[ejabberd] Re: Extauth - WAS: FreeBSD 6.1 and ejabberd

Riaan Annandale riaan.annandale at is.co.za
Tue Jul 18 13:55:44 MSD 2006


Hi again everyone,

I downloaded the source code for ejabberd and used that - worked first
time. Seems there might be a FreeBSD ports issue...

Anyway, onto the new problem that I have.

I want to use the extauth function to authenticate our users against
Tacacs (which works).

I log the output of the script like this:
### Here i get the variables as discussed on the forum:
    my ($op,$user,$domain,$password) = split /:/,$buf;

### Later in the program:
        $op eq 'auth' and do
          {
                $t= new Authen::TacacsPlus(Host => $tacacshost,
                                 Key => $tacacskey);
                if ($t->authen($user,$password)){
                $result ="0";
                system ("echo Granted - $op, $user, $password, $domain, $result 
>>/tmp/log4me");
}       else {
                $result = "1";
                                system ("echo Denied - $op, $user, $password, $d
omain, $result >>/tmp/log4me");
}
        $t->close();
          },last SWITCH;

### Results pushing back to ejabberd (as per the examples on the site)
        system("echo $result - RESULT >> /tmp/log4me");
    my $out = pack "nn",2,$result ? 1 : 0;
        #system("echo $out >> /tmp/log4me");
    syswrite STDOUT,$out;
  }

closelog;


The contents of my log file looks like this:
Denied - auth, riasdasd, password, localhost, 1
1 - RESULT
Granted - auth, riaana, password, localhost, 0
0 - RESULT

So as you can see - riaana is OK, and riasdasd is just a bogus user.

The problem i have now, is the in Gaim, i still get "logged in" with both accounts. So i'm suspecting a config file issue (attached)

Again, any help will be appreciated.

-- 
riaan annandale, systems engineer, infrastructure
internet solutions, south africa
Direct tel: +27-11-575-4844
Support tel: +27-11-575-0055
-------------- next part --------------
% $Id: ejabberd.cfg.example 538 2006-04-22 04:02:42Z alexey $

%override_acls.


% Users that have admin access.  Add line like one of the following after you
% will be successfully registered on server to get admin access:
%{acl, admin, {user, "aleksey"}}.
%{acl, admin, {user, "ermine"}}.

% Blocked users:
%{acl, blocked, {user, "test"}}.

% Local users:
{acl, local, {user_regexp, ""}}.

% Another examples of ACLs:
%{acl, jabberorg, {server, "jabber.org"}}.
%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
%{acl, test, {user_regexp, "^test"}}.
%{acl, test, {user_glob, "test*"}}.


% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.

% Every username can be registered via in-band registration:
% You could replace {allow, all} with {deny, all} to prevent user from using
% in-band registration
{access, register, [{allow, all}]}.

% After successful registration user will get message with following subject
% and body:
{welcome_message,
 {"Welcome!",
  "Welcome to Jabber Service.  "
  "For information about Jabber visit http://jabber.org"}}.
% Replace them with 'none' if you don't want to send such message:
%{welcome_message, none}.

% List of people who will get notifications about registered users
%{registration_watchers, ["admin1 at localhost",
%                         "admin2 at localhost"]}.
{registration_watchers, ["riaana at 10.1.147.7"]}.

% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.


% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
	       {allow, all}]}.

% Set shaper with name "normal" to limit traffic speed to 1000B/s
{shaper, normal, {maxrate, 1000}}.

% Set shaper with name "fast" to limit traffic speed to 50000B/s
{shaper, fast, {maxrate, 50000}}.

% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
		      {normal, all}]}.

% For all S2S connections used "fast" shaper
{access, s2s_shaper, [{fast, all}]}.

% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.

% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.

% This rule allows access only for local users:
{access, local, [{allow, local}]}.


% Authentication method.  If you want to use internal user base, then use
% this line:
%{auth_method, internal}.

