[ejabberd] Active directory ldap auth problem

Nathan Faust nfaust at merchantwarehouse.com
Thu Jan 4 18:05:30 MSK 2007


 
Jorge,

You want to pick the ldap_filter to filter on the security group
jabberusers.

{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
% memberOf holds the group's full DN, not its name; the CN=Users container is assumed here.
{ldap_filter, "(memberOf=CN=Jabberusers,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu)"}.

That should authenticate only the members of the Jabberusers
security group.

You can also look at the AD with:
ldapsearch -x -b "dc=lan,dc=hab,dc=desoft,dc=cu" -D user@lan.hab.desoft.cu -h lan.hab.desoft.cu -W

-----------------------
Nathan Faust
Systems Administrator
Merchant Warehouse
Two International Place
Fourth Floor
Boston, MA  02110 
Phone:  617.896.5558
Fax:    617.854.8923
http://www.merchantwarehouse.com/ 
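On Active Directory, memberOf is a DN-valued attribute, so the filter value has to be the group's full distinguished name rather than the bare group name. The following is an added example of the LDAP auth section restricted to the jabberusers group; it is not code from either message in this thread. The server, base and bind account are the values from Jorge's posted configuration, the group's container (CN=Users) is an assumption that must be replaced with the group's real DN, and the per-host [anonymous, ldap] override from Jorge's configuration is dropped because anonymous authentication lets any client log in without an account, which no LDAP filter can restrict.

```erlang
%% Added example, not taken from either message in this thread.
%% ejabberd 1.1.x style auth section that admits only members of the
%% jabberusers security group. Server, base and bind account are the
%% values from Jorge's configuration; the group's container (CN=Users)
%% is an assumption and must match the group's real DN in your directory.
{auth_method, ldap}.
{ldap_servers, ["lan.hab.desoft.cu"]}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_rootdn, "CN=someuser,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_password, "passwordofsomeuser"}.

%% memberOf stores distinguished names: "(memberOf=jabberusers)" will not
%% match the group's members, and "(memberOf=*)" matches every account that
%% belongs to any group at all, which is what let the administrative
%% accounts through. ejabberd ANDs this filter with (sAMAccountName=<user>)
%% on each login attempt.
{ldap_filter, "(memberOf=CN=jabberusers,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu)"}.

%% memberOf lists only direct membership. Active Directory on Windows Server
%% 2003 SP2 or later can expand nested groups with the
%% LDAP_MATCHING_RULE_IN_CHAIN rule; confirm that your ejabberd version's
%% filter parser accepts the extensible-match syntax before relying on it.
%% {ldap_filter, "(memberOf:1.2.840.113556.1.4.1941:=CN=jabberusers,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu)"}.

%% Keep the virtual host on LDAP only. "[anonymous, ldap]" lets any client
%% log in with no account at all, so the group restriction would not apply.
{host_config, "hab.desoft.cu", [{auth_method, ldap}]}.

%% mod_vcard_ldap takes any ldap_* option it is not given in its own option
%% list from these auth settings, so the user directory search applies the
%% same group filter and the administrative accounts stop showing up there.
```

Before restarting ejabberd, run the same filter through ldapsearch with the bind account above and confirm that the result set contains exactly the intended users and none of the administrative accounts; the filter the server evaluates is what decides who can log in, not the group's name.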


-----Original Message-----
From: ejabberd-bounces at jabber.ru [mailto:ejabberd-bounces at jabber.ru] On
Behalf Of Jorge Luis Becerra Peraza
Sent: Monday, January 01, 2007 2:38 AM
To: ejabberd at jabber.ru
Subject: [ejabberd] Active directory ldap auth problem

Hi:

 I am testing LDAP authentication using ejabberd 1.1.2 on Debian
Sarge. There is a problem: before putting it on the production server I
want to be able to restrict the users who can use ejabberd as a client.
Currently I have found no way to prevent the administrator and other
accounts from appearing on the roster and being able to log in. I mean
accounts used for administrative purposes should not appear; maybe this
can be done using ldap_filter, but I can't find the way. If there is any
help, I'd appreciate it.

  I don't have too many accounts, about 250, and five different
organizational units in the Active Directory.
 Something I find hard to
understand is that I need to put every user in some group for them to
appear; for that a global security group named jabberusers was created,
but any user who belongs to any other group also appears, and that's what
I'm trying to avoid. The administrative accounts also belong to some
groups, and I have found no way to avoid this.

The related LDAP part of ejabberd.conf looks like:

{auth_method, ldap}.
{ldap_servers, ["lan.hab.desoft.cu"]}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_rootdn, "CN=someuser,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_filter, "(memberOf=*)"}.
{ldap_password, "passwordofsomeuser"}.


  
{mod_vcard_ldap,
    [{ldap_vcard_map,
        [{"NICKNAME", "%u", []},
         {"GIVEN", "%s", ["givenName"]},
         {"MIDDLE", "%s", ["initials"]},
         {"FAMILY", "%s", ["sn"]},
         {"FN", "%s", ["displayName"]},
         {"EMAIL", "%s", ["mail"]},
         {"ORGNAME", "%s", ["company"]},
         {"ORGUNIT", "%s", ["department"]},
         {"CTRY", "%s", ["c"]},
         {"LOCALITY", "%s", ["l"]},
         {"STREET", "%s", ["streetAddress"]},
         {"REGION", "%s", ["st"]},
         {"PCODE", "%s", ["postalCode"]},
         {"TITLE", "%s", ["title"]},
         {"URL", "%s", ["wWWHomePage"]},
         {"DESC", "%s", ["description"]},
         {"TEL", "%s", ["telephoneNumber"]}]},
     {ldap_search_fields,
        [{"User", "%u"},
         {"Name", "givenName"},
         {"Family Name", "sn"},
         {"Email", "mail"},
         {"Company", "company"},
         {"Department", "department"},
         {"Role", "title"},
         {"Description", "description"},
         {"Phone", "telephoneNumber"}]},
     {ldap_search_reported,
        [{"Full Name", "FN"},
         {"Nickname", "NICKNAME"},
         {"Email", "EMAIL"}]}
    ]}.

{host_config, "hab.desoft.cu", [{auth_method, [anonymous, ldap]}]}.

  {mod_vcard_ldap, [{search, true},
                    {allow_return_all, true},
                    {matches, infinity},
                    {host, "jud.hab.desoft.cu"}]},


_______________________________________________
ejabberd mailing list
ejabberd at jabber.ru
http://lists.jabber.ru/mailman/listinfo/ejabberd
