[ejabberd] shared roster ldap and search permissions error

André Rodier andre at rodier.me
Sun May 13 17:54:54 MSK 2018


Hello,

My question might be trivial for some of you, but I think I am 
struggling a little bit too much.

- I have an OpenLDAP server on Debian stretch, which works perfectly. 
Dovecot, Postfix, PAM integration etc.
- I have the authentication working with ejabberd as well, TLS and 
everything.
- I can retrieve a user's details from his email address with the vcard 
module, like full name, phone number, etc.

However, I cannot manage to have rosters filled, and I cannot see 
anything in the logs, although the server is configured in debug mode for 
the logs.

Here is my roster configuration:

>   mod_roster:
>     versioning: true
>   ## mod_shared_roster: {}
>   mod_shared_roster_ldap:
>     ldap_base: "ou=users, dc=homebox,dc=space" 
>     ldap_rfilter: "(objectClass=inetOrgPerson)"
>     ldap_groupattr: "ou" 
>     ldap_memberattr: "cn"
>     ldap_memberattr_format: "cn=%u,ou=users, dc=homebox,dc=space"
>     ldap_filter: "(objectClass=inetOrgPerson)"
>     ldap_userdesc: "displayName"
>     ldap_servers:
>       - "ldap.homebox.space"
>     ldap_encrypt: none
>     ldap_port: 389
>     ldap_rootdn: "cn=readonly account, ou=users, dc=homebox,dc=space"
>     ldap_password: "ROtmug9kVTBuno22"
>   mod_stats: {}
>   mod_time: {}
> 

However, I now have this in the logs:

> 2018-05-13 15:31:48.561 [debug] <0.450.0>@eldap:send_command:789 {searchRequest,{'SearchRequest',<<"ou=users, dc=homebox,dc=space">>,wholeSubtree,neverDerefAliases,0,5,false,{equalityMatch,{'AttributeValueAssertion',<<"objectClass">>,<<"inetOrgPerson">>}},[<<"ou">>]}}
> 2018-05-13 15:31:48.562 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=André Rodier,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.562 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=Mirina Rodier,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.562 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=Lucile Rodier,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.562 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=Alexandra Rodier,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.563 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=Maï Rodier,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.563 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=manager account,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.563 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=readonly account,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.563 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=postmaster account,ou=users,dc=homebox,dc=space">>,[]}}
> 2018-05-13 15:31:48.563 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResDone,{'LDAPResult',success,<<>>,<<>>,asn1_NOVALUE}}
> 2018-05-13 15:31:48.564 [debug] <0.476.0>@ejabberd_router:do_route:351 route
>         from {jid,<<"lucile">>,<<"homebox.space">>,<<>>,<<"lucile">>,<<"homebox.space">>,<<>>}
>         to {jid,<<"mirina">>,<<"homebox.space">>,<<"8082155046759842373168">>,<<"mirina">>,<<"homebox.space">>,<<"8082155046759842373168">>}
>         packet {xmlel,<<"iq">>,[{<<"id">>,<<"purple6747b480">>},{<<"type">>,<<"error">>}],[{xmlel,<<"query">>,[{<<"xmlns">>,<<"jabber:iq:last">>}],[]},{xmlel,<<"error">>,[{<<"code">>,<<"403">>},{<<"type">>,<<"auth">>}],[{xmlel,<<"forbidden
> ">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-stanzas">>}],[]},{xmlel,<<"text">>,[{<<"xmlns">>,<<"urn:ietf:params:xml:ns:xmpp-stanzas">>}],[{xmlcdata,<<"Not subscribed">>}]}]}]}
> 2018-05-13 15:31:48.564 [debug] <0.476.0>@ejabberd_local:do_route:265 local route
>         from {jid,<<"lucile">>,<<"homebox.space">>,<<>>,<<"lucile">>,<<"homebox.space">>,<<>>}
>         to {jid,<<"mirina">>,<<"homebox.space">>,<<"8082155046759842373168">>,<<"mirina">>,<<"homebox.space">>,<<"8082155046759842373168">>}
>         packet {xmlel,<<"iq">>,[{<<"id">>,<<"purp"...>>},{<<"type">>,<<...>>}],[{xmlel,<<...>>,...},{xmlel,...}]}
> 2018-05-13 15:31:48.565 [debug] <0.476.0>@ejabberd_sm:do_route:463 session manager
>         from {jid,<<"lucile">>,<<"homebox.space">>,<<>>,<<"lucile">>,<<"homebox.space">>,<<>>}
>         to {jid,<<"mirina">>,<<"homebox.space">>,<<"8082155046759842373168">>,<<"mirina">>,<<"homebox.space">>,<<"8082155046759842373168">>}
>         packet {xmlel,<<"iq">>,[{<<"id">>,<<"purp"...>>},{<<"type">>,<<...>>}],[{xmlel,<<...>>,...},{xmlel,...}]}
> 2018-05-13 15:31:48.565 [debug] <0.476.0>@ejabberd_sm:do_route:588 sending to process <0.512.0>

So, the forbidden means I should add an entry somewhere in my 
configuration file, allowing local users to query the list of users?

Thanks,
André
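The quoted eldap lines already carry a diagnostic worth checking before touching permissions: the searchRequest asks the user entries only for the `ou` attribute named in ldap_groupattr, and every searchResEntry comes back with an empty attribute list, so mod_shared_roster_ldap has no group value to build a shared roster from. As an added example that is not part of this post, the following Python parses those debug lines (plus one constructed entry with a populated `ou`) and lists the DNs that would fall into no group; the printed record layout for a populated attribute (`{'PartialAttribute',Type,Vals}`) is assumed from eldap's ASN.1 records.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: three eldap debug lines copied from the post above (entries return "[]",
# i.e. no attributes) plus one constructed entry showing what a populated "ou" value looks like.
SAMPLE_LOG = """\
2018-05-13 15:31:48.561 [debug] <0.450.0>@eldap:send_command:789 {searchRequest,{'SearchRequest',<<"ou=users, dc=homebox,dc=space">>,wholeSubtree,neverDerefAliases,0,5,false,{equalityMatch,{'AttributeValueAssertion',<<"objectClass">>,<<"inetOrgPerson">>}},[<<"ou">>]}}
> 2018-05-13 15:31:48.562 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=Lucile Rodier,ou=users,dc=homebox,dc=space">>,[]}}
2018-05-13 15:31:48.562 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=Mirina Rodier,ou=users,dc=homebox,dc=space">>,[]}}
2018-05-13 15:31:48.563 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResEntry,{'SearchResultEntry',<<"cn=Example User,ou=users,dc=homebox,dc=space">>,[{'PartialAttribute',<<"ou">>,[<<"family">>]}]}}
2018-05-13 15:31:48.563 [debug] <0.450.0>@eldap:recvd_packet:849 {searchResDone,{'LDAPResult',success,<<>>,<<>>,asn1_NOVALUE}}
"""

# The trailing [...] of a searchRequest is the list of attributes ejabberd asked for.
REQUEST_RE = re.compile(r"\{searchRequest,\{'SearchRequest',<<\"([^\"]*)\">>.*\[(.*)\]\}\}\s*$")
# A searchResEntry carries the entry DN and its (possibly empty) list of PartialAttribute records.
ENTRY_RE = re.compile(r"\{searchResEntry,\{'SearchResultEntry',<<\"([^\"]*)\">>,\[(.*)\]\}\}\s*$")
ATTR_RE = re.compile(r"\{'PartialAttribute',<<\"([^\"]*)\">>,\[([^\]]*)\]\}")
BIN_RE = re.compile(r"<<\"([^\"]*)\">>")  # one Erlang binary literal


def parse_eldap_search(log_text: str) -> Tuple[List[str], List[Tuple[str, Dict[str, List[str]]]]]:
    """Return (attributes requested by the searchRequest, [(dn, {attr: values}) per result entry])."""
    requested: List[str] = []
    entries: List[Tuple[str, Dict[str, List[str]]]] = []
    for line in log_text.splitlines():
        line = line.lstrip("> ")  # tolerate lines pasted with a mailing-list quote prefix
        m = REQUEST_RE.search(line)
        if m:
            requested = BIN_RE.findall(m.group(2))
            continue
        m = ENTRY_RE.search(line)
        if m:
            attrs = {name: BIN_RE.findall(vals) for name, vals in ATTR_RE.findall(m.group(2))}
            entries.append((m.group(1), attrs))
    return requested, entries


def entries_missing_group_attr(log_text: str, group_attr: str = "ou") -> List[str]:
    """DNs matched by ldap_rfilter that carry no ldap_groupattr value: they land in no shared roster group."""
    requested, entries = parse_eldap_search(log_text)
    if group_attr not in requested:
        raise ValueError(f"searchRequest did not ask for {group_attr!r}; it requested {requested}")
    return [dn for dn, attrs in entries if not attrs.get(group_attr)]


if __name__ == "__main__":
    for dn in entries_missing_group_attr(SAMPLE_LOG):
        print("no 'ou' value, so not in any shared roster group:", dn)
```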

