Another mod_shared_roster_ldap

I’m working on setting up an ejabberd server for our company for intranet communications. My goal is to set up rosters via your work on mod_shared_roster_ldap. I’m not a computer technician, but a lonely pharmacist with some knowledge of Linux and the inner workings thereof. I have compiled the latest version of the module and have it installed on my Linux distribution (archlinux, not that it matters too much). Ejabberd seems to be running fine, I can connect, add users, groups, and be authenticated via LDAP, but for the life of me I can't get my rosters to work.

I have compiled the latest module from this link https://support.process-one.net/browse/EJAB-1480 and it seems to be running just fine. I just don't know where I'm going wrong with the config file.

So far I have the server seeing all the domains in our forest, so I know that the LDAP connection is working. I’m having trouble sorting out what I need to put in the msrl portion of the config. Below is the setup so far.

{mod_shared_roster_ldap, [
    {ldap_base, "dc=chs,dc=home"},
    {ldap_rfilter, "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"},
    {ldap_group_is_dn, "true"},
    {ldap_gfilter, "(&(sAMAccountType=805306368)(!(objectClass=computer)))"},
    {ldap_groupdesc, "ou"},
    {ldap_memberattr, "sAMAccountName"},
    {ldap_member_is_dn, "true"},
    {ldap_member_selection_mode, memberattr_dn},
    {ldap_ufilter, "(objectClass=user)"},
    {ldap_useruid, "sAMAccountName"},
    {ldap_userdesc, "displayName"},
    {ldap_roster_cache_size, "0"}
]}.

An LDAP search on a user via this command (ldapsearch -x -LLL -h chssvr02.chs.home -D "user@chs.home" -W -b "dc=CHS,dc=HOME" -s sub "(cn=user)") sends back the following response (most of the private information has been removed).

dn: CN=First Last,OU=CHS User Accounts,DC=CHS,DC=HOME
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: First Last
sn: Last
givenName: Kristina
distinguishedName: CN=First Last,OU=CHS User Accounts,DC=CHS,DC=HOME
instanceType: 4
whenCreated: 20090727161301.0Z
whenChanged: 20121207230840.0Z
displayName: First Last
uSNCreated: 1357566
uSNChanged: 25594644
name: First Last
objectGUID:: k5IkX0J1U0eAXTI//6hYmQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130002480347920234
lastLogoff: 0
lastLogon: 130002480372138984
pwdLastSet: 129979943174322319
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAgoumKB2cOGLnbvN/twgAAA==
accountExpires: 9223372036854775807
logonCount: 1876
sAMAccountName: flast
sAMAccountType: 805306368
userPrincipalName: flast@CHS.HOME

and here is a portion of the log showing what I think is a DN error:

=INFO REPORT==== 17-Dec-2012::16:04:16 ===
D(<0.346.0>:eldap:697) : {searchRequest,
{'SearchRequest',"flast",baseObject,
neverDerefAliases,0,5,false,
{equalityMatch,
{'AttributeValueAssertion',"objectClass","user"}},
["displayName","sAMAccountName"]}}

=INFO REPORT==== 17-Dec-2012::16:04:16 ===
D(<0.346.0>:eldap:768) : {searchResDone,
{'LDAPResult',invalidDNSyntax,[],
[48,48,48,48,50,48,56,70,58,32,78,97,109,101,
69,114,114,58,32,68,83,73,68,45,48,51,49,48,
48,49,66,65,44,32,112,114,111,98,108,101,
109,32,50,48,48,54,32,40,66,65,68,95,78,65,
77,69,41,44,32,100,97,116,97,32,56,51,53,48,
44,32,98,101,115,116,32,109,97,116,99,104,
32,111,102,58,10,9,39,118,105,99,109,97,117,
39,10,0],
asn1_NOVALUE}}

As far as I can tell MSRL is finding users, as on my ssh client it is scrolling through hundreds of usernames before stopping with this error.

Cheers

Sorry to reply too late, but

Sorry to reply too late, but the error seems to indicate some problem with LDAP itself.
The error name is invalidDNSyntax (invalid Distinguished Name syntax); I suspect some LDAP entity is internally malformed.
The error text is:

0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
	'vicmau'

This seems to support my idea.
And so do your words that the logs show normal operation until this "error" (which is not treated as an error by ejabberd, as you may note; it is just =INFO REPORT====).
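The byte list in that log is simply how Erlang prints a string. As an added example that is not part of this thread, the Python below (helper names are my own) decodes the quoted excerpt and splits the Active Directory diagnostic into its fields, which is how the error text above is recovered.

```python
import re

# Constructed from the eldap debug excerpt quoted in the thread: Erlang prints the
# server's diagnostic message as a list of byte values, which is what we decode here.
LOG_EXCERPT = """{searchResDone,
{'LDAPResult',invalidDNSyntax,[],
[48,48,48,48,50,48,56,70,58,32,78,97,109,101,
69,114,114,58,32,68,83,73,68,45,48,51,49,48,
48,49,66,65,44,32,112,114,111,98,108,101,
109,32,50,48,48,54,32,40,66,65,68,95,78,65,
77,69,41,44,32,100,97,116,97,32,56,51,53,48,
44,32,98,101,115,116,32,109,97,116,99,104,
32,111,102,58,10,9,39,118,105,99,109,97,117,
39,10,0],
asn1_NOVALUE}}"""

# An LDAPResult tuple: result code, matched-DN list, then the message as a byte list.
RESULT_RE = re.compile(r"\{'LDAPResult',(\w+),\[[^\]]*\],\s*\[([\d,\s]*)\]")
# Active Directory's diagnostic layout:
# "<hex code>: <category>: DSID-<id>, problem <n> (<NAME>), data <n>, best match of: '<best match>'"
AD_MSG_RE = re.compile(
    r"(?P<code>[0-9A-F]{8}): (?P<category>\w+): DSID-(?P<dsid>[0-9A-F]+), "
    r"problem (?P<problem>\d+) \((?P<name>\w+)\), data (?P<data>\d+)"
    r"(?:, best match of:\s*'(?P<best_match>[^']*)')?")

def decode_erlang_charlist(text):
    """Turn an Erlang integer list such as 48,48,... into text, dropping a trailing NUL."""
    values = [int(v) for v in text.replace("\n", "").split(",") if v.strip()]
    return bytes(values).decode("utf-8").rstrip("\x00")

def parse_ldap_result(log):
    """Return the result code plus the decoded and, for AD, field-split diagnostic."""
    m = RESULT_RE.search(log)
    if not m:
        raise ValueError("no LDAPResult in log excerpt")
    message = decode_erlang_charlist(m.group(2))
    fields = {"result_code": m.group(1), "message": message}
    ad = AD_MSG_RE.match(message)
    if ad:  # other LDAP servers word their messages differently; keep the raw text then
        fields.update(ad.groupdict())
    return fields

if __name__ == "__main__":
    for key, value in parse_ldap_result(LOG_EXCERPT).items():
        print(f"{key}: {value!r}")
```

Note that in the searchRequest logged just before this result, the base object is "flast", a bare sAMAccountName where the server expects a DN, which is consistent with the invalidDNSyntax answer.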

Hi Team, I have ejabberd

Hi Team,

I have an ejabberd server running with version 2.1.9. It is also integrated with an AD server.
Right now I am using the mail attribute in the AD server as the chat JID.

{ldap_uids, [{"mail", "%u@domain.com"}]}.

Could you please tell me how to use the givenName and sn attributes in the AD server, like below:

givenName.SN@domain.com

Please help me to resolve this issue.

Regards
Moorthy

ejabberd does not implement

ejabberd does not implement this. You can only use one attribute to construct JIDs.

Maybe it is possible to create an intermediate LDAP server that would take data from AD and internally combine it to change the LDAP representation.

Hi, Thank you so Much. Is

Hi,

Thank you so much.

Is it possible to display the AD user's full name in the client using mod_shared_roster_ldap?

Config Commands
****************
{mod_shared_roster_ldap, [
    {ldap_servers, ["dc.domain.tld"]},
    {ldap_base, "ou=location,ou=companyname,dc=domain,dc=tld"},
    {ldap_rootdn, "cn=username,cn=Users,dc=domain,dc=tld"},
    {ldap_password, "SuperSecret"},
    {ldap_groupattr, "department"},
    {ldap_groupdesc, "department"},
    {ldap_memberattr, "sAMAccountName"},
    %%{ldap_memberattr_format, "uid=%u*"},
    {ldap_filter, "(sAMAccountName=*)"}
]}

Please confirm

Thanks
Krishna

Your config cannot be

Your config cannot be used.
You haven't specified ldap_rfilter, which is required.

Hi, can you give some more

Hi,

can you give some more explanation about ldap_rfilter please...

My user's LDAP details:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ezhumalai Desingu
sn: Desingu
description: 17185
physicalDeliveryOfficeName: Chennai
telephoneNumber: 4506
givenName: Ezhumalai
initials: D
distinguishedName: CN=Ezhumalai Desingu,OU=Chennai_Users,DC=testing,DC=com
displayName: Ezhumalai Desingu
wWWHomePage: home.testing.co.in
name: Ezhumalai Desingu
codePage: 0
countryCode: 0
primaryGroupID: 513
sAMAccountName: desinez
sAMAccountType: < samUserAccount >
userPrincipalName: desinez@testing.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=testing,DC=com
mail: ezhumalai.desingu@vernal.is
objectGUID: {F92291F3-FA56-445B-B4FF-519734687741}
objectSid: S-1-5-21-1699561171-4188548150-740795862-4482

Regards
Krishna

{mod_shared_roster_ldap, [

{mod_shared_roster_ldap, [
    {ldap_servers, ["dc.domain.tld"]},
    {ldap_base, "ou=location,ou=companyname,dc=domain,dc=tld"},
    {ldap_rootdn, "cn=username,cn=Users,dc=domain,dc=tld"},
    {ldap_password, "SuperSecret"},
    {ldap_filter, ""},

    {ldap_rfilter, "(objectClass=user)"},
    {ldap_groupattr, "physicalDeliveryOfficeName"},

    {ldap_gfilter, "(&(objectClass=user)(physicalDeliveryOfficeName=%g))"},
    {ldap_groupdesc, "department"},
    {ldap_memberattr, "sAMAccountName"},

    {ldap_ufilter, "(&(objectClass=user)(sAMAccountName=%u))"},
    {ldap_useruid, "sAMAccountName"},
    {ldap_userdesc, "displayName"}
]}
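To make the roles of these options concrete, here is an added Python simulation (my own code, not ejabberd's) of how mod_shared_roster_ldap uses them, following the query sequence described in the ejabberd documentation for the bundled module: ldap_rfilter selects the entries whose ldap_groupattr values name the groups, ldap_gfilter with %g lists each group's members by ldap_memberattr, and ldap_ufilter with %u fetches ldap_userdesc for each member. The small filter evaluator, the directory entries and all function names are constructed for this example.

```python
import re
def entry(uid, name, office, cls="user"):  # constructed AD entries, not from the thread
    return {"objectClass": ["top", cls], "sAMAccountName": uid, "displayName": name,
            "physicalDeliveryOfficeName": office}
DIRECTORY = [entry("desinez", "Ezhumalai Desingu", "Chennai"), entry("jdoe", "Jane Doe", "Pune"),
             entry("CHD1VERITAS$", "", "Chennai", "computer")]  # computer object, not a user
CONFIG = {  # the options from the post above (server and bind settings omitted)
    "ldap_rfilter": "(objectClass=user)", "ldap_groupattr": "physicalDeliveryOfficeName",
    "ldap_gfilter": "(&(objectClass=user)(physicalDeliveryOfficeName=%g))",
    "ldap_memberattr": "sAMAccountName", "ldap_userdesc": "displayName",
    "ldap_ufilter": "(&(objectClass=user)(sAMAccountName=%u))",
}
def parse_filter(s, pos=0):
    # Recursive-descent parser for the RFC 4515 subset used here: (&..), (!..), (attr=value)
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"syntax error before: {s[pos:]!r}")  # cf. the eldap_utils log line
    pos += 1
    if pos < len(s) and s[pos] in "&!":
        op, items, pos = s[pos], [], pos + 1
        while pos < len(s) and s[pos] == "(":
            node, pos = parse_filter(s, pos)
            items.append(node)
        return (op, items), pos + 1  # skip the closing ')'
    end = s.index(")", pos)
    return ("=", *s[pos:end].split("=", 1)), end + 1

def matches(node, ent):
    # Evaluate a parsed filter against one entry; '*' inside a value is a wildcard
    if node[0] == "&": return all(matches(n, ent) for n in node[1])
    if node[0] == "!": return not matches(node[1][0], ent)
    vals = ent.get(node[1], [])
    pattern = ".*".join(re.escape(p) for p in node[2].split("*"))
    return any(re.fullmatch(pattern, v, re.I) for v in ([vals] if isinstance(vals, str) else vals))

def search(flt, subst=None):
    # Substitute %u/%g the way the module does, then apply the filter to DIRECTORY
    for key, val in (subst or {}).items(): flt = flt.replace(key, val)
    node, _ = parse_filter(flt)
    return [e for e in DIRECTORY if matches(node, e)]

def build_roster(cfg=CONFIG):
    # rfilter -> group names from groupattr; gfilter(%g) -> members; ufilter(%u) -> displayed name
    groups = {e[cfg["ldap_groupattr"]] for e in search(cfg["ldap_rfilter"]) if cfg["ldap_groupattr"] in e}
    roster = {}
    for g in sorted(groups):
        for member in search(cfg["ldap_gfilter"], {"%g": g}):
            uid = member[cfg["ldap_memberattr"]]
            user = search(cfg["ldap_ufilter"], {"%u": uid})[0]
            roster.setdefault(g, {})[uid] = user.get(cfg["ldap_userdesc"], uid)
    return roster
```

Passing an empty string to parse_filter raises the same "syntax error before" complaint that eldap_utils logs for {ldap_filter, ""}.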

Hi mikekagansk, Thank you so

Hi mikekagansk,

Thank you so much for your help.

I am getting an error while using the above config. But after removing the line *****{ldap_filter, ""},***** there are no errors in the log file.

Now I am getting single contacts more than 3 times in Pidgin. I don't know why..
Any help... sorry

Log report while running the above config, for your reference
***********************************************************
=INFO REPORT==== 2013-02-06 20:04:02 ===
I(<0.274.0>:eldap:983) : LDAP connection on 10.199.50.2:389

=INFO REPORT==== 2013-02-06 20:04:02 ===
I(<0.289.0>:eldap:983) : LDAP connection on 10.199.50.2:389

=INFO REPORT==== 2013-02-06 20:04:02 ===
I(<0.36.0>:ejabberd_app:202) : Adding machine's DNS IPs to Erlang system:
[]

=ERROR REPORT==== 2013-02-06 20:04:03 ===
E(<0.358.0>:eldap_utils:165) : failed to parse LDAP filter:
** Filter: []
** Reason: {error,["syntax error before: ",[]]}

=INFO REPORT==== 2013-02-06 20:04:03 ===
I(<0.363.0>:eldap:983) : LDAP connection on 10.199.50.2:389

=INFO REPORT==== 2013-02-06 20:04:03 ===
I(<0.384.0>:ejabberd_listener:166) : Reusing listening port for 5222

=INFO REPORT==== 2013-02-06 20:04:03 ===
I(<0.385.0>:ejabberd_listener:166) : Reusing listening port for 5269

=INFO REPORT==== 2013-02-06 20:04:03 ===
I(<0.386.0>:ejabberd_listener:166) : Reusing listening port for 5280

=INFO REPORT==== 2013-02-06 20:04:03 ===
I(<0.36.0>:ejabberd_app:72) : ejabberd 2.1.9 is started in the node ejabberd@chd1veritas

=INFO REPORT==== 2013-02-06 20:05:39 ===
I(<0.384.0>:ejabberd_listener:281) : (#Port<0.441>) Accepted connection {{10,199,50,65},2780} -> {{10,199,50,65},5222}

=INFO REPORT==== 2013-02-06 20:05:39 ===
I(<0.391.0>:ejabberd_c2s:631) : ({socket_state,tls,{tlssock,#Port<0.441>,#Port<0.451>},<0.390.0>}) Accepted authentication for mohan.rasappan by ejabberd_auth_ldap

=INFO REPORT==== 2013-02-06 20:05:40 ===
I(<0.391.0>:ejabberd_c2s:938) : ({socket_state,tls,{tlssock,#Port<0.441>,#Port<0.451>},<0.390.0>}) Opened session for mohan.rasappan@vernalis.com/2404637558136016134091002

=INFO REPORT==== 2013-02-06 20:05:40 ===
I(<0.391.0>:ejabberd_s2s:369) : New s2s connection started <0.392.0>

Which module (and which

Which module (and which module version) do you use?
I mean, there is the original module from http://www.ejabberd.im/mod_shared_roster_ldap, the improved module by porridge from https://alioth.debian.org/projects/ejabberd-msrl/, the bundled version since 2.1.6 that was prepared by porridge, and an unofficial patch from https://support.process-one.net/browse/EJAB-1480. As you use ejabberd 2.1.9, it seems sensible that you should be using the bundled version, but the error seems to indicate a very old module, so maybe you have replaced the bundled version?

Hi mike, I am using

Hi mike,

I am using the mod_shared_roster_ldap which is included in the ejabberd 2.1.9 package.

Do you want me to try some other package?

Thanks
Krishna

No, I would like you to copy

No, I would like you to copy your mod_shared_roster_ldap config here, please use copy/paste, not retyping, just don't forget to remove sensitive data. I suspect some typo in it.

Hi Below mentioned my config

Hi

Below are my config details...

{mod_shared_roster_ldap, [
    {ldap_servers, ["Server IP ADDRESS"]},
    {ldap_base, "DC=Domain,DC=com"},
    {ldap_rootdn, "CN=Username,CN=Users,DC=Domain,DC=com"},
    {ldap_password, "password"},
    {ldap_filter, ""},

    {ldap_rfilter, "(objectClass=user)"},
    {ldap_groupattr, "physicalDeliveryOfficeName"},

    {ldap_gfilter, "(&(objectClass=user)(physicalDeliveryOfficeName=%g))"},
    {ldap_groupdesc, "department"},
    {ldap_memberattr, "sAMAccountName"},

    {ldap_ufilter, "(&(objectClass=user)(sAMAccountName=%u))"},
    {ldap_useruid, "sAMAccountName"},
    {ldap_userdesc, "displayName"}
]},

Also, I have users in AD arranged in the following manner:

OU=Chennai_Users -> contains Chennai users
OU=Pune_Users -> contains Pune users
OU=NYC_Users -> contains NYC users

Also, help me to sort users into groups.

Thanks Again

Regards
Krishna

Very strange. I have hoped to

Very strange. I had hoped to find an error there, say, a missing letter. Everything looks OK.
Well then, you say that if you comment out the "ldap_filter" string, it works, but returns triple copies of every account. Could you post here a part of logs where the ldap queries are being made? As the log may be lengthy, you may wish to send it to me to mikekaganski@hotmail.com (or put it to a web share and post the link here, but note that this forum may put a message with URLs to moderation). Don't forget to purge sensitive info from there.

Also, please provide the client-server xmpp conversation regarding roster retrieval. You may need to use a client xmpp console (Miranda IM and pidgin have it).

Hi Mike I send the Details

Hi Mike

I sent the details by mail. Please check.

**********
Also, please provide the client-server xmpp conversation regarding roster retrieval. You may need to use a client xmpp console (Miranda IM and pidgin have it).
*************

Do you mean you are asking for the client-side log file in the line above?

Regards
Krishna