% For LDAP authentication use these lines instead of above one:
%{auth_method, ldap}.
%{ldap_servers, ["localhost"]}.    % List of LDAP servers
%{ldap_uidattr, "uid"}.            % LDAP attribute that holds user ID
%{ldap_base, "dc=example,dc=com"}. % Search base of LDAP directory
%{ldap_rootdn, "dc=example,dc=com"}. % LDAP manager
%{ldap_password, "******"}. % Password to LDAP manager

% For authentication via external script use the following:
%{auth_method, external}.
%{extauth_program, "/path/to/authentication/script"}.

% For authentication via external script use the following:
{auth_method, [external, internal]}.
{extauth_program, "/home/riaana/work/ejabberd/ejabberd-1.1.1/src/authen.pl"}.

% For authentication via ODBC use the following:
%{auth_method, odbc}.
%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.


% Host name:
{hosts, ["localhost"]}.
%{hosts, ["osiris.mundane.co.za"]}.

%% Anonymous login support:
%%  auth_method: anonymous
%%  anonymous_protocol: sasl_anon|login_anon|both
%%  allow_multiple_connections: true|false
%%{host_config, "public.example.org", [{auth_method, anonymous},
%%                                     {allow_multiple_connections, false},
%%                                     {anonymous_protocol, sasl_anon}]}.
%% To use both anonymous and internal authentication:
%%{host_config, "public.example.org", [{auth_method, [anonymous, internal]}]}.

% Default language for server messages
{language, "en"}.

% Listened ports:
{listen,
 [{5222, ejabberd_c2s,     [{access, c2s}, {shaper, c2s_shaper},
			    {max_stanza_size, 65536},
			    starttls, {certfile, "./ssl.pem"}]},
  {5223, ejabberd_c2s,     [{access, c2s},
			    {max_stanza_size, 65536},
			    tls, {certfile, "./ssl.pem"}]},
  % Use these two lines instead if TLS support is not compiled
  %{5222, ejabberd_c2s,     [{access, c2s}, {shaper, c2s_shaper}]},
  %{5223, ejabberd_c2s,     [{access, c2s}, ssl, {certfile, "./ssl.pem"}]},
  {5269, ejabberd_s2s_in,  [{shaper, s2s_shaper},
			    {max_stanza_size, 131072}
			   ]},
  {5280, ejabberd_http,    [http_poll, web_admin]},
  {8888, ejabberd_service, [{access, all},
			    {hosts, ["icq.localhost", "sms.localhost"],
			     [{password, "secret"}]}]}
 ]}.


% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "./ssl.pem"}.
%{domain_certfile, "example.org", "./example_org.pem"}.
%{domain_certfile, "example.com", "./example_com.pem"}.

% If SRV lookup fails, then port 5269 is used to communicate with remote server
{outgoing_s2s_port, 5269}.


% Used modules:
{modules,
 [
  {mod_register,   [{access, register}]},
  {mod_roster,     []},
  {mod_privacy,    []},
  {mod_adhoc,      []},
  {mod_configure,  []}, % Depends on mod_adhoc
  {mod_configure2, []},
  {mod_disco,      []},
  {mod_stats,      []},
  {mod_vcard,      []},
  {mod_offline,    []},
  {mod_announce,   [{access, announce}]}, % Depends on mod_adhoc
  {mod_echo,       [{host, "echo.localhost"}]},
  {mod_private,    []},
  {mod_irc,        []},
% Default options for mod_muc:
%   host: "conference." ++ ?MYNAME
%   access: all
%   access_create: all
%   access_admin: none (only room creator has owner privileges)
  {mod_muc,        [{access, muc},
		    {access_create, muc},
		    {access_admin, muc_admin}]},
%  {mod_muc_log,    []},
%  {mod_shared_roster, []},
  {mod_pubsub,     []},
  {mod_time,       []},
  {mod_last,       []},
  {mod_version,    []}
 ]}.




% Local Variables:
% mode: erlang
% End:


More information about the ejabberd mailing list