[ejabberd] Ejabberd LDAP issues

Konstantin Khomoutov flatworm at users.sourceforge.net
Tue Mar 12 22:10:32 MSK 2013

On Tue, 12 Mar 2013 13:57:42 -0400
Eric K <iggiggitoo at gmail.com> wrote:

> I'm having trouble getting ejabberd to connect up to my openldap
> server. I'm able to run LDAP queries from the server using ldapsearch
> and the line
> ldapsearch -b 'dc=domain,dc=com' -D 'cn=admin,dc=domain,dc=com' -h 
> auth.domain.com -p 389 -x -W -ZZ
> {ldap_encrypt, tls}.

Citation from the ldapsearch manual:

    -Z[Z]  Issue StartTLS (Transport Layer Security) extended
      operation. If you  use  -ZZ, the command will require the
      operation to be successful.

Citation from the Ejabberd Guide:

  {ldap_encrypt, none|tls}
    Type of connection encryption to the LDAP server. Allowed values
    are: none, tls. The value tls enables encryption by using LDAP over
    SSL. Note that STARTTLS encryption is not supported. The default
    value is: none. 

To elaborate: STARTTLS is a protocol which is used to upgrade the
initial plain-text communication channel to TLS (and then restart the
communication over the TLS channel).  It seems that ejabberd only
supports regular TLS, that is, it expects the server to speak TLS
directly on the specified port.  Conversely, ldapsearch appears to only
support STARTTLS.

To solve the problem, I would search the openldap resources to find out
if slapd can be told to support TLS directly on a separate port.
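As an added illustration (not part of the original message or of ejabberd's own documentation), here is what the LDAP-over-SSL side of an ejabberd 2.x `ejabberd.cfg` looks like once slapd is listening on the dedicated TLS port. The option names and the `{key, value}` tuple syntax are those of the ejabberd 2.1 guide quoted above; the base DN, bind DN and hostname are taken from the ldapsearch command in the quoted message, while the password and CA-certificate path are placeholders that must be replaced with the real values:

```erlang
%% ejabberd 2.x style configuration fragment (added example, not from the page).
%% Assumes slapd has been configured to accept TLS-on-connect (ldaps://) on
%% port 636, because ejabberd cannot issue the STARTTLS extended operation.

{auth_method, ldap}.

%% Host(s) to contact; taken from the ldapsearch command in the question.
{ldap_servers, ["auth.domain.com"]}.

%% "tls" here means LDAP over SSL on a TLS-speaking port, NOT STARTTLS.
%% ejabberd defaults ldap_port to 636 when ldap_encrypt is tls and to 389
%% when it is none; it is stated explicitly so the intent is visible.
{ldap_encrypt, tls}.
{ldap_port, 636}.

%% Verify the server certificate against a CA bundle rather than accepting
%% anything that speaks TLS. The CA file path is an assumption for this example.
{ldap_tls_verify, hard}.
{ldap_tls_cacertfile, "/etc/ssl/certs/ca-certificates.crt"}.

%% Bind credentials and search base, as used with ldapsearch -D / -b above.
%% The password is a placeholder.
{ldap_rootdn, "cn=admin,dc=domain,dc=com"}.
{ldap_password, "REPLACE-WITH-THE-BIND-PASSWORD"}.
{ldap_base, "dc=domain,dc=com"}.

%% Map the JID user part to the uid attribute (default mapping, shown for clarity).
{ldap_uids, [{"uid", "%u"}]}.
```

On the slapd side this requires the server to actually listen on an ldaps:// URI in addition to ldap:// (on Debian-style installs that is the `SLAPD_SERVICES="ldap:/// ldaps:///"` setting in `/etc/default/slapd`; otherwise the `-h` argument to slapd) and a certificate and key configured via `TLSCertificateFile` and `TLSCertificateKeyFile`. Before pointing ejabberd at it, confirm that port 636 speaks TLS immediately on connect, for example with `openssl s_client -connect auth.domain.com:636`, which should print the server certificate without any LDAP exchange; the OpenLDAP client tools also accept an `ldaps://` URI via `-H`, which exercises the same code path ejabberd will use. If ejabberd only logs connection failures after this change, check `ldap_tls_verify`: with `hard` a certificate that does not chain to the configured CA file is rejected, which is the desired failure mode rather than something to turn off.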
