[ejabberd] Active directory ldap auth problem

jorge jorge.becerra at hab.desoft.cu
Thu Jan 4 20:31:33 MSK 2007


Thanks Nathan,
  I already tried this but it didn't work. A friend suggested writing the
complete DN of the group and it is working now:

{ldap_filter,
"(memberOf=CN=jabberusers,OU=Grupos,DC=lan,DC=hab,DC=desoft,DC=cu)"}.

 Now it is time for me to try to use ACLs based on an LDAP group, but it seems
that is not implemented, or is it possible to do?

Jorge Becerra



On Thu, 2007-01-04 at 10:05 -0500, Nathan Faust wrote:
>  Jorge,
> 
> You want to pick the ldap_filter to filter on the security group
> jabberusers.
> 
> {ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
> {ldap_filter, "(memberOf=Jabberusers)"}.
> 
> That should authenticate only the members of the Jabberusers
> security group.
> 
> You can also look at the AD with:
> ldapsearch -x -b "dc=lan,dc=hab,dc=desoft,dc=cu" -D user@lan.hab.desoft.cu -h lan.hab.desoft.cu -W
> 
> -----------------------
> Nathan Faust
> Systems Administrator
> Merchant Warehouse
> Two International Place
> Fourth Floor
> Boston, MA  02110 
> Phone:  617.896.5558
> Fax:    617.854.8923
> http://www.merchantwarehouse.com/ 
> 
> 
> -----Original Message-----
> From: ejabberd-bounces at jabber.ru [mailto:ejabberd-bounces at jabber.ru] On
> Behalf Of Jorge Luis Becerra Peraza
> Sent: Monday, January 01, 2007 2:38 AM
> To: ejabberd at jabber.ru
> Subject: [ejabberd] Active directory ldap auth problem
> 
> Hi:
> 
>  I am testing the LDAP authentication using ejabberd 1.1.2 on Debian
> Sarge. There is a problem before putting it on the production server: I
> want to be able to restrict the users who can use ejabberd as a client.
> Currently I found no way to avoid the administrator and other accounts
> appearing on the roster and being able to log in. I mean accounts used for
> administrative purposes should not appear; maybe it can be done using
> ldap_filter but I can't find the way. If there is any help, I appreciate
> it.
> 
>   I don't have too many accounts, about 250, and five different
> organization units on the Active Directory.
>  Something I find hard to
> understand was that I need to put every user in some group to appear;
> for that a global security group named jabberusers was created, but any
> user who belongs to any other group also appears, and that's what I try to
> avoid. The administrative accounts also belong to some groups, and I found
> no way to avoid this.
> 
> The related LDAP part of ejabberd.conf looks like:
> 
> {auth_method, ldap}.
> {ldap_servers, ["lan.hab.desoft.cu"]}.
> {ldap_uidattr, "sAMAccountName"}.
> {ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
> {ldap_rootdn, "CN=someuser,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"}.
> {ldap_filter, "(memberOf=*)"}.
> {ldap_password, "passwordofsomeuser"}.
> 
> {mod_vcard_ldap,
>     [{ldap_vcard_map,
>         [{"NICKNAME", "%u", []},
>          {"GIVEN", "%s", ["givenName"]},
>          {"MIDDLE", "%s", ["initials"]},
>          {"FAMILY", "%s", ["sn"]},
>          {"FN", "%s", ["displayName"]},
>          {"EMAIL", "%s", ["mail"]},
>          {"ORGNAME", "%s", ["company"]},
>          {"ORGUNIT", "%s", ["department"]},
>          {"CTRY", "%s", ["c"]},
>          {"LOCALITY", "%s", ["l"]},
>          {"STREET", "%s", ["streetAddress"]},
>          {"REGION", "%s", ["st"]},
>          {"PCODE", "%s", ["postalCode"]},
>          {"TITLE", "%s", ["title"]},
>          {"URL", "%s", ["wWWHomePage"]},
>          {"DESC", "%s", ["description"]},
>          {"TEL", "%s", ["telephoneNumber"]}]},
>      {ldap_search_fields,
>         [{"User", "%u"},
>          {"Name", "givenName"},
>          {"Family Name", "sn"},
>          {"Email", "mail"},
>          {"Company", "company"},
>          {"Department", "department"},
>          {"Role", "title"},
>          {"Description", "description"},
>          {"Phone", "telephoneNumber"}]},
>      {ldap_search_reported,
>         [{"Full Name", "FN"},
>          {"Nickname", "NICKNAME"},
>          {"Email", "EMAIL"}]}
>     ]}.
> 
> {host_config, "hab.desoft.cu", [{auth_method, [anonymous, ldap]}]}.
> 
>   {mod_vcard_ldap, [{search, true},
>                     {allow_return_all, true},
>                     {matches, infinity},
>                     {host, "jud.hab.desoft.cu"}]},
> 
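To see what each ldap_filter discussed in this thread actually admits, here is an added example that is not from the thread and not ejabberd's own code: a small evaluator for the LDAP filter subset used here (equality, `*`, `&`, `|`, `!`), run against constructed AD-style entries. The Domain Admins group DN and the account names are assumptions; the model applies only the ldap_filter term, without the uid lookup ejabberd performs in addition.

```python
import re

JABBER_GROUP = "CN=jabberusers,OU=Grupos,DC=lan,DC=hab,DC=desoft,DC=cu"
ADMIN_GROUP = "CN=Domain Admins,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"  # assumed DN

# Constructed sample entries (not from the thread): sAMAccountName -> memberOf DNs.
# AD stores memberOf as full group DNs, which is why "(memberOf=Jabberusers)" never matches.
ENTRIES = {
    "jorge": [JABBER_GROUP],
    "ana": [JABBER_GROUP, "CN=ventas,OU=Grupos,DC=lan,DC=hab,DC=desoft,DC=cu"],
    "administrator": [ADMIN_GROUP],
    "ops": [JABBER_GROUP, ADMIN_GROUP],  # an admin who was also put in jabberusers
}

def _match(actual, pattern):
    """LDAP equality with '*' wildcards; AD compares DNs case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None

def _parse(f, i=0):
    """Parse one filter item starting at f[i]; return (node, index after its ')')."""
    if f[i] != "(":
        raise ValueError("filter item must start with '('")
    i += 1
    if f[i] in "&|!":
        op, parts = f[i], []
        i += 1
        while f[i] == "(":
            node, i = _parse(f, i)
            parts.append(node)
        return (op, parts), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)   # the value may itself contain '=' (a DN)
    return ("=", attr.lower(), value), end + 1

def _eval(node, entry):
    op = node[0]
    if op == "=":
        return any(_match(v, node[2]) for v in entry.get(node[1], []))
    if op == "&":
        return all(_eval(n, entry) for n in node[1])
    if op == "|":
        return any(_eval(n, entry) for n in node[1])
    return not _eval(node[1][0], entry)    # '!'

def allowed_users(ldap_filter, entries=ENTRIES):
    """Sorted sAMAccountNames the filter would admit (models ejabberd's ldap_filter)."""
    tree, _ = _parse(ldap_filter)
    return sorted(name for name, groups in entries.items()
                  if _eval(tree, {"samaccountname": [name], "memberof": groups}))
```

Running `allowed_users` over the thread's three filters shows `(memberOf=*)` admitting every grouped account including the administrators, the bare group name admitting nobody, and the full DN admitting the jabberusers members; wrapping the DN filter in `(&(...)(!(memberOf=<admin group DN>)))` is one way to keep admin accounts out even when they sit in that group.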