Aarthi Rajasekar,OU=Chennai_Users,DC=testing,DC=com
displayName: Aarthi Rajasekar
name: Aarthi Rajasekar
codePage: 0
countryCode: 0
primaryGroupID: 513
sAMAccountName: rajasaa
sAMAccountType: < samUserAccount >
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
userCertificate: Aarthi Rajasekar
userCertificate: Aarthi Rajasekar
objectGUID: {F7D43EA8-2891-49A2-8352-26539C2E007B}
objectSid: S-1-5-21-1699561171-4188548150-740795862-4574


Syndicate content