[ejabberd] Authentication and security problems

Konstantin Khomoutov flatworm at users.sourceforge.net
Sun Apr 17 18:37:08 MSD 2011

On Fri, Apr 15, 2011 at 03:51:34PM +0300, Adriana Moga wrote:

> >>        There is a method to find if STARTTLS isn't successfully used?
> >>My doubts are when I have enabled "{ldap_tls_verify, hard}" I got
> >>"LDAP connection failed" and Active Directory authentication didn't
> >>work. Should be a problem with my self-signed certificate?
> >I don't know, but let's quote the manual: "This option specifies
> >whether to verify LDAP server certificate or not when TLS is enabled.
> >When hard is enabled ejabberd doesn’t proceed if a certificate is
> >invalid."--this basically means that LDAPS will fail if ejabberd fails
> >to verify the certificate presented by your LDAP server.  Now it's your
> >turn to figure out why ejabberd fails to verify it.
> >
> In another situation: When I configured openldap server, my ldap
> client had a client_certificate from LDAP server in order to use TLS
> connection on 636.
> I'm not sure about how the things are with Active Directory (is not
> on my administration). So, I guess that AD should present me a
> client certificate for my ejabberd server. I used the same
> self-signed one and maybe this is the problem when ejabberd fails to
> verify the certificate.
> ... need to check more about it.
Appears to be the right direction to think--if you have AD using
LDAPS then you definitely have a CA somewhere; most probably the CA is
a part of your Windows domain infrastructure.  In this case it looks
sensible to:
a) Make your domain admins issue a certificate for your XMPP server
   (and renew it on a periodic basis, this is required for X.509)
b) Get the CA's cert from them, install it into the system running
   ejabberd and/or make sure ejabberd is able to find it; then
   verification should work.
The last point can be tricky.  AFAIK, ejabberd uses the SSL/TLS module
supplied by Erlang and that one uses OpenSSL (at least on POSIX
systems--dunno about Windows).  Unfortunately, I have no idea how
OpenSSL functions in ejabberd (for instance, whether it uses the
system certificate store available in Debian and its derivatives).
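The failure mode discussed in this thread (a "hard" certificate check rejecting a self-signed LDAPS certificate, and passing once the issuing CA's certificate is trusted) can be reproduced offline with the openssl CLI. The script below is an added example written for this page, not code from the thread or from ejabberd; the host name ad.example.com, the private "Demo Domain CA" and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or ejabberd itself).
# Models the two situations in the thread with openssl:
#   1. the LDAPS server presents a self-signed certificate and the client
#      trusts only a CA bundle  -> verification fails (what ejabberd reported)
#   2. the LDAPS server presents a certificate issued by the domain CA and
#      the client trusts that CA's certificate -> verification passes
#   3. the self-signed certificate itself is placed in the trust store
#      -> verification passes too (an option when no CA exists)
# Requires the openssl CLI. Files are written to $WORK (a temp dir by default).
set -e

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# Create a private CA, a server certificate issued by it, and a separate
# self-signed server certificate. All subjects are constructed demo values.
make_demo_certs() {
    # Private CA (stands in for the Windows domain CA mentioned in the thread)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Domain CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # Key and CSR for the (constructed) LDAPS host, then sign it with the CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ad.example.com" \
        -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/ldap.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -out "$WORK/ldap-signed.pem" >/dev/null 2>&1
    # Self-signed server certificate, issued by no trusted CA at all
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=ad.example.com" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# Verify a leaf certificate against a trust-store file, which is what a
# "hard" TLS verification does with the server's certificate.
# Prints "ok" or "fail" and returns 0 or 1 accordingly.
verify_leaf() {
    leaf="$1"; trust="$2"
    if openssl verify -CAfile "$trust" "$leaf" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo fail; return 1
    fi
}

make_demo_certs
echo "self-signed cert, CA-only trust store:    $(verify_leaf "$WORK/selfsigned.pem" "$WORK/ca.pem")"
echo "CA-issued cert, CA trust store:           $(verify_leaf "$WORK/ldap-signed.pem" "$WORK/ca.pem")"
echo "self-signed cert, itself as trust anchor: $(verify_leaf "$WORK/selfsigned.pem" "$WORK/selfsigned.pem")"
# Against a live server the same check is:
#   openssl s_client -connect ad.example.com:636 -CAfile "$WORK/ca.pem"
# and the "Verify return code" line must read 0 (ok). Not run here.
```

The first line prints fail, the other two print ok. The file that makes case 2 pass (the CA's certificate in PEM form) is exactly what point b) in the message above asks the domain admins for; once it verifies the server certificate with openssl, point it at ejabberd via its ldap_tls_cacertfile option (check the guide for your release) rather than loosening ldap_tls_verify.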