EJabberd_Integration_with_FreeIPA_using_LDAP_Group_memberships#
HOWTO: Configure eJabberd to authenticate IPA users using LDAP Group memberships.
Provided by Dale Macartney
This guide has been written to show how you can integrate ejabberd (XMPP Server) into FreeIPA using LDAP authentication, and to allow user’s based on being a member of an allowed Group.
Please note: This document works, however uses an unencrypted method of validating username and password data. As a result, this is a work in progress. If you wish to use this method in its current state, please do so at your own risk.
Passwords will be transmitted in CLEAR TEXT!, Please be aware of this.
The below details will walk you through how to add a Red Hat Enterprise Linux 6.2 system to an IPA domain, and then configure eJabberd to allow LDAP authentication with Group validation.
Details of this example are as follows
Domain name: example.comIPA Server: ds01.example.comJabber Server: jabber01.example.comIPA Client: workstation01.example.comIPA User: testuserGroup Name = "jabber_users"Bind account = "ejabberd"Bind password = "secret123"Create Bind account in FreeIPA#
Start by logging into your IPA server. If you did not log in as the admin user, optain a tgt for the admin user so we can add what we need to. To do this, run the following.
[root@ds01 ~]# kinit adminPassword for admin@EXAMPLE.COM:You can verify your ticket with the following command.
[root@ds01 ~]# klistTicket cache: ``\ ```FILE:/tmp/krb5cc_0 <FILE:/tmp/krb5cc_0>`__Default principal: admin@EXAMPLE.COMValid starting Expires Service principal06/13/12 23:28:48 06/14/12 23:28:45 krbtgt/EXAMPLE.COM@EXAMPLE.COMCreate a file with the following information. In this example, I created /root/jabber.ldif. Don’t forget to change the userPassword to something secure.
dn: uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=comchangetype: addobjectclass: accountobjectclass: simplesecurityobjectuid: ejabberduserPassword: secret123passwordExpirationTime: 20380119031407ZnsIdleTimeout: 0Once you have saved your file, import the information into LDAP with the following command. Please note, you will need your Directory Manager password here.
[root@ds01 ~]# ldapmodify -h ds01.example.com -p 389 -x -D "cn=Directory Manager" -w redhat123 -f jabber.ldifadding new entry "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"[root@ds01 ~]#Create Group in FreeIPA#
Whilst you are still on the IPA server, add the group to be used for our jabber users.
[root@ds01 ~]# ipa group-addGroup name: jabber_usersDescription: Group used to validate Jabber authentication to allowed users- --------------------------Added group "jabber_users"- --------------------------[root@ds01 ~]#Enable EPEL repository#
As the the ejabberd package is not provided by Red Hat, you will need to configure yum to use the EPEL repostories,
To do this, run the following on your soon to be, jabber server.
[root@jabber02 ~]# rpm -Uvh ``\ ```http://mirror01.th.ifl.net/epel/5/i386/epel-release-5-4.noarch.rpm <http://mirror01.th.ifl.net/epel/5/i386/epel-release-5-4.noarch.rpm>`__
Install ejabberd package#
Install the ejabberd package by running the following
[root@jabber02 ~]# yum install -y ejabberd
Edit Configuration file to use TLS for communication between the Server and your Jabber clients#
Once installed, open /etc/ejabberd/ejabberd.cfg and change the following lines
Change the line
{hosts, ["localhost"]}.
so it reads as follows
{hosts, ["example.com"]}.
Change the line
%%{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,
so it reads as follows
{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,
Change the line
%%{s2s_use_starttls, optional}.
so it reads as follows
{s2s_use_starttls, optional}.
Change the line
%%{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
so it reads as follows
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
Make sure you save your configuration file.
Edit Configuration file to enable LDAP authentication and Group validation#
Open /etc/ejabberd/ejabberd.cfg and add the following lines in the Authentication section. Don’t forget to change the password to the one you used earlier for your BIND account.
