This guide shows how to integrate ejabberd (an XMPP server) with FreeIPA using LDAP authentication, and how to restrict logins to users who are members of an allowed group.
Please note: this configuration works, but ejabberd binds to the directory over plain LDAP (port 389) rather than LDAPS. Because ejabberd verifies a login by binding to LDAP with the user's own credentials, both the bind account's password and every user password it checks cross the network between the jabber server and the IPA server in CLEAR TEXT. The client side (XMPP with STARTTLS) is encrypted; the server-to-directory side is not. Treat this as a work in progress and use it at your own risk; ejabberd's ldap_encrypt and ldap_port options can move the bind to LDAPS.
The steps below assume a Red Hat Enterprise Linux 6.5 system that is already enrolled as a client of the IPA domain, and then configure ejabberd on it to authenticate against LDAP with group validation.
Details of this example are as follows:
Domain name: example.com
IPA Server: ds01.example.com
Jabber Server: jabber.example.com
IPA Client: workstation01.example.com
IPA User: testuser
Group name: jabber_users
Bind account: ejabberd
Bind password: secret123
Create Bind account in FreeIPA
Start by logging into your IPA server. If you did not log in as the admin user, obtain a TGT for the admin user so we can add what we need. To do this, run the following.
[root@ds01 ~]# kinit admin
Password for admin@EXAMPLE.COM:
You can verify your ticket with the following command.
[root@ds01 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
06/13/12 23:28:48  06/14/12 23:28:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Create a file with the following information. In this example, I created /root/jabber.ldif. Don’t forget to change the userPassword to something secure.
dn: uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ejabberd
userPassword: secret123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
Once you have saved your file, import it into LDAP with the following command. Please note, you will need your Directory Manager password here. The example passes it with -w, which leaves it in your shell history and visible in the process list while the command runs; prefer -W, which prompts for it instead.
[root@ds01 ~]# ldapmodify -h ds01.example.com -p 389 -x -D "cn=Directory Manager" -w redhat123 -f jabber.ldif
adding new entry "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"

[root@ds01 ~]#
Create Group in FreeIPA
Whilst you are still on the IPA server, add the group to be used for our jabber users.
[root@ds01 ~]# ipa group-add
Group name: jabber_users
Description: Group used to validate Jabber authentication to allowed users
---------------------------
Added group "jabber_users"
---------------------------
  Group name: jabber_users
  Description: Group used to validate Jabber authentication to allowed users
  GID: 1668600006
[root@ds01 ~]#
Enable EPEL repository
As the ejabberd package is not provided by Red Hat, you will need to configure yum to use the EPEL repositories.
To do this, run the following on your soon to be, jabber server.
[root@jabber ~]# yum install -y http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install ejabberd package
Install the ejabberd package by running the following
[root@jabber ~]# yum install -y ejabberd
Edit Configuration file to use TLS for communication between the Server and your Jabber clients
Once installed, open /etc/ejabberd/ejabberd.cfg and change the following lines
Change the line
{hosts, ["localhost"]}.
so it reads as follows
{hosts, ["example.com"]}.
Change the line
%%{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,
so it reads as follows
{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,
Change the line
%%{s2s_use_starttls, optional}.
so it reads as follows
{s2s_use_starttls, optional}.
Change the line
%%{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
so it reads as follows
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
Make sure you save your configuration file. Two things to be aware of here: the packaged /etc/ejabberd/ejabberd.pem is a self-signed certificate, so clients will prompt to accept it; because the host is an IPA client you can instead request a certificate from the IPA CA with certmonger (ipa-getcert request) and concatenate the private key and certificate into ejabberd.pem. Also, {s2s_use_starttls, optional} still lets a remote server fall back to an unencrypted server-to-server connection; once your federation peers all support STARTTLS, use required instead.
Edit Configuration file to enable LDAP authentication and Group validation
Open /etc/ejabberd/ejabberd.cfg and add the following lines in the Authentication section. Don't forget to change the password to the one you set earlier for your bind account. If the file still contains the default {auth_method, internal}. line, comment it out so the two settings do not conflict. The ldap_filter limits logins to users FreeIPA lists as members of jabber_users; FreeIPA maintains the memberOf attribute on user entries automatically, so no extra configuration is needed on the directory side.
{auth_method, ldap}.
{ldap_servers, ["ds01.example.com"]}.
{ldap_uids, [{"uid"}]}.
{ldap_filter, "(memberOf=cn=jabber_users,cn=groups,cn=accounts,dc=example,dc=com)"}.
{ldap_base, "dc=example,dc=com"}.
{ldap_rootdn, "uid=ejabberd,cn=sysaccounts,cn=etc,dc=example,dc=com"}.
{ldap_password, "secret123"}.
Save the config file once you have finished and start (or restart, if it was already running) ejabberd.
[root@jabber ~]# service ejabberd start
Starting ejabberd:                                         [  OK  ]
Verify that your service has started correctly after your changes.
[root@jabber ~]# service ejabberd status
The node ejabberd@jabber is started with status: started
ejabberd 2.1.11 is running in that node
[root@jabber ~]#
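Before relying on these settings it is worth proving the bind account and the group filter from the jabber host itself, and this is also the natural point to fix the clear-text bind the introduction warns about. The following shell script is an added example, not part of the original guide or of ejabberd: it runs the same uid-plus-memberOf lookup ejabberd performs, as the bind account over LDAPS, and prints the guide's authentication block with the bind moved to LDAPS through the ldap_encrypt and ldap_port options. The hostnames, DNs and group name are the guide's example values; the check assumes ipa-client-install has already pointed /etc/openldap/ldap.conf at /etc/ipa/ca.crt so ldapsearch trusts the IPA CA.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the ejabberd bind account
# and group filter against FreeIPA over LDAPS, then print the LDAP auth block
# with the bind encrypted. Values below are the guide's example names.
IPA_SERVER="ds01.example.com"
BASE_DN="dc=example,dc=com"
BIND_DN="uid=ejabberd,cn=sysaccounts,cn=etc,${BASE_DN}"
GROUP_DN="cn=jabber_users,cn=groups,cn=accounts,${BASE_DN}"

# The filter ejabberd ends up using: the uid must match and the entry must carry
# a memberOf value for the jabber_users group (FreeIPA maintains memberOf).
jabber_user_filter() {
    printf '(&(uid=%s)(memberOf=%s))' "$1" "$GROUP_DN"
}

# Run that lookup as the bind account over LDAPS (636). A non-zero exit means
# the bind or the search failed. -W prompts for the bind password instead of
# putting it on the command line, where it would land in shell history.
check_user() {
    ldapsearch -LLL -x -H "ldaps://${IPA_SERVER}" -D "$BIND_DN" -W \
        -b "cn=users,cn=accounts,${BASE_DN}" \
        "$(jabber_user_filter "$1")" uid memberOf
}

# Hardened form of the guide's authentication block: same bind account, base
# and filter, but the connection to the directory is TLS on port 636.
hardened_ldap_config() {
    cat <<EOF
{auth_method, ldap}.
{ldap_servers, ["${IPA_SERVER}"]}.
{ldap_encrypt, tls}.
{ldap_port, 636}.
{ldap_uids, [{"uid"}]}.
{ldap_filter, "(memberOf=${GROUP_DN})"}.
{ldap_base, "${BASE_DN}"}.
{ldap_rootdn, "${BIND_DN}"}.
{ldap_password, "$1"}.
EOF
}

case "${1:-}" in
    check)  check_user "${2:?usage: $0 check <uid>}" ;;
    config) hardened_ldap_config "${2:?usage: $0 config <bind-password>}" ;;
esac
```

Run it as ./ldap-check.sh check testuser from the jabber host; an empty result with a zero exit status means the bind works but the user is not in the group, which is exactly what ejabberd will reject. ./ldap-check.sh config secret123 prints the block to paste into the Authentication section in place of the plain-LDAP one. Be aware that in ejabberd 2.1 the ldap_tls_verify option defaults to false, so the LDAPS bind encrypts the traffic but ejabberd does not verify the directory's certificate; check the ldap_tls_verify documentation for your version before counting on it against an active attacker on the network.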
Reading user information from FreeIPA
In many environments, a user’s identity in a corporate identity manager will generally have other useful information. Things like an email address, telephone number and even in some cases a display picture.
Lets extend ejabberd to read in this information from FreeIPA as well.
Edit /etc/ejabberd/ejabberd.cfg and add the following under the line "{mod_vcard, []},". Note that several attribute names in this map (company, department, streetAddress, wWWHomePage) come from the Active Directory schema; FreeIPA stores the street address in street and the organisational unit in ou, and a lookup of an attribute your directory does not have simply yields an empty vCard field. Adjust the map to the attributes your IPA users actually carry.
{mod_vcard_ldap,[
  {ldap_vcard_map, [
    {"NICKNAME", "%u", ["cn"]},
    {"GIVEN", "%s", ["givenName"]},
    {"MIDDLE", "%s", ["initials"]},
    {"FAMILY", "%s", ["sn"]},
    {"FN", "%s", ["cn"]},
    {"EMAIL", "%s", ["mail"]},
    {"ORGNAME", "%s", ["company"]},
    {"ORGUNIT", "%s", ["department"]},
    {"CTRY", "%s", ["c"]},
    {"LOCALITY", "%s", ["l"]},
    {"STREET", "%s", ["streetAddress"]},
    {"REGION", "%s", ["st"]},
    {"PCODE", "%s", ["postalCode"]},
    {"TITLE", "%s", ["title"]},
    {"URL", "%s", ["wWWHomePage"]},
    {"DESC", "%s", ["description"]},
    {"PHOTO", "%s", ["jpegPhoto"]},
    {"TEL", "Ph: %s | M: %s", ["telephonenumber", "mobile"]}
  ]},
  {ldap_search_fields,[
    {"User", "%u"},
    {"Name", "givenName"},
    {"Family Name", "sn"},
    {"Email", "mail"},
    {"Company", "company"},
    {"Department", "department"},
    {"Role", "title"},
    {"Description", "description"},
    {"Phone", "telephoneNumber"}
  ]},
  {ldap_search_reported,[
    {"Full Name", "FN"},
    {"Nickname", "NICKNAME"},
    {"Email", "EMAIL"}
  ]}
]},
Once you have added the above, save the file and restart your ejabberd service.
[root@jabber ~]# service ejabberd restart
Shutting down ejabberd:                                    [  OK  ]
Starting ejabberd:                                         [  OK  ]
[root@jabber ~]#
Open TCP ports on local Server
Now we need to open the firewall for the ports jabber uses with our clients: 5222 (client connections, with STARTTLS), 5269 (server-to-server), 5223 (the legacy SSL client port, which is commented out in the default configuration) and 5280 (the HTTP listener that serves the web admin interface and BOSH). Open only the ports you actually have listeners on, and restrict 5280 to administrative addresses rather than exposing the web admin to everyone.
[root@jabber ~]# for x in 5269 5222 5223 5280 ; do iptables -I INPUT -p tcp --dport $x -j ACCEPT ; done
[root@jabber ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@jabber ~]#
Add SRV records to FreeIPA DNS
By adding SRV records to your domain, you can enable your Jabber Clients to automatically discover what the server name is for your Jabber service. This will allow your user to simply enter their username and password, and your jabber client software will automatically determine which server to login to.
To add your SRV records, simply run the following on your FreeIPA server.
[root@ds01 ~]# ipa dnsrecord-add example.com _xmpp-client._tcp --srv-rec="0 5 5222 jabber.example.com."
  Record name: _xmpp-client._tcp
  SRV record: 0 5 5222 jabber.example.com.
[root@ds01 ~]# ipa dnsrecord-add example.com _xmpp-server._tcp --srv-rec="0 5 5269 jabber.example.com."
  Record name: _xmpp-server._tcp
  SRV record: 0 5 5269 jabber.example.com.
Configure XMPP Client on a Workstation
Next we need to configure our jabber client. For the purpose of this exercise, I have used Empathy, the standard messaging client for GNOME 3 and the default in most Linux distributions.
Open Empathy on your workstation. If this is the first time you have launched Empathy, it will prompt you to add an account.
Select Jabber and add your user account as if it were your email address, also enter your password.
See the below picture for comparison.
If you were unable to add the above DNS records into your zone, auto-discovery may not be available to your environment. If this is the case, click Advanced and enter your jabber server name.
See the below picture for comparison.
Once you have finished, click the Apply button. If you enable the account, it will attempt to connect and ask you to accept the TLS certificate we enabled earlier (the self-signed ejabberd.pem, unless you replaced it with one from the IPA CA).
Once you have accepted the certificate, you will see that your login attempt failed. This is because we have not added any users to the “jabber_users” group yet.
Add user(s) to the “jabber_users” group
If you tail the logs on the jabber server as follows, you will see the failed authentication attempt from the step above.
[root@jabber ~]# tail -f /var/log/ejabberd/ejabberd.log
=INFO REPORT==== 2012-06-14 00:03:30 ===
I(<0.376.0>:ejabberd_listener:281) : (#Port<0.4119>) Accepted connection {{10,0,1,101},60643} -> {{10,0,1,32},5222}

=INFO REPORT==== 2012-06-14 00:03:30 ===
I(<0.380.0>:ejabberd_c2s:657) : ({socket_state,tls,{tlssock,#Port<0.4119>,#Port<0.4141>},<0.379.0>}) Failed authentication for testuser@example.com
Leave the tailing log running and switch back to your IPA server to add your test user to the group.
You can do this as follows.
[root@ds01 ~]# ipa group-add-member
Group name: jabber_users
[member user]: testuser
[member group]:
  Group name: jabber_users
  Description: Group used to validate Jabber authentication to allowed users
  GID: 1668600006
  Member users: testuser
-------------------------
Number of members added 1
-------------------------
[root@ds01 ~]#
Jump back to your workstation and click the reconnect button. You should see that your client has now logged in, and the following will appear in the tailing logs on the jabber server.
=INFO REPORT==== 2012-06-14 00:08:35 ===
I(<0.376.0>:ejabberd_listener:281) : (#Port<0.4159>) Accepted connection {{10,0,1,101},60644} -> {{10,0,1,32},5222}

=INFO REPORT==== 2012-06-14 00:08:35 ===
I(<0.393.0>:ejabberd_c2s:639) : ({socket_state,tls,{tlssock,#Port<0.4159>,#Port<0.4161>},<0.392.0>}) Accepted authentication for testuser by ejabberd_auth_ldap

=INFO REPORT==== 2012-06-14 00:08:36 ===
I(<0.393.0>:ejabberd_c2s:946) : ({socket_state,tls,{tlssock,#Port<0.4159>,#Port<0.4161>},<0.392.0>}) Opened session for testuser@example.com/91030605413396289162377
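The "Failed authentication for" lines above are also the signal to watch once the server is in production, since a user who is not in jabber_users and a password-guessing attempt look identical to ejabberd. The following shell snippet is an added example, not part of the original guide or of ejabberd: it counts failed authentications per JID from log text in the format shown above and reports any JID over a threshold. The log lines it is fed are constructed for the example and mimic the guide's excerpts; the script only reads the log and asserts nothing about where it is stored beyond the guide's /var/log/ejabberd/ejabberd.log path.

```shell
#!/bin/sh
# Added example (not from the original guide): per-JID failed-login report over
# ejabberd 2.1 log lines. SAMPLE_LOG is constructed to match the guide's format.
SAMPLE_LOG='=INFO REPORT==== 2012-06-14 00:03:30 ===
I(<0.380.0>:ejabberd_c2s:657) : ({socket_state,tls,{tlssock,#Port<0.4119>,#Port<0.4141>},<0.379.0>}) Failed authentication for testuser@example.com
=INFO REPORT==== 2012-06-14 00:03:41 ===
I(<0.381.0>:ejabberd_c2s:657) : ({socket_state,tls,{tlssock,#Port<0.4122>,#Port<0.4143>},<0.379.0>}) Failed authentication for testuser@example.com
=INFO REPORT==== 2012-06-14 00:04:02 ===
I(<0.382.0>:ejabberd_c2s:657) : ({socket_state,tls,{tlssock,#Port<0.4125>,#Port<0.4145>},<0.379.0>}) Failed authentication for bob@example.com
=INFO REPORT==== 2012-06-14 00:04:15 ===
I(<0.383.0>:ejabberd_c2s:657) : ({socket_state,tls,{tlssock,#Port<0.4127>,#Port<0.4147>},<0.379.0>}) Failed authentication for testuser@example.com
=INFO REPORT==== 2012-06-14 00:08:35 ===
I(<0.393.0>:ejabberd_c2s:639) : ({socket_state,tls,{tlssock,#Port<0.4159>,#Port<0.4161>},<0.392.0>}) Accepted authentication for testuser by ejabberd_auth_ldap'

# Reads ejabberd log text on stdin and prints "count jid" for every JID with at
# least $1 failed authentications (default 1), most failures first. Only the
# c2s "Failed authentication for <jid>" lines are considered; the "Accepted
# authentication" lines and the listener lines are ignored.
failed_auth_report() {
    threshold="${1:-1}"
    sed -n 's/.*Failed authentication for \([^ ]*\).*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $1, $2 }' \
        | sort -rn
}

# Same report for a log file on disk, e.g.
#   failed_auth_from_file /var/log/ejabberd/ejabberd.log 5
failed_auth_from_file() {
    failed_auth_report "${2:-1}" < "$1"
}

# Demonstration on the constructed sample: JIDs with two or more failures.
printf '%s\n' "$SAMPLE_LOG" | failed_auth_report 2
```

On the sample this prints a single line for testuser@example.com with three failures and omits bob, who failed once. A count alone does not tell you why the logins failed: a wrong password and a correct password for a user outside jabber_users both produce the same line, so before treating a spike as an attack correlate it with the 389 Directory Server access log on the IPA server, where a bind as the user with a bad password is recorded as an error and a group-filter miss is a successful bind followed by an empty search.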
That's all, folks: your jabber server is now finished and validating logins against the "jabber_users" group.
Verify your setup
Once you have added the above configuration and added your users to the jabber_users group, not only will you see the log entries above showing a successful login, your users will see the following when they add their accounts to Empathy.
See below screenshot.
Note: a user's display picture will only appear if that user has a photo stored in FreeIPA. For details on how to add one, please follow the guide here.