LDAP (active directory)

I got SRV records working (had to replace Windows NT 4.0 DNS server with Bind), so now name@myserver.com addresses work great, same as the email addresses, and it communicates without problems with all the public jabber servers that I tried, including google-talk.

I still have no idea about whether LDAP is supposed to work with active-directory, I see some forum posts that say that it works, so is that patch that I mentioned below relevant?

Also, would LDAP prevent me from using shared-roster? It's a very nice feature... The shared-roster tutorial says that it won't work, but the comments below it say that it does work?

BTW, I tried Psi and Exodus with shared-roster (everybody group created with @all@), and they both also show myself (as offline) in the everybody group, is there a way to remove that? If I remove it, it re-appears when I reconnect. (Tkabber works correctly and doesn't show my own account as part of the group, but I'm interested in Psi for jingle/VoIP).

Also, another question: is there a good way to deny connection to the ejabberd server for anyone who doesn't connect from within the company, i.e. for anyone whose current host doesn't match the ejabberd server host, or if he's not in the domain or something like that?

Thanks in advance for any comments,
Iddo

Could anyone please explain whether ejabberd 1.0.0 is supposed to have built-in support for LDAP authentication that works, or there's something missing in the 1.0.0 release? I came across this page:
http://www.ejabberd.im/ejabberd_ad
Is this patch needed for using active directory authentication in windows, or ejabberd is supposed to work without it and I just haven't figured out how to configure it correcly?
Any help?
Thank you

Hello,
I tried the suggestion (and variations of it) of Paco, but it didn't work. I think that it works for him in win2003, but I'm using win2000, and in win2000 the default for active directory is "{ldap_uidattr, "uid"}." I think?
Could anyone else please try to help with getting LDAP to work according to my configuration, or help me with how to find out other parameters of my configuration, as I asked above?
Thanks a lot.

I think this gonna help:

{auth_method, ldap}.
{ldap_servers, ["myserver.com"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "DC=myserver,DC=com"}. % Base of LDAP directory
{ldap_rootdn, "CN=Administrator,CN=Users,DC=myserver,DC=com"}. % LDAP manager
{ldap_password, "password"}. % Password to LDAP manager

{hosts, ["myserver.com"]}.

In my example, the usernames for Jabber clients (eg. Exodus) are like this:
username@myserver.com

It's working for me. Good luck!
Paco

Thanks for the reply.
I'm away and so I'll test it only the day after tomorrow, and report back here.
But, why is the subject of your reply "Windows 2003 LDAP" ??
As I wrote, my LDAP machine is running win2000, not win2003 - is your reply also supposed to work for win2000 ?
I tried most of what you said, except "samAccountName", and also, I'm still not sure about the hosts line, because it only worked (with internal authentication) with internet.myserver.com - but then it seems that the users addresses are user@internet.myserver.com which isn't what it should be, as the email addresses are user@myserver.com
If others could comment further, please do...
Thank you,
Iddo

You could always make users tell there jabber-clients to use a specific server when they talk to you JID. You could have id@my.domain use a server at jabber.another.domain JID has nothing to do with DNS names (except some of the format).

So you should use the always have that in mind when you set up a Jabber server.

You can do things to make it work transparent.

JID: id@jabber.server.domain
Server machine DNS name: jabber.server.domain

This is easy to set up, but not that flexible. What if you want to change machine to run the server on?

JID: id@jid.domain
Server machine DNS name: jabber.server.domain

Make some changes in DNS for id.domain
That is, put some SRV posts into your DNS server for the jid.domain that points jabber services to jabber.server.domain
You need to look that up

It works like SIP-server and SIP-names.

I'll guess that the last is what you realy want to do.

Thanks, I'll try to figure out the DNS issue.
But I still haven't got LDAP authentication to work:(
Any ideas on how to figure out the correct settings?
I tried to search, and I see mentioned that ejabberd1.0.0 LDAP is perhaps broken? I'm not sure... So I installed ejabberd0.9.8 as well, but neither worked for me so far.
I noticed that microsoft exchange server is also using the active directory in order to get the logins/passwords of users, but because it's a microsoft product, there aren't really any settings in it that I can copy, i.e. it's all just default it seems.
I'm not sure if the output that I pasted above is supposed to be useful, or how else to figure out the correct settings?
Any comments?
Thanks...

