2011-04-27

Setting up an ejabberd server (Jabber, a.k.a. XMPP) to authenticate clients against IBM Lotus Domino (its LDAP)

PSI is used as the client.
ejabberd vs IBM Lotus Sametime:

1) Free client and server
2) Low resource usage (client and server)
3) win32 + linux
4) File transfer of unlimited size works
5) The client installs in two clicks and needs no administrative rights



So:

1) Additional Domino setup:
(I assume Domino is already installed and configured)
You need to configure Directory Assistance so that you end up with something like:





Domino ships with excellent documentation on configuring Directory Assistance; use it.

You also need to configure and enable the Domino server's LDAP service; that process is likewise described in the documentation. I simply enabled it without any specific settings. The one thing: you may need to create a Configuration Document if you have not already done so; its presence is strongly recommended in any case.
(Don't forget to open the required ports in the firewall settings)

Optional, but strongly recommended: create a user for managing the ejabberd server, e.g. im-admin, and give it the email address im-admin@company.ru



2) Installing ejabberd:
It can be installed on the Domino server itself, so you do NOT need extra hardware.
In my case (openSUSE 11.3) installation is simple: install the ejabberd package from the repository:
http://download.opensuse.org/repositories/server:/messaging/openSUSE_11.3/
Information on installing the package is easy to find with a search.
If memory serves, ejabberd can also run under Windows.


3) Configuring the ejabberd server (the interesting part):
(if you run a cluster of Domino servers, ejabberd can make use of it)
ejabberd server version: 2.1.0

All ejabberd server settings live in three files in /etc/ejabberd:
ejabberd.cfg, ejabberdctl.cfg and inetrc

Here are the working configs (real values changed):
company.ru - placeholder for the company's domain
COMPANY - the company's Notes domain
im-admin - user name in the Domino directory used to manage ejabberd
im-admin@company.ru - email address of that user in the Domino directory
domino-1.company.ru - Domino server with the LDAP service running


ejabberd.cfg:
%%%
%%%               ejabberd configuration file
%%%
%%%'

%%% The parameters used in this configuration file are explained in more detail
%%% in the ejabberd Installation and Operation Guide.
%%% Please consult the Guide in case of doubts, it is included in
%%% your copy of ejabberd, and is also available online at
%%% http://www.process-one.net/en/ejabberd/docs/

%%% This configuration file contains Erlang terms.
%%% In case you want to understand the syntax, here are the concepts:
%%%
%%%  - The character to comment a line is %
%%%
%%%  - Each term ends in a dot, for example:
%%%      override_global.
%%%
%%%  - A tuple has a fixed definition, its elements are
%%%    enclosed in {}, and separated with commas:
%%%      {loglevel, 4}.
%%%
%%%  - A list can have as many elements as you want,
%%%    and is enclosed in [], for example:
%%%      [http_poll, web_admin, tls]
%%%
%%%  - A keyword of ejabberd is a word in lowercase.
%%%    The strings are enclosed in "" and can have spaces, dots...
%%%      {language, "en"}.
%%%      {ldap_rootdn, "dc=example,dc=com"}.
%%%
%%%  - This term includes a tuple, a keyword, a list and two strings:
%%%      {hosts, ["jabber.example.net", "im.example.com"]}.
%%%


%%%.   =======================
%%%'   OVERRIDE STORED OPTIONS

%%
%% Override the old values stored in the database.
%%

%%
%% Override global options (shared by all ejabberd nodes in a cluster).
%%
%%override_global.

%%
%% Override local options (specific for this particular ejabberd node).
%%
%%override_local.

%%
%% Remove the Access Control Lists before new ones are added.
%%
%%override_acls.


%%%.   =========
%%%'   DEBUGGING

%%
%% loglevel: Verbosity of log files generated by ejabberd.
%% 0: No ejabberd log at all (not recommended)
%% 1: Critical
%% 2: Error
%% 3: Warning
%% 4: Info
%% 5: Debug
%%
{loglevel, 4}.

%%
%% watchdog_admins: Only useful for developers: if an ejabberd process
%% consumes a lot of memory, send live notifications to these XMPP 
%% accounts.
%%
%%{watchdog_admins, ["bob@example.com"]}.


%%%.   ================
%%%'   SERVED HOSTNAMES

%%
%% hosts: Domains served by ejabberd.
%% You can define one or several, for example:
%% {hosts, ["example.net", "example.com", "example.org"]}.
%%
{hosts, ["company.ru"]}.

%%
%% route_subdomains: Delegate subdomains to other XMPP server.
%% For example, if this ejabberd serves example.org and you want
%% to allow communication with a XMPP server called im.example.org.
%%
%%{route_subdomains, s2s}.


%%%.   ===============
%%%'   LISTENING PORTS

%%
%% listen: Which ports will ejabberd listen, which service handles it
%% and what options to start it with.
%%
{listen,
 [

  {5222, ejabberd_c2s, [

   %%
   %% If TLS is compiled and you installed a SSL
   %% certificate, put the correct path to the
   %% file and uncomment this line:
   %%
   %%{certfile, "/path/to/ssl.pem"}, starttls,

   {access, c2s},
   %% {shaper, c2s_shaper},
   {max_stanza_size, 65536}
         ]},

  %%
  %% To enable the old SSL connection method in port 5223:
  %%
  %%{5223, ejabberd_c2s, [
  %%   {access, c2s},
  %%   {shaper, c2s_shaper},
  %%   {certfile, "/path/to/ssl.pem"}, tls,
  %%   {max_stanza_size, 65536}
  %%         ]},

  {5269, ejabberd_s2s_in, [
      %% {shaper, s2s_shaper},
      {max_stanza_size, 131072}
     ]},

  %%
  %% ejabberd_service: Interact with external components (transports...)
  %%
  %%{8888, ejabberd_service, [
  %%       {access, all},
  %%       {shaper_rule, fast},
  %%       {ip, {127, 0, 0, 1}},
  %%       {hosts, ["icq.example.org", "sms.example.org"],
  %%        [{password, "secret"}]
  %%       }
  %%      ]},

  %%
  %% ejabberd_stun: Handles STUN Binding requests
  %%
  %%{{3478, udp}, ejabberd_stun, []},

  {5280, ejabberd_http, [
    %%{request_handlers,
    %% [
    %%  {["pub", "archive"], mod_http_fileserver}
    %% ]},
    captcha,
    http_bind,
    http_poll,
    web_admin
   ]}

 ]}.

%%
%% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
%% Allowed values are: true or false.
%% You must specify a certificate file.
%%
%%{s2s_use_starttls, true}.

%%
%% s2s_certfile: Specify a certificate file.
%%
%%{s2s_certfile, "/path/to/ssl.pem"}.

%%
%% domain_certfile: Specify a different certificate for each served hostname.
%%
%%{domain_certfile, "example.org", "/path/to/example_org.pem"}.
%%{domain_certfile, "example.com", "/path/to/example_com.pem"}.

%%
%% S2S whitelist or blacklist
%%
%% Default s2s policy for undefined hosts.
%%
%%{s2s_default_policy, allow}.

%%
%% Allow or deny communication with specific servers.
%%
%%{{s2s_host, "goodhost.org"}, allow}.
%%{{s2s_host, "badhost.org"}, deny}.

%%
%% Outgoing S2S options
%%
%% Preferred address families (which to try first) and connect timeout
%% in milliseconds.
%%
%%{outgoing_s2s_options, [ipv4, ipv6], 10000}.


%%%.   ==============
%%%'   AUTHENTICATION

%%
%% auth_method: Method used to authenticate the users.
%% The default method is the internal.
%% If you want to use a different method,
%% comment this line and enable the correct ones.
%%
%% {auth_method, internal}.
%%%%% ZZZZZZZZZZZZZZZZZZZZZZZZZZzz

%%
%% Authentication using external script
%% Make sure the script is executable by ejabberd.
%%
%%{auth_method, external}.
%%{extauth_program, "/path/to/authentication/script"}.

%%
%% Authentication using ODBC
%% Remember to setup a database in the next section.
%%
%%{auth_method, odbc}.

%%
%% Authentication using PAM
%%
%%{auth_method, pam}.
%%{pam_service, "pamservicename"}.

%%
%% Authentication using LDAP
%%
{auth_method, ldap}.
%%
%% List of LDAP servers:   
{ldap_servers, ["domino-1.company.ru"]}.
%%
%% Encryption of connection to LDAP servers:
{ldap_encrypt, none}.
%%{ldap_encrypt, tls}.
%%
%% Port connect to LDAP servers:
{ldap_port, 389}.
%%{ldap_port, 636}.
%%
%% LDAP manager:
%%{ldap_rootdn, "dc=example,dc=com"}.
{ldap_rootdn, "CN=im-admin,O=COMPANY"}.

%%
%% Password to LDAP manager:
{ldap_password, ""}.
%%
%% Search base of LDAP directory:
{ldap_base, "O=COMPANY"}.


%% LDAP attributes that hold the user ID (uid = username):
%%{ldap_uids, [{"mail", "%u@company.ru"}]}.
%% {ldap_uids, [{"uid", "%u"}]}.
%% {ldap_uids, [{"mail", "%u@company.ru"},{"uid", "%u@company.ru"}]}.
{ldap_uids, [{"mail", "%u@company.ru"},{"uid"}]}.


%%
%% LDAP filter:
{ldap_filter, "(objectClass=dominoPerson)"}.

%%
%% Anonymous login support:
%%   auth_method: anonymous
%%   anonymous_protocol: sasl_anon | login_anon | both
%%   allow_multiple_connections: true | false
%%
%%{host_config, "public.example.org", [{auth_method, anonymous},
%%                                     {allow_multiple_connections, false},
%%                                     {anonymous_protocol, sasl_anon}]}.
%%
%% To use both anonymous and internal authentication:
%%
%%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}.


%%%.   ==============
%%%'   DATABASE SETUP

%% ejabberd uses by default the internal Mnesia database,
%% so you can avoid this section.
%% This section provides configuration examples in case
%% you want to use other database backends.
%% Please consult the ejabberd Guide for details about database creation.

%%
%% MySQL server:
%%
%%{odbc_server, {mysql, "server", "database", "username", "password"}}.
%%
%% If you want to specify the port:
%%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}.

%%
%% PostgreSQL server:
%%
%%{odbc_server, {pgsql, "server", "database", "username", "password"}}.
%%
%% If you want to specify the port:
%%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}.
%%
%% If you use PostgreSQL, have a large database, and need a
%% faster but inexact replacement for "select count(*) from users"
%%
%%{pgsql_users_number_estimate, true}.

%%
%% ODBC compatible or MSSQL server:
%%
%%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.

%%
%% Number of connections to open to the database for each virtual host
%%
%%{odbc_pool_size, 10}.

%%
%% Interval to make a dummy SQL request to keep alive the connections
%% to the database. Specify in seconds: for example 28800 means 8 hours
%%
%%{odbc_keepalive_interval, undefined}.


%%%.   ===============
%%%'   TRAFFIC SHAPERS

%%
%% The "normal" shaper limits traffic speed to 1.000 B/s
%%
{shaper, normal, {maxrate, 1000000}}.

%%
%% The "fast" shaper limits traffic speed to 50.000 B/s
%%
{shaper, fast, {maxrate, 5000000}}.


%%%.   ====================
%%%'   ACCESS CONTROL LISTS

%%
%% The 'admin' ACL grants administrative privileges to XMPP accounts.
%% You can put as many accounts as you want.
%%
%%{acl, admin, {user, "aleksey", "localhost"}}.
{acl, admin, {user, "im-admin", "company.ru"}}.

%%
%% Blocked users
%%
%%{acl, blocked, {user, "baduser", "example.org"}}.
%%{acl, blocked, {user, "test"}}.

%%
%% Local users: don't modify this line.
%%
{acl, local, {user_regexp, ""}}.

%%
%% More examples of ACLs
%%
%%{acl, jabberorg, {server, "jabber.org"}}.
%%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
%%{acl, test, {user_regexp, "^test"}}.
%%{acl, test, {user_glob, "test*"}}.

%%
%% Define specific ACLs in a virtual host.
%%
%%{host_config, "localhost",
%% [
%%  {acl, admin, {user, "bob-local", "localhost"}}
%% ]
%%}.


%%%.   ============
%%%'   ACCESS RULES

%% Maximum number of simultaneous sessions allowed for a single user:
{access, max_user_sessions, [{10, all}]}.

%% Maximum number of offline messages that users can have:
{access, max_user_offline_messages, [{5000, admin}, {100, all}]}. 

%% This rule allows access only for local users:
{access, local, [{allow, local}]}.

%% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
        {allow, all}]}.

%% For C2S connections, all users except admins use "normal" shaper
{access, c2s_shaper, [{none, admin},
        {normal, all}]}.

%% All S2S connections use "fast" shaper
{access, s2s_shaper, [{fast, all}]}.

%% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.

%% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.

%% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.

%% Only accounts of the local ejabberd server can create rooms:
{access, muc_create, [{allow, local}]}.

%% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.

%% Only accounts in the local ejabberd server can create Pubsub nodes:
{access, pubsub_createnode, [{allow, local}]}.

%% In-band registration allows registration of any possible username.
%% To disable in-band registration, replace 'allow' with 'deny'.
{access, register, [{allow, all}]}.

%% By default frequency of account registrations from the same IP
%% is limited to 1 account every 10 minutes. To disable put: infinity
%%{registration_timeout, 600}.

%%
%% Define specific Access rules in a virtual host.
%%
%%{host_config, "localhost",
%% [
%%  {access, c2s, [{allow, admin}, {deny, all}]},
%%  {access, register, [{deny, all}]}
%% ]
%%}.


%%%.   ================
%%%'   DEFAULT LANGUAGE

%%
%% language: Default language used for server messages.
%%
{language, "ru"}.

%%
%% Set a different default language in a virtual host.
%%
%%{host_config, "localhost",
%% [{language, "ru"}]
%%}.


%%%.   =======
%%%'   CAPTCHA

%%
%% Full path to a script that generates the image.
%%
%%{captcha_cmd, "/lib/ejabberd/priv/bin/captcha.sh"}.

%%
%% Host part of the URL sent to the user.
%%
%%{captcha_host, "example.org:5280"}.


%%%.   =======
%%%'   MODULES

%%
%% Modules enabled in all ejabberd virtual hosts.
%%
{modules,
 [
  {mod_adhoc,    []},
  {mod_announce, [{access, announce}]}, % recommends mod_adhoc
  {mod_caps,     []},
  {mod_configure,[]}, % requires mod_adhoc
  {mod_disco,    []},
  %%{mod_echo,   [{host, "echo.localhost"}]},
  {mod_irc,      []},
  {mod_http_bind, []},
  %%{mod_http_fileserver, [
  %%                       {docroot, "/var/www"}, 
  %%                       {accesslog, "/var/log/ejabberd/access.log"}
  %%                      ]},
  {mod_last,     []},
  {mod_muc,      [
    %%{host, "conference.@HOST@"},
    {access, muc},
    {access_create, muc_create},
    {access_persistent, muc_create},
    {access_admin, muc_admin}
   ]},
  %%{mod_muc_log,[]},
  {mod_offline,  [{access_max_user_messages, max_user_offline_messages}]},
  {mod_ping,     []},
  {mod_privacy,  []},
  {mod_private,  []},
  %%{mod_proxy65,[]},
  {mod_pubsub,   [
    {access_createnode, pubsub_createnode},
    {ignore_pep_from_offline, true},
    {last_item_cache, false},
    {plugins, ["flat", "hometree", "pep"]}  % pep requires mod_caps
   ]},
  {mod_register, [
    %%
    %% After successful registration, the user receives
    %% a message with this subject and body.
    %%
    {welcome_message, {"Welcome!",
         "Hi.\nWelcome to Jabber (XMPP) server."}},

    %%
    %% When a user registers, send a notification to
    %% these XMPP accounts.
    %%
    %%{registration_watchers, ["admin1@example.org"]},

    {access, register}
   ]},
  {mod_roster,   []},
  %%{mod_service_log,[]},
  {mod_shared_roster,[]},
  {mod_stats,    []},
  {mod_time,     []},

  %%{mod_vcard,    []},
  %%{mod_vcard,    [{search, true},
  %%               {matches, infinity},
  %%               {allow_return_all, true},
  %%               {search_all_hosts, false}]},

  %% vCards and user search are served straight from the Domino directory
  {mod_vcard_ldap, [
    {search, true},
    {allow_return_all, true},
    {matches, infinity},
    %% JID under which clients see the directory-search service (ejabberd's
    %% default would be vjud.@HOST@); the LDAP server itself is taken from
    %% ldap_servers in the AUTHENTICATION section above
    {host, "domino-1.company.ru"},

    %% Bind DN and password used for directory searches. The password is
    %% left empty, so the bind is effectively anonymous and relies on Domino
    %% allowing anonymous LDAP reads of the attributes mapped below.
    {ldap_rootdn, "CN=im-admin,O=COMPANY"},
    {ldap_password, ""},
    %% Search base of the address book
    {ldap_base, "O=COMPANY"},
    %% Same JID lookup as in the AUTHENTICATION section: the user part of
    %% the JID is matched against "mail" (as %u@company.ru) or "uid"
    {ldap_uids, [{"mail", "%u@company.ru"}, {"uid"}]},
    %% Restrict searches to Domino person entries
    {ldap_filter, "(objectClass=dominoPerson)"},

    %% vCard pattern: {vCard field, format string, LDAP attributes}.
    %% The mapping shipped with ejabberd is kept here for reference:
    %%   [{"NICKNAME", "%u", []}, % just use user's part of JID as his nickname
    %%    {"FIRST", "%s", ["givenName"]},
    %%    {"LAST", "%s", ["sn"]},
    %%    {"FN", "%s, %s", ["sn", "givenName"]}, % example: "Smith, John"
    %%    {"EMAIL", "%s", ["mail"]},
    %%    {"BDAY", "%s", ["birthDay"]}]
    {ldap_vcard_map, [
      %%{"NICKNAME", "%u", []},
      %%{"NICKNAME", "%s", ["altfullname"]},
      {"NICKNAME", "%s",    ["uid"]},
      {"FN",       "%s",    ["displayName"]},
      {"FIRST",    "%s",    ["givenName"]},
      {"LAST",     "%s",    ["sn"]},
      {"EMAIL",    "%s",    ["mail"]},
      {"DESC",     "%s %s", ["altfullname", "cn"]},
      {"TEL",      "%s",    ["location"]}
      %%{"DESC", "%s", ["description"]},
      %%{"TEL", "%s", ["telephoneNumber"]},
      %%{"MIDDLE", "%s", ["initials"]},
      %%{"ORGNAME", "%s", ["o"]},
      %%{"ORGUNIT", "%s", ["ou"]},
      %%{"CTRY", "%s", ["c"]},
      %%{"STREET", "%s", ["street"]},
      %%{"REGION", "%s", ["st"]},
      %%{"PCODE", "%s", ["postalCode"]},
      %%{"TITLE", "%s", ["title"]},
      %%{"URL", "%s", ["labeleduri"]},
      %%{"LOCALITY", "%s", ["l"]},
      %%{"BDAY", "%s", ["birthDay"]},
      %%{"ROLE", "%s", ["employeeType"]},
      %%{"PHOTO", "%s", ["jpegPhoto"]}
    ]},

    %% Search form: {form field, LDAP attribute or "%u"}.
    %% ejabberd documents the second element as an LDAP attribute name;
    %% the vCard field names are kept here as in the original working setup.
    %% Shipped example: [{"User", "%u"}, {"Name", "givenName"},
    %%   {"Family Name", "sn"}, {"Email", "mail"}, {"Birthday", "birthDay"}]
    {ldap_search_fields, [
      {"User", "%u"},
      %%{"Full Name", "displayName"},
      {"Full Name", "FN"},
      {"Given Name", "FIRST"},
      {"Middle Name", "MIDDLE"},
      {"Family Name", "LAST"},
      %%{"Nickname", "%u"},
      %%{"Nickname", "uid"},
      {"Nickname", "NICKNAME"},
      {"Birthday", "BDAY"},
      {"Country", "CTRY"},
      {"City", "LOCALITY"},
      {"Email", "EMAIL"},
      {"Organization Name", "ORGNAME"},
      {"Organization Unit", "ORGUNIT"}
    ]},

    %% vCard fields to be reported: {result column, vCard field from ldap_vcard_map}.
    %% Note that JID is always returned with search results.
    %% Shipped example: [{"Full Name", "FN"}, {"Nickname", "NICKNAME"}, {"Birthday", "BDAY"}]
    {ldap_search_reported, [
      {"Full Name", "FN"},
      {"Given Name", "FIRST"},
      {"Middle Name", "MIDDLE"},
      {"Family Name", "LAST"},
      {"Nickname", "NICKNAME"},
      {"Birthday", "BDAY"},
      {"Country", "CTRY"},
      {"City", "LOCALITY"},
      {"Email", "EMAIL"},
      {"Organization Name", "ORGNAME"},
      {"Organization Unit", "ORGUNIT"}
    ]}
  ]},

  {mod_version,  []}
 ]}.

%%
%% Enable modules with custom options in a specific virtual host
%%
%%{host_config, "localhost",
%% [{{add, modules},
%%   [
%%    {mod_echo, [{host, "mirror.localhost"}]}
%%   ]
%%  }
%% ]}.


%%%.
%%%'

%%% $Id: ejabberd.cfg.example 2683 2009-10-19 17:02:37Z badlop $

%%% Local Variables:
%%% mode: erlang
%%% End:
%%% vim: set filetype=erlang tabstop=8 foldmarker=%%%',%%%. foldmethod=marker:

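To sanity-check the LDAP mapping above without a live server, here is an added Python example (not from the original post and not ejabberd's code). It reproduces what the ldap_filter and ldap_uids settings make the server ask Domino for when a JID node is looked up, applies RFC 4515 escaping to the user-supplied value so it cannot rewrite the filter, and renders a vCard from a constructed Domino entry using the ldap_vcard_map above. The sample entry and its attribute values are constructed; the bare {"uid"} is read as the "%u" format, which is ejabberd's documented default.

```python
"""Offline check of the ejabberd <-> Domino LDAP mapping from this post.
Added example; not part of ejabberd or of the original post."""

# Values copied from the ejabberd.cfg above. {"uid"} means format "%u".
LDAP_FILTER = "(objectClass=dominoPerson)"
LDAP_UIDS = [("mail", "%u@company.ru"), ("uid", "%u")]
VCARD_MAP = [
    ("NICKNAME", "%s", ["uid"]),
    ("FN", "%s", ["displayName"]),
    ("FIRST", "%s", ["givenName"]),
    ("LAST", "%s", ["sn"]),
    ("EMAIL", "%s", ["mail"]),
    ("DESC", "%s %s", ["altfullname", "cn"]),
    ("TEL", "%s", ["location"]),
]

# Constructed sample of a Domino person entry as returned over LDAP.
SAMPLE_ENTRY = {
    "uid": "ivanov",
    "mail": "ivanov@company.ru",
    "displayName": "Ivan Ivanov",
    "givenName": "Ivan",
    "sn": "Ivanov",
    "cn": "Ivan Ivanov",
    "altfullname": "Ivan Ivanov (alt)",
    "location": "Moscow, room 12",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a JID node like '*' or 'a)(uid=*' must not be able
    to change the meaning of the filter it is substituted into."""
    out = []
    for ch in value:
        if ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(user: str) -> str:
    """Filter for the JID node `user`: the static ldap_filter AND-ed with an
    OR over every ldap_uids attribute, each with %u replaced by the node."""
    safe = escape_filter_value(user)
    uid_terms = "".join("(%s=%s)" % (attr, fmt.replace("%u", safe))
                        for attr, fmt in LDAP_UIDS)
    return "(&%s(|%s))" % (LDAP_FILTER, uid_terms)


def vcard_from_entry(entry: dict) -> dict:
    """Apply ldap_vcard_map to one entry (attribute -> single value).
    Fields whose attributes are all missing are left out of the vCard."""
    vcard = {}
    for field, fmt, attrs in VCARD_MAP:
        values = [entry.get(a, "") for a in attrs]
        if any(values):
            vcard[field] = fmt.replace("%s", "{}").format(*values).strip()
    return vcard


if __name__ == "__main__":
    print(build_user_filter("ivanov"))
    print(vcard_from_entry(SAMPLE_ENTRY))
```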

ejabberdctl.cfg is left unchanged

inetrc:
{lookup,["file","native"]}.
%%% {host,{127,0,0,1}, ["localhost","hostalias"]}.
{host,{127,0,0,1}, ["company.ru","hostalias"]}.
{file, resolv, "/etc/resolv.conf"}.


See also:
http://ru.wikipedia.org/wiki/Ejabberd
http://habrahabr.ru/tag/ejabberd/


Questions go in the comments.

2 comments:

  1. If anyone is interested, I can separately describe how to build an .exe with a preconfigured PSI, so that the user only has to enter their email and password.

  2. Do tell, that would be interesting.
