In this recipe, we will learn to set up the Ejabberd server to authenticate the user with our LDAP server. Until now, we have set up the LDAP server and used it to log in to the Ubuntu server with a user account created on the LDAP server. This recipe covers the configuration of an external service to work with our LDAP installation.
The Ejabberd server provides built-in support for LDAP-based authentication. You can use LDAP for user authentication as well as vCard storage. As stated in the Ejabberd admin guide, Ejabberd uses LDAP as a read-only data source: we cannot create new user accounts in the LDAP directory, but we can change passwords if the mod_register module is enabled.
You will need the Ejabberd service installed and running. Go through Chapter 10, Communication Server with XMPP, for details on the installation and configuration of the Ejabberd server.
Create a user account on the LDAP server to be used with Ejabberd.
As Ejabberd provides built-in support for LDAP-based authentication, we simply need to edit the configuration and set the auth method to LDAP. If you have used a Debian package for the Ejabberd installation, Ejabberd should be installed in the /opt/ejabberd-version directory and the configuration can be found at /etc/ejabberd-version/conf. If you have installed Ejabberd from source, all configuration files are located in the /etc/ejabberd directory:

1. Open ejabberd.yml from your Ejabberd configuration directory and search for Authentication. With the default settings, it should contain the following line, indicating internal authentication:

   auth_method: internal

2. Comment out that line and add the LDAP settings in its place:

   ## auth_method: internal
   auth_method: ldap
   ldap_servers:
     - "domain/IP of LDAP server"
   ldap_port: 389
   ldap_rootdn: "cn=admin,dc=example,dc=com"
   ldap_password: "password"
   ldap_base: "ou=ejabberd,dc=example,dc=com"

   Here, I have used the default admin account to authenticate with the LDAP server itself. In a production environment, you should change it to a different account. With a default LDAP setup, you can skip the ldap_rootdn and ldap_password settings to use an anonymous connection. With the ldap_base parameter, I have restricted users to the Organizational Unit named Ejabberd. Only the user accounts configured under the Ejabberd unit can log in to the Ejabberd server.

3. Save the changes and restart Ejabberd:

   $ sudo /opt/ejabberd-version/bin/ejabberdctl restart

   Alternatively, pass the reload_config option to ejabberdctl to update the in-memory configuration without restarting:

   $ sudo /opt/ejabberd-version/bin/ejabberdctl reload_config

4. Now log in with your LDAP user account. The username takes the form uday@cookbook.com, where uday is the UID on LDAP and cookbook.com is the host served by the Ejabberd server. The domain entries on the LDAP server and Ejabberd need not match. The default host entry for my Ejabberd installation is ubuntu, so my username is uday@ubuntu, where uday is my LDAP user and ubuntu is the Ejabberd host.

Once all things are set up, you should be able to connect to the Ejabberd server using your LDAP user account.
Here, we have set up Ejabberd as an example of LDAP-based authentication. Like Ejabberd, many other systems support centralized authentication through LDAP, either built in or through a plug-in module. Make sure that you create a proper directory structure with organizational units, roles, and separate users in proper groups. Also use a separate user account for authenticating with the LDAP server itself. The LDAP credentials have to be stored in the Ejabberd configuration file, so if your Ejabberd server is ever compromised, those credentials are readily available to an attacker. To limit the risk, use a separate account with limited rights. Ejabberd also supports anonymous authentication with the LDAP server and mostly uses it as a read-only database, so even if you skip the bind credentials (depending on the LDAP configuration), Ejabberd should still work and authenticate your users.
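As an added example (not part of this recipe or of Ejabberd itself), the following Python script reads the flat LDAP settings from an ejabberd.yml fragment and flags the risky choices discussed above: the directory admin used as the bind account, a placeholder bind password, no TLS on the LDAP connection, and no filter limiting which entries may log in. The server name, the bind account name and the filter value are assumptions; ldap_encrypt and ldap_filter are Ejabberd's own option names.

```python
import re

# Constructed sample: the LDAP settings from this recipe, server name made up.
RECIPE_CONFIG = """\
## auth_method: internal
auth_method: ldap
ldap_servers:
  - "ldap.example.com"
ldap_port: 389
ldap_rootdn: "cn=admin,dc=example,dc=com"
ldap_password: "password"
ldap_base: "ou=ejabberd,dc=example,dc=com"
"""
# Constructed hardened variant: dedicated bind account, TLS, and a login filter.
HARDENED_CONFIG = """\
auth_method: ldap
ldap_servers:
  - "ldap.example.com"
ldap_encrypt: tls
ldap_port: 636
ldap_rootdn: "cn=ejabberd-bind,ou=services,dc=example,dc=com"
ldap_password: "REPLACE-WITH-BIND-PASSWORD"
ldap_base: "ou=ejabberd,dc=example,dc=com"
ldap_filter: "(objectClass=inetOrgPerson)"
"""

def parse_flat_yaml(text):
    """Read top-level `key: value` lines; comments and list items are skipped (stdlib only, not a YAML parser)."""
    settings = {}
    for line in text.splitlines():
        pair = re.match(r"^([A-Za-z_]+):\s*(.+)$", line)
        if pair:
            settings[pair.group(1)] = pair.group(2).strip().strip('"')
    return settings

def audit_ldap_auth(settings):
    """Return the findings a defender would raise about the LDAP bind settings."""
    findings = []
    if settings.get("auth_method") != "ldap":
        return findings  # nothing LDAP-related to check
    rootdn = settings.get("ldap_rootdn", "")
    if rootdn.lower().startswith("cn=admin,"):
        findings.append("ldap_rootdn is the directory admin; bind with a dedicated read-only account")
    if rootdn and settings.get("ldap_password", "") in ("", "password"):
        findings.append("ldap_password is empty or a placeholder")
    if settings.get("ldap_encrypt", "none") != "tls":  # Ejabberd's default is none
        findings.append("ldap_encrypt is not tls; bind and user passwords cross the network in clear text")
    if "ldap_filter" not in settings:
        findings.append("no ldap_filter; any entry under ldap_base with a matching uid may log in")
    return findings
```

Running audit_ldap_auth(parse_flat_yaml(RECIPE_CONFIG)) reports all four findings for the recipe's settings, while the hardened variant reports none.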
Ejabberd also provides fairly detailed debug logging, in which you can see the actual communication with the LDAP server. You will need to set logging to debug mode in the Ejabberd configuration. The log files are located in the /opt/ejabberd-version/logs directory or the /var/log/ejabberd directory, depending on the source of the Ejabberd installation.