Table des matières

Installation d'Ejabberd sur CentOS

Ejabberd est un serveur xmpp (jabber) robuste, écrit en erlang. Ce how-to décrit l'installation sur une CentOS

Installation d'une CentOS de base

Suivre ce how-to pour l'installation de base

Configuration des dépôts tiers

Suivre ce how-to pour configurer les dépôts tiers

Installer Ejabberd

Le dépôt EPEL propose un paquet pour Ejabberd

yum --enablerepo=epel install ejabberd

On peut aussi installer le serveur mysql pour le stockage des données

yum install mysql-server

Ainsi que les modules supplémentaires pour Ejabberd (intégrant entre autre le driver mysql natif)

yum --enablerepo=fws-testing install ejabberd-modules

Préparations

Par soucis de performance, et de facilité d'administration, nous allons utiliser une base MySQL pour stocker les informations relatives au serveur jabber (par défaut, Ejabberd utilise une base Mnesia, fournit par erlang)

Configuration de mysqld

Ejabberd a besoin du moteur InnoDB, il faut donc l'activer. Il faut aussi activer l'écoute sur le réseau (Ejabberd ne sachant pas communiquer avec un socket UNIX)

Voici un exemple de configuration my.cnf (à ajuster en fonction des besoins)

cp -a /etc/my.cnf /etc/my.cnf.default
echo '' > /etc/my.cnf
vim /etc/my.cnf

Puis y placer les ligne suivantes:

[mysqld]
pid-file=/var/run/mysqld/mysqld.pid
basedir=/usr
datadir=/var/lib/mysql
innodb_data_home_dir = /var/lib/mysql/
innodb_data_file_path = ibdata1:10M:autoextend
innodb_log_group_home_dir = /var/lib/mysql/
innodb_log_arch_dir = /var/lib/mysql/
innodb_buffer_pool_size = 16M
innodb_additional_mem_pool_size = 2M
innodb_log_file_size = 5M
innodb_log_buffer_size = 8M
innodb_flush_log_at_trx_commit = 1
innodb_lock_wait_timeout = 50
innodb_file_per_table

socket=/var/lib/mysql/mysql.sock
# networking is enabled
log-error=/var/log/mysqld.log
max_allowed_packet=16M
user=mysql

[mysqld_safe]

Création d'un mot de passe root (mysql)

/usr/bin/openssl rand -base64 60 | tr -c -d '[:alnum:]' > ~/.my.pw
chmod 600 ~/.my.pw
/usr/bin/mysqladmin -u root password $(cat ~/.my.pw)
echo '[client]' > ~/.my.cnf
echo "password="$(cat ~/.my.pw) >> ~/.my.cnf

Création d'une base de donnée pour Ejabberd

/usr/bin/openssl rand -base64 50 | tr -c -d '[:alnum:]' > /etc/ejabberd/db.pw
chmod 600 /etc/ejabberd/db.pw
mysql -e 'create database ejabberd'
mysql -e "grant all privileges on ejabberd.* to 'ejabberd'@'localhost' identified by $(cat /etc/ejabberd/db.pw)"
mysql -e 'flush privileges'

Importation du schéma pour Ejabberd

mysql ejabberd < /usr/share/doc/ejabberd-modules-0.1/mysql.sql

Configuration de de base

Le fichier de configuration d'Ejabberd est /etc/ejabberd/ejabberd.cfg La syntaxe est en erlang

Voici un exemple:

% Users that have admin access.  Add line like one of the following after you
% will be successfully registered on server to get admin access:
{acl, admin, {user, "admin"}}.
% {acl, admin, {user, "user1"}}.
 
% Local users:
{acl, local, {user_regexp, ""}}.
 
% Blocked users:
%{acl, blocked, {user, "test"}}.
 
% Everybody can create pubsub nodes
{access, pubsub_createnode, [{allow, all}]}.
 
 
% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.
 
% Registration is disabled
{access, register, [{deny,all}]}.
 
% Only admins can send announcement messages :
{access, announce, [{allow, admin}]}.
 
% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
               {allow, all}]}.
 
% Set shaper with name "normal" to limit traffic speed to 1000B/s
{shaper, normal, {maxrate, 1000}}.
 
% Set shaper with name "fast" to limit traffic speed to 50000B/s
{shaper, fast, {maxrate, 50000}}.
 
% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.
 
% For all S2S connections used "fast" shaper
{access, s2s_shaper, [{fast, all}]}.
 
% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.
 
% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.
{access, muc_log, [{allow, admin}, {deny, all}]}.
 
 
% Allow access only for local users:
{access, local, [{allow, local}]}.
 
 
%% Being Acls for MSN users
 
% This example will deny communication with MSN users, except
% The ones listed in good_msn_users
 
% Requires mod_filter
 
{acl, good_msn_users, {user, "user1\\40hotmail.com", "msn.domain.tld"}}.
{acl, good_msn_users, {user, "user2\\40hotmail.fr", "msn.domain.tld"}}.
{acl, good_msn_users, {user, "", "msn.domain.tld"}}.
{acl, msn_users, {server_glob, "msn*"}}.
 
{access, mod_filter, [{allow, all}]}.
{access, mod_filter_presence, [{allow, all}]}.
{access, mod_filter_message, [{allow, all}]}.
{access, mod_filter_iq, [{allow, all}]}.
 
{access, mod_filter, [
  % Filter incoming messages; allow only good messages
  {allow, good_msn_users},
  {deny, msn_users},
  % Filter the rest, including outgoing messages
  {filter_msn, all}
]}.
 
{access, filter_msn, [
  % Users can send messages to good MSN users
  {allow, good_msn_users},
  % but not to other MSN users
  {deny, msn_users},
  % All non-MSN traffic is allowed
  {allow, all}
]}.
 
%% End filter example
 
% Auth MySQL
{auth_method, odbc}.
 
% mysql database access, with native mysql driver
{odbc_server, {mysql, "localhost", "ejabberd", "ejabberd", "__SECRET__"}}.
 
% Host name:
{hosts, ["domain.tld"]}.
 
 
%% Define the maximum number of time a single user is allowed to connect:
{max_user_sessions, 10}.
 
% Default language for server messages
{language, "fr"}.
 
% Listened ports:
{listen, [
       % Standard port 5222 with TLS support (and required)
       {5222, ejabberd_c2s,     [{access, c2s}, {shaper, c2s_shaper}, starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"}]},
       % Deprecated SSL port on 5223
       {5223, ejabberd_c2s,     [{access, c2s}, tls, {certfile, "/etc/ejabberd/ejabberd.pem"}]}
 
       % Uncomment this line to allow s2s connections:
       % ,{5269, ejabberd_s2s_in,  [{shaper, s2s_shaper}, {max_stanza_size, 131072}]}
 
       % Example of transport configuration
       % ,{5347, ejabberd_service, [{host, "msn.domain.tld",
       %         [{password, "secret"}]}]}
]}.
 
% If SRV lookup fails, then port 5269 is used to communicate with remote server
% Uncomment this line to allow s2s connections
% {outgoing_s2s_port, 5269}.
 
