Guest
Posted: Mon Jan 01, 2007 7:35 am
Hi:

I am testing the LDAP authentication using ejabberd 1.1.2 on a Debian Sarge. There is a problem to solve before I put it on the production server: I want to be able to restrict the users who can use ejabberd as a client. Currently I have found no way to prevent the administrator and other accounts from appearing on the roster and being able to log in. I mean that accounts used for administrative purposes should not appear; maybe it can be done using ldap_filter, but I can't find the way. If there is any help, I appreciate it.

I don't have too many accounts, about 250, and five different organization units in the Active Directory.

Something I find hard to understand is that I need to put every user in some group for them to appear; for that a global security group named jabberusers was created, but any user who belongs to any other group also appears, and that's what I try to avoid. The administrative accounts also belong to some groups; I found no way to avoid this.

The related LDAP part of ejabberd.conf looks like:
{auth_method, ldap}.
{ldap_servers, ["lan.hab.desoft.cu"]}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_rootdn, "CN=someuser,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_filter, "(memberOf=*)"}.
{ldap_password, "passwordofsomeuser"}.

{mod_vcard_ldap,
 [{ldap_vcard_map,
   [{"NICKNAME", "%u", []},
    {"GIVEN", "%s", ["givenName"]},
    {"MIDDLE", "%s", ["initials"]},
    {"FAMILY", "%s", ["sn"]},
    {"FN", "%s", ["displayName"]},
    {"EMAIL", "%s", ["mail"]},
    {"ORGNAME", "%s", ["company"]},
    {"ORGUNIT", "%s", ["department"]},
    {"CTRY", "%s", ["c"]},
    {"LOCALITY", "%s", ["l"]},
    {"STREET", "%s", ["streetAddress"]},
    {"REGION", "%s", ["st"]},
    {"PCODE", "%s", ["postalCode"]},
    {"TITLE", "%s", ["title"]},
    {"URL", "%s", ["wWWHomePage"]},
    {"DESC", "%s", ["description"]},
    {"TEL", "%s", ["telephoneNumber"]}]},
  {ldap_search_fields,
   [{"User", "%u"},
    {"Name", "givenName"},
    {"Family Name", "sn"},
    {"Email", "mail"},
    {"Company", "company"},
    {"Department", "department"},
    {"Role", "title"},
    {"Description", "description"},
    {"Phone", "telephoneNumber"}]},
  {ldap_search_reported,
   [{"Full Name", "FN"},
    {"Nickname", "NICKNAME"},
    {"Email", "EMAIL"}]}
 ]}.

{host_config, "hab.desoft.cu", [{auth_method, [anonymous, ldap]}]}.

{mod_vcard_ldap, [{search, true},
                  {allow_return_all, true},
                  {matches, infinity},
                  {host, "jud.hab.desoft.cu"}]},
_______________________________________________
ejabberd mailing list
ejabberd@jabber.ru
http://lists.jabber.ru/mailman/listinfo/ejabberd
Post received from mailing list

Guest
Posted: Thu Jan 04, 2007 3:06 pm
Jorge,

You want to pick the ldap_filter to filter on the security group jabberusers.

{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_filter, "(memberOf=Jabberusers)"}.

That should authenticate only the members of the Jabberusers security group.

You can also look at the AD with:

ldapsearch -x -b "dc=lan,dc=hab,dc=desoft,dc=cu" -D user@lan.hab.desoft.cu -h lan.hab.desoft.cu -W
-----------------------
Nathan Faust
Systems Administrator
Merchant Warehouse
Two International Place
Fourth Floor
Boston, MA 02110
Phone: 617.896.5558
Fax: 617.854.8923
http://www.merchantwarehouse.com/
-----Original Message-----
From: ejabberd-bounces@jabber.ru [mailto:ejabberd-bounces@jabber.ru] On Behalf Of Jorge Luis Becerra Peraza
Sent: Monday, January 01, 2007 2:38 AM
To: ejabberd@jabber.ru
Subject: [ejabberd] Active directory ldap auth problem
Hi:

I am testing the LDAP authentication using ejabberd 1.1.2 on a Debian Sarge. There is a problem to solve before I put it on the production server: I want to be able to restrict the users who can use ejabberd as a client. Currently I have found no way to prevent the administrator and other accounts from appearing on the roster and being able to log in. I mean that accounts used for administrative purposes should not appear; maybe it can be done using ldap_filter, but I can't find the way. If there is any help, I appreciate it.

I don't have too many accounts, about 250, and five different organization units in the Active Directory.

Something I find hard to understand is that I need to put every user in some group for them to appear; for that a global security group named jabberusers was created, but any user who belongs to any other group also appears, and that's what I try to avoid. The administrative accounts also belong to some groups; I found no way to avoid this.

The related LDAP part of ejabberd.conf looks like:
{auth_method, ldap}.
{ldap_servers, ["lan.hab.desoft.cu"]}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_rootdn, "CN=someuser,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"}.
{ldap_filter, "(memberOf=*)"}.
{ldap_password, "passwordofsomeuser"}.

{mod_vcard_ldap,
 [{ldap_vcard_map,
   [{"NICKNAME", "%u", []},
    {"GIVEN", "%s", ["givenName"]},
    {"MIDDLE", "%s", ["initials"]},
    {"FAMILY", "%s", ["sn"]},
    {"FN", "%s", ["displayName"]},
    {"EMAIL", "%s", ["mail"]},
    {"ORGNAME", "%s", ["company"]},
    {"ORGUNIT", "%s", ["department"]},
    {"CTRY", "%s", ["c"]},
    {"LOCALITY", "%s", ["l"]},
    {"STREET", "%s", ["streetAddress"]},
    {"REGION", "%s", ["st"]},
    {"PCODE", "%s", ["postalCode"]},
    {"TITLE", "%s", ["title"]},
    {"URL", "%s", ["wWWHomePage"]},
    {"DESC", "%s", ["description"]},
    {"TEL", "%s", ["telephoneNumber"]}]},
  {ldap_search_fields,
   [{"User", "%u"},
    {"Name", "givenName"},
    {"Family Name", "sn"},
    {"Email", "mail"},
    {"Company", "company"},
    {"Department", "department"},
    {"Role", "title"},
    {"Description", "description"},
    {"Phone", "telephoneNumber"}]},
  {ldap_search_reported,
   [{"Full Name", "FN"},
    {"Nickname", "NICKNAME"},
    {"Email", "EMAIL"}]}
 ]}.

{host_config, "hab.desoft.cu", [{auth_method, [anonymous, ldap]}]}.

{mod_vcard_ldap, [{search, true},
                  {allow_return_all, true},
                  {matches, infinity},
                  {host, "jud.hab.desoft.cu"}]},
_______________________________________________
ejabberd mailing list
ejabberd@jabber.ru
http://lists.jabber.ru/mailman/listinfo/ejabberd
Post received from mailing list

Guest
Posted: Thu Jan 04, 2007 5:33 pm
Thanks Nathan,

I already tried this but it doesn't work. A friend suggested writing the complete DN of the group, and it is working now:

{ldap_filter, "(memberOf=CN=jabberusers,OU=Grupos,DC=lan,DC=hab,DC=desoft,DC=cu)"}.

Now it is time for me to try to use ACLs based on LDAP group, but it seems that is not implemented, or is it possible to do?

Jorge Becerra
On Thu, 2007-01-04 at 10:05 -0500, Nathan Faust wrote:
> Jorge,
>
> You want to pick the ldap_filter to filter on the security group
> jabberusers.
>
> {ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
> {ldap_filter, "(memberOf=Jabberusers)"}.
>
> That should authenticate only the members of the Jabberusers
> security group.
>
> You can also look at the AD with:
> ldapsearch -x -b "dc=lan,dc=hab,dc=desoft,dc=cu" -D user@lan.hab.desoft.cu -h lan.hab.desoft.cu -W
>
> -----------------------
> Nathan Faust
> Systems Administrator
> Merchant Warehouse
> Two International Place
> Fourth Floor
> Boston, MA 02110
> Phone: 617.896.5558
> Fax: 617.854.8923
> http://www.merchantwarehouse.com/
>
>
> -----Original Message-----
> From: ejabberd-bounces@jabber.ru [mailto:ejabberd-bounces@jabber.ru] On Behalf Of Jorge Luis Becerra Peraza
> Sent: Monday, January 01, 2007 2:38 AM
> To: ejabberd@jabber.ru
> Subject: [ejabberd] Active directory ldap auth problem
>
> Hi:
>
> I am testing the LDAP authentication using ejabberd 1.1.2 on a Debian
> Sarge. There is a problem to solve before I put it on the production server:
> I want to be able to restrict the users who can use ejabberd as a client.
> Currently I have found no way to prevent the administrator and other accounts
> from appearing on the roster and being able to log in. I mean that accounts
> used for administrative purposes should not appear; maybe it can be done
> using ldap_filter, but I can't find the way. If there is any help, I
> appreciate it.
>
> I don't have too many accounts, about 250, and five different
> organization units in the Active Directory.
>
> Something I find hard to understand is that I need to put every user in
> some group for them to appear; for that a global security group named
> jabberusers was created, but any user who belongs to any other group also
> appears, and that's what I try to avoid. The administrative accounts also
> belong to some groups; I found no way to avoid this.
>
> The related LDAP part of ejabberd.conf looks like:
>
> {auth_method, ldap}.
> {ldap_servers, ["lan.hab.desoft.cu"]}.
> {ldap_uidattr, "sAMAccountName"}.
> {ldap_base, "DC=lan,DC=hab,DC=desoft,DC=cu"}.
> {ldap_rootdn, "CN=someuser,CN=Users,DC=lan,DC=hab,DC=desoft,DC=cu"}.
> {ldap_filter, "(memberOf=*)"}.
> {ldap_password, "passwordofsomeuser"}.
>
> {mod_vcard_ldap,
>  [{ldap_vcard_map,
>    [{"NICKNAME", "%u", []},
>     {"GIVEN", "%s", ["givenName"]},
>     {"MIDDLE", "%s", ["initials"]},
>     {"FAMILY", "%s", ["sn"]},
>     {"FN", "%s", ["displayName"]},
>     {"EMAIL", "%s", ["mail"]},
>     {"ORGNAME", "%s", ["company"]},
>     {"ORGUNIT", "%s", ["department"]},
>     {"CTRY", "%s", ["c"]},
>     {"LOCALITY", "%s", ["l"]},
>     {"STREET", "%s", ["streetAddress"]},
>     {"REGION", "%s", ["st"]},
>     {"PCODE", "%s", ["postalCode"]},
>     {"TITLE", "%s", ["title"]},
>     {"URL", "%s", ["wWWHomePage"]},
>     {"DESC", "%s", ["description"]},
>     {"TEL", "%s", ["telephoneNumber"]}]},
>   {ldap_search_fields,
>    [{"User", "%u"},
>     {"Name", "givenName"},
>     {"Family Name", "sn"},
>     {"Email", "mail"},
>     {"Company", "company"},
>     {"Department", "department"},
>     {"Role", "title"},
>     {"Description", "description"},
>     {"Phone", "telephoneNumber"}]},
>   {ldap_search_reported,
>    [{"Full Name", "FN"},
>     {"Nickname", "NICKNAME"},
>     {"Email", "EMAIL"}]}
>  ]}.
>
> {host_config, "hab.desoft.cu", [{auth_method, [anonymous, ldap]}]}.
>
> {mod_vcard_ldap, [{search, true},
>                   {allow_return_all, true},
>                   {matches, infinity},
>                   {host, "jud.hab.desoft.cu"}]},
>
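The thread shows three ldap_filter values in turn: the presence filter "(memberOf=*)" that let administrators in, Nathan's "(memberOf=Jabberusers)" that matched nobody, and the full group DN that finally worked. The following Python model is an added example, not code from the thread or from the ejabberd project. It assumes that ejabberd ANDs ldap_filter with its uid lookup (the shape the ejabberd documentation describes), uses a constructed sample directory with hypothetical group DNs (a "Domain Admins" group and a group whose CN contains parentheses), and implements only the filter features needed here: and/or/not, presence, equality, and RFC 4515 escaping. It reproduces why each filter admits the users it does, and shows two refinements the poster asked about: excluding an admin group by a second clause, and escaping a DN that would otherwise break the filter syntax.

```python
import re

# Constructed sample directory (not the poster's real AD): each entry is an
# attribute -> list-of-values map, as an LDAP search would return it.
BASE = "DC=lan,DC=hab,DC=desoft,DC=cu"
GROUP_DN = "CN=jabberusers,OU=Grupos," + BASE          # the group from the thread
ADMINS_DN = "CN=Domain Admins,CN=Users," + BASE        # hypothetical admin group
OPS_DN = "CN=Jabber (Ops),OU=Grupos," + BASE           # hypothetical; CN contains ( )

DIRECTORY = [
    {"sAMAccountName": ["jorge"], "memberOf": [GROUP_DN]},
    {"sAMAccountName": ["administrator"], "memberOf": [ADMINS_DN]},
    {"sAMAccountName": ["backupsvc"], "memberOf": [ADMINS_DN, GROUP_DN]},
    {"sAMAccountName": ["newhire"]},                    # no memberOf attribute at all
    {"sAMAccountName": ["sysop"], "memberOf": [OPS_DN]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a filter: backslash, *, ( )
    and NUL become \\XX hex escapes, so a DN with parentheses stays parseable."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, pos=0):
    """Parse the filter starting at s[pos]. Supports &, |, !, presence (attr=*)
    and equality (attr=value); returns (node, index just past the filter)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed %s filter at offset %d" % (op, pos))
        return (op, children), pos + 1
    end = s.index(")", pos)                 # an escaped value holds no literal ')'
    attr, sep, value = s[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attr=value at offset %d" % pos)
    if value == "*":
        return ("present", attr), end + 1
    return ("=", attr, _unescape(value)), end + 1


def filter_is_well_formed(ldap_filter):
    """True if the whole string parses as exactly one filter."""
    try:
        _, end = parse_filter(ldap_filter)
        return end == len(ldap_filter)
    except (ValueError, IndexError):
        return False


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Attribute names and values
    are compared case-insensitively, as AD does for names and DNs."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr = node[1].lower()
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if kind == "present":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)


def ejabberd_auth_filter(uidattr, user, ldap_filter):
    """Assumed shape of the search ejabberd runs for a login: ldap_filter ANDed
    with the uid lookup, the username escaped before it enters the filter."""
    return "(&(%s=%s)%s)" % (uidattr, escape_filter_value(user), ldap_filter)


def allowed_users(ldap_filter, directory=DIRECTORY):
    """Sorted sAMAccountNames that would pass the auth search with this ldap_filter."""
    allowed = []
    for entry in directory:
        user = entry["sAMAccountName"][0]
        node, _ = parse_filter(ejabberd_auth_filter("sAMAccountName", user, ldap_filter))
        if matches(node, entry):
            allowed.append(user)
    return sorted(allowed)


if __name__ == "__main__":
    for f in ["(memberOf=*)",
              "(memberOf=Jabberusers)",
              "(memberOf=%s)" % GROUP_DN,
              "(&(memberOf=%s)(!(memberOf=%s)))" % (GROUP_DN, ADMINS_DN),
              "(memberOf=%s)" % escape_filter_value(OPS_DN)]:
        print("%-100s -> %s" % (f, allowed_users(f)))
```

Two caveats the model makes visible. First, memberOf in AD lists direct memberships only (and never the user's primary group), so a user whose only route into jabberusers is a nested group will not match the equality filter; on a real directory, the ldapsearch Nathan suggests, run with the candidate filter added, is the check to do before changing ejabberd.conf. Second, the full-DN filter admits anyone placed in the group, including administrative accounts; keeping those out is a separate decision, either by not adding them to the group or by a second clause that excludes their group, as the fourth filter above does. The bind account in ldap_rootdn only needs read access to the users' entries, so a dedicated low-privilege account is the right choice for the password that sits in the config file.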
Post received from mailing list

All times are GMT