Archive for the ‘Jabber’ Category

More on LDAP and Jabber Integration

Thursday, June 30th, 2005

I have updated and modified Nikita Smirnov’s jabberd2 LDAP rosters/vCards patch for my own use, and thought some other people might be interested in it as well. This patch only includes the sm rosters and vCards modifications, and not the c2s ldapfull authentication method. It has been updated to patch cleanly with jabberd2-2.0s3. I have modified the roster publication for people using normal LDAP authentication, so the “@servername” text is appended automatically to the supplied LDAP uid before storing it in the roster (so you don’t have to maintain separate uids and jids). I have also modified the sm.xml.dist.in example to be a little more clear. If you use a Debian-style distribution, you should be able to “apt-get source jabberd2”, put this in debian/patches, and run “debian/rules binary” to get a modified package.

Screenshot of Gossip on a server with LDAP rosters and vCards

All of this information is now being pulled from our LDAP server, which is pretty snazzy. You can get the patch here. So now, I have LDAP working for:

  • user logins to Linux
  • Samba PDC functionality (shares the same home directory etc. as their Linux account)
  • company-wide addressbook (works in mail clients, as well as the copier/scanner machines)
  • logins to intranet web apps (including the very cool Trac)
  • Jabber authentication, rosters, and vCards
  • postfix and Courier IMAP for mail handling
  • pureftpd authentication

All in all, kind of a hassle to get going, but definitely worth it. There should be a free Linux distro that assumes you want to do this kind of stuff by default. Novell OES may come close, but it’s non-free in both the monetary sense and in that it relies on the closed-source eDirectory.

Setting Up Jabberd2 for LDAP Authentication

Wednesday, May 11th, 2005

At work, my main focus for the present time is getting our massive LTSP/LDAP/HTTP/DHCP/ACRONYM Linux server up and going into production. I thought it would be a good idea to set up a message server for employees to use for quick office communication, and Jabber seemed the obvious choice. There were a few little hitches getting it integrated with LDAP, so in case anyone else comes across this problem, here’s a small guide to the changes that need to be made to the jabberd2 conf files:

c2s.xml:

  • Disable user registration.
  • Change <host> in the LDAP section to the appropriate host.
  • Hopefully you have your server resolving to a domain name, even if it’s an internal one such as “companyserver” (if you don’t, you should set it up now; you wouldn’t want to have your users showing up as username@192.168.100.1 or something). In the <local> section, set up a new realm such as <id realm='company'>companyserver</id>.
  • Now that you’ve set up a new realm, you need to add an LDAP basedn for searching in that realm. In the LDAP section, add <basedn realm='company'>ou=people,dc=company,dc=com</basedn>, adjusting for your specific directory layout.
  • There still seem to be some issues with LDAPv3 in the version of jabberd2 (2.0s3) that’s currently in my distro. With jabberd2 set to use LDAPv3, slapd refuses the connection with “requested protocol version not allowed”. I had to leave v3 commented out and alter my slapd.conf to allow v2 connections.
  • Change the backend module in the authreg section to “ldap”.

sm.xml:

  • Turn on user auto-create by uncommenting it.
  • Change the sm id to the realm you set up earlier. In the example’s case, this would be <id>companyserver</id>.

Now you should be able to restart jabberd2 and have users log in as username@companyserver, authenticated against your LDAP directory.
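The checklist above can be verified before restarting. This is an added example, not part of the original post or the jabberd2 project: a Python check that parses both files and reports any step that was missed. The element layout (`<authreg>/<module>`, `<register>/<enable/>`, `<user>/<auto-create/>`) is assumed from the stock jabberd2 2.0 example files, and the sample configs, the host name `ldap.company.com` and the function name `check_config` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; element layout is assumed from the stock
# jabberd2 2.0 c2s.xml / sm.xml, trimmed to the settings the guide changes.
C2S_XML = """<c2s>
  <local><id realm='company'>companyserver</id></local>
  <authreg>
    <module>ldap</module>
    <register><!-- <enable/> --></register>
    <ldap>
      <host>ldap.company.com</host>
      <!-- <v3/> -->
      <basedn realm='company'>ou=people,dc=company,dc=com</basedn>
    </ldap>
  </authreg>
</c2s>"""

SM_XML = """<sm>
  <id>companyserver</id>
  <user><auto-create/></user>
</sm>"""

def check_config(c2s_text, sm_text):
    """Return a list of problems found against the checklist above."""
    # ElementTree drops XML comments, so commented-out options count as absent.
    c2s, sm = ET.fromstring(c2s_text), ET.fromstring(sm_text)
    problems = []
    if c2s.findtext("authreg/module", "").strip() != "ldap":
        problems.append("authreg module is not ldap")
    if c2s.find("authreg/register/enable") is not None:
        problems.append("user registration is still enabled")
    if not c2s.findtext("authreg/ldap/host", "").strip():
        problems.append("no LDAP host set")
    ids = c2s.findall("local/id")
    basedn_realms = {b.get("realm", "") for b in c2s.findall("authreg/ldap/basedn")}
    for i in ids:
        realm = i.get("realm", "")
        if realm not in basedn_realms:
            problems.append(f"realm '{realm}' has no matching basedn")
    # The sm id must be one of the host names c2s serves.
    if (sm.findtext("id") or "").strip() not in {(i.text or "").strip() for i in ids}:
        problems.append("sm id does not match any c2s <local> id")
    if sm.find("user/auto-create") is None:
        problems.append("sm user auto-create is not enabled")
    return problems
```

To run it against a live install, read the real c2s.xml and sm.xml into strings and pass them to `check_config`; an empty list means every step in the guide is reflected in the files.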

If only I’d had this book beforehand:

Mr. T Pities the Fool Who Doesn't Use Jabber