{auth_method, ldap}.{ldap_servers, ["ds01.example.com"]}.{ldap_uids, [{"uid"}]}.{ldap_filter, "(memberOf=cn=jabber_users,cn=groups,cn=accounts,dc=example,dc=com)"}.{ldap_base, "dc=example,dc=com"}.{ldap_rootdn, "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"}.{ldap_password, "secret123"}.Save the config file once you have finished and restart ejabberd
[root@jabber02 ~]# service ejabberd startStarting ejabberd: [ OK ]Verify that your service has started correctly after your changes.
[root@jabber02 ~]# service ejabberd statusThe node ejabberd@jabber02 is started with status: startedejabberd 2.1.11 is running in that node[root@jabber02 ~]#Open TCP ports on local Server#
Now we need to open our firewall for a few ports for jabber to work with our clients.
[root@jabber02 ~]# for x in 5269 5222 5223 5280 ; do iptables -I INPUT -p tcp --dport $x -j ACCEPT ; done[root@jabber02 ~]# service iptables saveiptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ][root@jabber02 ~]#Configure XMPP Client on a Workstation#
Next we need to configure our jabber client. For the purpose of this exercise, I have used pidgin, which is also available via the EPEL repository.
Open Pidgin on your workstation. If this is the first time you have launched Pidgin, it will prompt you to add an account.
Select XMPP and add your username, domain and password.
See the below picture for comparison.
Add_Account.png#
Once you have added your user credentials, click Advanced and enter your jabber server name. (Please note, I took this screenshot whilst testing another server, I will replace this screenshot shortly).
See the below picture for comparison.
Add_Account_-_Server_Settings.png#
Once you have finished, click the add button. If you enable the account, it will attempt to connect and ask you to accept the SSL certificate that we enabled earlier.
See the below picture for comparison.
SSL_Certificate.png#
Once you have accepted the certificate, you will see that your login attempt failed. This is because we have not added any users to the “jabber_users” group yet.
Add user(s) to the “jabber_users” group#
If you tail the logs of the jabber server as follows, you will see the failed authentication attempt in the above step.
[root@jabber02 ~]# tail -f /var/log/ejabberd/ejabberd.log
=INFO REPORT==== 2012-06-14 00:03:30 ===I(<0.376.0>:ejabberd_listener:281) : (#Port<0.4119>) Accepted connection {{10,0,1,101},60643} -> {{10,0,1,32},5222}=INFO REPORT==== 2012-06-14 00:03:30 ===I(<0.380.0>:ejabberd_c2s:657) : ({socket_state,tls, {tlssock,#Port<0.4119>,#Port<0.4141>},<0.379.0>}) Failed authentication for testuser@example.comLeave the tailing log running and switch back to your IPA server and add your test user.
You can do this by doing the following.
[root@ds01 ~]# ipa group-add-memberGroup name: jabber_users[member user]: testuser[member group]:- -------------------------Number of members added 1- -------------------------[root@ds01 ~]#Jump back to your workstation and click the reconnect button. You should see that your client has now logged in, and the following will appear in the tailing logs on the jabber server.
=INFO REPORT==== 2012-06-14 00:08:35 ===I(<0.376.0>:ejabberd_listener:281) : (#Port<0.4159>) Accepted connection {{10,0,1,101},60644} -> {{10,0,1,32},5222}=INFO REPORT==== 2012-06-14 00:08:35 ===I(<0.393.0>:ejabberd_c2s:639) : ({socket_state,tls, {tlssock,#Port<0.4159>,#Port<0.4161>},<0.392.0>}) Accepted authentication for testuser by ejabberd_auth_ldap=INFO REPORT==== 2012-06-14 00:08:36 ===I(<0.393.0>:ejabberd_c2s:946) : ({socket_state,tls,{tlssock,#Port<0.4159>,#Port<0.4161>},<0.392.0>}) Opened session for testuser@example.com/91030605413396289162377Thats all folks, your jabber server is now finished and validating your “jabber_users” Group.