[ejabberd] Active directory ldap auth problem

Nathan Faust nfaust at merchantwarehouse.com
Thu Jan 4 18:05:30 MSK 2007


You want to pick the ldap_filter to filter on the security group:

{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_filter, "(memberOf=Jabberusers)"}.

That should authenticate only the members of the Jabberusers
security group.

You can also look at the AD with:
ldapsearch -x -b "dc=lan,dc=hab,dc=desoft,dc=cu" -D user@lan.hab.desoft.cu -h lan.hab.desoft.cu -W

Nathan Faust
Systems Administrator
Merchant Warehouse
Two International Place
Fourth Floor
Boston, MA  02110 
Phone:  617.896.5558
Fax:    617.854.8923

-----Original Message-----
From: ejabberd-bounces at jabber.ru [mailto:ejabberd-bounces at jabber.ru] On
Behalf Of Jorge Luis Becerra Peraza
Sent: Monday, January 01, 2007 2:38 AM
To: ejabberd at jabber.ru
Subject: [ejabberd] Active directory ldap auth problem


 I am testing LDAP authentication using ejabberd 1.1.2 on Debian
Sarge. There is a problem: before putting it on the production server, I
want to be able to restrict the users who can use ejabberd as a client.
Currently I have found no way to keep administrator and other accounts
from appearing on the roster and being able to log in. I mean that
accounts used for administrative purposes should not appear. Maybe it
can be done using ldap_filter, but I don't find the way. If there is any
help, I appreciate

  I don't have too many accounts, about 250, and five different
organizational units in the Active Directory. Something I found hard to
understand was that I needed to put every user in some group for them to
appear; for that, a global security group named jabberusers was created,
but any user who belongs to any other group also appears, and that's what
I am trying to avoid. The administrative accounts also belong to some
groups; I found no way to avoid this.

The related LDAP part of ejabberd.conf looks like this:

{auth_method, ldap}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_password, "passwordofsomeuser"}.

    [{"NICKNAME", "%u", []},
{"GIVEN", "%s", ["givenName"]},
    {"MIDDLE", "%s", ["initials"]},
{"FAMILY", "%s", ["sn"]},
    {"FN", "%s", ["displayName"]},
"%s", ["mail"]},
    {"ORGNAME", "%s", ["company"]},
    {"ORGUNIT", "%s",
    {"CTRY", "%s", ["c"]},
    {"LOCALITY", "%s",
    {"STREET", "%s", ["streetAddress"]},
    {"REGION", "%s",
    {"PCODE", "%s", ["postalCode"]},
    {"TITLE", "%s",
    {"URL", "%s", ["wWWHomePage"]},
    {"DESC", "%s",
    {"TEL", "%s", ["telephoneNumber"]}]},
    [{"User", "%u"},
    {"Family Name", "sn"},
    {"Email", "mail"},
{"Company", "company"},
    {"Department", "department"},
    {"Description", "description"},
    [{"Full Name",
    {"Nickname", "NICKNAME"},
    {"Email", "EMAIL"}]}

{host_config, "hab.desoft.cu", [{auth_method, [anonymous, ldap]}]}.

  {mod_vcard_ldap,      [{search, true},
{allow_return_all, true},
      {matches, infinity},
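
An added example, not part of the original messages: a Python check that reads ldapsearch (LDIF) output such as the command in the reply produces and lists which accounts a group-based ldap_filter would admit. The group's container (CN=Users), the sample accounts and the function names are assumptions, and it assumes memberOf holds full group DNs, as Active Directory stores them.

```python
import base64
import re

# Constructed data: the accounts and the group's container (CN=Users) are assumptions.
GROUP_DN = "CN=Jabberusers,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"
SAMPLE_LDIF = """\
dn: CN=Jorge,OU=Staff,DC=lan,DC=hab,DC=desoft,DC=cu
sAMAccountName: jorge
memberOf: CN=Jabberusers,CN=Users,DC=lan,DC=hab,DC=desoft,
 DC=cu

dn: CN=Administrator,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu
sAMAccountName: Administrator
memberOf: CN=Domain Admins,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu

dn: CN=Ana,OU=Sales,DC=lan,DC=hab,DC=desoft,DC=cu
sAMAccountName:: YW5h
memberOf: cn=jabberusers,cn=users,dc=lan,dc=hab,dc=desoft,dc=cu
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF into a list of {attribute_lowercased: [values]} dicts."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold lines, then split entries
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:  # skips ldapsearch's trailing "search:"/"result:" block
            entries.append(entry)
    return entries

def norm_dn(dn):
    """Case-fold and trim spaces around separators (DNs with escaped commas not handled)."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def member_filter(group_dn):
    """Filter string with \\ * ( ) and NUL escaped per RFC 4515."""
    return "(memberOf=%s)" % re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), group_dn)

def admitted(entries, group_dn):
    """sAMAccountName values whose memberOf lists this group directly (no nested groups)."""
    want = norm_dn(group_dn)
    return sorted(e["samaccountname"][0] for e in entries
                  if "samaccountname" in e and want in map(norm_dn, e.get("memberof", [])))
```

Running admitted(parse_ldif(...), GROUP_DN) against real ldapsearch output before changing ldap_filter shows whether any administrative account would still be able to log in.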
