Setting up ejabberd server for Zarafa with LDAP integration

From Zarafa wiki

Revision as of 18:16, 7 March 2012 by Milo (Talk | contribs)


Introduction

This wiki article describes the installation and configuration of the ejabberd XMPP server. Ejabberd can be integrated with Zarafa WebApp to offer instant messaging and presence functionality.

The article is based on an installation on a Red Hat or CentOS server, but the steps can be adapted to other distributions.

For user management an LDAP directory or Active Directory can be used; the example configuration is based on OpenLDAP. For Active Directory some attribute names differ, so basic LDAP knowledge is required when following this howto.

Installation

Before the ejabberd package can be installed, the additional EPEL repository has to be added. Once this yum repository is available, the package can be installed:

yum update
yum install ejabberd

The system is now ready to be configured.

Configuration

Before the configuration can be done, a domain name is required for the jabber server. If users should be able to connect their jabber clients over the internet, this domain name has to be added to the public DNS server.

In this configuration the domain +jabber.example.com+ is used as example.

The main configuration of ejabberd is located in +/etc/ejabberd/ejabberd.cfg+. In the file the following changes have to be made:

Add the jabber domain to the hosts section. If multiple domains are served, they can be listed separated by commas.

{hosts, ["jabber.example.com"]}.

To allow clients to connect over an encrypted connection, the certfile line has to be uncommented and the path to the SSL certificate specified. At installation a self-signed certificate is created in +/etc/ejabberd/ejabberd.pem+, which can be used for testing; clients will warn about it (or refuse it) because it is not signed by a trusted CA, so a CA-issued certificate for the jabber domain should be installed before the server is exposed to the internet. Note that the +starttls+ option only makes encryption available; to refuse unencrypted logins altogether, use +starttls_required+ instead.

 {5222, ejabberd_c2s, [

                        %%
                        %% If TLS is compiled in and you installed a SSL
                        %% certificate, specify the full path to the
                        %% file and uncomment this line:
                        %%
                        {certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,

                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536}
                       ]},

To authenticate users on the jabber server the authentication method has to be configured. In this setup authentication is done against an LDAP server, or with the external authentication script when users connect from the chat plugin in the Zarafa WebApp. ejabberd tries the listed methods in order.

{auth_method, [ldap, external]}.

To use the external authentication method an external authentication script has to be specified. The authentication script for Zarafa WebApp can be found at https://community.zarafa.com/pg/plugins/project/6450/developer/milo/zarafa-webapp-ejabberd-authentication-script. In order to execute the script, the php-cli package has to be installed and the script has to be executable.

{extauth_program, "/usr/local/bin/jabberauth.php"}.

To define the LDAP server details, change the following lines. In this example only users with an email address get access to the jabber server; the filter can be tightened further to limit who may use it. Two security notes on these settings: with +ldap_encrypt+ set to +none+ the bind password and every user password that ejabberd verifies are sent to the LDAP server unencrypted, so use +tls+ on port 636 unless the directory runs on the same host; and since +ldap_password+ is stored in clear text, +/etc/ejabberd/ejabberd.cfg+ should be readable by the ejabberd user only.

{ldap_servers, ["10.0.0.1"]}.
%%
%% Encryption of connection to LDAP servers (LDAPS):
{ldap_encrypt, none}.
%%{ldap_encrypt, tls}.
%%
%% Port connect to LDAP server:
{ldap_port, 389}.
%%{ldap_port, 636}.
%%
%% LDAP manager:
{ldap_rootdn, "cn=binduser,dc=example,dc=com"}.
%%
%% Password to LDAP manager:
{ldap_password, "secret"}.
%%
%% Search base of LDAP directory:
{ldap_base, "ou=People,dc=example,dc=com"}.
%%
%% LDAP attribute that holds user ID:
{ldap_uids, [{"uid", "%u"}]}.
%%
%% LDAP filter:
{ldap_filter, "(mail=*)"}.
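As an added example, not part of the original article or of ejabberd itself, the following Python script reads the LDAP settings above from a constructed ejabberd.cfg excerpt, builds the search filter ejabberd will actually send for a login (the +ldap_uids+ sub-filter with +%u+ substituted and RFC 4515-escaped, AND-ed with +ldap_filter+, as the ejabberd guide describes), prints an equivalent +ldapsearch+ command for testing the filter before the service is restarted, and flags the settings a reviewer would question. The sample configuration text, the user names and the wording of the findings are assumptions made for the example.

```python
import re
import shlex

# Constructed excerpt of the settings shown on this page (assumed content, not a real server).
SAMPLE_CFG = """
{hosts, ["jabber.example.com"]}.
{auth_method, [ldap, external]}.
{ldap_servers, ["10.0.0.1"]}.
{ldap_encrypt, none}.
%%{ldap_encrypt, tls}.
{ldap_port, 389}.
%%{ldap_port, 636}.
{ldap_rootdn, "cn=binduser,dc=example,dc=com"}.
{ldap_password, "secret"}.
{ldap_base, "ou=People,dc=example,dc=com"}.
{ldap_uids, [{"uid", "%u"}]}.
{ldap_filter, "(mail=*)"}.
"""

TERM_RE = re.compile(r'^\s*\{(\w+),\s*(.*)\}\.\s*$')   # one-line {key, value}. term


def _parse_list(raw):
    inner = raw[1:-1]
    if "{" in inner:                       # list of tuples, e.g. ldap_uids
        return re.findall(r'\{"([^"]*)"(?:,\s*"([^"]*)")?\}', inner)
    if '"' in inner:                       # list of strings, e.g. hosts
        return re.findall(r'"([^"]*)"', inner)
    return [a.strip() for a in inner.split(",") if a.strip()]   # list of atoms


def parse_settings(cfg_text):
    """Collect top-level one-line terms of an ejabberd 2.x config; %% comment
    lines are skipped. Only string, integer, atom and flat-list values are handled."""
    settings = {}
    for line in cfg_text.splitlines():
        if line.lstrip().startswith("%"):
            continue
        m = TERM_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"'):
            settings[key] = raw[1:-1]
        elif raw.startswith("["):
            settings[key] = _parse_list(raw)
        elif raw.isdigit():
            settings[key] = int(raw)
        else:
            settings[key] = raw            # atom such as none or tls
    return settings


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def effective_user_filter(settings, username):
    """Filter ejabberd sends for a login: ldap_uids sub-filter with %u replaced
    by the escaped user name, AND-ed with ldap_filter when one is set."""
    uids = settings.get("ldap_uids") or [("uid", "%u")]
    parts = ["(%s=%s)" % (attr, (fmt or "%u").replace("%u", escape_filter_value(username)))
             for attr, fmt in uids]
    sub = parts[0] if len(parts) == 1 else "(|" + "".join(parts) + ")"
    extra = settings.get("ldap_filter", "")
    return "(&" + sub + extra + ")" if extra else sub


def ldapsearch_command(settings, username):
    """ldapsearch line reproducing the lookup. -W prompts for the bind password
    instead of exposing it on the command line (visible in ps)."""
    ldaps = settings.get("ldap_encrypt") == "tls"
    port = settings.get("ldap_port", 636 if ldaps else 389)
    url = "%s://%s:%d" % ("ldaps" if ldaps else "ldap", settings["ldap_servers"][0], port)
    args = ["ldapsearch", "-x", "-H", url, "-D", settings["ldap_rootdn"], "-W",
            "-b", settings["ldap_base"], effective_user_filter(settings, username), "dn", "mail"]
    return " ".join(shlex.quote(a) for a in args)


def audit(settings):
    """Settings a reviewer would flag before this configuration goes live."""
    findings = []
    if settings.get("ldap_encrypt", "none") != "tls":
        findings.append("ldap_encrypt is not tls: bind and user passwords cross the network in clear text")
    elif settings.get("ldap_port") == 389:
        findings.append("ldap_encrypt tls but ldap_port 389: LDAPS normally listens on 636")
    if settings.get("ldap_rootdn") and not settings.get("ldap_password"):
        findings.append("ldap_rootdn set without ldap_password")
    flt = settings.get("ldap_filter", "")
    if flt and (not flt.startswith("(") or flt.count("(") != flt.count(")")):
        findings.append("ldap_filter must be a fully parenthesised, balanced filter: %r" % flt)
    if "ldap_password" in settings:
        findings.append("ldap_password is clear text: keep ejabberd.cfg readable by the ejabberd user only")
    return findings


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_CFG)
    print(ldapsearch_command(cfg, "alice"))
    for f in audit(cfg):
        print("WARNING:", f)
```

Run it with +python3+ and paste the printed ldapsearch command into a shell on the jabber server; exactly one DN returned for a test user confirms the bind credentials, base and filter. The escaping matters even for a test script: a user name containing +*+ or parentheses must not be able to change the meaning of the filter, which is what the second filter check in the test demonstrates.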

To also retrieve more user details from the LDAP directory, the vcard module has to be enabled and configured. The following vcard module configuration has to be added to the modules section:

  {mod_vcard_ldap,
   [{ldap_vcard_map,
     [{"NICKNAME", "%u", []},
      {"GIVEN", "%s", ["givenName"]},
      {"MIDDLE", "%s", ["initials"]},
      {"FAMILY", "%s", ["sn"]},
      {"FN", "%s", ["cn"]},
      {"EMAIL", "%s", ["mail"]},
      {"ORGNAME", "%s", ["company"]},
      {"ORGUNIT", "%s", ["department"]},
      {"CTRY", "%s", ["c"]},
      {"LOCALITY", "%s", ["l"]},
      {"STREET", "%s", ["streetAddress"]},
      {"REGION", "%s", ["st"]},
      {"PCODE", "%s", ["postalCode"]},
      {"TITLE", "%s", ["title"]},
      {"URL", "%s", ["wWWHomePage"]},
      {"DESC", "%s", ["description"]},
      {"TEL/CELL", "%s", ["mobile"]},
      {"TEL/NUMBER", "%s", ["telephoneNumber"]}]},
    {ldap_search_fields,
     [{"User", "%u"},
      {"Name", "givenName"},
      {"Family Name", "sn"},
      {"Email", "mail"},
      {"Company", "company"},
      {"Department", "department"},
      {"Role", "title"},
      {"Description", "description"},
      {"Phone", "telephoneNumber"}]},
    {ldap_search_reported,
     [{"Full Name", "FN"},
      {"Nickname", "NICKNAME"},
      {"Email", "EMAIL"}]}
   ]},  %% closes mod_vcard_ldap; omit the comma if it is the last entry in the modules list

Depending on the type of LDAP server the attribute names have to be adjusted: the map above uses Active Directory names such as +company+, +department+, +streetAddress+ and +wWWHomePage+, while on OpenLDAP with the inetOrgPerson schema the closest equivalents are +o+, +ou+, +street+ and +labeledURI+. The user details can be requested from a desktop jabber client; the Zarafa WebApp chat plugin does not offer this feature yet.

The second module that has to be configured is the shared roster. It creates a predefined contact list for all users, so they can directly start chats with colleagues. This shared roster is required for the WebApp chat plugin, as the plugin cannot manage the contact list yet.

Add the following lines to the modules section:

  {mod_shared_roster_ldap,[
    {ldap_base, "ou=People,dc=example,dc=com"},
    {ldap_rfilter, "(objectClass=posixAccount)"},
    {ldap_groupattr,"department"},
    {ldap_groupdesc,"department"},
    {ldap_memberattr,"uid"},
    {ldap_userdesc,"cn"},
    {ldap_filter,  "(objectClass=posixAccount)"},
    {ldap_useruid, "uid"}
  ]}

This configuration will create a shared roster, where the users are grouped by department name.

To create a shared roster where the users are grouped by their LDAP group membership (posixGroup entries) instead, the following configuration can be used:

  {mod_shared_roster_ldap,[
       {ldap_base, "ou=Groups,dc=example,dc=com"},
       {ldap_rfilter, "(objectClass=posixGroup)"},
       {ldap_filter,""},
       {ldap_ufilter,"(uid=%u)"},
       {ldap_groupattr,"cn"},
       {ldap_groupdesc,"description"},
       {ldap_memberattr,"memberUid"},
       {ldap_memberattr_format,"%u"},
       {ldap_useruid, "uid"},
       {ldap_userdesc,"cn"}
  ]}
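To see what the two configurations above actually produce, the following added example (not part of the original article or of ejabberd) replays the way mod_shared_roster_ldap builds the roster on a small constructed directory: group names come from +ldap_groupattr+ of the entries matching +ldap_rfilter+, members come from +ldap_memberattr+ of the entries matching +ldap_filter+ that carry the group name, and +ldap_memberattr_format+ is reversed to recover the user id. It assumes, as in ejabberd, that the user-name lookup (+ldap_ufilter+, default +(ldap_useruid=%u)+) also runs under +ldap_base+. The directory entries and the names in them are constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed directory content for this walk-through (assumed, not real data).
PEOPLE = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "objectClass": ["posixAccount", "inetOrgPerson"],
     "uid": "alice", "cn": "Alice Adams", "department": "Sales"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "objectClass": ["posixAccount", "inetOrgPerson"],
     "uid": "bob", "cn": "Bob Brown", "department": "Sales"},
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "objectClass": ["posixAccount", "inetOrgPerson"],
     "uid": "carol", "cn": "Carol Clark", "department": "Support"},
    {"dn": "uid=dave,ou=People,dc=example,dc=com", "objectClass": ["posixAccount", "inetOrgPerson"],
     "uid": "dave", "cn": "Dave Dunn"},                      # no department attribute
]
GROUPS = [
    {"dn": "cn=sales,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": "sales", "description": "Sales team", "memberUid": ["alice", "bob", "dave"]},
    {"dn": "cn=oncall,ou=Groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": "oncall", "description": "On-call rota", "memberUid": ["carol", "dave"]},
]

# The two mod_shared_roster_ldap configurations from the page, as dicts.
BY_DEPARTMENT = {
    "ldap_base": "ou=People,dc=example,dc=com", "ldap_rfilter": "(objectClass=posixAccount)",
    "ldap_groupattr": "department", "ldap_groupdesc": "department", "ldap_memberattr": "uid",
    "ldap_userdesc": "cn", "ldap_filter": "(objectClass=posixAccount)", "ldap_useruid": "uid",
}
BY_GROUP = {
    "ldap_base": "ou=Groups,dc=example,dc=com", "ldap_rfilter": "(objectClass=posixGroup)",
    "ldap_filter": "", "ldap_ufilter": "(uid=%u)", "ldap_groupattr": "cn",
    "ldap_groupdesc": "description", "ldap_memberattr": "memberUid",
    "ldap_memberattr_format": "%u", "ldap_useruid": "uid", "ldap_userdesc": "cn",
}


def _values(entry, attr):
    v = entry.get(attr)
    return [] if v is None else (v if isinstance(v, list) else [v])


def matches_filter(entry, ldap_filter):
    """Evaluate the only filter shapes this page uses: '' (everything) and
    a single (attr=value) equality test."""
    if not ldap_filter:
        return True
    m = re.fullmatch(r"\((\w+)=([^()*]+)\)", ldap_filter)
    if not m:
        raise ValueError("filter shape not supported by this example: %r" % ldap_filter)
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in _values(entry, attr))


def uid_from_member(fmt, value):
    """Undo ldap_memberattr_format, e.g. 'uid=%u,ou=People,dc=example,dc=com'."""
    pattern = "(.+)".join(re.escape(p) for p in fmt.split("%u"))
    m = re.fullmatch(pattern, value)
    return m.group(1) if m else None


def _display_name(uid, conf, entries):
    # Default ufilter is (ldap_useruid=%u); the lookup is confined to ldap_base too.
    flt = conf.get("ldap_ufilter", "(%s=%%u)" % conf["ldap_useruid"]).replace("%u", uid)
    for e in entries:
        if matches_filter(e, flt):
            return (_values(e, conf["ldap_userdesc"]) or [uid])[0]
    return uid


def shared_roster(conf, directory):
    """{group display name: [(uid, display name), ...]} for one configuration.
    1. entries matching ldap_rfilter supply group names via ldap_groupattr;
    2. entries matching ldap_filter that carry that group name supply members
       via ldap_memberattr (each user entry in the department layout, the
       posixGroup entry in the group layout)."""
    base = "," + conf["ldap_base"].lower()
    entries = [e for e in directory if e["dn"].lower().endswith(base)]
    groups = OrderedDict()
    for e in entries:
        if matches_filter(e, conf["ldap_rfilter"]):
            for name in _values(e, conf["ldap_groupattr"]):
                desc = (_values(e, conf["ldap_groupdesc"]) or [name])[0]
                groups.setdefault(name, (desc, []))
    fmt = conf.get("ldap_memberattr_format", "%u")
    for name, (desc, members) in groups.items():
        for e in entries:
            if not (matches_filter(e, conf["ldap_filter"]) and name in _values(e, conf["ldap_groupattr"])):
                continue
            for raw in _values(e, conf["ldap_memberattr"]):
                uid = uid_from_member(fmt, raw)
                if uid and uid not in [u for u, _ in members]:
                    members.append((uid, _display_name(uid, conf, entries)))
    return OrderedDict(groups.values())


if __name__ == "__main__":
    for label, conf in (("by department", BY_DEPARTMENT), ("by group", BY_GROUP)):
        print(label, dict(shared_roster(conf, PEOPLE + GROUPS)))
```

Two things the configurations alone do not show: a user without a +department+ attribute (dave in the sample) never appears in the department-based roster, and with the group-based configuration under +ou=Groups+ the display names fall back to the uid because the +(uid=%u)+ lookup is also confined to +ou=Groups+. Moving +ldap_base+ up to +dc=example,dc=com+ resolves the +cn+ names while +ldap_rfilter+ still limits the groups to posixGroup entries.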

For the LDAP and Zarafa integration the configuration file is now complete. To further fine-tune and configure ejabberd, see the documentation at http://www.process-one.net/docs/ejabberd/guide_en.html.


Firewall configuration

To allow access to the jabber server from the internet, port 5222 (XMPP client connections) should be forwarded to the jabber server. The WebApp chat plugin uses the HTTP binding on port 5280 by default. If the Apache web server that serves the WebApp is in the DMZ, it might be necessary to allow traffic on port 5280 from that host to the jabber server. The default 5280 listener is plain HTTP, so restrict it to the web server host rather than forwarding it from the internet.


Activate services

When everything is configured correctly, the jabber service can be started:

service ejabberd restart

To start the jabber service at boot time, enable it:

chkconfig ejabberd on

After the service is started, the log file +/var/log/ejabberd/ejabberd.log+ should be checked for errors. If no errors show up, a desktop jabber client can be connected to test the setup.

To connect the WebApp chat plugin to the server, configure the plugin first as described on http://www.zarafa.com/wiki/index.php/Configuring_instant_messaging_in_Zarafa_WebApp.

When the configuration is correct, both the desktop client and the WebApp should be able to log in and show the configured roster.


Notes

When installing ejabberd from the Debian or Ubuntu packages, the mod_shared_roster_ldap module is missing. To have this module available, ejabberd has to be installed from source.
