This is out-dated documentation. Please go to http://jabberd.org/ for up-to-date documentation.

Jabberd 1.4.x Administration Guide - External authentication

This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).

When installing Jabber on an intranet or corporate site, you will most likely already have accounts for your users. As of version 1.4.2 of the jabberd server it is possible to use external authentication mechanisms. This has the following advantages:

  1. Users do not have to remember another username/password pair for the new service.

  2. Admins do not have to keep two sets of user accounts in sync.

To set this up you will need the xdb_auth_cpile component by Chris Pile. This component implements external authentication in a generic way, so that with little configuration your jabberd server will validate usernames and passwords against any of the following services: RADIUS, PAM, LDAP, IMAP, POP3, Samba or MySQL. Because of the generic design you can easily add other services to validate against if you need something more specific.



Here we show, as an example, how to add IMAP authentication to your jabberd server.

The first step is to download and install xdb_auth_cpile. The component is written in Perl, so nothing needs to be compiled, but it depends on other Jabber Perl modules (Jabber::Connection), which you may need to fetch from CPAN.

The component comes with an XML configuration file like this one:

        <config>
          <script>
            <logfile>./xdb_auth.log</logfile>
            <pidfile>./xdb_auth.pid</pidfile>
            <!-- debug can be "1" or "0" (on/off) -->
            <debug>0</debug>
          </script>
          <connection>
            <id>xdb_auth_cpile</id>
            <ip>127.0.0.1</ip>
            <port>5999</port>
            <secret>testing</secret>
          </connection>
        </config>

At this point we have configured the component's connection to the jabberd server. As always, do not keep the default secret, even though the two will only talk over localhost: the secret is what lets jabberd tell the real component apart from any other local process that connects to the accept port. Next, rename one of the example authentication submodules, xdb_auth_cpile.pm.imap in our case, to xdb_auth_cpile.pm. Finally, edit that file so it points at your IMAP server, mail.example.org here:

      my $imap_server = "mail.example.org";



Next, configure the jabberd server to talk to the component. Edit your jabber.xml and add an <xdb/> section for the component that claims the jabber:iq:auth namespace and uses the same IP, port and secret as the component's own configuration:

        <jabber>
          <xdb id="xdb_auth_cpile">
            <host/>
            <ns>jabber:iq:auth</ns>
            <accept>
              <ip>127.0.0.1</ip>
              <port>5999</port>
              <secret>testing</secret>
            </accept>
          </xdb>

          <!--
          This is the Jabber server configuration file. The file is
          .
          .



Now add an empty <ns/> tag to the existing generic <xdb> section. The empty <ns/> is the wildcard that keeps the file-based xdb handling every namespace other than jabber:iq:auth, which is now served by xdb_auth_cpile:

          <xdb id="xdb">
            <host/>
            <!-- below is the extra <ns/> tag -->
            <ns/>
            <load>
              <xdb_file>./xdb_file/xdb_file.so</xdb_file>
            </load>
            <xdb_file xmlns="jabber:config:xdb_file">
              <spool><jabberd:cmdline flag='s'>./spool</jabberd:cmdline></spool>
            </xdb_file>
          </xdb>



The real final step is to disable Zero-Knowledge and Digest authentication in the jsm module list, so that xdb_auth_cpile receives the password in clear text. It needs the plaintext password because the only thing it can do with it is attempt an IMAP login; a digest or zero-knowledge hash cannot be verified against the IMAP server:

      <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
      <!--
      <mod_auth_digest>./jsm/jsm.so</mod_auth_digest>

      <mod_auth_0k>./jsm/jsm.so</mod_auth_0k>
      -->

Once the server is restarted with the new configuration, start the auth script:

        ./xdb_auth_cpile.pl config_file

If no config file is specified on the command line, it will attempt to load the config file ./xdb_auth_cpile.xml.

We are now done. You should be able to log in to your server with your existing external username and password. Note also that if you do not disable mod_register, a Jabber account is created automatically on the first successful login.

As a side note, passwords travel in clear text because that is the form in which xdb_auth_cpile needs them. If you care at all about security, set up SSL on the Jabber server so that the client-to-server connection carrying the plaintext password is encrypted.
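The configuration points above (a non-default component secret, the component socket bound to loopback, the empty <ns/> on the generic xdb, mod_auth_plain loaded and mod_auth_digest/mod_auth_0k disabled) are easy to get wrong when editing jabber.xml by hand. The following is an added example, not part of this guide or of xdb_auth_cpile: a small audit script that parses jabber.xml and lists which of those points are violated. The two configurations embedded in it are constructed for the example; the <jabberd:cmdline/> element used by the stock jabber.xml is left out of them because that prefix is used without a namespace declaration, which a strict XML parser rejects.

```python
# Added example: audit a jabberd 1.4.x jabber.xml for the xdb_auth_cpile
# configuration points made in the guide above. Not part of the guide or of
# xdb_auth_cpile itself.
import xml.etree.ElementTree as ET

DEFAULT_SECRET = "testing"       # the secret shipped in the example config
AUTH_XDB_ID = "xdb_auth_cpile"   # id of the external-auth xdb section


def audit_jabber_xml(xml_text):
    """Return a list of findings; an empty list means the config matches the guide."""
    root = ET.fromstring(xml_text)   # XML comments are dropped, so commented-out modules vanish
    findings = []

    xdbs = list(root.iter("xdb"))
    auth = next((x for x in xdbs if x.get("id") == AUTH_XDB_ID), None)
    if auth is None:
        findings.append("no <xdb id='xdb_auth_cpile'/> section: external auth is not wired in")
    else:
        if "jabber:iq:auth" not in [n.text for n in auth.findall("ns")]:
            findings.append("xdb_auth_cpile section does not claim <ns>jabber:iq:auth</ns>")
        accept = auth.find("accept")
        if accept is None:
            findings.append("xdb_auth_cpile section has no <accept/> block")
        else:
            if accept.findtext("secret") == DEFAULT_SECRET:
                findings.append("component secret is the shipped default 'testing'")
            if accept.findtext("ip") != "127.0.0.1":
                findings.append("component socket is not bound to 127.0.0.1")

    # every other xdb needs the wildcard <ns/> so it keeps serving the remaining namespaces
    for x in xdbs:
        if x.get("id") != AUTH_XDB_ID and x.find("ns") is None:
            findings.append("<xdb id='%s'/> has no <ns/> child" % x.get("id"))

    # jsm auth modules: plain must be loaded, digest and 0k must not
    loaded = {el.tag for el in root.iter() if el.tag.startswith("mod_auth_")}
    if "mod_auth_plain" not in loaded:
        findings.append("mod_auth_plain is not loaded: the component never sees a plaintext password")
    for mod in ("mod_auth_digest", "mod_auth_0k"):
        if mod in loaded:
            findings.append("%s is still loaded: clients may send a hash that "
                            "xdb_auth_cpile cannot verify against IMAP" % mod)
    return findings


# Constructed sample: reproduces every mistake the guide warns about.
BAD_CONFIG = """<jabber>
  <xdb id="xdb_auth_cpile">
    <host/>
    <ns>jabber:iq:auth</ns>
    <accept><ip>0.0.0.0</ip><port>5999</port><secret>testing</secret></accept>
  </xdb>
  <xdb id="xdb">
    <host/>
    <load><xdb_file>./xdb_file/xdb_file.so</xdb_file></load>
    <xdb_file xmlns="jabber:config:xdb_file"><spool>./spool</spool></xdb_file>
  </xdb>
  <service id="sessions">
    <load main="jsm">
      <jsm>./jsm/jsm.so</jsm>
      <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
      <mod_auth_digest>./jsm/jsm.so</mod_auth_digest>
      <mod_auth_0k>./jsm/jsm.so</mod_auth_0k>
    </load>
  </service>
</jabber>"""

# Constructed sample: the same config corrected as the guide describes.
GOOD_CONFIG = """<jabber>
  <xdb id="xdb_auth_cpile">
    <host/>
    <ns>jabber:iq:auth</ns>
    <accept><ip>127.0.0.1</ip><port>5999</port><secret>q7VbN2xLp9sTw4Rz</secret></accept>
  </xdb>
  <xdb id="xdb">
    <host/>
    <ns/>
    <load><xdb_file>./xdb_file/xdb_file.so</xdb_file></load>
    <xdb_file xmlns="jabber:config:xdb_file"><spool>./spool</spool></xdb_file>
  </xdb>
  <service id="sessions">
    <load main="jsm">
      <jsm>./jsm/jsm.so</jsm>
      <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
      <!-- <mod_auth_digest>./jsm/jsm.so</mod_auth_digest> -->
      <!-- <mod_auth_0k>./jsm/jsm.so</mod_auth_0k> -->
    </load>
  </service>
</jabber>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG
    for finding in audit_jabber_xml(text) or ["no findings"]:
        print(finding)
```

Run it as `python audit_jabber_xml.py /path/to/jabber.xml`; with no argument it audits the embedded bad sample, which yields five findings, while the corrected sample yields none. The script only checks the points this guide makes; it does not know about the rest of jabber.xml.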



Comments

Please Note: If you are going to use PAM with shadow authentication, then standard rules apply to the user that _MUST_ run the xdb_auth_cpile daemon. To read the shadow passwords xdb_auth_cpile _MUST_ be run as root, this is horrible.
Posted by Norman Rasmussen on 2004-05-03 16:34

As these Perl scripts are not multithreaded, they block as long as any single authentication is not completed.
Posted by Maqi (admin) on 2004-06-15 04:47

Looks like there's a bug in jabberd's session setup code. The user data structure may get freed by the "garbage collector" if the collector runs while a user's password gets checked, resulting in a crash. Add <usergc>600</usergc> to the <jsm/> section of your jabber.xml configuration file to make this coincidence less likely (sets garbage collection interval to 600 seconds instead of 60 seconds default).
Posted by Maqi (admin) on 2004-08-27 09:58

The bug in jabberd14's session setup code has been fixed in CVS.
Posted by Maqi (admin) on 2004-10-14 14:53