% Modules
{modules,
 [  
%  {mod_register,   [{access, register}]},
  {mod_roster_odbc,     []},
  {mod_privacy_odbc,    []},
  {mod_adhoc,      []},
  {mod_configure,  []}, % Depends on mod_adhoc
  {mod_configure2, []},
  {mod_disco,      []},
  {mod_stats,      []},
  {mod_vcard_odbc, []},
  %% if you prefer ldap based vcard service, use the following
  %% adapt it to your needs
%  {mod_vcard_ldap,
%   [
%    {ldap_base, "ou=Users,dc=domain,dc=tld"},
%    {ldap_filter, "(objectClass=inetOrgPerson)"},
%    {ldap_vcard_map,
    %% vcard patterns
%     [{"NICKNAME", "%u", []}, % just use user's part of JID as his nickname
%      {"GIVEN", "%s", ["givenName"]},
%      {"FAMILY", "%s", ["sn"]},
%      {"FN", "%s, %s", ["sn", "givenName"]}, % example: "Smith, John"
%      {"EMAIL", "%s", ["mail"]},
%      {"BDAY", "%s", ["birthDay"]},
%      {"ORGNAME", "%s", ["o"]},
%      {"ORGUNIT", "%s", ["ou"]},
%      {"LOCALITY", "%s", ["l"]},
%      {"STREET", "%s", ["Street"]},
%      {"TEL", "%s", ["Phone"]}
%     ]},
%    %% Search form
%    {ldap_search_fields,
%     [{"User", "%u"},
%      {"Name", "givenName"},
%      {"Family Name", "sn"},
%      {"Email", "mail"}]},
%    %% vCard fields to be reported
%    %% Note that JID is always returned with search results
%    {ldap_search_reported,
%     [{"Full Name", "FN"},
%      {"Nickname", "NICKNAME"}]}
%  ]},
%  {mod_vcard_odbc, []},
  {mod_caps,       []},
  {mod_offline_odbc,    []},
  {mod_announce,   [{access, announce}]}, % Depends on mod_adhoc
  {mod_private_odbc,    []},
  {mod_irc,        []},
% Default options for mod_muc:
%   host: "conference." ++ ?MYNAME
%   access: all
%   access_create: all
%   access_admin: none (only room creator has owner privileges)
  {mod_muc,        [{access, muc}, {access_create, muc}, {access_admin, muc_admin}]},
  {mod_muc_log,    []},
  {mod_shared_roster, []},
  {mod_pubsub,     [
    {access_createnode, pubsub_createnode},
    {plugins, ["flat", "hometree", "pep"]}
  ]},
  {mod_time,       []},
  {mod_last_odbc,       []},
%  {mod_xmlrpc,[{port, 4560},{timeout, 5000}]},
  {mod_version,    []},
  {mod_admin_extra,    []},
%  {mod_archive_odbc, [{database_type, "mysql"},
%                      {default_auto_save, true},
%                      {enforce_default_auto_save, false},
%                      {default_expire, infinity},
%                      {enforce_min_expire, 0},
%                      {enforce_max_expire, infinity},
%                      {replication_expire, 31536000},
%                      {session_duration, 1800},
%                      {wipeout_interval, 86400}]},
% {mod_log_chat,  [{path, "/var/log/ejabberd/chat"}, {format, text}]},
 
 
  {mod_echo,       [{host, "echo.domain.tld"}]}
 ]}.
 
%%% Local Variables:
%%% mode: erlang
%%% End:

On remplace maintenant par le mot de passe mysql pour ejabberd:

export PASS=$(cat /etc/ejabberd/db.pw)
sed -i -e "s/__SECRET/$PASS/g" /etc/ejabberd/ejabberd.cfg
unset PASS

Installer spectrum

Spectrum permet de fournir des passerelles (transports) entre xmpp et d'autres protocoles. Il supportes de nombreux protocoles, dont MSN. Il est disponible dans le dépôt EPEL également

yum --enablerepo=epel install spectrum

Configurer la passerelle MSN

Il faut d'abord créer le fichier de configuration /etc/spectrum/msn.cfg

[service]
# enable this spectrum instance
enable=1

# one of: aim, facebook, gg, icq, irc, msn, myspace, qq, simple, xmpp, yahoo
protocol=msn

# component ip
server=127.0.0.1

# if use_proxy is 1, the http_proxy env var will be used as the proxy server
# for example export http_proxy="http://user:passwd@your.proxy.server:port/"
use_proxy=0

# component JID
jid=$protocol.domain.tld

# component secret
password=secret

# component port
port=5347

config_interface = /var/run/spectrum/$jid.sock

# IP:port where filetransfer proxy binds to. This has to be public IP.
#filetransfer_bind_address=192.0.2.1:12345

# IP:port which will be sent in filetransfer request as stream host.
#filetransfer_public_address=192.0.2.1:12345

# admin JIDs - Jabber IDs of transport administrators who have access to admin adhoc commands
# separated by semicolons
#admins=admin@example.com;foo@bar.cz

