Difference between revisions of "User:Frahm"

From Univention Wiki

Line 2: Line 2:
 
{{Review-Status}}
 
{{Review-Status}}
 
{{Version|UCS=3.0}}
 
{{Version|UCS=3.0}}
=Jabber Server mit UCS=
+
=eJabberd in UCS=
 
+
Needed softwarepackages: erlang-base, ejabberd, erlang-nox
Dieser Artikel beschreibt die Einrichtung und deren Anbindung an UCS. Da der Funktionsumfang recht groß ist, wird im Artikel auf folgende Themen eingegangen:
 
* LDAP Authentifzierung
 
* SSL/Plaintext (Port 5223)
 
* vCard (aus dem LDAP)
 
* shared roster
 
* Anbindung an andere IM Protokolle (im folgendem Transports genannt)
 
* Chatrooms
 
 
 
Die benötigten Softwarepakete können entweder direkt über UCS installiert werden, oder als Debian Quellcodepaket heruntergeladen, auf dem UCS System übersetzt und mit den UCS üblichen Kommandos installiert werden.
 
 
 
== eJabberd ==
 
 
 
Benötigte Software Pakete: erlang-base, ejabberd, subversion, erlang-nox
 
 
 
eJabberd ist ein Jabber Server der in der Sprache "Erlang" geschrieben wurde, welcher durch diverse Module eine recht große Funktionsvielfalt bietet.
 
 
 
Konfiguriert wird eJabberd über die Datei ''/etc/ejabberd/ejabberd.cfg''. Im folgenden werden die wichtigsten Parameter bearbeitet. FQDN, DOMAINNAME, LDAPBASE müssen angepasst werden.
 
Der wert von FQDN ist die ausgabe zweier UCR Variablen, welche durch einen Punkt getrennt werden
 
<pre>
 
ucr get hostname
 
ucr get domainname
 
</pre>
 
z.B. master.example.org
 
 
 
=== Allgemeine Einstellungen ===
 
<pre>
 
...
 
%% Administrator Account des Jabber Servers auf einen normalen Administrator mappen
 
{acl, admin, {user, "administrator", "FQDN"}}.
 
...
 
%% Der Domainname des Jabber Servers
 
{hosts, ["DOMAINNAME"]}. %Ausgabe von ucr get domainname
 
</pre>
 
 
 
=== Authentifizering (LDAP) ===
 
 
 
<pre>
 
...
 
% Auskommentieren!
 
%{auth_method, internal}
 
 
 
%% LDAP Authentifizerung mit FQDN
 
%% LDAPBASE ist die Ausgabe von "ucr get ldap/base"
 
%% Authentication using LDAP
 
{auth_method, ldap}.
 
%% List of LDAP servers:
 
{ldap_servers, ["FQDN"]}.
 
%% Port connect to LDAP server:
 
{ldap_port, 7389}.
 
%% LDAP manager:
 
{ldap_rootdn, "uid=Administrator,cn=users,LDAPBASE"}.
 
%%
 
%% Password to LDAP manager:
 
{ldap_password, "PASSWORT"}.
 
%%
 
%% Search base of LDAP directory:
 
{ldap_base, "cn=users,LDAPBASE"}.
 
</pre>
 
 
 
=== vCard (LDAP) ===
 
Hier ist noch zu beachten das nur die Werte in ''{ldap_rootdn'', ''{ldap_password'' und den Wert von LDAPBASE veränderz bzw. eingetragen werden sollen. Die Restlichen Werte müssen als Standard bleiben!
 
<pre>
 
%% Used modules:
 
{modules,
 
[
 
  %% Um die vCard an den LDAP Server zu binden
 
  %% Weitere Felder können hinzugefügt werden.
 
  {mod_vcard_ldap, [
 
    {ldap_servers, ["FQDN"]},
 
    {ldap_rootdn, ""}, % Hier muss etwas eingetragen werden! Vorzeugsweise der Administrator!
 
    {ldap_password, ""}, % Passwort des Administrators
 
    {ldap_base, "cn=users,LDAPBASE"},
 
    {ldap_uidattr, "uid"},
 
    {ldap_filter, ""},
 
    {ldap_vcard_map, [
 
      {"NICKNAME", "%u", []},
 
      {"FN", "%s", ["cn"]},
 
      {"EMAIL", "%s", ["mailPrimaryAdress"]},
 
      {"DESC", "%s", ["description"]}
 
    ]},
 
    {ldap_search_fields, [
 
      {"User", "%u"},
 
      {"Name", "givenName"},
 
      {"Family Name", "sn"},
 
      {"Email", "mail"}
 
    ]},
 
 
 
    {ldap_search_reported, [
 
      {"Full Name", "FN"},
 
      {"Nickname", "NICKNAME"},
 
      {"Description", "DESC"}
 
    ]}
 
  ]},
 
  ...
 
  %% Das mod_vcard Modul sollte auskommentiert werden
 
  %{mod_vcard, []},
 
  ...
 
]}.
 
</pre>
 
In neueren eJabberd Versionen sind die Transports bereits in der Konfigurationsdatei enthalten. Um diese zu Aktivieren genügt es die Kommentarzeile zu entfernen. Der Transport für ICQ sieht z.B. folgendermaßen aus:
 
<pre>
 
  %% Jabber ICQ Transport
 
  %%{5555, ejabberd_service, [
 
  %%                        {ip, {127, 0, 0, 1}},
 
  %%                        {access, all},
 
  %%                        {shaper_rule, fast},
 
  %%                        {hosts, ["icq.localhost", "sms.localhost"],
 
  %%                                  [{password, "secret"}]}
 
  %%                        ]},
 
 
 
</pre>
 
Falls ein ältere eJabberd Server verwendet wird müssen die Transports extra angelegt werden. Weiter Informationen dafür in die weiterführenden Links.
 
 
 
=== Shared Roster ===
 
Shared Roster sind verteilte, automatische Kontaktlisten für Jabber Benutzer. Leider funktionieren diese nicht richtig mit anbidung an die LDAP Datenbank. Es gibt aber ein weiteres Modul ''mod_ctlextra'' mit dessen Hilfe man zumindest jeden Account mit jedem bekannt machen kann (push-alltoall).
 
<pre>
 
-> cd /opt
 
-> svn co https://svn.process-one.net/ejabberd-modules
 
-> cd /opt/ejabberd-modules/mod_ctlextra/trunk
 
-> ./build.sh
 
</pre>
 
In neueren eJabberd Versionen
 
<pre>
 
-> cp ebin/mod_ctlextra.beam /usr/lib/ejabberd/ebin
 
</pre>
 
In älteren eJabberd Versionen
 
<pre>
 
-> cp ebin/mod_ctlextra.beam /usr/lib/erlang/lib/ejabberd-1.1.2/ebin
 
</pre>
 
Nach diesen Schritten kann das Modul ''ctl_extra'' in der Konfigurationsdatei aktiviert werden.
 
<pre>
 
% Used modules:
 
{modules, [
 
  ...
 
  {mod_ctlextra, []}, % !!!
 
  ...
 
  {mod_version, []}
 
]}.
 
</pre>
 
Nach einem Neustart des Jabber Servers
 
<pre>
 
-> /etc/init.d/ejabberd restart
 
</pre>
 
kennt das ejabberd Kommandozeilenprogramm "ejabberdctl" zusätzliche Befehle
 
<pre>
 
% Alle Accounts werden allen Accounts in der Gruppe everybody
 
% bekannt gemacht
 
-> ejabberdctl push-alltoall JABBERSERVER everybody
 
 
 
% Alle Authorisierungen löschen
 
-> ejabberdctl rosteritem-purge -remote *.@JABBERSERVER -subs both
 
 
 
% user2 mit "nick" in der Roster Gruppe "group" von user1 mit Subscription Typ
 
% "both"
 
-> ejabberdctl add-rosteritem user1 JABBERSERVER user2 JABBERSERVER nick group both
 
...
 
</pre>
 
Mit diesen Kommandos sind die ''Shared Roster'' relativ schnell zusammengebaut.
 
 
 
Noch ein Hinweis zur Konfigurationsdatei des ejabberd. Leider ist die Syntax etwas kompliziert und die Fehlermeldungen bei falscher Syntax sind nicht sehr aussagekräftig. Man sollte also auf jeden Punkt und jedes Komma achten.
 
<pre>
 
{aaa, bbb, [
 
  {auth, method, anonymous}, %hier muss ein Komma stehen
 
  {allow_multipble_connections, false}, %hier muss ein Komma stehen
 
  {anonymous_protocol, sasl_anon} %hier darf kein Komma stehen
 
  ]
 
}. %hier muss ein Punkt stehen
 
</pre>
 
Hiernach müssen wir prüfen ob der eJabberd Server auch richtig läuft.
 
<pre>
 
ejabberctl status
 
</pre>
 
Die richtige Ausgabe sollte folgendermaßen aussehen:
 
<pre>
 
The node ejabberd@example is started with status: started
 
ejabberd 2.1.5 is running in that node
 
</pre>
 
Wenn der Jabber Server richtig läuft müssen noch einige Ports in der Firewall freigeschaltet werden. Benötigt werden die Ports ''5222'' und ''5269''. Im folgenden prüfen wir ob diese Ports schon freigeschalted sind und schalten diese frei wenn die Ports noch geschlossen sind.
 
Prüfen ob die Ports bereits offen sind:
 
<pre>
 
netstat -plna | grep 5222
 
netstat -plna | grep 5269
 
</pre>
 
Ports in der Firewall öffnen
 
<pre>
 
ucr set security/packetfilter/ejabberd/tcp/5222/all=ACCEPT
 
ucr set security/packetfilter/ejabberd/tcp/5269/all=ACCEPT
 
</pre>
 
Nachdem die Ports geöffnet wurden muss die Firewall neugestartet werden:
 
<pre>
 
/etc/init.d/univention-firewall restart
 
</pre>
 
Jetzt sollte der Jabber Server korrekt laufen.
 
 
 
= English Version =
 
 
 
{{Cool Solutions Disclaimer}}
 
{{Review-Status}}
 
{{Version|UCS=3.0}}
 
=Jabber Server with UCS=
 
  
 
This article describes the set up of an eJabberd server and the binding to UCS. Because the scope of functions is quite large,  we will respond the following themes in this article:
 
This article describes the set up of an eJabberd server and the binding to UCS. Because the scope of functions is quite large,  we will respond the following themes in this article:
Line 210: Line 10:
 
* SSl/Plaintext (Port 5223)
 
* SSl/Plaintext (Port 5223)
 
* vCard (from the LDAP)
 
* vCard (from the LDAP)
* shared roster
 
* Binding to other IM protocols (called transports in the following)
 
* Chatrooms
 
  
 
The needed Softwarepackages can be installed directly via UCS, or downloaded as a Debian sourcecodepackage, translated on the UCS system and with the usual UCS commands installed.
 
The needed Softwarepackages can be installed directly via UCS, or downloaded as a Debian sourcecodepackage, translated on the UCS system and with the usual UCS commands installed.
 
== eJabberd ==
 
 
Needed softwarepackages: erlang-base, ejabberd, subversion, erlang-nox
 
  
 
eJabberd is a Jabber server whichs is written in the programing language ''Erlang'' which has through various modules a quite large scope of functions.
 
eJabberd is a Jabber server whichs is written in the programing language ''Erlang'' which has through various modules a quite large scope of functions.
Line 228: Line 21:
 
ucr get domainname
 
ucr get domainname
 
</pre>
 
</pre>
e.g. master.example.org
+
e.g. master.example.org, the output from ''ucr get domainname'' is also the value for DOMAINNAME.
 +
The value of LDAPBASE is the output from
 +
<pre>
 +
ucr get ldap/base
 +
</pre>
  
 
=== General settings ===
 
=== General settings ===
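Review bot: The added sentence "e.g. master.example.org, the output from ''ucr get domainname'' is also the value for DOMAINNAME." joins the FQDN example and the DOMAINNAME rule with a comma, so it reads as if master.example.org were the output of ucr get domainname. Split it into two sentences: end the first after the example ("e.g. master.example.org.") and start the DOMAINNAME rule as its own sentence, so readers do not put the full host name into {hosts, [...]}.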
Line 237: Line 34:
 
...
 
...
 
%% The domainname of the Jabber server
 
%% The domainname of the Jabber server
{hosts, ["DOMAINNAME"]}. %output from uct get domainname
+
{hosts, ["DOMAINNAME"]}.
 
</pre>
 
</pre>
  
Line 247: Line 44:
 
%{auth_method, internal}
 
%{auth_method, internal}
  
%% LDAP authentification with HOSTNAME
+
%% Authentication using LDAP
%% LDAPBASE is the output from "ucr get ldap/base"
 
 
{auth_method, ldap}.
 
{auth_method, ldap}.
 
%% List of LDAP servers:
 
%% List of LDAP servers:
Line 304: Line 100:
 
]}.
 
]}.
 
</pre>
 
</pre>
In newer eJabberd versions the transports already exists in the configuration file. To activate them it is sufficient to comment them in. The transport for ICQ looks e.g. like the following:
 
<pre>
 
  %% Jabber ICQ Transport
 
  %%{5555, ejabberd_service, [
 
  %%                        {ip, {127, 0, 0, 1}},
 
  %%                        {access, all},
 
  %%                        {shaper_rule, fast},
 
  %%                        {hosts, ["icq.localhost", "sms.localhost"],
 
  %%                                  [{password, "secret"}]}
 
  %%                        ]},
 
 
</pre>
 
In that case that older eJabberd versions used, the transports have to added extra. More informations in the link section.
 
 
=== Shared Roster ===
 
Shared Roster are distributed, automatic contact lists for Jabber users. Unfortunately they're don't working with the binding to the LDAP database. But there is a module with that you can acquaint every account to the other accounts (push-alltoall).
 
<pre>
 
-> cd /opt
 
-> svn co https://svn.process-one.net/ejabberd-modules
 
-> ./build.sh
 
</pre>
 
In newer eJabberd versions
 
<pre>
 
-> cp ebin/mod_ctlextra.beam /usr/lib/ejabberd/ebin
 
</pre>
 
In older eJabberd versions
 
<pre>
 
-> cp ebin/mod_ctlextra.beam /usr/lib/erlang/lib/ejabber-1.1.2./ebin
 
</pre>
 
After these steps the modules ''ctl_extra'' can be activated in the configuration file.
 
<pre>
 
% Used modules
 
{modules, [
 
  ...
 
  {mod_ctlextra, []}, % !!!
 
  ...
 
  {mod_version, []}
 
]}.
 
</pre>
 
After restarting the Jabber server
 
<pre>
 
-> /etc/init.d/ejabberd restart
 
</pre>
 
the commandlineprogramm "ejabberdctl" knows a few more commands
 
<pre>
 
%
 
%
 
-> ejabberdctl push-alltoall JABBERSERVEr eberybody
 
 
% Delete all authorizations
 
-> ejabberctl rosteritem-purger -remot *.@JABBERSERVER -subs both
 
 
% user2 with "nick" in the roster group "group" from user1 with subscription type "both"
 
-> ejabberdctl add-rosteritem user1 JABBERSERVER user2 JABBERSERVER nick group both
 
...
 
</pre>
 
 
<pre>
 
% Alle Accounts werden allen Accounts in der Gruppe everybody
 
% bekannt gemacht
 
 
With this commands the "shared roster" are build quite fast.
 
  
Another hin to the configurationfile from the eJabberd. Unfortunaley the syntax is quite complicated and the error messages with incorrect syntax are not very meaningful. So you should pay attention to every point and comma.
+
Another hint to the configurationfile from the eJabberd. Unfortunaley the syntax is quite complicated and the error messages with incorrect syntax are not very meaningful. So you should pay attention to every point and comma.
 
<pre>
 
<pre>
 
{aaa, bbb, [
 
{aaa, bbb, [
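Review bot: The replacement line for the configuration-file hint fixes "hin" to "hint" but still carries "Unfortunaley" and "configurationfile". Since the edit already touches this sentence, correct those as well ("Unfortunately", "configuration file"). The removed English block above it also shows an unclosed pre section holding leftover German comments, so check that the pre tags in the new revision are balanced around the remaining example.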

Revision as of 09:35, 14 November 2012

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.

Please also note the legal notes in the Terms of Service.
Note: This article is not yet reviewed.
UCS Version 3.0

eJabberd in UCS

Required software packages: erlang-base, ejabberd, erlang-nox

This article describes how to set up an eJabberd server and connect it to UCS. Because the range of functions is quite large, this article covers the following topics:

  • LDAP authentication
  • SSL/Plaintext (Port 5223)
  • vCard (from the LDAP)

The required software packages can be installed directly via UCS, or downloaded as a Debian source package, compiled on the UCS system and installed with the usual UCS commands.

eJabberd is a Jabber server written in the programming language Erlang; its various modules give it a fairly large range of functions.

eJabberd is configured through the file /etc/ejabberd/ejabberd.cfg. The most important parameters are covered below. FQDN, DOMAINNAME and LDAPBASE have to be adapted. The value of FQDN is the output of two UCR variables, joined by a dot:

ucr get hostname
ucr get domainname

e.g. master.example.org. The output of ucr get domainname is also the value for DOMAINNAME. The value of LDAPBASE is the output of

ucr get ldap/base

General settings

...
%% mapping the administrator account of the Jabber server to a normal administrator
{acl, admin, {user, "administrator", "FQDN"}}.
...
%% The domainname of the Jabber server
{hosts, ["DOMAINNAME"]}.

Authentication (LDAP)

...
% Comment this line out!
%{auth_method, internal}

%% Authentication using LDAP
{auth_method, ldap}.
%% List of LDAP servers:
{ldap_servers, ["FQDN"]}.
%% Port connect to LDAP server:
{ldap_port, 7389}.
%% LDAP manager:
{ldap_rootdn, "uid=Administrator,cn=users,LDAPBASE"}.
%%
%% Password to LDAP manager:
{ldap_password, "PASSWORT"}.
%%
%% Search base of LDAP directory:
{ldap_base, "cn=users,LDAPBASE"}.
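
The settings above store the bind password of the domain Administrator in ejabberd.cfg. The following added example (not part of the original article or of ejabberd) audits such a block for the three exposures that follow from it. The finding names and the sample values are made up for illustration, and `ldap_encrypt` is an ejabberd option that does not appear on this page.

```python
import re

# Constructed sample: the LDAP block above with placeholder values filled in.
SAMPLE_CFG = '''
%{auth_method, internal}.
{auth_method, ldap}.
{ldap_servers, ["master.example.org"]}.
{ldap_port, 7389}.
{ldap_rootdn, "uid=Administrator,cn=users,dc=example,dc=org"}.
{ldap_password, "PASSWORT"}.
{ldap_base, "cn=users,dc=example,dc=org"}.
'''

def options(text):
    """Map option name -> raw value for simple top-level `{name, value}.` terms."""
    # Drop % comments but keep any % that sits inside a double-quoted string.
    text = re.sub(r'("(?:\\.|[^"\\])*")|%[^\n]*', lambda m: m.group(1) or "", text)
    return {m.group(1): m.group(2)
            for m in re.finditer(r'\{\s*(\w+)\s*,\s*(.*?)\s*\}\s*\.', text, re.S)}

def audit(text, file_mode):
    """Return finding ids for the LDAP bind settings; file_mode is the cfg's st_mode."""
    opts, findings = options(text), []
    if opts.get("auth_method") != "ldap":
        return findings
    # A leaked cfg file then leaks the domain Administrator password.
    if opts.get("ldap_rootdn", "").strip('"').lower().startswith("uid=administrator,"):
        findings.append("bind-dn-is-domain-administrator")
    # A literal password in a file that "other" can read.
    if opts.get("ldap_password", '""') != '""' and file_mode & 0o004:
        findings.append("bind-password-world-readable")
    servers = re.findall(r'"([^"]+)"', opts.get("ldap_servers", ""))
    remote = [s for s in servers if s not in ("localhost", "127.0.0.1")]
    # Assumption: ldap_encrypt defaults to none. A server named by FQDN may
    # still be this host, so confirm where the bind actually goes.
    if remote and opts.get("ldap_encrypt", "none") != "tls":
        findings.append("ldap-bind-not-encrypted")
    return findings
```

On a live system, call it as `audit(open(path).read(), os.stat(path).st_mode)` with the path of ejabberd.cfg.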

vCard (LDAP)

Note that only the values of ldap_rootdn, ldap_password and LDAPBASE should be changed here. The remaining values must stay at their defaults!

%% Used modules:
{modules,
[
  %% To bind the vCard to the LDAP server
  %% More fields can be added
  {mod_vcard_ldap, [
    {ldap_servers, ["FQDN"]},
    {ldap_rootdn, ""}, % A value must be entered here, preferably the administrator!
    {ldap_password, ""}, % Password of the administrator
    {ldap_base, "cn=users,LDAPBASE"},
    {ldap_uidattr, "uid"},
    {ldap_filter, ""},
    {ldap_vcard_map, [
      {"NICKNAME", "%u", []},
      {"FN", "%s", ["cn"]},
      {"EMAIL", "%s", ["mailPrimaryAddress"]},
      {"DESC", "%s", ["description"]}
    ]},
    {ldap_search_fields, [
      {"User", "%u"},
      {"Name", "givenName"},
      {"Family Name", "sn"},
      {"Email", "mail"}
    ]},

    {ldap_search_reported, [
      {"Full Name", "FN"},
      {"Nickname", "NICKNAME"},
      {"Description", "DESC"}
    ]}
  ]},    
  ...
  %% The mod_vcard module should be commented out
  %{mod_vcard, []},
  ...
]}.

One more hint about the eJabberd configuration file: unfortunately the syntax is quite complicated, and the error messages for incorrect syntax are not very meaningful. So pay attention to every period and comma.

{aaa, bbb, [
  {auth_method, anonymous}, % a comma is required here
  {allow_multiple_connections, false}, % a comma is required here
  {anonymous_protocol, sasl_anon} % there must be no comma here
  ]
}. % a period is required here
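
The comma and period rules above can be checked before restarting the server. The following added example (not part of the original article or of ejabberd) is a small punctuation linter for Erlang-terms files such as ejabberd.cfg. It reports line numbers for a comma before a closing bracket, a missing comma or period, unbalanced brackets and unterminated strings, and it assumes strings stay on one line and that no quoted atoms are used.

```python
import re

# One token per match: single-line string, unterminated string (rest of line),
# % comment, punctuation, or a run of atom/number characters.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|"[^\n]*|%[^\n]*|[\[\]{},.]|[^\s\[\]{},.%"]+')
CLOSERS = {"]": "[", "}": "{"}

# Constructed sample: the example term from this page, written correctly.
GOOD = """{aaa, bbb, [
  {auth_method, anonymous},
  {allow_multiple_connections, false},
  {anonymous_protocol, sasl_anon}
  ]
}.
"""

def lint(text):
    """Return [(line, message)] for punctuation slips in an Erlang-terms file."""
    problems, stack, prev, line = [], [], "dot", 1
    for m in TOKEN.finditer(text):
        tok = m.group()
        line = text.count("\n", 0, m.start()) + 1
        if tok.startswith("%"):
            continue
        if tok == ".":
            if stack and prev == "close":
                problems.append((line, "'.' inside '%s', expected ','" % stack[-1]))
            prev = "join" if stack else "dot"   # inside brackets: float or dotted atom
        elif tok == ",":
            if not stack:
                problems.append((line, "',' after top-level term, expected '.'"))
            prev = "comma"
        elif tok in CLOSERS:
            if prev == "comma":
                problems.append((line, "',' before closing '%s'" % tok))
            if not stack or stack.pop() != CLOSERS[tok]:
                problems.append((line, "unbalanced '%s'" % tok))
            prev = "close"
        else:                                   # '[', '{', atom, number or string
            if prev in ("close", "value"):
                problems.append((line, "missing ',' before %s" % tok if stack
                                 else "missing '.' before %s" % tok))
            if tok.startswith('"') and not (len(tok) > 1 and tok.endswith('"')):
                problems.append((line, "unterminated string"))
            if tok in ("[", "{"):
                stack.append(tok)
                prev = "open"
            else:
                prev = "value"
    problems += [(line, "unclosed '%s'" % b) for b in stack]
    if not stack and prev != "dot":
        problems.append((line, "missing final '.'"))
    return problems
```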

After this we have to check whether the eJabberd server is running correctly.

ejabberdctl status

The correct output should look like the following:

The node ejabberd@example is started with status: started
ejabberd 2.1.5 is running in that node

If the Jabber server is running correctly, some ports have to be opened in the firewall. Ports 5222 and 5269 are needed. In the following we check whether the ports are already open and open them if they are still closed. Check whether the ports are open:

netstat -plna | grep 5222
netstat -plna | grep 5269

Opening ports in the firewall

ucr set security/packetfilter/ejabberd/tcp/5222/all=ACCEPT
ucr set security/packetfilter/ejabberd/tcp/5269/all=ACCEPT

After opening the ports, the firewall has to be restarted:

/etc/init.d/univention-firewall restart

The server should now run correctly.
