Installation d'Ejabberd sur CentOS
Ejabberd est un serveur xmpp (jabber) robuste, écrit en erlang. Ce how-to décrit l'installation sur une CentOS
Installation d'une CentOS de base
Suivre ce how-to pour l'installation de base
Configuration des dépôts tiers
Suivre ce how-to pour configurer les dépôts tiers
Installer Ejabberd
Le dépôt EPEL propose un paquet pour Ejabberd
yum --enablerepo=epel install ejabberd
On peut aussi installer le serveur mysql pour le stockage des données
yum install mysql-server
Ainsi que les modules supplémentaires pour Ejabberd (intégrant entre autre le driver mysql natif)
yum --enablerepo=fws-testing install ejabberd-modules
Préparations
Par soucis de performance, et de facilité d'administration, nous allons utiliser une base MySQL pour stocker les informations relatives au serveur jabber (par défaut, Ejabberd utilise une base Mnesia, fournit par erlang)
Configuration de mysqld
Ejabberd a besoin du moteur InnoDB, il faut donc l'activer. Il faut aussi activer l'écoute sur le réseau (Ejabberd ne sachant pas communiquer avec un socket UNIX)
Voici un exemple de configuration my.cnf (à ajuster en fonction des besoins)
cp -a /etc/my.cnf /etc/my.cnf.default echo '' > /etc/my.cnf vim /etc/my.cnf
Puis y placer les ligne suivantes:
[mysqld] pid-file=/var/run/mysqld/mysqld.pid basedir=/usr datadir=/var/lib/mysql innodb_data_home_dir = /var/lib/mysql/ innodb_data_file_path = ibdata1:10M:autoextend innodb_log_group_home_dir = /var/lib/mysql/ innodb_log_arch_dir = /var/lib/mysql/ innodb_buffer_pool_size = 16M innodb_additional_mem_pool_size = 2M innodb_log_file_size = 5M innodb_log_buffer_size = 8M innodb_flush_log_at_trx_commit = 1 innodb_lock_wait_timeout = 50 innodb_file_per_table socket=/var/lib/mysql/mysql.sock # networking is enabled log-error=/var/log/mysqld.log max_allowed_packet=16M user=mysql [mysqld_safe]
Création d'un mot de passe root (mysql)
/usr/bin/openssl rand -base64 60 | tr -c -d '[:alnum:]' > ~/.my.pw chmod 600 ~/.my.pw /usr/bin/mysqladmin -u root password $(cat ~/.my.pw) echo '[client]' > ~/.my.cnf echo "password="$(cat ~/.my.pw) >> ~/.my.cnf
Création d'une base de donnée pour Ejabberd
/usr/bin/openssl rand -base64 50 | tr -c -d '[:alnum:]' > /etc/ejabberd/db.pw chmod 600 /etc/ejabberd/db.pw mysql -e 'create database ejabberd' mysql -e "grant all privileges on ejabberd.* to 'ejabberd'@'localhost' identified by $(cat /etc/ejabberd/db.pw)" mysql -e 'flush privileges'
Importation du schéma pour Ejabberd
mysql ejabberd < /usr/share/doc/ejabberd-modules-0.1/mysql.sql
Configuration de de base
Le fichier de configuration d'Ejabberd est /etc/ejabberd/ejabberd.cfg La syntaxe est en erlang
Voici un exemple:
% Users that have admin access. Add line like one of the following after you % will be successfully registered on server to get admin access: {acl, admin, {user, "admin"}}. % {acl, admin, {user, "user1"}}. % Local users: {acl, local, {user_regexp, ""}}. % Blocked users: %{acl, blocked, {user, "test"}}. % Everybody can create pubsub nodes {access, pubsub_createnode, [{allow, all}]}. % Only admins can use configuration interface: {access, configure, [{allow, admin}]}. % Registration is disabled {access, register, [{deny,all}]}. % Only admins can send announcement messages : {access, announce, [{allow, admin}]}. % Only non-blocked users can use c2s connections: {access, c2s, [{deny, blocked}, {allow, all}]}. % Set shaper with name "normal" to limit traffic speed to 1000B/s {shaper, normal, {maxrate, 1000}}. % Set shaper with name "fast" to limit traffic speed to 50000B/s {shaper, fast, {maxrate, 50000}}. % For all users except admins used "normal" shaper {access, c2s_shaper, [{none, admin}, {normal, all}]}. % For all S2S connections used "fast" shaper {access, s2s_shaper, [{fast, all}]}. % Admins of this server are also admins of MUC service: {access, muc_admin, [{allow, admin}]}. % All users are allowed to use MUC service: {access, muc, [{allow, all}]}. {access, muc_log, [{allow, admin}, {deny, all}]}. % Allow access only for local users: {access, local, [{allow, local}]}. %% Being Acls for MSN users % This example will deny communication with MSN users, except % The ones listed in good_msn_users % Requires mod_filter {acl, good_msn_users, {user, "user1\\40hotmail.com", "msn.domain.tld"}}. {acl, good_msn_users, {user, "user2\\40hotmail.fr", "msn.domain.tld"}}. {acl, good_msn_users, {user, "", "msn.domain.tld"}}. {acl, msn_users, {server_glob, "msn*"}}. {access, mod_filter, [{allow, all}]}. {access, mod_filter_presence, [{allow, all}]}. {access, mod_filter_message, [{allow, all}]}. {access, mod_filter_iq, [{allow, all}]}. {access, mod_filter, [ % Filter incoming