Author Topic: [Solved]: zentyal-xmpp upgrade ejabberd to 20.04 ldap authentication  (Read 2041 times)

denis.robel

  • Zen Apprentice
  • *
  • Posts: 44
  • Karma: +3/-0
    • View Profile
Hallo,

I upgraded ejebberd manually to 20.04 now the ldap authentication does not work anymore.

old code
Code: [Select]
auth_method: ldap
ldap_servers:
  - "127.0.0.1"
ldap_port: 389
ldap_rootdn: "CN=zentyal-jabber-zentyal2,CN=Users,DC=dantschke,DC=org"
ldap_password: "-----------------------------"
ldap_base: "DC=dantschke,DC=org"
ldap_uids:
  - "jabberUid": "%u"

Startup ends with error:
2020-06-19 15:19:18.343 [critical] <0.107.0>@ejabberd_app:start:71 Failed to start ejabberd application: Invalid value of option ldap_uids: Expected map, got list instead

I'm not so familar with ldap but I thing ther should be an ldap filter in config, something like that:

Code: [Select]
auth_method: [ldap]
ldap_servers: [office.org]  # List of LDAP servers
ldap_base: "DC=office,DC=org" # Search base of LDAP directory
ldap_rootdn: "CN=Administrator,CN=Users,DC=office,DC=org" # LDAP manager
ldap_password: "*******" # Password to LDAP manager
ldap_uids: [sAMAccountName]
ldap_filter: "(memberOf=*)"

The ejabberd.yml.mas should be modified that it will working again with ejabberd 20.04.

see https://docs.ejabberd.im/admin/configuration/database-ldap/#ldap-authentication

Some help would be appreciated...

best regards Denis
« Last Edit: June 23, 2020, 12:32:57 pm by denis.robel »

denis.robel

  • Zen Apprentice
  • *
  • Posts: 44
  • Karma: +3/-0
    • View Profile
Re: zentyal-xmpp upgrade ejabberd to 20.04 ldap authentication
« Reply #1 on: June 23, 2020, 12:32:25 pm »
Hallo,

here the solution for the problem and I modified the config in that way that conversations is usable as a client with file upload etc...

It would be great if somebody could upgrade the ejabberd for zentyal ....

Code: [Select]
#### This config file is generated by Zentyal.
#### Any modifcation will be resetted by restart of Zentyal Server !!!
#### To configure modify /usr/share/zentyal/stubs/jabber/ejabberd.yml.mas instead
####
#### This config was created by Denis Robel for Ejabberd 20.0.4
####
######################################################################################

hosts:
  - "dmt1.nsupdate.info"


loglevel: 4
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100

certfiles:
#  - "/opt/ejabberd/conf/server.pem"
  - "/etc/letsencrypt/live/dmt1.nsupdate.info/fullchain.pem"
  - "/etc/letsencrypt/live/dmt1.nsupdate.info/privkey.pem"

#ca_file: "/opt/ejabberd/conf/cacert.pem"
ca_file: "/opt/ejabberd/conf/ejabberd.pem"

auth_method: ldap
ldap_servers:
  - "127.0.0.1"
ldap_port: 389
#ldap_encrypt: tls
ldap_rootdn: "CN=zentyal-jabber-zentyal2,CN=Users,DC=dantschke,DC=org"
ldap_password: "++++++++++++++++++++++++++"
ldap_base: "DC=dantschke,DC=org"
ldap_uids: [jabberUid]
#  "jabberUid": "%u"
ldap_filter: "(&(objectclass=User)(jabberUid=*))"


listen:
  -
    port: 5222
    ip: "0.0.0.0"
    module: ejabberd_c2s
    starttls: true
    certfile: "/opt/ejabberd/conf/ejabberd.pem"
    tls_compression: false
    dhfile: "/opt/ejabberd/conf/dh4096.pem"

    starttls_required: true
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s

  -
    port: 5269
    ip: "0.0.0.0"
    module: ejabberd_s2s_in
    max_stanza_size: 524288

  -
    port: 3478
    ip: "192.168.1.1"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    turn_ip: "192.168.1.1"
    ## The server's public IPv4 address:
    # turn_ipv4_address: "203.0.113.3"
    ## The server's public IPv6 address:
    # turn_ipv6_address: "2001:db8::3"

  -
    port: 5443
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/admin": ejabberd_web_admin
      "/api": mod_http_api
      "/bosh": mod_bosh
      "/captcha": ejabberd_captcha
      "/upload": mod_http_upload
      "/ws": ejabberd_http_ws
      "/oauth": ejabberd_oauth


