[ejabberd] Active directory ldap auth problem

Jorge Luis Becerra Peraza jorge.becerra at hab.desoft.cu
Mon Jan 1 10:38:15 MSK 2007


Hi:

I am testing LDAP authentication using ejabberd 1.1.2 on Debian Sarge.
There is a problem: before putting it on the production server I want to
be able to restrict the users who can use ejabberd as a client. Currently
I have found no way to keep administrator and other accounts from
appearing on the roster and being able to log in. I mean accounts used for
administrative purposes should not appear. Maybe it can be done using
ldap_filter, but I can't find the way. If there is any help, I'd
appreciate it.

I don't have too many accounts, about 250, and five different
organizational units in the Active Directory.
Something I found hard to understand was that I needed to put every user
in some group for them to appear. For that, a global security group named
jabberusers was created, but any user who belongs to any other group also
appears, and that's what I am trying to avoid. The administrative accounts
also belong to some groups; I found no way to avoid this.

The related LDAP part of ejabberd.conf looks like:

{auth_method, ldap}.
{ldap_servers, ["lan.hab.desoft.cu"]}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_rootdn, "CN=someuser,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_filter, "(memberOf=*)"}.
{ldap_password, "passwordofsomeuser"}.

{mod_vcard_ldap,
    [{ldap_vcard_map,
    [{"NICKNAME", "%u", []},
    {"GIVEN", "%s", ["givenName"]},
    {"MIDDLE", "%s", ["initials"]},
    {"FAMILY", "%s", ["sn"]},
    {"FN", "%s", ["displayName"]},
    {"EMAIL", "%s", ["mail"]},
    {"ORGNAME", "%s", ["company"]},
    {"ORGUNIT", "%s", ["department"]},
    {"CTRY", "%s", ["c"]},
    {"LOCALITY", "%s", ["l"]},
    {"STREET", "%s", ["streetAddress"]},
    {"REGION", "%s", ["st"]},
    {"PCODE", "%s", ["postalCode"]},
    {"TITLE", "%s", ["title"]},
    {"URL", "%s", ["wWWHomePage"]},
    {"DESC", "%s", ["description"]},
    {"TEL", "%s", ["telephoneNumber"]}]},
    {ldap_search_fields,
    [{"User", "%u"},
    {"Name", "givenName"},
    {"Family Name", "sn"},
    {"Email", "mail"},
    {"Company", "company"},
    {"Department", "department"},
    {"Role", "title"},
    {"Description", "description"},
    {"Phone", "telephoneNumber"}]},
    {ldap_search_reported,
    [{"Full Name", "FN"},
    {"Nickname", "NICKNAME"},
    {"Email", "EMAIL"}]}
    ]
    }.

{host_config, "hab.desoft.cu", [{auth_method, [anonymous, ldap]}]}.

  {mod_vcard_ldap,      [{search, true},
      {allow_return_all, true},
      {matches, infinity},
      {host, "jud.hab.desoft.cu"}]},