I am also attempting to make my local area messaging service be integrated into our existing Active Directory infrastructure. As per documented here and based on a friend of mine's suggestions i have come up with the following LDAP configuration:

{auth_method, ldap}.
{ldap_servers, ["10.100.0.20"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "ou=Usuarios,ou=Corporativo,dc=metrored,dc=local"}. % Search base of LDAP directory
{ldap_rootdn, "cn=Administrador,dc=metrored,dc=local"}. % LDAP manager
{ldap_password, "XXXXXXXX"}. % Password to LDAP manager

However i have had many problems and to this point in time the authentication does not work against the AD yet. I am certain that i have configured the ldap_base and the ldap_password; but i am not sure that my ldap_base is correct by just adding the dc's or if it needs the ou's as well.

This is what my ejabberd.log has to say about it:

=INFO REPORT==== 2006-04-28 10:46:33 ===
I(<0.1193.0>:ejabberd_listener:90): (#Port<0.2157>) Accepted connection {{10,100,3,91},42672} -> {{10,100,0,8},5222}

=INFO REPORT==== 2006-04-28 10:46:33 ===
I(<0.1270.0>:ejabberd_c2s:417): (#Port<0.2157>) Failed legacy authentication for diego.defuentes@metrored.com.mx/Psi

I will go to my AD server to check if it has any kind of logs available, in the meantime; can anyone please clarify my question?

Thanks in advance.

I made an export of my Active Directory structure and found our that the rootdn was incomplete, here goes my final working configuration:

{auth_method, ldap}.
{ldap_servers, ["10.100.0.20"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "OU=Usuarios,OU=Corporativo,DC=metrored,DC=local"}. % Search base of LDAP directory
{ldap_rootdn, "CN=Administrador,CN=Users,DC=metrored,DC=local"}. % LDAP manager
{ldap_password, "XXXXXXXXXXX"}. % Password to LDAP manager

I hope this saves someone some grief in the future when dealing with this...

Hi all,

I am trying to get this running, too, unfortunately without success.
So my first question: do I need this ejabberd_ad patch and if so, why?
My ejabberd package comes with LDAP support I think, so AD authentication should be ok?

I have the following configuration:
{auth_method, ldap}.
{ldap_servers, ["server1.arkona.local"]}. % List of LDAP servers
{ldap_uidattr, "samAccountName"}. % LDAP attribute that holds user ID
{ldap_base, "OU=Users OU,DC=arkona,DC=local"}. % Search base of LDAP directory
{ldap_rootdn, "CN=Administrator,OU=Groups and Buildins,DC=arkona,dc=local"}. % LDAP manager
{ldap_password, "OurPassword"}. % Password to LDAP manager

The Users OU is definitely right, the Administrator also.
So what the hack am I doing wrong?
Is it because of the spaces in the basedn and rootdn?

Thanks for any help,

Matthias

I think you might want to take a look at this patch to improve LDAP support in ejabberd. Check the included README and ldap_guide.txt files.

@badlop: maybe that patch should be listed on the contribs page?

--
sander

Done, but even better: include in ejabberd svn, or at least bugzilla

I've been struggling with this for days ... and I'm *sure* that I'm missing something basic.

I'm using the latest version of ejabberd from ProcessOne (1.1.2 I believe).

I've installed this to an XP machine, which belongs to the domain as a workstation, with the firewall off.

I want to be able to authenticate users who exist in the AD, using their AD credentials.

The logs for ejabberd don't seem to tell me anything useful. (i.e. It may be useful information, but not for me.) :)

I have followed the examples from this site, as well as a translated version of this page: http://realloc.spb.ru/share/ejabberd112ad.html

I'm using Pidgin to connect to the ejabberd server, and could be doing something wrong on the client side. I'm not sure what "screen name" equates to in the AD. In Pidgin, I get authentication failed errors when I try and use an AD account.

I do have ejabberd set to allow LDAP and internal, and I'm able to register new accounts.

Does there exist somewhere a comprehensive overview of "active directory" authentication, including client side stuff? If not, does anyone have suggestions as to what stupid thing I might be doing wrong?

If I can get this working, I'd be happy to contribute an english language document detailing the steps I take, client side config, etc.

Thank you for your time and consideration. :)

James

I have never used LDAP/AD auth on ejabberd.

Umm, so they don't show any ERROR, CRASH... reports for you.

So, you have something like this?

{auth_method, [internal, ldap]}.

Please note that the guide and the russian article from realloc use this:

{auth_method, ldap}.

