[Sysadmins] Ejabberd + LDAP
Dmitriy Kruglikov
dmitriy.kruglikov на gmail.com
Пт Янв 14 06:46:12 UTC 2011
14 января 2011 г. 5:03 пользователь Бурко Александр Константинович написал:
> Подскажите как правильно
> настроить конфиг, чтобы авторизация была через LDAP.
Вот мой рабочий конфиг.
Смотрите, меняйте по своему усмотрению. Одно замечание по безопасности: при auth_method = ldap ejabberd проверяет пароль bind'ом в каталог, поэтому клиент присылает пароль открытым текстом (SASL PLAIN) — на 5222 стоит ставить starttls_required, а не просто starttls, и web_admin на 5280 тоже лучше вынести под TLS, иначе пароль админа уходит по HTTP в открытом виде.
+++++++
# cat /etc/ejabberd/ejabberd.cfg
%%%
%%% ejabberd configuration file
%%%
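%% 1 = critical errors only. As far as I recall ejabberd reports rejected
%% logins at the info level (4), so with 1 there is no trace of failed
%% authentication attempts at all — verify against your version and raise
%% this (3 = warnings, 4 = info) if you will ever have to investigate an account.
{loglevel, 1}.
%% JIDs that receive crash/watchdog notifications. The mailing-list archive
%% rewrote the "@" as " на " in this string; the JID must contain a literal "@".
{watchdog_admins, ["admin@domain.com.ua"]}.
%% Virtual hosts served by this node; the top-level ldap_* options below
%% apply to all of them.
{hosts, ["domain.com.ua"]}.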
%%
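{listen,
  [
    %% Client-to-server, STARTTLS upgrade. The LDAP backend authenticates by
    %% binding to the directory with the password the client supplied, so the
    %% client must send the password itself (SASL PLAIN). The plain 'starttls'
    %% flag only *offers* TLS; 'starttls_required' refuses to accept
    %% credentials until the stream has been upgraded, which is the check
    %% you want here.
    {5222, ejabberd_c2s, [
      {certfile, "/var/lib/ssl/certs/ejabberd.pem"}, starttls_required,
      {access, c2s},
      {shaper, c2s_shaper},
      {max_stanza_size, 65536}
    ]},
    %% Legacy SSL-on-connect port for clients that cannot do STARTTLS.
    %% Same certificate; already encrypted from the first byte.
    {5223, ejabberd_c2s, [
      {access, c2s},
      {shaper, c2s_shaper},
      {certfile, "/var/lib/ssl/certs/ejabberd.pem"}, tls,
      {max_stanza_size, 65536}
    ]},
    %% Server-to-server. No certfile on this listener; whether s2s gets TLS
    %% depends on the top-level s2s options, which are not set in this file,
    %% so assume federation traffic is unencrypted unless you add them.
    {5269, ejabberd_s2s_in, [
      {shaper, s2s_shaper},
      {max_stanza_size, 131072}
    ]},
    %% HTTP services. web_admin logs in with the admin's directory password,
    %% and http_bind/http_poll carry the same SASL PLAIN credentials as 5222,
    %% so this listener is served over TLS rather than clear-text HTTP
    %% (clients and the admin UI must now use https://host:5280/).
    {5280, ejabberd_http, [
      tls, {certfile, "/var/lib/ssl/certs/ejabberd.pem"},
      captcha,
      http_poll,
      http_bind,
      web_admin
    ]}
  ]}.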
%%% ==============
%%% AUTHENTICATION
%%
%% Authentication using LDAP.
%% ejabberd verifies a login by binding to the directory as that user with
%% the password the client sent, so the client has to transmit the password
%% itself (SASL PLAIN) — the c2s listeners must force TLS for this to be safe.
%%
{auth_method, ldap}.
%%
%% List of LDAP servers. "localhost" keeps the ejabberd<->LDAP leg off the
%% network, which is the only reason it is acceptable that no
%% {ldap_encrypt, tls} / {ldap_port, 636} is configured. Add both before
%% pointing this at a remote directory, otherwise the user search and the
%% password bind travel in clear text.
{ldap_servers, ["localhost"]}.
%%
%% LDAP attribute that holds the user ID; %u is the local part of the JID.
{ldap_uids, [{"uid", "%u"}]}.
%%
%% Search base and filter: only entries under ou=People that are
%% objectClass=person may authenticate. Tighten the filter if that subtree
%% also contains service or disabled accounts that should not get XMPP access.
{ldap_base, "ou=People,dc=domain,dc=com,dc=ua"}.
{ldap_filter, "(objectClass=person)"}.
%%
%% LDAP manager (bind DN used for the user lookup). Left unset, so the
%% lookup is done with an anonymous bind — the directory has to permit
%% anonymous search of uid under the base, and should permit nothing more.
%%{ldap_rootdn, ""}.
%%
%% Password to LDAP manager. If you set it, this file then holds a directory
%% credential in clear text: keep it readable by the ejabberd user only.
%%{ldap_password, ""}.
%%
%% Anonymous login support:
%% auth_method: anonymous
%% anonymous_protocol: sasl_anon | login_anon | both
%% allow_multiple_connections: true | false
%%
%%{host_config, "public.example.org", [{auth_method, anonymous},
%% {allow_multiple_connections, false},
%% {anonymous_protocol, sasl_anon}]}.
%%
%% To use both anonymous and internal authentication:
%%
%%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}.
%%% ===============
%%% TRAFFIC SHAPERS
%%
%% The "normal" shaper limits traffic speed to 1.000 B/s. The c2s_shaper
%% rule below applies it to every non-admin client session; 1 kB/s may be
%% tight for vCard photos (jpegPhoto is mapped to PHOTO) — raise it if
%% those time out.
%%
{shaper, normal, {maxrate, 1000}}.
%%
%% The "fast" shaper limits traffic speed to 50.000 B/s; applied to all
%% s2s connections by the s2s_shaper rule.
%%
{shaper, fast, {maxrate, 50000}}.
%%% ====================
%%% ACCESS CONTROL LISTS
%%
%% The 'admin' ACL grants administrative privileges to Jabber accounts.
%% You can put as many accounts as you want.
%%
%%{acl, admin, {user, "aleksey", "localhost"}}.
%%{acl, admin, {user, "ermine", "example.org"}}.
%% Server admin. With LDAP auth there is no local password for this account:
%% whoever can bind as uid=admin in the directory gets web_admin, announce,
%% configure and MUC-admin rights through the access rules below, so protect
%% that directory entry (password policy, who may reset it) accordingly.
{acl, admin, {user, "admin", "domain.com.ua"}}.
%%
%% Blocked users. The 'blocked' ACL is referenced by the c2s rule but has no
%% members here; entries of this form lock an account out at the XMPP layer
%% without touching the directory.
%%
%%{acl, blocked, {user, "baduser", "example.org"}}.
%%{acl, blocked, {user, "test"}}.
%%
%% Local users: don't modify this line. The empty regexp matches every
%% user name on the served hosts.
%%
{acl, local, {user_regexp, ""}}.
%%
%% More examples of ACLs
%%
%%{acl, jabberorg, {server, "jabber.org"}}.
%%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
%%{acl, test, {user_regexp, "^test"}}.
%%{acl, test, {user_glob, "test*"}}.
%%
%% Define specific ACLs in a virtual host.
%%
%%{host_config, "localhost",
%% [
%% {acl, admin, {user, "bob-local", "localhost"}}
%% ]
%%}.
%%% ============
%%% ACCESS RULES
%% Rules are evaluated top to bottom and the first matching ACL wins, so
%% keep deny entries before the catch-all allow.
%%
%% Maximum number of simultaneous sessions allowed for a single user:
{access, max_user_sessions, [{10, all}]}.
%% Maximum number of offline messages that users can have:
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
%% This rule allows access only for local users:
{access, local, [{allow, local}]}.
%% Only non-blocked users can use c2s connections (blocked is checked first):
{access, c2s, [{deny, blocked},
{allow, all}]}.
%% For C2S connections, all users except admins use "normal" shaper
{access, c2s_shaper, [{none, admin},
{normal, all}]}.
%% All S2S connections use "fast" shaper
{access, s2s_shaper, [{fast, all}]}.
%% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.
%% Only admins can use configuration interface (web_admin, mod_configure):
{access, configure, [{allow, admin}]}.
%% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.
%% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.
%% Everybody can create pubsub nodes (mod_pubsub is commented out below,
%% so this rule is currently unused)
{access, pubsub_createnode, [{allow, all}]}.
%% In-band registration (XEP-0077). Denied, which is the right setting for an
%% LDAP backend: accounts live in the directory, and as far as I know the
%% LDAP auth module cannot create them anyway. Keep it 'deny' — with a
%% writable backend 'allow' would let anyone who can reach 5222 create accounts.
{access, register, [{deny, all}]}.
%% By default frequency of account registrations from a the same IP
%% is limited to 1 account every 10 minutes. To disable put: infinity
%%{registration_timeout, 600}.
%%
%% Define specific Access rules in a virtual host.
%%
%%{host_config, "localhost",
%% [
%% {access, c2s, [{allow, admin}, {deny, all}]},
%% {access, register, [{deny, all}]}
%% ]
%%}.
%%% ================
%%% DEFAULT LANGUAGE
%%
%% language: Default language used for server messages.
%%
%% Default language for server-generated messages (can be overridden per host).
{language, "ru"}.
%%
%% Set a different default language in a virtual host.
%%
%%{host_config, "localhost",
%% [{language, "ru"}]
%%}.
%%% =======
%%% MODULES
%%
%% Modules enabled in all ejabberd virtual hosts.
%%
%% Modules enabled on every virtual host. Security-relevant ones are noted.
{modules,
[
{mod_http_bind, []},   %% BOSH, served by the 5280 HTTP listener above
{mod_adhoc, []},
%% Adds extra ejabberdctl commands (user/roster/vcard management).
{mod_admin_extra, []},
{mod_announce, [{access, announce}]}, % recommends mod_adhoc; admin-only via the announce rule
{mod_caps, []},
{mod_configure,[]}, % requires mod_adhoc; gated by the configure rule (admin only)
{mod_disco, []},
%%{mod_echo, [{host, "echo.localhost"}]},
{mod_last, []},
%% Rooms are persistent by default; creation is open to every user (muc rule),
%% server admins are room admins (muc_admin rule).
{mod_muc, [
{default_room_options, [{persistent, true}]},
%%{host, "conference.@HOST@"},
{access, muc},
{access_create, muc},
{access_persistent, muc},
{access_admin, muc_admin}
]},
%% Writes transcripts of rooms that have logging enabled to disk (default
%% outdir unless set) — check who can read that directory.
{mod_muc_log,[]},
{mod_offline, []},
{mod_ping, []},
{mod_privacy, []},
{mod_private, []},
%%{mod_proxy65,[]},
%% {mod_pubsub, [ % requires mod_caps
%% {access_createnode, pubsub_createnode},
%% {plugins, ["default", "pep"]}
%% ]},
%% vCards are read straight from LDAP (no ldap_base here, so it presumably
%% inherits the top-level ldap_* settings — confirm). Every authenticated
%% user can search the directory through the fields below, and PHOTO pulls
%% jpegPhoto, so only attributes you are happy to expose to all users belong
%% in this map.
{mod_vcard_ldap, [
{ldap_uidattr, "uid"},
{ldap_uidattr_format, "%u"},
{ldap_vcard_map, [
{"NICKNAME", "%s", ["cn"]},
{"GIVEN", "%s", ["givenName"]},
{"MIDDLE", "%s", ["initials"]},
{"FAMILY", "%s", ["sn"]},
{"FN", "%s", ["displayName"]},
{"EMAIL", "%s", ["mail"]},
{"ORGNAME", "%s", ["o"]},
{"ORGUNIT", "%s", ["ou"]},
{"LOCALITY", "%s", ["l"]},
{"STREET", "%s", ["street"]},
{"REGION", "%s", ["st"]},
{"PCODE", "%s", ["postalCode"]},
{"TITLE", "%s", ["title"]},
{"DESC", "%s", ["description"]},
{"PHOTO", "%s", ["jpegPhoto"]},
{"TEL", "%s", ["mobile"]}
]},
{ldap_search_fields, [
{"Пользователь", "%u"},
{"Псевдоним", "displayName"},
{"Имя", "givenName"},
{"Фамилия", "sn"},
{"E-Mail", "mail"},
{"Город", "l"}
]},
{ldap_search_reported, [
{"Псевдоним", "NICKNAME"},
{"Телефоны", "TEL"},
{"E-Mail", "EMAIL"}
]}
]},
{mod_roster, []},
%%{mod_service_log,[]},
%% {mod_shared_roster,[]},
%% Pushes directory entries into every user's roster, grouped by 'ou'.
%% The rfilter is the same (objectClass=person) as the auth filter, so every
%% person under ou=People — service accounts included, if any live there —
%% becomes visible to every logged-in user. Narrow ldap_rfilter if that is
%% not intended.
{mod_shared_roster_ldap, [
{ldap_base, "ou=People,dc=domain,dc=com,dc=ua"},
{ldap_groupattr, "ou"},
{ldap_rfilter, "(objectClass=person)"},
{ldap_memberattr, "uid"},
{ldap_useruid, "uid"},
{ldap_userdesc, "cn"}
]},
{mod_stats, []},
{mod_time, []},
%% {mod_vcard, []},
{mod_version, []}   %% reports the ejabberd version to anyone who asks
]}.
%%
%% Enable modules with custom options in a specific virtual host
%%
%%{host_config, "localhost",
%% [{{add, modules},
%% [
%% {mod_echo, [{host, "mirror.localhost"}]}
%% ]
%% }
%% ]}.
%%% $Id$
%%% Local Variables:
%%% mode: erlang
%%% End:
%%% vim: set filetype=erlang tabstop=8:
+++++++
Учите детей хорошему ;)
--
Best regards,
Dmitriy Kruglikov.
QString at, dot, mail, XMPP;
at = "@";
dot = ".";
mail = "Dmitriy.Kruglikov" + $at +"gmail" + $dot + "com";
XMPP = $mail;