Ceci est une ancienne révision du document !
Options "avancées" pour Ejabberd
HTTP bind et HTTP poll
Ejabberd supporte les méthodes HTTP Bind et HTTP Poll (souvent utilisé par les clients web). Pour l'activer sur SME, il faut créer quelques templates-custom pour ejabberd (pour activer la fonction uniquement sur le loopback), et pour apache, pour permettre d'accéder à l'HTTP Bind ou l'HTTP Poll à travers une directive ProxyPass
mkdir -p /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/ cat <<'EOF' > /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/80Ports30http { $OUT .= "\n".' % http_bind interface, restrict it to 127.0.0.1, external access is handled by'."\n". ' % ProxyPass directives in apache'."\n"; $OUT .= ' '; $OUT .= '%' unless (((${'ejabberd'}{'HTTPBind'} || 'disabled') || (${'ejabberd'}{'HTTPPoll'} || 'disabled')) || (${'ejabberd'}{'WebAdmin'} || 'disabled') eq 'enabled'); $OUT .= ',{5280, ejabberd_http, [ '; $OUT .= 'http_bind, ' if ((${'ejabberd'}{'HTTPBind'} || 'disabled') eq 'enabled'); $OUT .= 'http_poll, ' if ((${'ejabberd'}{'HTTPPoll'} || 'disabled') eq 'enabled'); $OUT .= 'web_admin, ' if ((${'ejabberd'}{'WebAdmin'} || 'disabled') eq 'enabled'); $OUT .= '{ip, {127, 0, 0, 1}} ]}'."\n"; } EOF
cat <<'EOF' > /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/85Modules { $OUT =<<'HERE'; % Used modules: {modules, [ {mod_register, [{access, register}]}, {mod_roster, []}, {mod_privacy, []}, {mod_adhoc, []}, {mod_configure, []}, % Depends on mod_adhoc {mod_configure2, []}, {mod_disco, []}, {mod_stats, []}, {mod_vcard, []}, {mod_caps, []}, {mod_offline, []}, {mod_announce, [{access, announce}]}, % Depends on mod_adhoc {mod_private, []}, {mod_irc, []}, % Default options for mod_muc: % host: "conference." ++ ?MYNAME % access: all % access_create: all % access_admin: none (only room creator has owner privileges) {mod_muc, [{access, muc}, {access_create, muc}, {access_admin, muc_admin}]}, {mod_muc_log, []}, {mod_shared_roster, []}, {mod_pubsub, [{access_createnode, pubsub_createnode}]}, {mod_time, []}, {mod_last, []}, % {mod_xmlrpc,[{port, 4560},{timeout, 5000}]}, {mod_version, []}, {mod_ctlextra, []}, HERE $OUT .= ' {mod_http_bind, []},'."\n" if (${'ejabberd'}{'HTTPBind'} || 'disabled') eq 'enabled'; $OUT .= ' {mod_echo, [{host, "echo.'; $OUT .= ${DomainName}; $OUT .= '"}]}'; $OUT .= "\n"; $OUT .= ' ]}.'; $OUT .= "\n\n"; } EOF
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ cat <<'EOF' > /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/98ejabberd { $OUT .= ''; if ((${'ejabberd'}{'WebAdmin'} || 'disabled') eq 'enabled'){ $OUT .=<<'HERE'; # ProxyPass requests for /xmpp-admin to ejabberd web_admin interface ProxyPass /xmpp-admin/ http://127.0.0.1:5280/admin/ ProxyPassReverse /xmpp-admin/ http://127.0.0.1:5280/admin/ <Location /xmpp-admin/> SSLRequireSSL on order deny, allow deny from all allow from $localAccess $externalSSLAccess </Location> HERE } if ((${'ejabberd'}{'HTTPBind'} || 'disabled') eq 'enabled'){ $OUT .=<<'HERE'; # ProxyPass requests for /http-bind to ejabberd http-bind interface ProxyPass /http-bind/ http://127.0.0.1:5280/http-bind/ ProxyPassReverse /http-bind/ http://127.0.0.1:5280/http-bind/ <Location /http-bind/> SSLRequireSSL on </Location> HERE } if ((${'ejabberd'}{'HTTPPoll'}) || 'disabled' eq 'enabled'){ $OUT .=<<'HERE'; # ProxyPass requests for /http-poll to ejabberd http-poll interface ProxyPass /http-poll/ http://127.0.0.1:5280/http-poll/ ProxyPassReverse /http-poll/ http://127.0.0.1:5280/http-poll/ <Location /http-poll/> SSLRequireSSL on </Location> HERE } } EOF
Maintenant, les deux fonctions peuvent être contrôlé via une clef dans la DB
db configuration setprop ejabberd HTTPBind enabled expand-template /etc/httpd/conf/httpd.conf sv t /service/httpd-e-smith signal-event ejabberd-update
db configuration setprop ejabberd HTTPPoll enabled expand-template /etc/httpd/conf/httpd.conf sv t /service/httpd-e-smith signal-event ejabberd-update
Authentification pam
Ejabberd supporte l'authentification basée sur PAM, pour l'activer, il faut créer un petit templates-custom:
