Configuring ejabberd to authenticate FreeIPA users using LDAP group memberships.

This guide shows how to integrate ejabberd (an XMPP server) with FreeIPA using LDAP authentication, and how to allow only users who are members of a designated group to log in.

Please note: this configuration works, but the LDAP simple bind that ejabberd makes to the IPA server to check each user's password is made over plain LDAP on port 389, with no TLS. The client-to-ejabberd leg is protected by STARTTLS, but on the hop from the jabber server to the IPA server the user's password is on the wire in clear. Treat this as a work in progress; if you use it in its current state, do so at your own risk.

Passwords will be transmitted in CLEAR TEXT between the jabber server and the IPA server. Please be aware of this.
The details below walk you through adding a Red Hat Enterprise Linux 6.5 system to an IPA domain, and then configuring ejabberd to authenticate against LDAP with group validation.

Details of this example are as follows

Domain name:
IPA Server:
Jabber Server:
IPA Client:
IPA User: testuser
Group name: jabber_users
Bind account: ejabberd
Bind password: secret123 (example only; choose your own)


Create Bind account in FreeIPA

Start by logging into your IPA server. If you did not log in as the admin user, obtain a TGT for the admin user so we can add what we need. To do this, run the following.

[root@ds01 ~]# kinit admin
Password for admin@EXAMPLE.COM:

You can verify your ticket with the following command.

[root@ds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM
Valid starting     Expires            Service principal
06/13/12 23:28:48  06/14/12 23:28:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Create a file with the following information. In this example, I created /root/jabber.ldif. Don’t forget to change the userPassword to something secure.

dn: uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ejabberd
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Once you have saved your file, import the information into LDAP with the following command. Please note, you will need your Directory Manager password here. The example passes it with -w, which leaves it in your shell history; -W prompts for it instead. The directory hashes userPassword on storage, but the LDIF file on disk still holds the bind password in clear, so remove or protect it afterwards.

[root@ds01 ~]# ldapmodify -h -p 389 -x -D "cn=Directory Manager" -w redhat123 -f jabber.ldif
adding new entry "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"
[root@ds01 ~]#


Create Group in FreeIPA

Whilst you are still on the IPA server, add the group to be used for our jabber users.

[root@ds01 ~]# ipa group-add
Group name: jabber_users
Description: Group used to validate Jabber authentication to allowed users
--------------------------
Added group "jabber_users"
--------------------------
  Group name: jabber_users
  Description: Group used to validate Jabber authentication to allowed users
  GID: 1668600006
[root@ds01 ~]#

Enable EPEL repository

As the ejabberd package is not provided by Red Hat, you will need to configure yum to use the EPEL repositories.

To do this, install the EPEL release package on your soon-to-be jabber server.

[root@jabber ~]# yum install -y

Install ejabberd package

Install the ejabberd package by running the following

[root@jabber ~]# yum install -y ejabberd


Edit Configuration file to use TLS for communication between the Server and your Jabber clients

Once installed, open /etc/ejabberd/ejabberd.cfg and change the following lines

Change the line

{hosts, ["localhost"]}.

so it reads as follows

{hosts, [""]}.

Change the line

%%{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,

so it reads as follows

{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,

Change the line

%%{s2s_use_starttls, optional}.

so it reads as follows

{s2s_use_starttls, optional}.

Change the line

%%{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

so it reads as follows

{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

Make sure you save your configuration file.
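With `starttls` alone the listener only offers encryption; a client that skips the TLS negotiation can still send its password in clear to port 5222. The fragment below is an added example (not from the original page or from the ejabberd project) of the same c2s and s2s settings with STARTTLS made mandatory. It assumes the ejabberd 2.1 listener layout as shipped in the EPEL default ejabberd.cfg and the certificate path used above.

```erlang
%% Added example: hardened listeners for ejabberd 2.1 (assumed default EPEL layout).
%% Weak setting (as edited above):   {certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,
%% Corrected setting (below):        {certfile, "/etc/ejabberd/ejabberd.pem"}, starttls_required
{listen,
 [
  {5222, ejabberd_c2s, [
            {access, c2s},
            {shaper, c2s_shaper},
            {max_stanza_size, 65536},
            %% starttls_required: a client that does not negotiate TLS is refused
            %% before SASL authentication, so no password can cross 5222 in clear.
            {certfile, "/etc/ejabberd/ejabberd.pem"}, starttls_required
           ]},
  {5269, ejabberd_s2s_in, [
            {shaper, s2s_shaper},
            {max_stanza_size, 131072}
           ]}
 ]}.

%% Server-to-server: 'required' instead of 'optional' refuses federation peers
%% that will not negotiate TLS. Keep 'optional' if you must talk to such peers.
{s2s_use_starttls, required}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
```

Note that `starttls_required` is a listener option, not a separate line, so it replaces the `starttls` atom inside the 5222 listener rather than being added elsewhere in the file.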

Edit Configuration file to enable LDAP authentication and Group validation

Open /etc/ejabberd/ejabberd.cfg, comment out the default `{auth_method, internal}.` line, and add the following lines in the Authentication section. Don't forget to change the password to the one you used earlier for your bind account.

{auth_method, ldap}.
{ldap_servers, [""]}.
{ldap_uids, [{"uid"}]}.
{ldap_filter, "(memberOf=cn=jabber_users,cn=groups,cn=accounts,dc=example,dc=com)"}.
{ldap_base, "dc=example,dc=com"}.
{ldap_rootdn, "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"}.
{ldap_password, "secret123"}.
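The block above names only `ldap_servers`, so ejabberd binds to the IPA directory over plain LDAP on port 389 and every password it checks crosses the network in clear on that hop. ejabberd 2.1 can make that bind over LDAPS instead. The fragment below is an added example, not from the original page or the ejabberd project: it shows the weak and corrected settings side by side and assumes the jabber host is IPA-enrolled (so /etc/ipa/ca.crt holds the IPA CA certificate) and that the IPA server's FQDN is ds01.example.com, which must match the name in its certificate.

```erlang
%% Added example: the same LDAP authentication settings with the bind wrapped in TLS.
%% Assumed: IPA server FQDN ds01.example.com, IPA CA at /etc/ipa/ca.crt (installed
%% by ipa-client-install on an enrolled host), ejabberd 2.1 option names.
%%
%% Weak (as above):   {ldap_servers, [""]}.        plain LDAP, port 389, password in clear
%% Corrected:         ldap_encrypt tls + ldap_port 636 + certificate verification

{auth_method, ldap}.
{ldap_servers, ["ds01.example.com"]}.       % FQDN, not IP: it is checked against the cert
{ldap_encrypt, tls}.                        % LDAPS instead of plain LDAP
{ldap_port, 636}.
{ldap_tls_verify, hard}.                    % refuse an unverifiable server certificate
{ldap_tls_cacertfile, "/etc/ipa/ca.crt"}.   % IPA CA used to verify the server certificate
{ldap_uids, [{"uid"}]}.
%% Search under the users container only, rather than the whole suffix.
{ldap_base, "cn=users,cn=accounts,dc=example,dc=com"}.
%% Only members of jabber_users may authenticate; FreeIPA maintains memberOf.
{ldap_filter, "(memberOf=cn=jabber_users,cn=groups,cn=accounts,dc=example,dc=com)"}.
{ldap_rootdn, "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"}.
{ldap_password, "secret123"}.               % replace with the bind password you chose
```

`ldap_tls_verify` set to `hard` is what makes the CA file matter: with `soft` or `false` an attacker between the jabber host and the IPA server could present any certificate and collect the bind password and every user password ejabberd forwards.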

Save the config file once you have finished and start ejabberd (it is not yet running after a fresh install).

[root@jabber ~]# service ejabberd start
Starting ejabberd:                                         [  OK  ]

Verify that your service has started correctly after your changes.

[root@jabber ~]# service ejabberd status
The node ejabberd@jabber is started with status: started
ejabberd 2.1.11 is running in that node
[root@jabber ~]#

Reading user information from FreeIPA

In many environments, a user’s identity in a corporate identity manager will generally have other useful information. Things like an email address, telephone number and even in some cases a display picture.

Lets extend ejabberd to read in this information from FreeIPA as well.

Edit /etc/ejabberd/ejabberd.cfg and, in the modules list, replace the line "{mod_vcard,    []}," with the mod_vcard_ldap block below. mod_vcard_ldap reuses the top-level ldap_* settings (server, bind DN, base) from the previous section unless you override them inside the module.

  {mod_vcard_ldap, [
      %% vCard fields built from LDAP attributes: {Field, Pattern, [Attributes]}
      {ldap_vcard_map,
       [{"NICKNAME", "%u", []},
        {"GIVEN", "%s", ["givenName"]},
        {"MIDDLE", "%s", ["initials"]},
        {"FAMILY", "%s", ["sn"]},
        {"FN", "%s", ["cn"]},
        {"EMAIL", "%s", ["mail"]},
        {"ORGNAME", "%s", ["o"]},           % "company" is an Active Directory attribute; inetOrgPerson uses o
        {"ORGUNIT", "%s", ["ou"]},          % "department" likewise; FreeIPA stores --orgunit in ou
        {"CTRY", "%s", ["c"]},
        {"LOCALITY", "%s", ["l"]},
        {"STREET", "%s", ["street"]},       % "streetAddress" is AD-only; FreeIPA uses street
        {"REGION", "%s", ["st"]},
        {"PCODE", "%s", ["postalCode"]},
        {"TITLE", "%s", ["title"]},
        {"URL", "%s", ["labeledURI"]},      % "wWWHomePage" is AD-only; the standard attribute is labeledURI
        {"DESC", "%s", ["description"]},
        {"PHOTO", "%s", ["jpegPhoto"]},
        {"TEL", "Ph: %s | M: %s", ["telephoneNumber", "mobile"]}]},
      %% Fields offered in the vCard search form: {Label, LDAPAttribute}
      {ldap_search_fields,
       [{"User", "%u"},
        {"Name", "givenName"},
        {"Family Name", "sn"},
        {"Email", "mail"},
        {"Company", "o"},
        {"Department", "ou"},
        {"Role", "title"},
        {"Description", "description"},
        {"Phone", "telephoneNumber"}]},
      %% vCard fields returned in search results: {Label, vCardField}
      {ldap_search_reported,
       [{"Full Name", "FN"},
        {"Nickname", "NICKNAME"},
        {"Email", "EMAIL"}]}
     ]},

Once you have added the above, save the file and restart your ejabberd service.

[root@jabber ~]# service ejabberd restart
Shutting down ejabberd:                                    [  OK  ]
Starting ejabberd:                                         [  OK  ]
[root@jabber ~]#

Open TCP ports on local Server

Now we need to open the firewall for the ports jabber uses with our clients. 5222 (client connections, STARTTLS) and 5269 (server-to-server) are the listeners configured above. 5223 is the legacy SSL-on-connect port and 5280 is the ejabberd_http listener (web admin and HTTP-bind), which is plain HTTP by default; only open those if you actually use them, and restrict 5280 to administrative source addresses rather than exposing it to every client.

[root@jabber ~]# for x in 5269 5222 5223 5280 ; do iptables -I INPUT -p tcp --dport $x -j ACCEPT ; done
[root@jabber ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@jabber ~]#

Add SRV records to FreeIPA DNS

By adding SRV records to your domain, you enable Jabber clients to discover the server for your Jabber service automatically: users enter only their username and password, and the client looks up which server to log in to. An SRV record carries priority, weight, port and target, and the target must be the jabber server's FQDN in the zone that holds the records.

To add your SRV records, run the following on your FreeIPA server.

[root@ds01 ~]# ipa dnsrecord-add _xmpp-client._tcp --srv-rec="0 5 5222"
  Record name: _xmpp-client._tcp
  SRV record: 0 5 5222
[root@ds01 ~]# ipa dnsrecord-add _xmpp-server._tcp --srv-rec="0 5 5269"
  Record name: _xmpp-server._tcp
  SRV record: 0 5 5269

Configure XMPP Client on a Workstation

Next we need to configure our jabber client. For the purpose of this exercise, I have used empathy, which comes as the standard messaging client for Gnome3 and is default in most Linux distributions.

Open Empathy on your workstation. If this is the first time you have launched Empathy, it will prompt you to add an account.

Select Jabber and add your user account as if it were your email address, also enter your password.

See the below picture for comparison.


If you were unable to add the above DNS records into your zone, auto-discovery may not be available to your environment. If this is the case, click Advanced and enter your jabber server name.

See the below picture for comparison.


Once you have finished, click the Apply button. If you enable the account, it will attempt to connect and ask you to accept the TLS certificate we enabled earlier. It asks because the default ejabberd.pem is not issued by a CA the workstation trusts; a certificate from a CA your workstations do trust (for example the FreeIPA CA) avoids teaching users to click through that prompt.

Once you have accepted the certificate, you will see that your login attempt failed. This is because we have not added any users to the “jabber_users” group yet.

Add user(s) to the “jabber_users” group

If you tail the logs of the jabber server as follows, you will see the failed authentication attempt in the above step.

[root@jabber ~]# tail -f /var/log/ejabberd/ejabberd.log
=INFO REPORT==== 2012-06-14 00:03:30 ===
I(<0.376.0>:ejabberd_listener:281) : (#Port<0.4119>) Accepted connection  {{10,0,1,101},60643} -> {{10,0,1,32},5222}
=INFO REPORT==== 2012-06-14 00:03:30 ===
I(<0.380.0>:ejabberd_c2s:657) : ({socket_state,tls,  {tlssock,#Port<0.4119>,#Port<0.4141>},<0.379.0>}) Failed authentication for

Leave the tailing log running, switch back to your IPA server and add your test user to the group.

You can do this by doing the following.

[root@ds01 ~]# ipa group-add-member
Group name: jabber_users
[member user]: testuser
[member group]:
  Group name: jabber_users
  Description: Group used to validate Jabber authentication to allowed users
  GID: 1668600006
  Member users: testuser
-------------------------
Number of members added 1
-------------------------
[root@ds01 ~]#

Jump back to your workstation and click the reconnect button. You should see that your client has now logged in, and the following will appear in the tailing logs on the jabber server.

=INFO REPORT==== 2012-06-14 00:08:35 ===
I(<0.376.0>:ejabberd_listener:281) : (#Port<0.4159>) Accepted connection {{10,0,1,101},60644} -> {{10,0,1,32},5222}
=INFO REPORT==== 2012-06-14 00:08:35 ===
I(<0.393.0>:ejabberd_c2s:639) : ({socket_state,tls, {tlssock,#Port<0.4159>,#Port<0.4161>},<0.392.0>}) Accepted authentication for testuser by ejabberd_auth_ldap
=INFO REPORT==== 2012-06-14 00:08:36 ===
I(<0.393.0>:ejabberd_c2s:946) : ({socket_state,tls,{tlssock,#Port<0.4159>,#Port<0.4161>},<0.392.0>}) Opened session for

That's all folks, your jabber server is now finished and validating your "jabber_users" group.

Verify your setup

Once you have added the above configuration and added your users to the jabber_users group, not only will you see the above log lines showing a successful login, your users will see the following when they add their accounts to Empathy.

See below screenshot.

Note: Please be aware that a user's display picture will only appear if that user has a photo stored in FreeIPA. For details on achieving this, please follow the guide here.