  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/admin": ejabberd_web_admin
  -
    port: 1883
    ip: "::"
    module: mod_mqtt
    backlog: 1000


s2s_use_starttls: optional

acl:
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128
      - ::FFFF:127.0.0.1/128
  admin:
    user:
      - "robel": "dmt1.nsupdate.info"
      - "domainadmin": "dmt1.nsupdate.info"

access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: local
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          acl: loopback
          acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            acl: loopback
            acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number

shaper:
  normal: 1000
  fast: 50000

shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    5000: admin
    100: all
  c2s_shaper:
    none: admin
    normal: all
  s2s_shaper: fast

max_fsm_queue: 10000

acme:
   contact: "mailto:d.robel@dantschke-med.de"
   ca_url: "https://acme-v01.api.letsencrypt.org"


language: "de"

modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_configure: {}
  mod_client_state: {}
  mod_blocking: {}
  mod_disco:
   server_info:
    -
      modules: all
      name: "abuse-addresses"
      urls:
        - "mailto:info@dantschke-med.de"
    -
      modules: all
      name: "support-addresses"
      urls:
        - "mailto:info@dantschke-med.de"
    -
      modules: all
      name: "admin-addresses"
      urls:
        - "mailto:info@dantschke-med.de"
  mod_http_upload: {}
  mod_last: {}
  mod_mam: {}
  mod_mqtt: {}
  mod_muc:
    host: "conference.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    default_room_options:
      allow_subscription: true  # enable MucSub
      mam: true
      persistent: true
      public: false
      public_list: false
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_pres_counter:
    count: 5
    interval: 60
  mod_private: {}
  mod_proxy65:
    access: local
    max_connections: 5
  mod_pubsub:
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: true
    last_item_cache: false
    plugins:
      - flat
      - hometree
      - pep
    force_node_config:
      ## Avoid buggy clients to make their bookmarks public
      storage:bookmarks:
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    ## Only accept registration requests from the "trusted"
    ## network (see access_rules section above).
    ## Think twice before enabling registration from any
    ## address. See the Jabber SPAM Manifesto for details:
    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
    ip_access: trusted_network
  mod_roster:
    versioning: true
  mod_s2s_dialback: {}
  mod_shared_roster_ldap:
    ldap_rfilter: "(&(objectClass=user)(!(isCriticalSystemObject=*)))"
    ldap_ufilter: "(&(objectClass=userJabberAccount)(distinguishedName=%u))"
    ldap_groupattr: "cn"
    ldap_groupdesc: "cn"
    ldap_memberattr: "sAMAccountName"
    ldap_useruid: "jabberUid"
    ldap_userdesc: "sAMAccountName"
  mod_sic: {}
  mod_stats: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_stun_disco: {}
  mod_time: {}
  mod_vcard:
    db_type: ldap
    search: true
    allow_return_all: true
    ldap_vcard_map:
      "NICKNAME": {"%u": []}
      "FIRST": {"%s": ["givenName"]}
      "LAST": {"%s": ["sn"]}
      "FN": {"%s, %s": ["sn", "givenName"]}
      "EMAIL": {"%s": ["mail"]}
      "ORGNAME": {"%s": ["company"]}
      "ORGUNIT": {"%s": ["department"]}
      "CTRY": {"%s": ["c"]}
      "LOCALITY": {"%s": ["l"]}
      "STREET": {"%s": ["streetAddress"]}
      "REGION": {"%s": ["st"]}
      "PCODE": {"%s": ["postalCode"]}
      "TITLE": {"%s": ["title"]}
      "URL": {"%s": ["wWWHomePage"]}
      "DESC": {"%s": ["description"]}
      "TEL/CELL": {"%s": ["mobile"]}
      "TEL/NUMBER": {"%s": ["telephoneNumber"]}
    ## Search form
    ldap_search_fields:
      "User": "%u"
      "Name": "givenName"
      "Family Name": "sn"
      "Email": "mail"
      "Company": "company"
      "Department": "department"
      "Role": "title"
      "Description": "description"
      "Phone": "telephoneNumber"
    ## vCard fields to be reported
    ## Note that JID is always returned with search results
    ldap_search_reported:
      "Full Name": "FN"
      "Nickname": "NICKNAME"
      "Email": "EMAIL"
  mod_vcard_xupdate: {} 

  mod_version: {}


best regards

Denis

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
    • View Profile
Re: [Solved]: zentyal-xmpp upgrade ejabberd to 20.04 ldap authentication
« Reply #2 on: June 24, 2020, 02:01:54 pm »
 :)

Zentyal uses the corresponding Ubuntu version packages, so, it isn't a good idea to upgrade "manually" the ubuntu packages used by the zentyal packages. It coul break your APT system consistency now or during future upgrades.

Cheers!
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,

Neustradamus

  • Zen Monk
  • **
  • Posts: 92
  • Karma: +0/-5
    • View Profile
Re: [Solved]: zentyal-xmpp upgrade ejabberd to 20.04 ldap authentication
« Reply #3 on: January 18, 2021, 06:32:46 am »
@denis.robel: Thanks for your post and comment :)

Can you publish a ticket on GitHub?
- https://github.com/zentyal/zentyal/issues/

Note that now, there are new ejabberd builds: 20.07 and 20.12 :)

If you can test it...