ThorneLabs

ejabberd mod_shared_roster_ldap Setup

• Updated March 17, 2019


ejabberd is an extensible XMPP server that allows you to set up an internal chat server for your organization. It can be integrated with an LDAP server, such as OpenLDAP or Active Directory, to automatically create shared rosters based on LDAP groups when users log in. The following post describes what is needed to set up a shared roster in ejabberd.

Overview

The following configuration will search through the specified base DN for groups that contain JabberRosterGroup in the Active Directory info field. This is what ldap_rfilter does.

From there, ldap_gfilter goes through each group returned by ldap_rfilter and uses the ldap_groupattr and ldap_groupdesc attributes to retrieve the group description, which is used for the user roster group name. In addition, when each group returned by ldap_rfilter is parsed for its description, ldap_ufilter is run against that group to retrieve the list of members.

The members are resolved using the ldap_memberattr and ldap_memberattr_format attributes. Each member's display name is then looked up using the ldap_useruid and ldap_userdesc attributes.

The resulting roster, with all the queried users and groups, will be displayed on the rosters of all users who are able to log in, regardless of whether the user is a member of one of the queried groups.
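To make the filter chain above concrete, here is an added Python example (not part of the original post and not ejabberd code) that walks rfilter, then member, then ufilter over a constructed in-memory set of entries, extracts %u from member DNs with the ldap_memberattr_format pattern, and escapes values per RFC 4515 before substituting them into a filter template. The templates are copied from the configuration later in the post; GROUPS, USERS and the function names are constructed for this illustration.

```python
import re

# Templates copied from the ejabberd.cfg in this post; GROUPS/USERS are a constructed
# stand-in for the Active Directory entries the filters would match (not real data).
LDAP_UFILTER = "(&(objectClass=user)(cn=%u))"
LDAP_MEMBERATTR_FORMAT = "CN=%u,OU=Users,DC=matrix,DC=example,DC=com"
GROUPS = [
    {"info": "JabberRosterGroup", "description": "Engineering Team",
     "member": ["CN=alice,OU=Users,DC=matrix,DC=example,DC=com",
                "CN=svc-build,OU=Service Accounts,DC=matrix,DC=example,DC=com"]},
    {"info": "", "description": "Sales Team",          # not tagged: ldap_rfilter skips it
     "member": ["CN=carol,OU=Users,DC=matrix,DC=example,DC=com"]},
]
USERS = {"alice": "Alice Adams", "carol": "Carol Chen"}  # cn -> displayName (ldap_userdesc)

# RFC 4515 escaping for values substituted into a filter, so a cn such as
# "x)(objectClass=*" cannot change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, **subs: str) -> str:
    """Fill %u / %g placeholders, e.g. render_filter(LDAP_UFILTER, u="alice")."""
    for key, value in subs.items():
        template = template.replace(f"%{key}", escape_filter_value(value))
    return template

def extract_uid(member_value: str, fmt: str = LDAP_MEMBERATTR_FORMAT):
    """Return the %u part of a member DN that fits ldap_memberattr_format, else None
    (e.g. a member outside OU=Users). DN components compare case-insensitively."""
    pattern = re.escape(fmt).replace(re.escape("%u"), r"([^,]+)")
    m = re.fullmatch(pattern, member_value, flags=re.IGNORECASE)
    return m.group(1) if m else None

def build_roster(groups, users):
    """rfilter -> member -> ufilter walk; USERS stands in for the ufilter search."""
    roster = {}
    for g in groups:
        if g["info"] != "JabberRosterGroup":           # ldap_rfilter would not return it
            continue
        names = []
        for dn in g["member"]:
            uid = extract_uid(dn)
            if uid is None:                            # does not fit ldap_memberattr_format
                continue
            if uid.lower() in users:                   # a server would get render_filter(LDAP_UFILTER, u=uid)
                names.append(users[uid.lower()])
        roster[g["description"]] = names               # keyed by ldap_groupdesc
    return roster
```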

LDAP Authentication Setup

Configure the following in /opt/ejabberd/conf/ejabberd.cfg:

%%
%% Authentication using LDAP
%%
{auth_method, ldap}.
%%
%% List of LDAP servers:
{ldap_servers, ["matrix.example.com"]}.
%%
%% Encrypt the LDAP connection.
%% Do not verify TLS due to encrypted LDAP not working when turned on
%% (note: with verification off, the server certificate is not checked, so the
%% bind credentials below are only as protected as the network path to the server)
{ldap_encrypt, tls}.
{ldap_tls_verify, false}.
{ldap_port, 636}.
%%
%% LDAP attribute that holds user ID:
{ldap_uids, [{"sAMAccountName"}]}.
%%
%% Search base of LDAP directory:
{ldap_base, "ou=Users,dc=matrix,dc=example,dc=com"}.
%%
%% LDAP manager:
{ldap_rootdn, "cn=isldap,ou=Service Accounts,dc=matrix,dc=example,dc=com"}.
%%
%% Password to LDAP manager:
{ldap_password, "*******"}.
%%
%% In our configuration, this could also be left blank
{ldap_filter, "(objectClass=organizationalPerson)"}.

Add admin User from Active Directory

Configure the following in /opt/ejabberd/conf/ejabberd.cfg:

{acl, admin, {user, "user@example.com"}}.

mod_shared_roster_ldap Configuration

I have included additional module configurations to show that they are blank or disabled.

Configure the following in /opt/ejabberd/conf/ejabberd.cfg:

{mod_roster,   []},
%%{mod_service_log,[]},
%%{mod_shared_roster,[]},
{mod_shared_roster_ldap, [
{ldap_groupattr, "cn"},
{ldap_groupdesc, "description"},
{ldap_memberattr, "member"},
{ldap_memberattr_format, "CN=%u,OU=Users,DC=matrix,DC=example,DC=com"},
{ldap_useruid, "cn"},
{ldap_userdesc, "displayName"},
{ldap_rfilter, "(&(objectClass=group)(info=JabberRosterGroup))"},
{ldap_gfilter, "(&(objectClass=group)(info=JabberRosterGroup)(cn=%g))"},
{ldap_ufilter, "(&(objectClass=user)(cn=%u))"},
{ldap_filter, ""}
]},
%%{mod_stats,    []},
{mod_time,     []},
%%{mod_vcard,    []},
