[ejabberd] shared roster ldap and search permissions error

Dominik George nik at naturalnet.de
Sun May 13 18:55:31 MSK 2018


> Here my roster configuration:

First of all, it looks syntactically incorrect, and I wonder why your
ejabberd even starts… every setting should be on a separate line.

Also, please do immediately change your LDAP password, in case you didn't
replace it with another random string in your mail…

You do not need the LDAP server configuration there, it uses the global
configuration (which I understand you have in a working state).

Now to several options you seem to have misunderstood:

> >     ldap_base: "ou=users, dc=homebox,dc=space"

Leave this out (to use the global base) or set it to the base of the *groups*, not the users.

> >     ldap_rfilter: "(objectClass=inetOrgPerson)"

Again, this filter should find the *groups*.

> >     ldap_groupattr: "ou"     ldap_memberattr: "cn"

I doubt that.  If you are using posixGroup or groupOfNames, groupattr is cn
in both cases, and memberattr is either memberUid or member.

> >     ldap_memberattr_format: "cn=%u,ou=users, dc=homebox,dc=space"

So, taking that into account, the memberattr seems to be member for you.

> >     ldap_filter: "(objectClass=inetOrgPerson)"

I am not sure what you intend here.

Here's my config, tailored to your information:

    ldap_rfilter: "(&(objectClass=posixGroup)(member=cn=%u,ou=users,dc=homebox,dc=space))"

This finds all groups a user is a member of.

    ldap_gfilter: "(&(objectClass=posixGroup)(cn=%g))"

This finds a group by its name.

    ldap_ufilter: "(&(objectClass=posixAccount)(cn=%u,ou=users,dc=homebox,dc=space))"

This finds a specific user by their name.

    ldap_filter: "(cn=*)"

This finds all groups.

    ldap_groupattr: "cn"

This defines the attribute the group name is stored in.

    ldap_userdesc: "displayName"

This is the field the human-readable name of the user is stored in.

    ldap_useruid: "cn"

This is the field that holds the username.

But, I doubt that this is correct, and I think that there is a
misunderstanding about your LDAP structure on a very basic level.  At least,
the fields you intend to use are very uncommon.  The username is normally
stored in the uid field, while cn normally holds the friendly name…

You might want to read up on your LDAP schema again and then double-check
your assumptions.
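As an added example (not part of the original thread or of ejabberd itself), a small Python checker that renders the filter templates proposed above with a username and group name, escapes the substituted values per RFC 4515, and flags a group-side filter that selects user object classes, which is the mistake discussed in the reply. It assumes ejabberd substitutes %u and %g into these templates; the checker is hypothetical and never contacts an LDAP server.

```python
import re

# Constructed copy of the shared-roster LDAP templates proposed in the reply.
# Assumption: ejabberd substitutes %u (username) and %g (group name) here.
TEMPLATES = {
    "ldap_rfilter": "(&(objectClass=posixGroup)(member=cn=%u,ou=users,dc=homebox,dc=space))",
    "ldap_gfilter": "(&(objectClass=posixGroup)(cn=%g))",
    "ldap_ufilter": "(&(objectClass=posixAccount)(cn=%u,ou=users,dc=homebox,dc=space))",
    "ldap_filter": "(cn=*)",
}

# Templates that must select group entries, not user entries (per the reply).
GROUP_SIDE = ("ldap_rfilter", "ldap_gfilter", "ldap_filter")
USER_CLASSES = ("inetorgperson", "posixaccount", "person")

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value before splicing it into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render(template: str, user: str = "", group: str = "") -> str:
    """Substitute %u and %g with escaped values (hypothetical, mirrors safe substitution)."""
    return template.replace("%u", escape_filter_value(user)).replace("%g", escape_filter_value(group))

def balanced(filter_str: str) -> bool:
    """True if parentheses pair up; \\XX escapes are skipped, not counted."""
    depth, i = 0, 0
    while i < len(filter_str):
        ch = filter_str[i]
        if ch == "\\":
            i += 3  # skip the escape and its two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0

def check_config(templates: dict) -> list:
    """Return a list of problems found in a shared-roster LDAP config."""
    problems = []
    for key, tpl in templates.items():
        if not balanced(render(tpl, user="alice", group="admins")):
            problems.append(f"{key}: unbalanced parentheses")
        classes = [c.lower() for c in re.findall(r"objectClass=([^)]+)", tpl, re.I)]
        if key in GROUP_SIDE and any(c in USER_CLASSES for c in classes):
            problems.append(f"{key}: selects user entries but must select groups")
    return problems
```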
