[JDEV] (long) Jabber Authenticating from LDAP kludge

beej at bryanland.com
Wed Jan 17 15:39:10 CST 2001


I've written a replacement for $JABBER/jsm/modules/mod_auth_plain.c
that will attempt to bind to an LDAP server with the username part of
a person's jid and the password they supply. We plan on using this at
my company to make jabber authenticate off of our LDAP
server. Unfortunately my C is limited in that I couldn't create a
mod_auth_ldap.c that seemed to work with JSM. So I just overwrote
mod_auth_plain.c with this file, and that seemed to work. Since we
aren't planning on authenticating any other way than LDAP, it was the
most expedient solution.

This is a kludge at best. It does not attempt to write to the LDAP
server at all, for password resets and such. It doesn't autoprovision
accounts (if they exist in LDAP but not in Jabber, autocreate and
don't require a registration). So folks still have to register a
jabber account, but they do it with ldapuid at jabber/resource and their
LDAP password.

This has been tested with the Jabber2 from CVS as of last Friday (I
haven't updated since then...), and with OpenLDAP 2.0.7. It doesn't do
LDAPS that I can tell. ;-)

If anyone would like to use (or improve) this, you can get the file
from <http://www.comsecmilnavpac.net/jabber/mod_auth_plain.c> This
message will also be saved at:
<http://www.comsecmilnavpac.net/jabber/ldapreadme.txt>.

A couple of caveats:

In $JABBER/platform-settings

Change the line:

LIBS= -lpth -ldl -lresolv

to:

LIBS= -lpth -ldl -lresolv -lldap -llber


And add the following to your jabber.xml file under the 
<sessions><jsm xmlns="jabber:config:jsm"> section:

<authldap>
  <ldaphost>ldaphostname</ldaphost>
  <ldapport>389</ldapport>
  <binddnpre>uid=</binddnpre>
  <binddnpost>,ou=auth,ou=pseudoaccounts,dc=net</binddnpost>
</authldap>


The binddnpre and binddnpost are strings which are used to make the
binddn in combination with your userid. Example:

I'm beej at jabber/whatever

My binddn would be:

uid=beej,ou=auth,ou=pseudoaccounts,dc=net

Also, my <load main="jsm"> looks like this now:

    <load main="jsm">
      <jsm>./jsm/jsm.so</jsm>
      <mod_echo>./jsm/jsm.so</mod_echo>
      <mod_roster>./jsm/jsm.so</mod_roster>
      <mod_time>./jsm/jsm.so</mod_time>
      <mod_vcard>./jsm/jsm.so</mod_vcard>
      <mod_last>./jsm/jsm.so</mod_last>
      <mod_version>./jsm/jsm.so</mod_version>
      <mod_announce>./jsm/jsm.so</mod_announce>
      <mod_agents>./jsm/jsm.so</mod_agents>
      <mod_browse>./jsm/jsm.so</mod_browse>
      <mod_admin>./jsm/jsm.so</mod_admin>
      <mod_filter>./jsm/jsm.so</mod_filter>
      <mod_presence>./jsm/jsm.so</mod_presence>
      <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
<!-- LDAP ONLY
      <mod_auth_digest>./jsm/jsm.so</mod_auth_digest>
      <mod_auth_0k>./jsm/jsm.so</mod_auth_0k>
-->
      <mod_log>./jsm/jsm.so</mod_log>
      <mod_register>./jsm/jsm.so</mod_register>
      <mod_xml>./jsm/jsm.so</mod_xml>
    </load>

This is because I didn't want to use anything but LDAP.

I think that's about it. I hope those of you wanting to use LDAP like
me can make use of this until someone better does a proper
implementation.

BrYan
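Added example, not BrYan's mod_auth_plain.c or any Jabber project code: a C function that performs the DN construction the <binddnpre>/<binddnpost> settings describe (prefix + JID node + suffix), with two checks a practitioner would want before handing the result to OpenLDAP's ldap_simple_bind_s(). It escapes the JID node per RFC 4514 so a username containing a comma or another DN metacharacter cannot alter the later components of the bind DN, and it refuses an empty password, because an LDAP simple bind with a non-empty name and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that many directory servers treat as anonymous and accept. The function and enum names are mine, the sample JIDs are constructed, and the bind call itself is left out so the file builds without -lldap.

```c
/* Added example: build and sanity-check the bind DN for an LDAP simple bind.
 * Not part of the posted mod_auth_plain.c; names below are illustrative. */
#include <stdio.h>
#include <string.h>

enum bind_prep {
    BIND_OK = 0,
    BIND_BAD_USER = -1,        /* JID has no node part */
    BIND_EMPTY_PASSWORD = -2,  /* would become an unauthenticated/anonymous bind */
    BIND_TOO_LONG = -3         /* output buffer too small */
};

/* Copy the node ("beej" of "beej@jabber/whatever") out of a JID.
 * Returns 0 on success, -1 if the node is empty or does not fit. */
static int jid_node(const char *jid, char *node, size_t nodesz)
{
    size_t len = strcspn(jid, "@/");   /* node ends at '@' (or '/' if no domain) */
    if (len == 0 || len >= nodesz) return -1;
    memcpy(node, jid, len);
    node[len] = '\0';
    return 0;
}

/* Escape one DN attribute value per RFC 4514 section 2.4:
 * backslash-escape , + " \ < > ; anywhere, '#' or space at the start,
 * space at the end, and write control characters in \XX hex form.
 * Returns bytes written (excluding the NUL) or -1 if out is too small. */
static int dn_escape_value(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in), o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c == 0x7f) {             /* control char: hex form */
            if (o + 3 >= outsz) return -1;
            snprintf(out + o, outsz - o, "\\%02X", (unsigned)c);
            o += 3;
            continue;
        }
        int special = strchr(",+\"\\<>;", c) != NULL;
        if ((i == 0 && (c == '#' || c == ' ')) || (i == n - 1 && c == ' '))
            special = 1;
        if (o + 1 + (size_t)special >= outsz) return -1;
        if (special) out[o++] = '\\';
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "<pre><escaped node><post>" into dn and decide whether a simple bind
 * with (dn, password) is worth attempting. Returns an enum bind_prep value. */
int prepare_simple_bind(const char *pre, const char *jid, const char *post,
                        const char *password, char *dn, size_t dnsz)
{
    char node[256], esc[512];
    if (dnsz > 0) dn[0] = '\0';
    if (jid_node(jid, node, sizeof node) != 0) return BIND_BAD_USER;
    /* RFC 4513 5.1.2: name + empty password = unauthenticated bind; servers
     * commonly answer "success" and treat the session as anonymous. */
    if (password == NULL || *password == '\0') return BIND_EMPTY_PASSWORD;
    if (dn_escape_value(node, esc, sizeof esc) < 0) return BIND_TOO_LONG;
    int w = snprintf(dn, dnsz, "%s%s%s", pre, esc, post);
    if (w < 0 || (size_t)w >= dnsz) return BIND_TOO_LONG;
    return BIND_OK;
}

int main(void)
{
    /* Constructed JIDs; the second one carries a DN metacharacter. */
    const char *post = ",ou=auth,ou=pseudoaccounts,dc=net";
    char dn[256];
    int rc = prepare_simple_bind("uid=", "beej@jabber/whatever", post, "hunter2", dn, sizeof dn);
    printf("rc=%d dn=%s\n", rc, dn);
    rc = prepare_simple_bind("uid=", "beej,ou=admin@jabber", post, "hunter2", dn, sizeof dn);
    printf("rc=%d dn=%s\n", rc, dn);
    rc = prepare_simple_bind("uid=", "beej@jabber", post, "", dn, sizeof dn);
    printf("rc=%d (empty password refused)\n", rc);
    /* In a real module, BIND_OK is the point at which
     * ldap_simple_bind_s(ld, dn, password) would be called; omitted here. */
    return 0;
}
```

Without the escaping, the node "beej,ou=admin" would produce "uid=beej,ou=admin,ou=auth,..." and the bind would be tried against a different DN than the administrator intended; with it, the comma is written as "\," and stays part of the uid value.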