# directory where downloaded files will be saved
filetransfer_cache=/var/lib/spectrum/filetransfer_cache

# URL used to acces filestransfer_cache directory from the web.
filetransfer_web=http://example.com/files/

# name of transport (this will appear in service discovery)
name=MSN Transport

# default language
language=fr

# transport features separated by semicolons
# combination of: avatars, chatstate, filetransfer
# if commented, all features will be used
# This variable is DEPRECATED and will be removed in future versions. Use [features] instead.
#transport_features = avatars;chatstate;filetransfer

# if vip_mode is 1, users are divided to 2 groups according to 'vip' database field
vip_mode=0

# if vip_mode is 1, you can set transport to be availabe only for VIP users by setting only_for_vip to 1.
only_for_vip=0

# if vip_mode is 1 and only_for_vip is 1, users can connect from these servers even they are not VIP.
# This feature is useful, if you want to enable transport only for users from your server, but also want
# to give access to VIP users from other servers (for example from GTalk)
# seperated by semicolons
allowed_servers=localhost;domain.tld

# transport features separated by semicolons which will be used for VIP users.
# combination of: avatars, chatstate, filetransfer
# if commented, all features will be used
# This variable is DEPRECATED and will be removed in future versions.  Use [vip-features] instead.
#vip_features = avatars;chatstate;filetransfer

# pid file
pid_file=/var/run/spectrum/$jid.pid

# require_tls to connect legacy network
#require_tls=false

# Eventloop used by Spectrum. Allows to change default use of poll to epoll,
# which should be faster and handles more connections better.
# WARNING: some 3rd party libpurple protocol plugins are not prepared to be
# used with different eventloop, but protocols included in libpurple by default
# works OK.
#eventloop=glib

[registration]
# Set to 0 to disable transport registration to everyone except
# people from host from allowed_servers list.
enable_public_registration=0

# You can override username registered by transport user. This is useful
# for example if you want to let users to register only their Facebook name
# and internally connect them to facebook_name@chat.facebook.com.
# $username variable is replaced by username which has been registered
# by particular user. 
#username_mask = $username@chat.facebook.com

# This option allows you to white-list newly created accounts according
# to regexp. for example allowed_usernames=*.\.gmail\.com$ will allow only
# GTalk users to register. If you use username_mask, then username_mask is
# applied before this option.
allowed_usernames=*.\.firewall-services\.com$

# Label used to described username field in registration form
#username_label = Facebook username

# This variable overrides default instructions text in registration form.
#instructions = Type your Facebook name here:

# Transport features, all features are enabled by default.
[features]
#filetransfer=1
#avatars=1
#chatstates=1
#statistics=1

# Transport features for VIP users, all features are enabled by default.
[vip-features]
#filetransfer=1
#avatars=1
#chatstates=1

[logging]
# log file, needs to be unique for each spectrum instance
log_file=/var/log/spectrum/$jid.log

# log areas
# combination of: xml, purple
log_areas=xml;purple

[database]
# mysql or sqlite
type=sqlite

# hostname (not needed for sqlite)
#host=localhost

# username (not needed for sqlite)
#user=user

# password (not needed for sqlite)
#password=password
# sqlite: set path to database file here
# mysql: set to name of database
database=/var/lib/spectrum/$jid/database.sqlite
# table prefix for multiple transport instances sharing the same database
#prefix=icq_

[purple]
# avatar, vcard, roster storage
# needs to be unique for each spectrum instance
userdir=/var/lib/spectrum/$jid/userdir

Puis, il faut démarrer spectrum:

/etc/init.d/spectrum start

Les logs d'Ejabberd devraient indiquer qu'un nouveau composant s'est enregistré

Activer les services

Une fois que tout est fonctionnel, il ne reste qu'à configurer les différents services pour qu'ils démarrent automatiquement:

chkconfig ejabberd on
chkconfig mysqld on
chkconfig spectrum on