(3.5) Jabber Shared Roster

ippillihplm

« on: August 14, 2014, 08:46:59 am »
Hello,

I am having issues with Shared Rosters not showing up for my Jabber server.  When I look into the /var/log/ejabber/ejabberd.log I find this coming up:
Code:
=ERROR REPORT==== 2014-08-14 02:33:17 ===
E(<0.351.0>:eldap_utils:166) : failed to parse LDAP filter:
** Filter: []
** Reason: {error,["syntax error before: ",[]]}

Looking at the basic /etc/ejabberd/ejabberd.cfg the shared roster config looks to be as follows:
Code:
  {mod_shared_roster_ldap, [
    {ldap_filter, ""},
    {ldap_rfilter, "(objectClass=group)"},
    {ldap_gfilter, "(&(objectClass=group)(cn=%g))"},
    {ldap_ufilter, "(&(jabberUid=%u)(objectClass=userJabberAccount))"},
    {ldap_groupattr, "cn"},
    {ldap_groupdesc, "description"},
    {ldap_memberattr, "member"},
    {ldap_memberattr_format, "jabberUid=%u,DC=otmns,DC=net"},
    {ldap_useruid, "jabberUid"},
    {ldap_userdesc, "cn"}
  ]},

The /usr/share/zentyal/stubs/jabber/ejabberd.cfg.mas shows the roster config as:
Code:
% if ($sharedroster) {
  {mod_shared_roster_ldap, [
    {ldap_filter, ""},
    {ldap_rfilter, "(objectClass=group)"},
    {ldap_gfilter, "(&(objectClass=group)(cn=%g))"},
    {ldap_ufilter, "(&(jabberUid=%u)(objectClass=userJabberAccount))"},
    {ldap_groupattr, "cn"},
    {ldap_groupdesc, "description"},
    {ldap_memberattr, "member"},
    {ldap_memberattr_format, "jabberUid=%u,<% $usersDn %>"},
    {ldap_useruid, "jabberUid"},
    {ldap_userdesc, "cn"}
  ]},
% }

And of course the Roster is enabled in the Jabber settings...

After perusing the ejabberd docs, I have tried replacing the ldap_filter line with the following, but this failed as well:
Code:
    {ldap_filter, "(sAMAccountName=*)"},
Any other ideas?

Thanks!
Michael
« Last Edit: August 14, 2014, 01:41:33 pm by ippillihplm »

shurale

« Reply #1 on: November 24, 2014, 12:38:03 pm »
I have this problem too. Pidgin does not show shared roster.

jgould

« Reply #2 on: December 05, 2014, 11:36:28 pm »
I think I know why this doesn't work, and it isn't really related to Zentyal.
However they should probably just remove the option if it won't do anything.

According to ejabberd https://www.ejabberd.im/shared-roster-all

Quote
As of version 1.0.0, ejabberd allows the administrator to add all users on a virtual host to a shared roster group. When he creates a shared roster group on a virtual host, and specifies the members, he can put @all@, and ejabberd will add all users on the current virtual host.

This feature requires internal authentication. If you use external authentication, LDAP... then adding @all@ to a shared roster group will do nothing.

Checking the /etc/ejabberd/ejabberd.cfg file it shows {auth_method, ldap}. So LDAP not internal, thus no shared roster support.

EDIT:
Correction, it appears mod_shared_roster_ldap was added in 2.1.6 so this SHOULD work. No idea why it doesn't but will be looking into this as well.
« Last Edit: December 05, 2014, 11:40:35 pm by jgould »

jgould

« Reply #3 on: December 08, 2014, 04:21:26 pm »
This is what I found over the weekend.
My Zentyal 3.5 install was using ejabberd 2.1.13. Zentyal 4.0+ seems to be using 2.1.10. Seems pretty strange that they would go "backwards" unless something was wrong. My guess is there is an issue with 2.1.13 and Zentyal.

Outside of that everything looked right on my 3.5 install and it should have worked. I tried to uninstall Jabber and reinstall but that didn't solve the issue. So after making sure nothing else I rely on would break moving to 4.0 I upgraded. During that process jabber was removed and reinstalled, now as ejabberd 2.1.10. Shared rosters now worked. The configuration file also changed when upgrading, but that wasn't the reason it worked since I had already changed the mason file (created a custom mason file like I've done in the past). The new file only changed some filters to ignore system groups.

For those unaware, the way that Zentyal configures ejabberd to identify groups and users to add to the shared roster is by adding custom attributes or values to the attributes in your Active Directory objects. So if you are using Windows RSAT go to "Active Directory Users and Computers", click the View menu and check Advanced Features. Now double click a user account and go to Attribute Editor. I like to click the filter button and say "show only attributes that have values".

Start by looking at a user account. Look for Attribute "objectClass". There should be a value of "userJabberAccount". For user accounts there should also be custom attributes "jabberAdmin" and "jabberUid". The admin option is TRUE/FALSE to provide user accounts with admin capabilities. The Uid option is to make sure that jabber has a correctly formatted name to use for the user account. Pretty sure they do this to prevent any issue with the regular uid attribute since jabber can't have spaces and things in the username.


For groups the zentyal ejabberd configuration looks for two attributes. The first is that ObjectClass has "group" as a value. Second is that you have a "member" attribute that should contain all user accounts that belong to that group.


Another thing of importance. The Zentyal web admin won't allow you to set jabber options if the user account is in anything but the default Users folder. There is a possibility that if you add a user through RSAT or not to the default Users folder that they won't have the correct attributes for jabber. You could add/edit them in or just move the user back to the default Users folder, go into the web admin and make sure the jabber option is on. Then move the user back to wherever you wanted. This is something that anyone who really uses Active Directory and Group Policies will run into. Interestingly enough though, it doesn't seem to matter to ejabberd where user accounts are located, it picks them up fine if those attributes are there (or you change the config to look for different attributes). Personally though I don't understand why Zentyal can't allow jabber settings in the web admin outside the default User folder. Honestly, the web admin for managing Active Directory is pretty much useless as it stands. It also doesn't show computers outside the default OU.
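
The attribute checks described in this reply, written out as an added example (it is not part of the original post and is not Zentyal's or ejabberd's code). It takes directory entries as plain dictionaries and reports which group members carry the `userJabberAccount` objectClass and a usable `jabberUid`; the `example.com` entries and the function names are constructed for illustration.

```python
# Added example; SAMPLE is constructed data, not entries from the thread.
USER_CLASS = "userJabberAccount"   # objectClass named in the posted ldap_ufilter
GROUP_CLASS = "group"              # objectClass named in the posted ldap_rfilter

def has_class(entry, name):
    """Case-insensitive objectClass test."""
    return name.lower() in (v.lower() for v in entry.get("objectClass", []))

def user_problems(entry):
    """List the reasons a user entry lacks what the roster config looks for."""
    problems = []
    if not has_class(entry, USER_CLASS):
        problems.append("objectClass lacks " + USER_CLASS)
    uid = (entry.get("jabberUid") or [""])[0]
    if not uid:
        problems.append("jabberUid missing")
    elif " " in uid:
        problems.append("jabberUid contains a space")
    return problems

def audit(entries):
    """Map each group cn to (member DNs that pass, {member DN: problems})."""
    by_dn = {e["dn"].lower(): e for e in entries}
    report = {}
    for group in entries:
        if not has_class(group, GROUP_CLASS):
            continue
        ok, bad = [], {}
        for dn in group.get("member", []):
            user = by_dn.get(dn.lower())
            probs = ["member DN not found"] if user is None else user_problems(user)
            if probs:
                bad[dn] = probs
            else:
                ok.append(dn)
        report[group["cn"][0]] = (ok, bad)
    return report

ALICE = "CN=Alice,CN=Users,DC=example,DC=com"
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"   # created outside the Users folder
SAMPLE = [
    {"dn": ALICE, "objectClass": ["user", "userJabberAccount"],
     "jabberUid": ["alice"], "jabberAdmin": ["FALSE"]},
    {"dn": BOB, "objectClass": ["user"]},
    {"dn": "CN=Support,CN=Users,DC=example,DC=com", "cn": ["Support"],
     "objectClass": ["group"], "member": [ALICE, BOB]},
]

if __name__ == "__main__":
    for name, (ok, bad) in audit(SAMPLE).items():
        print(name, "ready:", ok, "needs attention:", bad)
```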

jgould

« Reply #4 on: December 08, 2014, 07:44:16 pm »
Should also add that the mod_vcard_ldap mapping is also incorrect.
In the config file there are references to TEL/WORK & TEL/CELL. Ejabberd is supposed to support XEP-0054 but currently it doesn't seem to fully support it. It appears these phone number references don't work. To get the "telephoneNumber" from AD just use TEL instead for now. There is an improvement/bug listed for ejabberd which I believe explains why you can't get the multiple phone numbers out of AD currently.

https://support.process-one.net/browse/EJAB-1557

Sounds like once they do implement it it will be CELL not TEL/CELL.

Zentyal group might want to fix this until the fixes are implemented. If not, no telephone numbers populate.

jgould

« Reply #5 on: December 10, 2014, 11:07:45 pm »
ALSO, if anyone is out there listening, it would be GREAT to get a more recent ejabberd version. Pretty sure 2.X is obsolete. Current stable is 14.07 (https://www.ejabberd.im/).

From what I've read 2.X doesn't come with SASL GSSAPI out of the box. You have to patch it (don't think Zentyal version is patched but anyone have confirmation?) as noted at, https://www.ejabberd.im/cyrsasl_gssapi. Pretty sure the current releases come with this by default.

Considering Zentyal is using Samba 4 as an AD replacement it would make sense to use as many tools as you can to provide SSO capabilities. Openfire has had this capability for a long time and as stated ejabberd should as well. Zentyal just needs to use a current stable release.

murz

« Reply #6 on: December 22, 2014, 09:28:26 pm »
Same problem with shared roster on Zentyal 4.0 version. Has anybody found a solution or workaround?

jgould

« Reply #7 on: January 27, 2015, 05:54:33 pm »
The posts I made were for 4.0. I've had a functional ejabberd server since posting following the info I posted above.

Is there an official way to request for Zentyal to upgrade ejabberd to a more recent version? Because this is starting to cause me some issues. For instance the old versions don't seem to support some of the new XEP. A big one for me is carbon copy.

jbahillo

« Reply #8 on: February 02, 2015, 05:26:47 pm »
Zentyal 4.0 Shared roster is working (I have one working). 3.5 will not be touched since 3.5 has reached its end of life around October 2014...

Regarding ejabberd binaries, it is on the latest binaries Ubuntu provides
« Last Edit: February 02, 2015, 05:28:31 pm by jbahillo »