Hi all,

I'm in the same problem, my case:

Server with ejabbered: pepe.domain.com
Server with active directory: ad.domain.com

Configuration file:

{auth_method, ldap}.
{ldap_servers, ["ad.domain.com"]}. % List of LDAP servers
{ldap_base, "dc=domain,dc=com"}. % Search base of LDAP directory
{ldap_rootdn, "cn=Administrador,cn=Users,dc=domain,dc=com"}. % LDAP manager
{ldap_password, "pwdAdministrator"}. % Password to LDAP manager
{ldap_uidattr, "samAccountName"}.

{hosts, ["pepe.domain.com","domain.com"]}.

User on Active Directory:
user name: dummy
user login: dummy
user email: dummy@domain.com

Client:
PSI
Configuration:
jid: dummy@domain.com
server: pepe.domain.com
* One question about he client side, I have to register the user, or just login?

Please what I have to do to make it work, I left 4 hours allready.

Thanks in advance

Regarding LDAP, the development version contains a fix that could help you (SVN).
Which version are you using ?

--
Mickaël Rémond
Process-one

I'm using the last one, 1.1.3.

Where I have to go to look for SVN?

Thanks.

Try to replace eldap.erl with this file from the development version and recompile ejabberd:
http://svn.process-one.net/ejabberd/trunk/src/eldap/eldap.erl

--
Mickaël Rémond
Process-one

Hi Mickël,

I've compiled the file but it does the same. The key it's that this eldap.erl file it's the same as 1.1.3.

How I can get a better log to look for what's happening?

Carles.

Hi again,

I get to start in command line, and I get the next log results, it logs onto ldap/AD but it sais:

"I(<0.295.0>:ejabberd_c2s:417): (#Port<0.311>) Failed legacy authentication for dummy@domain.com/Psi"

I checked on the PSI client the plain text conection and it gets the ldap correct autentication.

Here it's the full log:

Eshell V5.5.2.2 (abort with ^G)
(ejabberd@localhost)1> ---- Message:[{'LDAPMessage',1,
{bindRequest,
{'BindRequest',
3,
"CN=Administrador,CN=Users,DC=domain,DC=com",
{simple,"pwdAdministrator"}}},
asn1_NOVALUE}]
(ejabberd@localhost)1> ---- Message:[{'LDAPMessage',1,
{bindRequest,
{'BindRequest',
3,
"CN=Administrador,CN=Users,DC=domain,DC=com",
{simple,"pwdAdministrator"}}},
asn1_NOVALUE}]
(ejabberd@localhost)1> ---- [{'LDAPMessage',1,
{bindResponse,{'BindResponse',
success,
[],
[],
asn1_NOVALUE,
asn1_NOVALUE}},
asn1_NOVALUE}](ejabberd@localhost)1> ---- [{'LDAPMessage',1
,
{bindResponse,{'BindResponse',
success,
[],
[],
asn1_NOVALUE,
asn1_NOVALUE}},
asn1_NOVALUE}](ejabberd@localhost)1>
=INFO REPORT==== 9-Aug-2007::10:24:59 ===
I(<0.226.0>:ejabberd_listener:90): (#Port<0.311>) Accepted connection {{192,168,25,55},2450} -> {{192,168,25,55},5222}
(ejabberd@localhost)1> ---- [{searchRequest,{'SearchRequest',"dc=domain,dc=com"
,
wholeSubtree,
neverDerefAliases,
0,
0,
false,
{'and',
[{equalityMatch,
{'AttributeValueAssertion',
"mail",
"dummy@domain.com"}},
{equalityMatch,
{'AttributeValueAssertion',
"memberOf",
"CN=JabberUsers,CN=Users,DC=domain,DC=com"}},
{'or',
[{equalityMatch,
{'AttributeValueAssertion',
"userAccountControl",
"66050"}},
{equalityMatch,
{'AttributeValueAssertion',
"userAccountControl",
"66048"}}]}]},
[]}}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://ForestDnsZones.domain.com/DC=ForestDnsZones,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://DomainDnsZones.domain.com/DC=DomainDnsZones,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResRef,["ldap://domain.com/CN=Configuration,DC=domain,DC=com"]}]
(ejabberd@localhost)1> ---- [{searchResDone,{'LDAPResult',success,[],[],asn1_NOVALUE}}]
(ejabberd@localhost)1>
=INFO REPORT==== 9-Aug-2007::10:24:59 ===
I(<0.295.0>:ejabberd_c2s:417): (#Port<0.311>) Failed legacy authentication for dummy@domain.com/Psi

This patch definitely fixes the problem you describe.
You probably miss a step in the recompile / deployment.

If you can wait for a few days, we are preparing a version 1.1.4 that will include this patch among others.

--
Mickaël Rémond
Process-one