mkdir -p /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/ cat <<'EOF' > /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/55AuthConf { $OUT =<<'HERE'; % Authentication method. If you want to use internal user base, then use % this line: {auth_method, [internal,pam]}. HERE } EOF
Suivit d'un petit
signal-event ejabberd-update
Authentification LDAP
Sur SME8, on peut activer l'authentification LDAP (et on évite d'utiliser un binaire en SUID)
mkdir -p /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/ cat <<'EOF' > /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/55AuthConf { use esmith::util; our $base = esmith::util::ldapBase ($DomainName); $OUT =<<"HERE"; % LDAP Auth {auth_method, ldap}. % LDAP conf {ldap_servers, ["localhost"]}. {ldap_base, "ou=Users,$base"}. HERE } EOF
Puis:
signal-event ejabberd-update
Configurer mod_vcard_ldap
Allons-y gaiment, on a un serveur LDAP maintenant, on peut donc configurer le module mod_vcard_ldap, qui permettra (via vjud) de faire des recherches sur nos utilisateurs déclarés dans SME , il suffit d'éditer le template 85Modules, et de remplacer la ligne
{mod_vcard, []},
Par:
{mod_vcard_ldap, [ {ldap_base, "ou=Users,$base"}, {ldap_filter, "(objectClass=inetOrgPerson)"}, {ldap_vcard_map, %% vcard patterns [{"NICKNAME", "%u", []}, % just use user's part of JID as his nickname {"GIVEN", "%s", ["givenName"]}, {"FAMILY", "%s", ["sn"]}, {"FN", "%s, %s", ["sn", "givenName"]}, % example: "Smith, John" {"EMAIL", "%s", ["mail"]}, {"BDAY", "%s", ["birthDay"]}, {"ORGNAME", "%s", ["o"]}, {"ORGUNIT", "%s", ["ou"]}, {"LOCALITY", "%s", ["l"]}, {"STREET", "%s", ["Street"]}, {"TEL", "%s", ["Phone"]} ]}, %% Search form {ldap_search_fields, [{"User", "%u"}, {"Name", "givenName"}, {"Family Name", "sn"}, {"Email", "mail"}]}, %% vCard fields to be reported %% Note that JID is always returned with search results {ldap_search_reported, [{"Full Name", "FN"}, {"Nickname", "NICKNAME"}]} ]},
Configurer mod_shared_roster_ldap
mod_shared_roster_ldap permet de créer automatiquement un roster pour les nouveaux utilisateurs, basé sur un annuaire LDAP. Pour le configurer, il faut rajouter une section comme ceci dans la partie modules du ficheir ejabberd.cfg:
{mod_shared_roster_ldap,[ {ldap_base, "dc=firewall-services,dc=com"}, {ldap_rfilter, "(objectClass=mailboxRelatedObject)"}, {ldap_groupattr, "cn"}, {ldap_groupdesc, "description"}, {ldap_memberattr, "memberUid"}, {ldap_useruid, "uid"}, {ldap_userdesc, "cn"} ]},
Si on veut limiter à un nombre précis de groupe, il suffit de l'ajouter dans le filtre, comme ceci:
{mod_shared_roster_ldap,[ {ldap_base, "dc=firewall-services,dc=com"}, {ldap_rfilter, "(objectClass=mailboxRelatedObject)"}, {ldap_gfilter, "(|(cn=techniciens)(cn=ventes)(cn=equipe))"}, {ldap_groupattr, "cn"}, {ldap_groupdesc, "description"}, {ldap_memberattr, "memberUid"}, {ldap_useruid, "uid"}, {ldap_userdesc, "cn"} ]},
Seuls les groupes techniciens, ventes et equipe seront recherchés
Configurer mod_archive
On va utiliser pour ceci le module mod_archive_odbc (voir http://www.ndl.kiev.ua/content/mod_archive_odbc-release). Pour cela, on va devoir installer des modules supplémentaires pour ejabberd:
yum --enablerepo=fws install ejabberd-modules
Puis, il faut créer une base de donnée mysql et y ajouter le schéma nécessaire:
openssl rand -base64 40 > ejabberd.pw chmod 600 ejabberd.pw PW=$(cat ./ejabberd.pw) db configuration setprop ejabberd DbName ejabberd DbUser ejabberd DbPassword $PW mysql -e "create database ejabberd" mysql -e "grant all privileges on ejabberd.* to 'ejabberd'@'localhost' identified by '$PW'" mysql -e "flush privileges" mysql ejabberd < /usr/share/doc/ejabberd-modules-0.1/mod_archive_odbc_mysql.sql
Puis, on rajoute la configuration nécessaire dans le fichier ejabberd.cfg:
- Dans la section modules
{mod_archive_odbc, [{database_type, "mysql"}, {default_auto_save, true}, {enforce_default_auto_save, false}, {default_expire, infinity}, {enforce_min_expire, 0}, {enforce_max_expire, infinity}, {replication_expire, 31536000}, {session_duration, 1800}, {wipeout_interval, 86400}]}
- Au niveau global (format templates SME)
cat <<EOF > /etc/e-smith/templates-custom/etc/ejabberd/ejabberd.cfg/10database % mysql database access \{odbc_server, \{mysql, "localhost", "{"\$ejabberd{DbName}"}", "{"\$ejabberd{DbUser}"}", "{"\$ejabberd{DbPassword}"}"\}\}. EOF