
Improve mod_shared_roster_ldap to better support AD

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: ejabberd 2.0.5, ejabberd 2.1.0, ejabberd 2.1.1, ejabberd 2.1.2, ejabberd 2.1.3, ejabberd 2.1.4, ejabberd 2.1.5, ejabberd 2.1.6, ejabberd 2.1.7, ejabberd 2.1.8
    • Fix Version/s: ejabberd 16.02
    • Labels:
      None
    • Environment:
      AD-based domain

      Description

      Edit: I decided to write a settings reference for the modified module. It will be updated as needed.

      If you need help using the module, please contact me at mikekaganski@hotmail.com.

      The mod_shared_roster_ldap currently isn't flexible enough to allow easy integration with Active Directory LDAP. The problem is that it expects the list of users that belong to a group to contain enough information to construct their jids, while this is often not the case.

      <Quote from http://www.ejabberd.im/mod_shared_roster_ldap#comment-57588>

      Retrieving the roster section of the Installation and Operation Guide (http://www.process-one.net/docs/ejabberd/guide_en.html#msrlconfigroster):
      Step 2.a performs a query on LDAP to get groups data (this step is executed once).
      Step 2.c.i converts the string in ldap_memberattr into the jid.
      Step 2.c.ii (optional) checks for existence of this jid (using auth mechanism; thus, it must depend on jid).
      Step 3.b.ii.A performs a query on LDAP to get the display name of each jid, at the same time retrieving the ldap_useruid attribute.

      Supposedly, the roster is built after the step 3.

      This sequence applies some unnecessary restrictions on the LDAP data. Specifically, there are multiple threads on the ejabberd forum with questions concerning the Active Directory integration. In some environments, it's impossible to use this module as intended, and a workaround needs to be implemented to overcome its deficiency.
      For example, in AD, the [group object] has an attribute "member" that has entries defining the DNs of its members.
      A DN may not contain the necessary information to construct the jid. First, the DN consists of relative distinguished names, so no part is guaranteed to be unique across the domain, only the DN is. Second, the CN part of the DN isn't required to conform to the requirements for the user part of a jid. For example, in our environment, I have my DN like "CN=Kaganski Mikhail Borisovich,OU=my_dept,DC=example,DC=com". Note the spaces in the CN.
      [user object] contains an attribute, named "sAMAccountName", that is mandatory, is guaranteed to be unique across the domain, and may be used to construct the user part of the jid (at least we could use it in our environment). But I have no means to get this information if I search for group objects first, to get the list of users in those groups.

      The module could make use of an alternative path to get the user information. If a new optional parameter were introduced, e.g. "member_is_DN", with a default value of "no", and if it is set to "yes", then instead of steps 2.c.i, 2.c.ii and 3.b.ii.A, it would get the object with that DN, look there for the "ldap_useruid" attribute, then apply the ldap_memberattr_format(_re) to it to get the user part of the jid, and also read the "ldap_userdesc" attribute. That could still be done using the "User Filter", looking for the entry with the corresponding DN. This way the AD problem could be solved successfully, while maintaining full compatibility with the current version and having (almost) no impact on performance.
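      The following Python sketch is an added illustration, not the module's code and not any of the patches attached to this issue. It models the two resolution paths described above over a small constructed in-memory directory: the existing path derives the uid from the member string with ldap_memberattr_format_re and then searches for the user by ldap_useruid, while the proposed member_is_DN path fetches the object by DN and reads ldap_useruid (sAMAccountName) and ldap_userdesc (displayName) from it. DIRECTORY, GROUP_DN, build_roster and all sample DNs and names are constructed for the example; the localpart check is a simplified form of the RFC 6122 rule.

```python
import re

HOST = "example.com"  # constructed XMPP virtual host

# Constructed in-memory stand-in for an AD directory (DN -> attributes).
# ldap_useruid maps to sAMAccountName and ldap_userdesc to displayName.
DIRECTORY = {
    "CN=Kaganski Mikhail Borisovich,OU=my_dept,DC=example,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["mkaganski"],
        "displayName": ["Mikhail Kaganski"],
    },
    "CN=Doe John,OU=my_dept,DC=example,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["jdoe"],
        "displayName": ["John Doe"],
    },
    "CN=Chat Users,OU=groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "cn": ["Chat Users"],
        "member": [
            "CN=Kaganski Mikhail Borisovich,OU=my_dept,DC=example,DC=com",
            "CN=Doe John,OU=my_dept,DC=example,DC=com",
            "CN=Gone Person,OU=my_dept,DC=example,DC=com",  # stale member DN
        ],
    },
}
GROUP_DN = "CN=Chat Users,OU=groups,DC=example,DC=com"

# Characters a JID localpart may not contain (simplified RFC 6122 rule);
# a CN with spaces therefore never yields a usable JID.
_BAD_LOCALPART = re.compile(r'[\s"&\'/:<>@]')


def valid_localpart(uid):
    return bool(uid) and _BAD_LOCALPART.search(uid) is None


def uid_from_member_string(member, memberattr_format_re):
    """Existing path (step 2.c.i): derive the uid from the member value itself."""
    m = re.match(memberattr_format_re, member)
    return m.group(1) if m else None


def find_user_by_uid(uid, useruid="sAMAccountName"):
    """Existing path (step 3.b.ii.A): user-filter search by ldap_useruid."""
    for dn, entry in DIRECTORY.items():
        if "user" in entry["objectClass"] and uid in entry.get(useruid, []):
            return dn, entry
    return None, None


def uid_from_member_dn(member_dn, useruid="sAMAccountName"):
    """Proposed member_is_DN path: fetch the object by DN and read ldap_useruid.
    A dangling DN or a non-user object yields None, which replaces step 2.c.ii."""
    entry = DIRECTORY.get(member_dn)
    if entry is None or "user" not in entry["objectClass"]:
        return None
    return entry[useruid][0]


def build_roster(group_dn, member_is_dn, memberattr_format_re=r"^CN=([^,]+),"):
    """Return {jid: display name} for one group. Members whose uid cannot be
    resolved, or is not a valid localpart, are dropped instead of producing a
    broken JID."""
    roster = {}
    for member in DIRECTORY[group_dn]["member"]:
        if member_is_dn:
            uid = uid_from_member_dn(member)
            entry = DIRECTORY.get(member)
        else:
            uid = uid_from_member_string(member, memberattr_format_re)
            _, entry = find_user_by_uid(uid) if uid else (None, None)
        if uid is None or not valid_localpart(uid):
            continue
        desc = entry["displayName"][0] if entry else uid  # fall back to the uid
        roster[f"{uid}@{HOST}"] = desc
    return roster


if __name__ == "__main__":
    print("existing path:", build_roster(GROUP_DN, member_is_dn=False))
    print("member_is_DN :", build_roster(GROUP_DN, member_is_dn=True))
```

      Run against this directory, the existing path drops every member: the CN-derived uids contain spaces, and no user matches them on sAMAccountName, which is the failure the description reports. The DN path yields the two valid JIDs with their display names and silently skips the stale member reference, which is the role the existence check in step 2.c.ii plays today.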

      1. ejabberd_15.03-2~bpo8+2_amd64.deb
        4.08 MB
        Jacek Szafarkiewicz
      2. ejabberd_2.1.9-1_amd64.deb
        1.62 MB
        Brian Menges
      3. mod_shared_roster_ldap.erl
        37 kB
        Ailin Nemui
      4. mod_shared_roster_ldap.erl
        37 kB
        Ailin Nemui
      5. mod_shared_roster_ldap.erl
        36 kB
        Mike Kaganski
      6. mod_shared_roster_ldap.erl
        36 kB
        Mike Kaganski
      7. mod_shared_roster_ldap.erl
        30 kB
        Mike Kaganski
      8. mod_shared_roster_ldap.erl
        30 kB
        Mike Kaganski
      9. mod_shared_roster_ldap.erl
        30 kB
        Mike Kaganski
      10. mod_shared_roster_ldap.erl
        29 kB
        Mike Kaganski
      11. mod_shared_roster_ldap.erl
        29 kB
        Mike Kaganski
      12. mod_shared_roster_ldap.erl
        26 kB
        Mike Kaganski
      13. mod_shared_roster_ldap.erl
        26 kB
        Mike Kaganski
      14. mod_shared_roster_ldap.erl
        24 kB
        Mike Kaganski
      15. mod_shared_roster_ldap.erl
        23 kB
        Mike Kaganski
      16. msrl-2.1.8.patch
        8 kB
        Jon Snyder
      17. userdescextra.patch
        3 kB
        Jon Snyder

        Activity

        cromain@process-one.net Christophe Romain (Inactive) added a comment -

        please go the pull request way
        Bock Anton Samets added a comment -

        I've created pull request https://github.com/processone/ejabberd/pull/980
        But it seems that all last pull requests are failed by Travis.
        mremond@process-one.net Mickaël Rémond added a comment -

        Yes, there is an issue in Travis setup that we need to look at. Sorry about that.
        cromain@process-one.net Christophe Romain (Inactive) added a comment -

        Hello, just a comment about missing EJAB-1555 patch on this new code.
        This is patch e616d268, but it can not be applied on this version of mod_shared_roster_ldap.
        If someone can submit a PR this week, it will be injected in ejabberd 16.03.
        Thanks.
        Murz Alexey Murz Korepov added a comment -

        Is this patch applied on ejabberd 16.08 version and is the issue solved for now?

        How can I configure ejabberd 16.08 for working with AD-compatible LDAP where the user CN does not contain the jabber login?

        If the patch is not applied to core, can anybody provide the link to the current version of the patch, so that I can try to apply it manually on ejabberd 16.08?

        I use a Zentyal 4.1 server with Samba LDAP that contains user CN records like CN=Familyname Name,CN=Users,DC=example,DC=com, so I can't normally configure user groups.