messages; allow only good messages {allow, good_msn_users}, {deny, msn_users}, % Filter the rest, including outgoing messages {filter_msn, all} ]}. {access, filter_msn, [ % Users can send messages to good MSN users {allow, good_msn_users}, % but not to other MSN users {deny, msn_users}, % All non-MSN traffic is allowed {allow, all} ]}. %% End filter example % Auth MySQL {auth_method, odbc}. % mysql database access, with native mysql driver {odbc_server, {mysql, "localhost", "ejabberd", "ejabberd", "__SECRET__"}}. % Host name: {hosts, ["domain.tld"]}. %% Define the maximum number of time a single user is allowed to connect: {max_user_sessions, 10}. % Default language for server messages {language, "fr"}. % Listened ports: {listen, [ % Standard port 5222 with TLS support (and required) {5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"}]}, % Deprecated SSL port on 5223 {5223, ejabberd_c2s, [{access, c2s}, tls, {certfile, "/etc/ejabberd/ejabberd.pem"}]} % Uncomment this line to allow s2s connections: % ,{5269, ejabberd_s2s_in, [{shaper, s2s_shaper}, {max_stanza_size, 131072}]} % Example of transport configuration % ,{5347, ejabberd_service, [{host, "msn.domain.tld", % [{password, "secret"}]}]} ]}. % If SRV lookup fails, then port 5269 is used to communicate with remote server % Uncomment this line to allow s2s connections % {outgoing_s2s_port, 5269}. % Modules {modules, [ % {mod_register, [{access, register}]}, {mod_roster_odbc, []}, {mod_privacy_odbc, []}, {mod_adhoc, []}, {mod_configure, []}, % Depends on mod_adhoc {mod_configure2, []}, {mod_disco, []}, {mod_stats, []}, {mod_vcard_odbc, []}, %% if you prefer ldap based vcard service, use the following %% adapt it to your needs % {mod_vcard_ldap, % [ % {ldap_base, "ou=Users,dc=domain,dc=tld"}, % {ldap_filter, "(objectClass=inetOrgPerson)"}, % {ldap_vcard_map, %% vcard patterns % [{"NICKNAME", "%u", []}, % just use user's part of JID as his nickname % {"GIVEN", "%s", ["givenName"]}, % {"FAMILY", "%s", ["sn"]}, % {"FN", "%s, %s", ["sn", "givenName"]}, % example: "Smith, John" % {"EMAIL", "%s", ["mail"]}, % {"BDAY", "%s", ["birthDay"]}, % {"ORGNAME", "%s", ["o"]}, % {"ORGUNIT", "%s", ["ou"]}, % {"LOCALITY", "%s", ["l"]}, % {"STREET", "%s", ["Street"]}, % {"TEL", "%s", ["Phone"]} % ]}, % %% Search form % {ldap_search_fields, % [{"User", "%u"}, % {"Name", "givenName"}, % {"Family Name", "sn"}, % {"Email", "mail"}]}, % %% vCard fields to be reported % %% Note that JID is always returned with search results % {ldap_search_reported, % [{"Full Name", "FN"}, % {"Nickname", "NICKNAME"}]} % ]}, % {mod_vcard_odbc, []}, {mod_caps, []}, {mod_offline_odbc, []}, {mod_announce, [{access, announce}]}, % Depends on mod_adhoc {mod_private_odbc, []}, {mod_irc, []}, % Default options for mod_muc: % host: "conference." ++ ?MYNAME % access: all % access_create: all % access_admin: none (only room creator has owner privileges) {mod_muc, [{access, muc}, {access_create, muc}, {access_admin, muc_admin}]}, {mod_muc_log, []}, {mod_shared_roster, []}, {mod_pubsub, [ {access_createnode, pubsub_createnode}, {plugins, ["flat", "hometree", "pep"]} ]}, {mod_time, []}, {mod_last_odbc, []}, % {mod_xmlrpc,[{port, 4560},{timeout, 5000}]}, {mod_version, []}, {mod_admin_extra, []}, % {mod_archive_odbc, [{database_type, "mysql"}, % {default_auto_save, true}, % {enforce_default_auto_save, false}, % {default_expire, infinity}, % {enforce_min_expire, 0}, % {enforce_max_expire, infinity}, % {replication_expire, 31536000}, % {session_duration, 1800}, % {wipeout_interval, 86400}]}, % {mod_log_chat, [{path, "/var/log/ejabberd/chat"}, {format, text}]}, {mod_echo, [{host, "echo.domain.tld"}]} ]}. %%% Local Variables: %%% mode: erlang %%% End:
On remplace maintenant par le mot de passe mysql pour ejabberd:
export PASS=$(cat /etc/ejabberd/db.pw) sed -i -e "s/__SECRET/$PASS/g" /etc/ejabberd/ejabberd.cfg unset PASS
Installer spectrum
Spectrum permet de fournir des passerelles (transports) entre xmpp et d'autres protocoles. Il supportes de nombreux protocoles, dont MSN. Il est disponible dans le dépôt EPEL également
yum --enablerepo=epel install spectrum
Configurer la passerelle MSN
Il faut d'abord créer le fichier de configuration /etc/spectrum/msn.cfg
