[ejabberd] ejabberd 0.7.5 for Windows

dragon_sphere at vdsworld.com
Wed Oct 13 19:49:35 MSD 2004


> Hi,
> I didn't try the Ejabberd version for Windows, but if it is the same
> as the Linux one, you can't create/remove users while using LDAP
> authentication.
>
> For passwords, you must store them in plaintext, because you need them
> in order to bind users on the LDAP server. It may be possible to
> remove password displaying in the WebAdmin pages.
>
> AM
>

Antoine and everyone else,
  So there is no way to store the user's password as encrypted on the
server.  Under mod_auth_crypt for Jabber 1.4.x and I think Jabber 2.x
you can have your client send the password over the wire in plain text
and the module validates the plain text password to a hash on the
server.  At least that is how I understand it.  That is why you force
the user to use TLS/SSL so that all traffic between the client and server
is encrypted.  I use both Exodus and PSI clients and they both have the
ability to use SSL but send within the SSL stream the plain text
password of the user.  Maybe I am missing something here?  Also if you
use LDAP for authentication then how does the client software create a
new account for the user on LDAP, or is it up to the admin to create
accounts for the users on the ejabberd server?  Also I noticed that
ejabberd logs into LDAP as anonymous instead of using the directory
manager's username and password.  Are there any other options that can be
set for the LDAP module in ejabberd?  I have not fully read this part of
the online docs yet so maybe the answer is in that.  Anyway I am still
trying to understand the relationship between all this stuff.  If you
deploy ejabberd in an enterprise environment you would not want your
Administrator(s) to be able to lurk on an Executive's conversation with
HR, right?  In any large org there is a potential that someone is not on
the up & up.  Also, are there any plans to allow for client side x.509
certificates to be used with ejabberd as an authentication scheme?  Just
a request...  Anyway I guess ejabberd is only as secure as the server
on which it is running but I guess that could be said about any network
aware software and it is up to the admin and developers to make it as
secure as possible.

Thanks,
JKinsey (AKA... DragonSphere)


