[ejabberd] Automatic Roster with Active Directory

Dominik George nik at naturalnet.de
Tue Feb 21 00:22:28 MSK 2017


Hi,

so, let's look at this…

>    mod_shared_roster_ldap:
>             ldap_base: "OU=SBSUsers, OU=Users, OU=MyBusiness, DC=MyDomain,DC=local"

LDAP base, nothing exciting.

>             ldap_rfilter: "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

That looks wrong, from the semantics of what you are looking for.

ldap_rfilter is supposed to find *groups* that are turned into roster groups.

Each group with all its members will be pushed to everyone in that group.

>             ldap_groupattr:

Used in combination with the above.

>             ldap_memberattr: "SAMAccountName"

>             ldap_filter: "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

Ah, no. Read up on gfilter, ufilter and filter again.


In case it is of any help, here's one of my (working) configurations:

  mod_shared_roster_ldap:
    ldap_rfilter: "(&(objectClass=posixGroup)(teckidsRosterGroup=TRUE)(memberUid=%u))"
    ldap_gfilter: "(&(objectClass=posixGroup)(cn=%g))"
    ldap_ufilter: "(&(objectClass=posixAccount)(uid=%u))"
    ldap_filter: "(cn=*)"
    ldap_groupattr: "cn"
    ldap_groupdesc: "description"
    ldap_userdesc: "cn"
    ldap_useruid: "uid"
    ldap_auth_check: off

(On a side note, you can leave ldap_base out if it is the same as for
authentication.)

Cheers,
Nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)
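
To check offline which entries a filter selects, this added example (not part of the original post and not ejabberd code) evaluates the quoted Active Directory person filter and two filters from the working configuration against a constructed directory. The sample entries, the helper names and the RFC 4515 escaping applied when %u or %g is replaced are assumptions of the example, and the placeholder expansion is a simplified model.

```python
import re

# Filters copied from the post; entries and helpers below are constructed for illustration.
PERSON = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
RFILTER = "(&(objectClass=posixGroup)(teckidsRosterGroup=TRUE)(memberUid=%u))"
UFILTER = "(&(objectClass=posixAccount)(uid=%u))"
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in PERSON
DIRECTORY = [
    {"objectClass": ["posixGroup"], "cn": ["staff"], "teckidsRosterGroup": ["TRUE"],
     "memberUid": ["alice", "bob"]},
    {"objectClass": ["posixGroup"], "cn": ["backup"], "memberUid": ["alice"]},
    {"objectClass": ["posixAccount"], "uid": ["alice"], "cn": ["Alice Example"]},
    {"objectClass": ["user"], "objectCategory": ["person"], "cn": ["Bob Example"],
     "userAccountControl": ["512"]},
    {"objectClass": ["user"], "objectCategory": ["person"], "cn": ["Old Account"],
     "userAccountControl": ["514"]},  # bit 2 set: disabled account
]

def escape(value):
    """RFC 4515 escaping so a substituted name cannot alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def expand(template, user="", group=""):
    """Replace %u / %g in one pass with the escaped user or group name."""
    names = {"u": user, "g": group}
    return re.sub(r"%([ug])", lambda m: escape(names[m.group(1)]), template)

def _eval(entry, s):
    """Evaluate the parenthesised filter at the start of s; return (result, rest)."""
    if s[1] in "&|!":
        op, s, results = s[1], s[2:], []
        while s[0] == "(":
            result, s = _eval(entry, s)
            results.append(result)
        value = not results[0] if op == "!" else {"&": all, "|": any}[op](results)
        return value, s[1:]
    end = s.index(")")
    attr, _, raw = s[1:end].partition("=")
    if raw == "*":  # presence test; an escaped \2a is a literal asterisk instead
        return bool(entry.get(attr)), s[end + 1:]
    want = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    if attr.endswith(":" + BIT_AND + ":"):
        have = entry.get(attr.split(":")[0], [])
        return any((int(v) & int(want)) == int(want) for v in have), s[end + 1:]
    return want.lower() in [v.lower() for v in entry.get(attr, [])], s[end + 1:]

def search(flt):
    """Return the cn of every sample entry the filter matches (&, |, !, =, =* only)."""
    return [e["cn"][0] for e in DIRECTORY if _eval(e, flt)[0]]
```

Against the sample entries, the quoted person filter returns one enabled user and no group entry, while the expanded ldap_rfilter returns the flagged group.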