[service] # enable this spectrum instance enable=1 # one of: aim, facebook, gg, icq, irc, msn, myspace, qq, simple, xmpp, yahoo protocol=msn # component ip server=127.0.0.1 # if use_proxy is 1, the http_proxy env var will be used as the proxy server # for example export http_proxy="http://user:passwd@your.proxy.server:port/" use_proxy=0 # component JID jid=$protocol.domain.tld # component secret password=secret # component port port=5347 config_interface = /var/run/spectrum/$jid.sock # IP:port where filetransfer proxy binds to. This has to be public IP. #filetransfer_bind_address=192.0.2.1:12345 # IP:port which will be sent in filetransfer request as stream host. #filetransfer_public_address=192.0.2.1:12345 # admin JIDs - Jabber IDs of transport administrators who have access to admin adhoc commands # separated by semicolons #admins=admin@example.com;foo@bar.cz # directory where downloaded files will be saved filetransfer_cache=/var/lib/spectrum/filetransfer_cache # URL used to acces filestransfer_cache directory from the web. filetransfer_web=http://example.com/files/ # name of transport (this will appear in service discovery) name=MSN Transport # default language language=fr # transport features separated by semicolons # combination of: avatars, chatstate, filetransfer # if commented, all features will be used # This variable is DEPRECATED and will be removed in future versions. Use [features] instead. #transport_features = avatars;chatstate;filetransfer # if vip_mode is 1, users are divided to 2 groups according to 'vip' database field vip_mode=0 # if vip_mode is 1, you can set transport to be availabe only for VIP users by setting only_for_vip to 1. only_for_vip=0 # if vip_mode is 1 and only_for_vip is 1, users can connect from these servers even they are not VIP. # This feature is useful, if you want to enable transport only for users from your server, but also want # to give access to VIP users from other servers (for example from GTalk) # seperated by semicolons allowed_servers=localhost;domain.tld # transport features separated by semicolons which will be used for VIP users. # combination of: avatars, chatstate, filetransfer # if commented, all features will be used # This variable is DEPRECATED and will be removed in future versions. Use [vip-features] instead. #vip_features = avatars;chatstate;filetransfer # pid file pid_file=/var/run/spectrum/$jid.pid # require_tls to connect legacy network #require_tls=false # Eventloop used by Spectrum. Allows to change default use of poll to epoll, # which should be faster and handles more connections better. # WARNING: some 3rd party libpurple protocol plugins are not prepared to be # used with different eventloop, but protocols included in libpurple by default # works OK. #eventloop=glib [registration] # Set to 0 to disable transport registration to everyone except # people from host from allowed_servers list. enable_public_registration=0 # You can override username registered by transport user. This is useful # for example if you want to let users to register only their Facebook name # and internally connect them to facebook_name@chat.facebook.com. # $username variable is replaced by username which has been registered # by particular user. #username_mask = $username@chat.facebook.com # This option allows you to white-list newly created accounts according # to regexp. for example allowed_usernames=*.\.gmail\.com$ will allow only # GTalk users to register. If you use username_mask, then username_mask is # applied before this option. allowed_usernames=*.\.firewall-services\.com$ # Label used to described username field in registration form #username_label = Facebook username # This variable overrides default instructions text in registration form. #instructions = Type your Facebook name here: # Transport features, all features are enabled by default. [features] #filetransfer=1 #avatars=1 #chatstates=1 #statistics=1 # Transport features for VIP users, all features are enabled by default. [vip-features] #filetransfer=1 #avatars=1 #chatstates=1 [logging] # log file, needs to be unique for each spectrum instance log_file=/var/log/spectrum/$jid.log # log areas # combination of: xml, purple log_areas=xml;purple [database] # mysql or sqlite type=sqlite # hostname (not needed for sqlite) #host=localhost # username (not needed for sqlite) #user=user # password (not needed for sqlite) #password=password # sqlite: set path to database file here # mysql: set to name of database database=/var/lib/spectrum/$jid/database.sqlite # table prefix for multiple transport instances sharing the same database #prefix=icq_ [purple] # avatar, vcard, roster storage # needs to be unique for each spectrum instance userdir=/var/lib/spectrum/$jid/userdir
Puis, il faut démarrer spectrum:
/etc/init.d/spectrum start
Les logs d'Ejabberd devraient indiquer qu'un nouveau composant s'est enregistré
Activer les services
Une fois que tout est fonctionnel, il ne reste qu'à configurer les différents services pour qu'ils démarrent automatiquement:
chkconfig ejabberd on chkconfig mysqld on chkconfig spectrum on